[v14.0/forgejo] Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo) (#12316 )

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12156 Co-authored-by: Renovate Bot <bot@kriese.eu> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12316 Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
[v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294 )
2026-06-22 10:02:15 +00:00 · 2026-04-29 08:26:50 +02:00 · 2026-04-29 05:29:23 +02:00 · 2026-04-28 20:30:31 +02:00 · 2026-04-28 22:25:58 +05:00 · 2026-04-24 19:45:14 +02:00
2793 changed files with 47242 additions and 129930 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -19,10 +19,10 @@ forgejo.org/models/auth
 forgejo.org/models/db
 	TruncateBeans
 	TruncateBeansCascade
+	InTransaction
 	DumpTables
 	GetTableNames
 	extendBeansForCascade
-	IsErrNameActivityPubInvalid

 forgejo.org/models/dbfs
 	file.renameTo
@ -58,6 +58,7 @@ forgejo.org/models/user
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
+	GetFederatedUser

 forgejo.org/modules/activitypub
 	NewContext
@ -87,6 +88,7 @@ forgejo.org/modules/eventsource
 	Event.String

 forgejo.org/modules/forgefed
+	NewForgeFollow
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
@ -132,9 +134,6 @@ forgejo.org/modules/json
 	StdJSON.Indent

 forgejo.org/modules/log
-	eventWriterBuffer.Close
-	eventWriterBuffer.Write
-	eventWriterBuffer.GetString
 	NewEventWriterBuffer

 forgejo.org/modules/markup
@ -219,63 +218,15 @@ forgejo.org/modules/zstd
 	Writer.Write
 	Writer.Close

-forgejo.org/routers/api/v1/permissions
-	Permissions.GetContext
-	Permissions.SetContext
-	Permissions.GetToken
-	Permissions.SetToken
-	Permissions.GetRepository
-	Permissions.SetRepository
-	Permissions.GetDoer
-	Permissions.SetDoer
-	Permissions.GetUser
-	Permissions.SetUser
-	Permissions.GetOrg
-	Permissions.SetOrg
-	Permissions.GetTeam
-	Permissions.SetTeam
-	Permissions.GetPackageOwner
-	Permissions.SetPackageOwner
-	Permissions.GetPackageAccessMode
-	Permissions.SetPackageAccessMode
-	Permissions.GetPermission
-	Permissions.SetPermission
-	Permissions.GetIsSigned
-	Permissions.SetIsSigned
-	Permissions.GetPublicOnly
-	Permissions.SetPublicOnly
-	Permissions.GetReducer
-	Permissions.SetReducer
-	Permissions.GetAuthentication
-	Permissions.SetAuthentication
-	Permissions.GetRequiredScopeCategories
-	Permissions.SetRequiredScopeCategories
-	Permissions.GetStatus
-	Permissions.SetStatus
-	Permissions.GetMessage
-	Permissions.SetMessage
-	Permissions.GetError
-	Permissions.Error
-	Permissions.NotFound
-	Permissions.InternalServerError
-	Permissions.WrittenStatus
-	Permissions.String
-	Permissions.Strings
-
-forgejo.org/routers/api/v1/permissions/testhelpers
-	GetSignatureStringToSignature
-	GetUniquePermissionsSequences
-	GetShortestPermissionSequenceForEachSignature
-
 forgejo.org/routers/web/org
 	MustEnableProjects

-forgejo.org/services/auth
-	RegisterInternalIssuerForTesting
-
 forgejo.org/services/context
 	GetPrivateContext

+forgejo.org/services/federation
+	FollowRemoteActor
+
 forgejo.org/services/notify
 	UnregisterNotifier

--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,6 +1,6 @@
 {
-  "name": "forgejo-dev",
-  "image": "mcr.microsoft.com/devcontainers/go:1.26-trixie",
+  "name": "Gitea DevContainer",
+  "image": "mcr.microsoft.com/devcontainers/go:1.25-trixie",
  "features": {
    // installs nodejs into container
    "ghcr.io/devcontainers/features/node:1": {
--- a/.editorconfig
+++ b/.editorconfig
@ -30,6 +30,7 @@ insert_final_newline = false
 [options/locale/locale_*.ini]
 insert_final_newline = false

-# Weblate is configured to use one tab for indention
+# Weblate JSON output defaults to four spaces
 [options/locale_next/locale_*.json]
-indent_style = tab
+indent_style = space
+indent_size = 4
--- a/.forgejo/issue_template/1-problem.yaml
+++ b/.forgejo/issue_template/1-problem.yaml
@ -13,18 +13,7 @@ body:
      - Please speak English, as this is the language all maintainers can speak and write.
      - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
      - Take a moment to [check if a similar problem has already been discussed in the past.](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137). Feel free to add your own experience there, if applicable.
- type: markdown
-  attributes:
-    value: |
-      ### New workflow
-      
-      We are currently experimenting with a new workflow to manage issues and better understand your problems and needs. This is step 1 of the workflow: Please try to focus on explaining the problem you are facing, which could be a bug in the code, a moment of confusion, or a need that you have.
-      
-      We do not expect anything from Forgejo users after creating a problem report, but we appreciate if you stay responsive to further questions. If you want, you can also participate in a discussion for solutions.
-      
-      Forgejo contributors will review your report, try to understand how important it is to you and other Forgejo users, and suggest potential solutions. In a next step, solutions can be documented and implemented.
-      
-      If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
+      - We are currently experimenting with a new workflow to understand your problems and requests. Please try to focus on explaining the problem you are facing, which could be a bug in the code, a moment of confusion, or a missing feature. We'll think about solutions to the problem at a later step. If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
 - type: dropdown
  id: can-reproduce
  attributes:
@ -41,18 +30,15 @@ body:
 - type: textarea
  id: environment
  attributes:
-    label: About your usage of Forgejo
+    label: Your usage of Forgejo
    description: |
-      Please provide a brief description of your usage of Forgejo. There is no clear guideline on how much you need to share here. You can be brief, but we value the insights you provide us to better understand your use case. Thank you very much!
+      Please provide a description of your usage of Forgejo. To better understand your problem, it will be relevant to know in which environment you use Forgejo and if you have performed specific configuration.
      <details><summary>Further instructions</summary>
      
-      * When reporting problems with certain functionality, you should include related information. Examples:
-        * When reporting an issue with setting up an identity provider, it is useful to know if you use Forgejo in a 10-users non-profit / start up, or if you are talking about a school / university with several thousands of users.
-        * When describing confusion, it will be relevant to know your skill level and background ("New, but used a similar product", "In my role as a project manager ..."), so we know for which target audience we need to design the functionality.
-        * When reporting workflow issues or needs, it will be useful to know how large your project is, how many team members you have, which skill level we are talking about etc. For example, we might choose a different design depending on whether a feature is only for professional developers or for hobby coders.
-      * If you want, we always appreciate generic information about your Forgejo usage to help us understand your usage and make better decisions. For example:
-        * Your personal relation to Forgejo and user role ("I'm new to Forgejo, but used a comparable product called …", "In my role as a designer, …").
-      * If you already explained your usage of Forgejo elsewhere (e.g. in another issue or in a user research repository), feel free to just drop a link.
+      * If you report a bug with a certain functionality, it will be relevant to learn about related configuration ("This is how I configured my identity provider", "This is how my Forgejo Actions runner is set up").
+      * Please elaborate on your personal relation to Forgejo and user role ("I'm new to Forgejo, but used a comparable product called …", "In my role as a designer, …").
+      * If you feel that Forgejo needs a change in functionality, please describe in which environment you want to use it, so that we can understand for which audience the complexity needs to appeal to ("We're a group of friends with no technical / professional background and use a personal Forgejo instance to prepare our first libre game").
+      * If you already explained your usage of Forgejo elsewhere (e.g. in another issue or in a user research repository), you can put a link here.
      
      </details>
  validations:
@ -62,7 +48,7 @@ body:
  attributes:
    label: Problem description
    description: |
-      Please describe your problem as a first-hand experience. Try to focus on the problem. You do not have to find a solution, you can leave this to us.
+      Please describe your problem as a first-hand experience. Try to focus on the problem. Finding a solution will happen in a next step.
      <details><summary>Further instructions</summary>
      
      * Start by explaining what you want to achieve ("I wanted to find an issue to work on").
@ -89,7 +75,7 @@ body:
  id: forgejo-ver
  attributes:
    label: Forgejo Version
-    description: Forgejo version (or commit reference) your instance is running or that you used to reproduce the bug on Forgejo Next.
+    description: Forgejo version (or commit reference) your instance is running
 - type: textarea
  id: versions
  attributes:
@ -98,10 +84,3 @@ body:
      Please include details to help us understand your problem: browser engine and version (for UI issues), operating system and version running Forgejo, database engine and version, deployment methods and relevant third-party packages (e.g. renderers, identity providers)
  validations:
    required: true
- type: markdown
-  attributes:
-    value: |
-      ### Solutions
-      
-      *Accepted solutions to address this problem will go here*
-  visible: [content]
--- a/.forgejo/issue_template/2-enhancement.yaml
+++ b/.forgejo/issue_template/2-enhancement.yaml
@ -1,5 +1,5 @@
 name: "Step 2: Enhancement"
-description: "[Advanced users only] Suggest a solution to one or multiple problems that have already been reported (see step 1)."
+description: Suggest a solution to one or multiple problems that have already been reported (see step 1).
 title: "enh: "
 labels: ["enhancement/feature"]
 body:
@ -8,28 +8,19 @@ body:
    value: |
      - Please speak English, as this is the language all maintainers can speak and write.
      - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
- type: markdown
-  attributes:
-    value: |
-      ### New workflow
-      
-      We are currently experimenting with a new workflow to manage issues and better understand your problems and needs. This is step 2 of the workflow, which is intended for Forgejo contributors: If you just want to raise a problem or need you have, please refer to step 1.
-      
-      This step allows to document a solution to one or multiple problems. It allows developers to focus on actionable implementation tasks without the clutter of previous discussions or triaging work.
-      
-      If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
+      - We are currently experimenting with a new workflow to understand your problems and requests. This is step 2 of a two-step-process. The goal is to discuss potential solutions to already-reported problems. If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
 - type: textarea
  id: problems
  attributes:
    label: Existing problems this enhancement addresses
-    description: Only list the issue numbers of the **existing** problems that your proposal addresses. **Do not add new descriptions.** If you haven't previously described a problem, please [complete step one of the workflow](https://codeberg.org/forgejo/forgejo/issues/new?template=.forgejo%2fissue_template%2fproblem.yaml) and describe the problem you'd like to solve first.
+    description: List the issue numbers of the reported problems that this enhancement addresses. If you haven't previously described a problem, please [complete step one of the workflow](https://codeberg.org/forgejo/forgejo/issues/new?template=.forgejo%2fissue_template%2fproblem.yaml) and describe the problem you'd like to solve first.
  validations:
    required: true
 - type: textarea
  id: description
  attributes:
    label: Enhancement description
-    description: Describe the changes you suggest for Forgejo and explain how they address the problems.
+    description: As concisely as possible, describe the changes you suggest for Forgejo and explain how they address the problems.
  validations:
    required: true
 - type: textarea
--- a/.forgejo/issue_template/config.yml
+++ b/.forgejo/issue_template/config.yml
@ -1,4 +1,3 @@
-blank_issues_enabled: false
 contact_links:
  - name: 🔓 Security Reports
    url: mailto:security@forgejo.org
--- a/.forgejo/pull_request_template.md
+++ b/.forgejo/pull_request_template.md
@ -10,22 +10,13 @@ labels:

 ## Checklist

-The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
+The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

-### Tests for Go changes
-
-(can be removed for JavaScript changes)
+### Tests

 - I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
-  - [ ] `make pr-go` before pushing
-
-### Tests for JavaScript changes
-
-(can be removed for Go changes)
-
 - I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
@ -37,9 +28,6 @@ The [contributor guide](https://forgejo.org/docs/next/contributor/) contains inf

 ### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
-
-*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*
-
-The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.
+- [ ] I do not want this change to show in the release notes.
+- [ ] I want the title to show in the release notes with a link to this pull request.
+- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
--- a/.forgejo/workflows-composite/build-backend/action.yaml
+++ b/.forgejo/workflows-composite/build-backend/action.yaml
@ -3,7 +3,7 @@ runs:
  steps:
    - run: |
        su forgejo -c 'make deps-backend'
-    - uses: https://data.forgejo.org/actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+    - uses: https://data.forgejo.org/actions/cache@v4
      id: cache-backend
      with:
        path: ${{github.workspace}}/gitea
--- a/.forgejo/workflows-composite/setup-cache-go/action.yaml
+++ b/.forgejo/workflows-composite/setup-cache-go/action.yaml
@ -17,7 +17,7 @@ runs:
        apt-get -q install -qq -y zstd

    - name: "Set up Go using setup-go"
-      uses: https://data.forgejo.org/actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: https://data.forgejo.org/actions/setup-go@v6
      id: go-version
      with:
        go-version-file: "go.mod"
@ -50,7 +50,7 @@ runs:

    - name: "Restore Go dependencies from cache or mark for later caching"
      id: cache-deps
-      uses: https://data.forgejo.org/actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      uses: https://data.forgejo.org/actions/cache@v4
      with:
        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod', 'Makefile') }}
        restore-keys: |
--- a/.forgejo/workflows/backport.yml
+++ b/.forgejo/workflows/backport.yml
@ -40,14 +40,14 @@ jobs:
      )
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://data.forgejo.org/actions/git-backporting@08da0b07ef2330d189f6074ec8db736b3aa9f465 # v4.9.1
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.7
        with:
          target-branch-pattern: "^backport/(?<target>(v.*))$"
          strategy: ort
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -1,9 +1,6 @@
 name: Integration tests for the release process
 enable-email-notifications: true

-env:
-  FORGEJO_VERSION: 11.0.15 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
-
 on:
  push:
    paths:
@ -29,14 +26,14 @@ jobs:
    if: vars.ROLE == 'forgejo-coding'
    runs-on: lxc-bookworm
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5

      - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@bb44e99c35dc50942a2a7b346a3de7c6c33c83f9 # v3.2.3
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.7
        with:
          user: root
          password: admin1234
-          image-version: ${{ env.FORGEJO_VERSION }}
+          image-version: 1.21
          lxc-ip-prefix: 10.0.9

      - name: publish the forgejo release
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -33,7 +33,7 @@ jobs:
    # root is used for testing, allow it
    if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
        with:
          fetch-depth: 0

@ -43,11 +43,11 @@ jobs:
          repository="${{ github.repository }}"
          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"

-      - uses: https://data.forgejo.org/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: https://data.forgejo.org/actions/setup-node@v6
        with:
          node-version: 22

-      - uses: https://data.forgejo.org/actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: https://data.forgejo.org/actions/setup-go@v6
        with:
          go-version-file: "go.mod"

@ -93,7 +93,7 @@ jobs:

      - name: cache node_modules
        id: node
-        uses: https://data.forgejo.org/actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: https://data.forgejo.org/actions/cache@v4
        with:
          path: |
            node_modules
@ -164,7 +164,7 @@ jobs:

      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@c131a10d0dab056dc39c7df7923feaf92c41609a # v5.7.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -183,7 +183,7 @@ jobs:

      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@c131a10d0dab056dc39c7df7923feaf92c41609a # v5.7.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -201,7 +201,7 @@ jobs:

      - name: end-to-end tests
        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://data.forgejo.org/actions/cascading-pr@b52d5b1f4f7bc3dd8b9f6ceca3a05aea6e9920be # v2.3.2
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
@ -227,14 +227,11 @@ jobs:
            curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/releases/tags/$tag > /dev/null
            curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/tags/$tag > /dev/null
          fi
-          # actions/checkout@v6 sets http.https://codeberg.org/.extraheader with the automatic token. Get rid of it so
-          # it does not prevent using the token that has write permissions. As of @v6, it is stored in
-          # $RUNNER_TEMP/git-credentials-(uuid).config and included in the repo via
-          # includeif.gitdir:...=$RUNNER_TEMP/git-credentials-(uuid).config. Since we don't need these credentials
-          # anymore we can just remove the generated config file.
-          rm -f $RUNNER_TEMP/git-credentials-*
+          # actions/checkout@v3 sets http.https://codeberg.org/.extraheader with the automatic token.
+          # Get rid of it so it does not prevent using the token that has write permissions
+          git config --local --unset http.https://codeberg.org/.extraheader
          if test -f .git/shallow ; then
-            echo "unexpected .git/shallow file is present"
+            echo "unexptected .git/shallow file is present"
            echo "it suggests a checkout --depth X was used which may prevent pushing the commit"
            echo "it happens when actions/checkout is called without depth: 0"
          fi
--- a/.forgejo/workflows/cascade-setup-end-to-end.yml
+++ b/.forgejo/workflows/cascade-setup-end-to-end.yml
@ -35,13 +35,13 @@ jobs:
      )
    runs-on: docker
    container:
-      image: data.forgejo.org/oci/node:24-trixie
+      image: data.forgejo.org/oci/node:24-bookworm
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
        with:
          fetch-depth: '0'
          show-progress: 'false'
-      - uses: https://data.forgejo.org/actions/cascading-pr@b52d5b1f4f7bc3dd8b9f6ceca3a05aea6e9920be # v2.3.2
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
--- a/.forgejo/workflows/coverage.yml
+++ b/.forgejo/workflows/coverage.yml
@ -20,15 +20,15 @@ jobs:
  all:
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/ci:2'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      image: 'data.forgejo.org/oci/ci:1'
+      options: --tmpfs /tmp:exec,noatime
    services:
      elasticsearch:
        image: data.forgejo.org/oci/bitnami/elasticsearch:7
        options: --tmpfs /bitnami/elasticsearch/data
        env:
          discovery.type: single-node
-          ES_JAVA_OPTS: '-Xms512m -Xmx512m'
+          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
      minio:
        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        options: >-
@ -58,10 +58,10 @@ jobs:
          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
        options: --tmpfs /bitnami/postgresql
      cacher:
-        image: data.forgejo.org/oci/bitnami/redis:7.2
-        options: --tmpfs /data:noatime,uid=1000,gid=1000
+        image: registry.redict.io/redict:7.3.6-scratch
+        options: --tmpfs /data:noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
        with:
          repository: ${{ inputs.repository }}
          ref: ${{ inputs.ref }}
@ -83,7 +83,7 @@ jobs:
          TEST_MINIO_ENDPOINT: minio:9000
          TEST_LDAP: 1
          TEST_REDIS_SERVER: cacher:6379
-      - uses: https://data.forgejo.org/forgejo/upload-artifact@cb8afe72b42edc798abfb8fcb556cf660d894245 # v5
+      - uses: https://code.forgejo.org/forgejo/upload-artifact@v4
        with:
          name: coverage
          path: ${{ forge.workspace }}/coverage/merged
--- a/.forgejo/workflows/forgejo-integration-cleanup.yml
+++ b/.forgejo/workflows/forgejo-integration-cleanup.yml
@ -9,7 +9,7 @@ jobs:
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
    steps:

      - name: apt install curl jq
--- a/.forgejo/workflows/merge-requirements.yml
+++ b/.forgejo/workflows/merge-requirements.yml
@ -11,16 +11,13 @@ on:
      - opened
      - synchronize

-concurrency:
-  cancel-in-progress: true
-
 jobs:
  merge-conditions:
    if: >
      vars.ROLE == 'forgejo-coding' && forge.event.pull_request.head.repo.full_name != 'forgejo-cascading-pr/forgejo'
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
    steps:
      - name: Debug output
        run: |
--- a/.forgejo/workflows/milestone.yml
+++ b/.forgejo/workflows/milestone.yml
@ -13,9 +13,9 @@ jobs:
    if: vars.ROLE == 'forgejo-coding' && github.event.pull_request.merged
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/ci:2'
+      image: 'data.forgejo.org/oci/ci:1'
    steps:
-      - uses: https://data.forgejo.org/forgejo/set-milestone@4010c1a99aa87eed8acd94064b4fa93f675ba561 # v1.0.0
+      - uses: https://data.forgejo.org/forgejo/set-milestone@v1.0.0
        with:
          forgejo: https://codeberg.org
          repository: forgejo/forgejo
--- a/.forgejo/workflows/mirror.yml
+++ b/.forgejo/workflows/mirror.yml
@ -11,7 +11,7 @@ jobs:
    if: ${{ secrets.MIRROR_TOKEN != '' }}
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
    steps:
      - name: git push {v*/,}forgejo
        run: |
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -41,10 +41,10 @@ jobs:
    runs-on: lxc-bookworm
    if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != ''
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5

      - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@c131a10d0dab056dc39c7df7923feaf92c41609a # v5.7.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.6.0
        with:
          from-forgejo: ${{ vars.FORGEJO }}
          to-forgejo: ${{ vars.FORGEJO }}
@ -63,14 +63,14 @@ jobs:

      - name: get trigger mirror issue
        id: mirror
-        uses: https://data.forgejo.org/infrastructure/issue-action/get@c66839063e70625ad4306aeb038c2a5e899af840 # v1.5.0
+        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.5.0
        with:
          forgejo: https://code.forgejo.org
          repository: forgejo/forgejo
          labels: mirror-trigger

      - name: trigger the mirror
-        uses: https://data.forgejo.org/infrastructure/issue-action/set@c66839063e70625ad4306aeb038c2a5e899af840 # v1.5.0
+        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.5.0
        with:
          forgejo: https://code.forgejo.org
          repository: forgejo/forgejo
@ -80,7 +80,7 @@ jobs:
          label: trigger

      - name: upgrade v*.next.forgejo.org
-        uses: https://data.forgejo.org/infrastructure/next-digest@e22026170bac6fd38c3034dbc33e66b52fe069d1 # v1.2.2
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.2.2
        with:
          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@invisible.forgejo.org/infrastructure/next-digest
          ref_name: '${{ github.ref_name }}'
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@ -6,18 +6,18 @@ on:

 env:
  RNA_WORKDIR: /srv/rna
-  RNA_VERSION: v1.7.3 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org

 jobs:
  release-notes:
    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/ci:2'
+      image: 'data.forgejo.org/oci/ci:1'
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5

-      - uses: https://data.forgejo.org/actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      - uses: https://data.forgejo.org/actions/cache@v4
        with:
          key: rna-${{ env.RNA_VERSION }}
          path: ${{ env.RNA_WORKDIR }}
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@ -8,16 +8,16 @@ on:
      - labeled

 env:
-  RNA_VERSION: v1.7.3 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org

 jobs:
  release-notes:
    if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/ci:2'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5

      - name: event
        run: |
@ -28,12 +28,17 @@ jobs:
          ${{ toJSON(github.event) }}
          EOF

-      - name: install release-notes-assistant
+      - uses: https://data.forgejo.org/actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: apt install jq
        run: |
-          set -x
-          wget -O /usr/local/bin/rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/${{ env.RNA_VERSION}}/release-notes-assistant
-          chmod +x /usr/local/bin/rna
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq

      - name: release-notes-assistant preview
        run: |
-          rna --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }} --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}
+          go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }}  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -0,0 +1,79 @@
+#
+# Runs every 2 hours, but Renovate is limited to create new PR before 4am.
+# See renovate.json for more settings.
+# Automerge is enabled for Renovate PR's but need to be approved before.
+#
+name: renovate
+
+on:
+  push:
+    branches:
+      - renovate/** # self-test updates
+    paths:
+      - .forgejo/workflows/renovate.yml
+  schedule:
+    - cron: '0 0/2 * * *'
+  workflow_dispatch:
+
+env:
+  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
+  RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
+  # and codeberg api returns such versions from `git describe --tags`
+  # RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0 currently not needed
+
+jobs:
+  renovate:
+    if: vars.ROLE == 'forgejo-coding' && secrets.RENOVATE_TOKEN != ''
+
+    runs-on: docker
+    container:
+      image: data.forgejo.org/renovate/renovate:42.39.2
+
+    steps:
+      - name: Load renovate repo cache
+        uses: https://data.forgejo.org/actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        with:
+          path: |
+            .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
+          key: repo-cache-${{ github.run_id }}
+          restore-keys: |
+            repo-cache-
+
+      - name: Run renovate
+        run: renovate
+        env:
+          GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
+          LOG_LEVEL: debug
+          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
+          RENOVATE_ENDPOINT: ${{ github.server_url }}
+          RENOVATE_PLATFORM: forgejo
+          RENOVATE_REPOSITORY_CACHE: 'enabled'
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          RENOVATE_GIT_AUTHOR: 'Renovate Bot <forgejo-renovate-action@forgejo.org>'
+          RENOVATE_CONFIG_FILE_NAMES: '[".forgejo/renovate.json"]'
+
+          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
+
+          GIT_AUTHOR_NAME: 'Renovate Bot'
+          GIT_AUTHOR_EMAIL: 'forgejo-renovate-action@forgejo.org'
+          GIT_COMMITTER_NAME: 'Renovate Bot'
+          GIT_COMMITTER_EMAIL: 'forgejo-renovate-action@forgejo.org'
+
+          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv
+
+          # use direct connection for these domains for renovate go datasource instead of the go proxy
+          # allows faster lookups
+          GONOPROXY: code.forgejo.org
+
+      - name: Save renovate repo cache
+        if: always() && env.RENOVATE_DRY_RUN != 'full'
+        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        with:
+          path: |
+            .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
+          key: repo-cache-${{ github.run_id }}
--- a/.forgejo/workflows/testing-integration.yml
+++ b/.forgejo/workflows/testing-integration.yml
@ -16,7 +16,7 @@
 name: testing-integration

 on:
-  #  pull_request:
+#  pull_request:
  push:
    tags: 'v[0-9]+.[0-9]+.*'
    branches:
@ -27,14 +27,14 @@ enable-email-notifications: true

 jobs:
  test-unit:
-    #    if: vars.ROLE == 'forgejo-coding'
+#    if: vars.ROLE == 'forgejo-coding'
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install git 2.34.1 and git-lfs 3.0.2
        uses: ./.forgejo/workflows-composite/install-minimum-git-version
@ -46,14 +46,14 @@ jobs:
          RACE_ENABLED: 'true'
          TAGS: bindata
  test-sqlite:
-    #    if: vars.ROLE == 'forgejo-coding'
+#    if: vars.ROLE == 'forgejo-coding'
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install git 2.34.1 and git-lfs 3.0.2
        uses: ./.forgejo/workflows-composite/install-minimum-git-version
@ -67,7 +67,7 @@ jobs:
          TEST_TAGS: sqlite sqlite_unlock_notify
          USE_REPO_TEST_DIR: 1
  test-mariadb:
-    #    if: vars.ROLE == 'forgejo-coding'
+#    if: vars.ROLE == 'forgejo-coding'
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    name: ${{ format('test-mariadb (v{0})', matrix.version) }}
@ -76,7 +76,7 @@ jobs:
        version: ['10.6', '11.8']
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    services:
      mysql:
        image: ${{ format('data.forgejo.org/oci/mariadb:{0}', matrix.version) }}
@ -85,7 +85,7 @@ jobs:
          MARIADB_DATABASE: testgitea
        options: --tmpfs /var/lib/mysql:noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies
        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -15,38 +15,33 @@ jobs:
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
-      # DO NOT add checks here, but rather in the makefile
-      - run: su forgejo -c './tools/cimake.sh pr-go'
-      # this will re-run the backend target also contained in pr-go, but
-      # a re-build is insignificant
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make --always-make -j$(nproc) lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate' # ensure the "go-licenses" make target runs
      - uses: ./.forgejo/workflows-composite/build-backend
  frontend-checks:
    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-
-      - uses: https://data.forgejo.org/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: https://data.forgejo.org/actions/checkout@v5
+      - uses: https://data.forgejo.org/actions/setup-node@v6
        with:
          node-version-file: .node-version
-
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
-      - name: make test-frontend-coverage
-        run: |
+      - run: |
          # Usage of `dayjs` can be impacted by local system timezone and can be sensitive to DST differences; since
          # frontend tests are very short they're run twice with varying DST rules to reduce regression risk.
          TZ=Europe/Berlin make test-frontend-coverage
@ -58,8 +53,8 @@ jobs:
        run: |
          apt-get update -qq
          apt-get -q install -qq -y zstd
-      - name: 'Cache frontend build for playwright testing'
-        uses: https://data.forgejo.org/actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      - name: "Cache frontend build for playwright testing"
+        uses: https://data.forgejo.org/actions/cache/save@v4
        with:
          path: ${{github.workspace}}/public/assets
          key: frontend-build-${{ github.sha }}
@ -69,14 +64,14 @@ jobs:
    needs: [backend-checks, frontend-checks]
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    services:
      elasticsearch:
        image: data.forgejo.org/oci/bitnami/elasticsearch:7
        options: --tmpfs /bitnami/elasticsearch/data
        env:
          discovery.type: single-node
-          ES_JAVA_OPTS: '-Xms512m -Xmx512m'
+          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
      minio:
        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        options: >-
@ -86,12 +81,13 @@ jobs:
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: test release-notes-assistant.sh
        run: |
          apt-get -q install -qq -y jq
          ./release-notes-assistant.sh test_main
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-backend test-check'
        timeout-minutes: 120
@ -106,22 +102,23 @@ jobs:
    needs: [backend-checks, frontend-checks]
    container:
      image: 'data.forgejo.org/oci/playwright:latest'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
        with:
          fetch-depth: 20
      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: 'Restore frontend build'
-        uses: https://data.forgejo.org/actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      - name: "Restore frontend build"
+        uses: https://data.forgejo.org/actions/cache/restore@v4
        id: cache-frontend
        with:
          path: ${{github.workspace}}/public/assets
          key: frontend-build-${{ github.sha }}
-      - name: 'Build frontend (if not cached)'
+      - name: "Build frontend (if not cached)"
        if: steps.cache-frontend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make deps-frontend frontend'
+      - uses: ./.forgejo/workflows-composite/build-backend
      - name: Decide to run all tests
        id: run-all
        if: contains(github.event.pull_request.labels.*.name, 'run-all-playwright-tests') || contains(github.event.pull_request.title, 'playwright')
@ -129,7 +126,7 @@ jobs:
          echo "all=1" >> "$GITHUB_OUTPUT"
      - name: Get changed files
        id: changed-files
-        uses: https://data.forgejo.org/tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: https://data.forgejo.org/tj-actions/changed-files@v47
        with:
          separator: '\n'
      - run: |
@ -142,7 +139,7 @@ jobs:
          RUN_ALL: ${{steps.run-all.all}}
      - name: Upload test artifacts on failure
        if: failure()
-        uses: https://data.forgejo.org/forgejo/upload-artifact@cb8afe72b42edc798abfb8fcb556cf660d894245 # v5
+        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
        with:
          name: test-artifacts.zip
          path: tests/e2e/test-artifacts/
@ -153,7 +150,7 @@ jobs:
    needs: [backend-checks, frontend-checks, test-unit]
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    name: ${{ format('test-remote-cacher ({0})', matrix.cacher.name) }}
    strategy:
      matrix:
@ -161,6 +158,9 @@ jobs:
          - name: redis
            image: data.forgejo.org/oci/bitnami/redis:7.2
            options: --tmpfs /bitnami/redis/data:noatime
+          - name: redict
+            image: registry.redict.io/redict:7.3.0-scratch
+            options: --tmpfs /data:noatime
          - name: valkey
            image: data.forgejo.org/oci/bitnami/valkey:7.2
            options: --tmpfs /bitnami/redis/data:noatime
@ -172,10 +172,11 @@ jobs:
        image: ${{ matrix.cacher.image }}
        options: ${{ matrix.cacher.options }}
        env:
-          ALLOW_EMPTY_PASSWORD: 'yes' # redis & valkey will immediately shutdown with no defined password unless overridden
+          ALLOW_EMPTY_PASSWORD: "yes" # redis & valkey will immediately shutdown with no defined password unless overridden
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-remote-cacher test-check'
        timeout-minutes: 120
@ -189,7 +190,7 @@ jobs:
    needs: [backend-checks, frontend-checks]
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    services:
      mysql:
        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
@ -202,12 +203,13 @@ jobs:
          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
        options: --tmpfs /bitnami/mysql/data:noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies
        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
        env:
          DEBIAN_FRONTEND: noninteractive
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-mysql-migration test-mysql'
        timeout-minutes: 120
@ -219,7 +221,7 @@ jobs:
    needs: [backend-checks, frontend-checks]
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    services:
      minio:
        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
@ -239,12 +241,13 @@ jobs:
          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
        options: --tmpfs /bitnami/postgresql
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies
        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
        env:
          DEBIAN_FRONTEND: noninteractive
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-pgsql-migration test-pgsql'
        timeout-minutes: 120
@ -258,14 +261,15 @@ jobs:
    needs: [backend-checks, frontend-checks]
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies
        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
        env:
          DEBIAN_FRONTEND: noninteractive
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-sqlite-migration test-sqlite'
        timeout-minutes: 120
@ -285,22 +289,9 @@ jobs:
      - test-unit
    container:
      image: 'data.forgejo.org/oci/node:24-trixie'
-      # options: --tmpfs /tmp:exec,noatime # Too much memory usage
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: https://data.forgejo.org/actions/checkout@v5
      - uses: ./.forgejo/workflows-composite/setup-env
      - run: su forgejo -c 'make deps-backend deps-tools'
      - run: su forgejo -c 'make security-check'
-  semgrep:
-    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
-    name: semgrep/ci
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/semgrep:latest'
-    steps:
-      - run: apk add nodejs # required for actions/checkout
-      - uses: https://data.forgejo.org/actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-      - name: self-check semgrep rules
-        run: semgrep --test .semgrep/tests/ --config .semgrep/config/
-      - name: semgrep ci
-        run: semgrep ci --config .semgrep/config/ --metrics=off
--- a/.gitignore
+++ b/.gitignore
@ -107,7 +107,6 @@ cpu.out
 /.air
 /.go-licenses
 /.cur-deadcode-out
-/.deadcode.diff

 # Files and folders that were previously generated
 /public/assets/img/webpack
@ -135,6 +134,3 @@ prime/
 # Manpage
 /man
 tests/integration/api_activitypub_person_inbox_useractivity_test.go
-
-# Mise version management
-mise.toml
--- a/.golangci.yml
+++ b/.golangci.yml
@ -15,7 +15,6 @@ linters:
    - govet
    - importas
    - ineffassign
-    - modernize
    - nakedret
    - nolintlint
    - revive
@ -26,7 +25,6 @@ linters:
    - unused
    - usetesting
    - wastedassign
-    - nilnil
  settings:
    depguard:
      rules:
@ -46,25 +44,6 @@ linters:
              desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
            - pkg: gopkg.in/yaml.v3
              desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
-        migration-isolation:
-          list-mode: lax
-          files:
-            - "**/models/forgejo_migrations/**"
-          deny:
-            - pkg: "forgejo.org/models"
-              desc: >
-                Migrations must not import application models. Application models will be the most recent schema for
-                Forgejo, while migrations will be operating against the database schema that existed when they were
-                authored.
-            - pkg: "forgejo.org/services"
-              desc: >
-                Migrations must not import application services. Application services will reference application
-                models which will use the most recent schema for Forgejo, while migrations will be operating against the
-                database schema that existed when they were authored.
-          allow:
-            - "forgejo.org/models/db"
-            - "forgejo.org/models/gitea_migrations/base"
-            - "forgejo.org/models/gitea_migrations/test"
    gocritic:
      disabled-checks:
        - ifElseChain
@ -134,8 +113,6 @@ linters:
      disable:
        - error-is-as
        - go-require
-    nilnil:
-      only-two: false
  exclusions:
    generated: lax
    presets:
@ -154,16 +131,7 @@ linters:
          - gosec
          - staticcheck
          - unparam
-          - nilnil
        path: _test\.go
-      - linters:
-          - dupl
-          - errcheck
-          - gocyclo
-          - gosec
-          - staticcheck
-          - unparam
-        path: routers/api/v1/permissions/tests
      - linters:
          - dupl
          - errcheck
@ -173,9 +141,6 @@ linters:
      - linters:
          - forbidigo
        path: cmd
-      - linters:
-          - forbidigo
-        path: build/lint-single-response
      - linters:
          - dupl
        text: (?i)webhook
@ -198,188 +163,6 @@ linters:
      - linters:
          - staticcheck
        text: "(ST1005|ST1003|QF1001):"
-
-      # TODO: eventually remove this section entirely
-      - path: models/activities/action_list.go
-        linters:
-          - nilnil
-      - path: models/asymkey/gpg_key_object_verification.go
-        linters:
-          - nilnil
-      - path: models/auth/oauth2.go
-        linters:
-          - nilnil
-      - path: models/db/collation.go
-        linters:
-          - nilnil
-      - path: models/dbfs/dbfile.go
-        linters:
-          - nilnil
-      - path: models/forgejo_migrations_legacy/v32.go
-        linters:
-          - nilnil
-      - path: models/db/context.go
-        linters:
-          - nilnil
-      - path: models/git/branch_list.go
-        linters:
-          - nilnil
-      - path: models/git/lfs_lock.go
-        linters:
-          - nilnil
-      - path: models/git/protected_branch.go
-        linters:
-          - nilnil
-      - path: models/git/protected_tag.go
-        linters:
-          - nilnil
-      - path: models/issues/issue.go
-        linters:
-          - nilnil
-      - path: models/issues/issue_xref.go
-        linters:
-          - nilnil
-      - path: models/issues/review.go
-        linters:
-          - nilnil
-      - path: models/organization/org_user.go
-        linters:
-          - nilnil
-      - path: models/quota/rule.go
-        linters:
-          - nilnil
-      - path: models/repo/archiver.go
-        linters:
-          - nilnil
-      - path: models/repo/fork.go
-        linters:
-          - nilnil
-      - path: models/repo/topic.go
-        linters:
-          - nilnil
-      - path: models/user/email_address.go
-        linters:
-          - nilnil
-      - path: models/user/list.go
-        linters:
-          - nilnil
-      - path: models/user/user.go
-        linters:
-          - nilnil
-      - path: models/repo/repo.go
-        linters:
-          - nilnil
-      - path: modules/git/commit.go
-        linters:
-          - nilnil
-      - path: modules/git/foreachref/parser.go
-        linters:
-          - nilnil
-      - path: modules/git/last_commit_cache.go
-        linters:
-          - nilnil
-      - path: modules/git/log_name_status.go
-        linters:
-          - nilnil
-      - path: modules/graceful/net_unix.go
-        linters:
-          - nilnil
-      - path: modules/indexer/internal/bleve/util.go
-        linters:
-          - nilnil
-      - path: modules/indexer/issues/util.go
-        linters:
-          - nilnil
-      - path: modules/optional/serialization.go
-        linters:
-          - nilnil
-      - path: modules/setting/storage.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/chef/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/container/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/nuget/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/swift/swift.go
-        linters:
-          - nilnil
-      - path: routers/web/auth/oauth.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/compare.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/release.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/runners.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/secrets.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/variables.go
-        linters:
-          - nilnil
-      - path: services/actions/context.go
-        linters:
-          - nilnil
-      - path: services/actions/trust.go
-        linters:
-          - nilnil
-      - path: services/contexttest/context_tests.go
-        linters:
-          - nilnil
-      - path: services/gitdiff/csv.go
-        linters:
-          - nilnil
-      - path: services/issue/assignee.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/conan/auth.go
-        linters:
-          - nilnil
-      - path: services/issue/commit.go
-        linters:
-          - nilnil
-      - path: services/issue/issue.go
-        linters:
-          - nilnil
-      - path: services/migrations/onedev.go
-        linters:
-          - nilnil
-      - path: services/packages/cargo/index.go
-        linters:
-          - nilnil
-      - path: services/pull/check.go
-        linters:
-          - nilnil
-      - path: services/pull/comment.go
-        linters:
-          - nilnil
-      - path: services/pull/merge.go
-        linters:
-          - nilnil
-      - path: services/pull/review.go
-        linters:
-          - nilnil
-      - path: services/remote/promote.go
-        linters:
-          - nilnil
-      - path: services/repository/archiver/archiver.go
-        linters:
-          - nilnil
-      - path: services/repository/generate_repo_commit.go
-        linters:
-          - nilnil
-      - path: services/repository/repository.go
-        linters:
-          - nilnil
    paths:
      - node_modules
      - public
--- a/.mockery.yml
+++ b/.mockery.yml
@ -1,22 +0,0 @@
-formatter: gofmt
-template: testify
-packages:
-  forgejo.org/modules/nosql:
-    config:
-      filename: mocks.go # make mocks public so that external packages can use
-  forgejo.org/services/auth:
-    config:
-      filename: mocks.go # make mocks public so that external packages can use
-  forgejo.org/services/notify:
-    config:
-      filename: mocks.go # make mocks public so that external packages can use
-  forgejo.org/services/authz:
-    config:
-      filename: authorization_reducer_mock.go # make mocks public so that external packages can use
-  code.forgejo.org/go-chi/cache:
-    interfaces:
-      Cache:
-        config:
-          pkgname: cache
-          dir: modules/cache
-          filename: mocks.go # make mocks public, not `_test.go`, so that external packages can mock caching
--- a/.node-version
+++ b/.node-version
@ -1 +1 @@
-24.17.0
+24.12.0
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@ -7,8 +7,7 @@ branch-from-version: 'v%[1]d.%[2]d/forgejo'
 tag-from-version: 'v%[1]d.%[2]d.%[3]d'
 supported-release-count: 3
 branch-known:
-# replace with v15 when v11 becomes EOL
-  - 'v11.0/forgejo'
+  - 'v7.0/forgejo'
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |

--- a/.semgrep/config/auth.yaml
+++ b/.semgrep/config/auth.yaml
@ -1,111 +0,0 @@
-rules:
-  - id: forgejo-api-use-resource-SearchRepoOptions
-    patterns:
-      - pattern: |
-          repo_model.SearchRepoOptions{...}
-      - pattern-not: |
-          repo_model.SearchRepoOptions{
-            ...,
-            AuthorizationReducer: ctx.Reducer,
-            ...
-          }
-    languages:
-      - go
-    message: >
-      SearchRepoOptions does not take into account fine-grained access token limitations.  Include the
-      AuthorizationReducer field.
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-use-resource-SearchRepoOptions
-    patterns:
-      - pattern: |
-          organization.SearchTeamRepoOptions{...}
-      - pattern-not: |
-          organization.SearchTeamRepoOptions{
-            ...,
-            AuthorizationReducer: ctx.Reducer,
-            ...
-          }
-    languages:
-      - go
-    message: >
-      SearchTeamRepoOptions does not take into account fine-grained access token limitations.  Include the
-      AuthorizationReducer field.
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-use-resource-GetUserRepoPermission
-    patterns:
-      - pattern: |
-          $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-      - metavariable-type:
-          metavariable: $CTX
-          types:
-            - "*context.APIContext"
-    languages:
-      - go
-    message: >
-      GetUserRepoPermission does not take into account fine-grained access token limitations.  Use
-      GetUserRepoPermissionWithReducer.
-    fix: |
-      $X.GetUserRepoPermissionWithReducer($CTX, $REPO, $DOER, $CTX.Reducer)
-    severity: ERROR
-
-  - id: forgejo-api-suspicious-GetUserRepoPermission
-    patterns:
-      - pattern: $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-      - pattern-not: # don't match if identical to forgejo-api-use-resource-GetUserRepoPermission
-          patterns:
-          - pattern: |
-              $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-          - metavariable-type:
-              metavariable: $CTX
-              types:
-                - "*context.APIContext"
-    languages:
-      - go
-    message: >
-      API code is accessing GetUserRepoPermission which does not take into account fine-grained access token
-      limitations.  Should this use GetUserRepoPermissionWithReducer?
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-direct-IsAdmin-check
-    patterns:
-      - pattern: |
-          ctx.Doer.IsAdmin
-    languages:
-      - go
-    message: |
-      ctx.Doer.IsAdmin does not take into account limited API access tokens.  Use ctx.IsUserSiteAdmin() instead.
-    fix: |
-      ctx.IsUserSiteAdmin()
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-direct-repo-Admin-check
-    patterns:
-      - pattern: |
-          ctx.Repo.IsAdmin()
-      - pattern: |
-          ctx.Repo.IsOwner()
-    languages:
-      - go
-    message: |
-      ctx.Repo.IsAdmin/IsOwner() does not take into account limited API access tokens.  Use ctx.IsUserRepoAdmin() instead.
-    fix: |
-      ctx.IsUserRepoAdmin()
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
--- a/.semgrep/config/go.yaml
+++ b/.semgrep/config/go.yaml
@ -1,18 +0,0 @@
-rules:
-  - id: forgejo-switch-empty-case
-    pattern-either:
-      - pattern: |-
-          switch $_ {
-            case $_:
-          }
-      - patterns:
-        - pattern: |-
-            switch {
-              case $_:
-            }
-    languages:
-      - go
-    severity: ERROR
-    message: >
-      switch has a case block with no content. This is treated as "break" by Go, but developers may confuse it for
-      "fallthrough".  To fix this error, disambiguate by using "break" or "fallthrough".
--- a/.semgrep/config/logic.yaml
+++ b/.semgrep/config/logic.yaml
@ -1,11 +0,0 @@
-rules:
-  - id: forgejo-logic-suspicious-OwnerID-check
-    pattern: |-
-      $X.OwnerID > 0
-    languages:
-      - go
-    severity: ERROR
-    message: >
-      Many resources like comments or runners cannot only be owned by regular users, which have positive IDs, but also
-      by predefined system users like Ghost or Forgejo Actions that have negative IDs. In those cases, ownership checks
-      should only exclude 0: `OwnerID != 0`.
--- a/.semgrep/config/xorm.yaml
+++ b/.semgrep/config/xorm.yaml
@ -1,24 +0,0 @@
-rules:
-  - id: xorm-sync-missing-ignore-drop-indices
-    patterns:
-      - pattern-either:
-          - pattern: |
-              $X.Sync(...)
-          - pattern: |
-              $X.SyncWithOptions($OPTS, ...)
-      - pattern-not: |
-          $X.SyncWithOptions(xorm.SyncOptions{..., IgnoreDropIndices: true, ...}, ...)
-      - metavariable-type:
-          metavariable: $X
-          types:
-            - "*xorm.Engine"
-            - "*xorm.Session"
-    paths:
-      exclude:
-        - /models/gitea_migrations/**/*.go
-        - /models/forgejo_migrations_legacy/**/*.go
-    languages:
-      - go
-    message: |
-      xorm Sync operation may drop indices if used on an incomplete bean definition for an existing table. Use SyncWithOptions with IgnoreDropIndices: true instead.
-    severity: ERROR
--- a/.semgrep/tests/auth.fixed.go
+++ b/.semgrep/tests/auth.fixed.go
@ -1,58 +0,0 @@
-// Copyright 2016 The Gogs Authors. All rights reserved.
-// Copyright 2020 The Gitea Authors.
-// SPDX-License-Identifier: MIT
-
-package repo
-
-import (
-	"net/http"
-
-	"forgejo.org/models/db"
-	access_model "forgejo.org/models/perm/access"
-	repo_model "forgejo.org/models/repo"
-	api "forgejo.org/modules/structs"
-	"forgejo.org/routers/api/v1/utils"
-	"forgejo.org/services/context"
-	"forgejo.org/services/convert"
-)
-
-// ListForks list a repository's forks
-func ListForks(ctx *context.APIContext) {
-	forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "GetForks", err)
-		return
-	}
-	apiForks := make([]*api.Repository, len(forks))
-	for i, fork := range forks {
-		// ruleid:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		// ok:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
-			return
-		}
-		apiForks[i] = convert.ToRepo(ctx, fork, permission)
-	}
-}
-
-// getStarredRepos returns the repos that the user with the specified userID has
-// starred
-func getStarredRepos(ctx std_context.Context, user *user_model.User, private bool, listOptions db.ListOptions) ([]*api.Repository, error) {
-	starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	repos := make([]*api.Repository, len(starredRepos))
-	for i, starred := range starredRepos {
-		// ruleid:forgejo-api-suspicious-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, starred, user)
-		if err != nil {
-			return nil, err
-		}
-		repos[i] = convert.ToRepo(ctx, starred, permission)
-	}
-	return repos, nil
-}
--- a/.semgrep/tests/auth.go
+++ b/.semgrep/tests/auth.go
@ -1,58 +0,0 @@
-// Copyright 2016 The Gogs Authors. All rights reserved.
-// Copyright 2020 The Gitea Authors.
-// SPDX-License-Identifier: MIT
-
-package repo
-
-import (
-	"net/http"
-
-	"forgejo.org/models/db"
-	access_model "forgejo.org/models/perm/access"
-	repo_model "forgejo.org/models/repo"
-	api "forgejo.org/modules/structs"
-	"forgejo.org/routers/api/v1/utils"
-	"forgejo.org/services/context"
-	"forgejo.org/services/convert"
-)
-
-// ListForks list a repository's forks
-func ListForks(ctx *context.APIContext) {
-	forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "GetForks", err)
-		return
-	}
-	apiForks := make([]*api.Repository, len(forks))
-	for i, fork := range forks {
-		// ruleid:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, fork, ctx.Doer)
-		// ok:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
-			return
-		}
-		apiForks[i] = convert.ToRepo(ctx, fork, permission)
-	}
-}
-
-// getStarredRepos returns the repos that the user with the specified userID has
-// starred
-func getStarredRepos(ctx std_context.Context, user *user_model.User, private bool, listOptions db.ListOptions) ([]*api.Repository, error) {
-	starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	repos := make([]*api.Repository, len(starredRepos))
-	for i, starred := range starredRepos {
-		// ruleid:forgejo-api-suspicious-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, starred, user)
-		if err != nil {
-			return nil, err
-		}
-		repos[i] = convert.ToRepo(ctx, starred, permission)
-	}
-	return repos, nil
-}
--- a/.semgrep/tests/go.go
+++ b/.semgrep/tests/go.go
@ -1,44 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-
-	_ "net/http/pprof" // Used for debugging if enabled and a web server is running
-
-	"forgejo.org/modules/setting"
-)
-
-func setPortEmptyCaseBad(port string) error {
-	setting.AppURL = strings.Replace(setting.AppURL, setting.HTTPPort, port, 1)
-	setting.HTTPPort = port
-
-	// ruleid:forgejo-switch-empty-case
-	switch setting.Protocol {
-	case setting.HTTPUnix:
-	case setting.FCGI:
-	case setting.FCGIUnix:
-	default:
-		defaultLocalURL := string(setting.Protocol) + "://"
-	}
-
-	// ok:forgejo-switch-empty-case
-	switch setting.Protocol {
-	case setting.HTTPUnix:
-		break
-	case setting.FCGI:
-		break
-	case setting.FCGIUnix:
-		break
-	default:
-		defaultLocalURL := string(setting.Protocol) + "://"
-	}
-
-	return nil
-}
--- a/.semgrep/tests/logic.go
+++ b/.semgrep/tests/logic.go
@ -1,35 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package actions
-
-import "xorm.io/builder"
-
-type FindRunJobOptions struct {
-	RepoID  int64
-	OwnerID int64
-}
-
-func (opts FindRunJobOptions) Bad() builder.Cond {
-	cond := builder.NewCond()
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
-	// ruleid:forgejo-logic-suspicious-OwnerID-check
-	if opts.OwnerID > 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-	return cond
-}
-
-func (opts FindRunJobOptions) Good() builder.Cond {
-	cond := builder.NewCond()
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
-	// ok:forgejo-logic-suspicious-OwnerID-check
-	if opts.OwnerID != 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-	return cond
-}
--- a/.semgrep/tests/xorm.go
+++ b/.semgrep/tests/xorm.go
@ -1,45 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package forgejo_migrations
-
-import (
-	"io/fs"
-
-	"forgejo.org/modules/timeutil"
-
-	"code.forgejo.org/xorm/xorm"
-)
-
-type ActionUser struct {
-	ID     int64 `xorm:"pk autoincr"`
-	UserID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
-	RepoID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(repository, id)"`
-
-	TrustedWithPullRequests bool
-
-	LastAccess timeutil.TimeStamp `xorm:"INDEX"`
-}
-
-func testSyncBad1(x *xorm.Engine) error {
-	// ruleid:xorm-sync-missing-ignore-drop-indices
-	return x.Sync(new(ActionUser))
-}
-
-func testSyncBad2(x *xorm.Engine) error {
-	// ruleid:xorm-sync-missing-ignore-drop-indices
-	_, err = x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: false}, bean)
-	return err
-}
-
-func testSyncGood1(x *xorm.Engine) error {
-	// ok:xorm-sync-missing-ignore-drop-indices
-	_, err = x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, bean)
-	return err
-}
-
-func testSyncGood2(x *fs.File) error {
-	// ok:xorm-sync-missing-ignore-drop-indices
-	_, err = x.Sync()
-	return err
-}
--- a/11
+++ b/11
@ -10,7 +10,7 @@

 # Javascript and CSS code.
 web_src/.* @beowulf @gusted
-web_src/css/modules/.* @0ko
+web_src/css/.* @0ko

 # HTML templates used by the backend.
 templates/.* @beowulf @gusted
@ -51,12 +51,3 @@ modules/structs/.* @Cyborus
 routers/api/v1/.* @Cyborus
 routers/api/forgejo/.* @Cyborus
 tests/integration/api_.* @Cyborus
-
-# Federation code, requires care to be taken with regards to interoperability
-# and backwards compatibility due to the way signatures work.
-services/federation/.* @famfo @0xllx0
-modules/forgefed/.* @famfo @0xllx0
-models/forgefed/.* @famfo @0xllx0
-routers/api/v1/activitypub/.* @famfo @0xllx0
-tests/integration/api_activitypub_.* @famfo @0xllx0
-tests/integration/activitypub_.* @famfo @0xllx0
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,15 +1,7 @@
-# Contributing to Forgejo
+# Forgejo Contributor Guide

-Thank you for improving Forgejo! This project is developed and maintained by a diverse and inclusive community of people from around the world. Please review our [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
+The Forgejo project is run by a community of people who are expected to follow this guide when cooperating on a simple bug fix as well as when changing the governance. For more information about the project, take a look at [the documentation explaining what Forgejo provides](README.md).

-#### About the Use of Coding Agents
+Sensitive security-related issues should be reported to [security@forgejo.org](mailto:security@forgejo.org) using [encryption](https://keyoxide.org/security@forgejo.org).

-Forgejo does not accept any works (code, documentation, ...) that are partially or fully authored by coding agents or similar software based on large language models (LLM), diffusion models, or similar technology (often called "AI"). See the [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md) for details.
-
-#### Reporting Security Vulnerabilities
-
-Please report all security related issues by sending an [encrypted](https://keyoxide.org/security@forgejo.org) email to [security@forgejo.org](mailto:security@forgejo.org). Please review our [Security Policy](https://codeberg.org/forgejo/governance/src/branch/main/SECURITY-POLICY.md) for details.
-
-#### Before Sending a PR
-
-Please read the relevant sections of the [Forgejo Contributor Guide](https://forgejo.org/docs/latest/contributor/) and the [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md) before submitting a pull request.
+You can find links to the different aspects of Developer documentation on this page: [Forgejo Contributor Guide](https://forgejo.org/docs/next/contributor/).
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.26-alpine3.23 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.25-alpine3.23 AS build-env

 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.26-alpine3.23 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.25-alpine3.23 AS build-env

 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
@ -86,8 +86,8 @@ RUN addgroup \
    -G git \
    git

-RUN mkdir -p /var/lib/gitea
-RUN chown git:git /var/lib/gitea
+RUN mkdir -p /var/lib/gitea /etc/gitea
+RUN chown git:git /var/lib/gitea /etc/gitea

 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
@ -103,9 +103,13 @@ ENV GITEA_CUSTOM=/var/lib/gitea/custom
 ENV GITEA_TEMP=/tmp/gitea
 ENV TMPDIR=/tmp/gitea

+# Legacy config file for backwards compatibility
+# TODO: remove on next major version release
+ENV GITEA_APP_INI_LEGACY=/etc/gitea/app.ini
+
 ENV GITEA_APP_INI=${GITEA_CUSTOM}/conf/app.ini
 ENV HOME="/var/lib/gitea/git"
-VOLUME ["/var/lib/gitea"]
+VOLUME ["/var/lib/gitea", "/etc/gitea"]
 WORKDIR /var/lib/gitea

 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
--- a/90
+++ b/90
@ -37,18 +37,17 @@ endif
 XGO_VERSION := go-1.21.x

 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.7.0 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.6.0 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.2 # renovate: datasource=go
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.34.0 # renovate: datasource=go
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datasource=go
+GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.46.0 # renovate: datasource=go
-ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.228.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
-MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.1 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.39.0 # renovate: datasource=go
+GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@42.39.2 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate

 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
@ -75,10 +74,6 @@ MAKE_EVIDENCE_DIR := .make_evidence
 ifeq ($(RACE_ENABLED),true)
 	GOFLAGS += -race
 	GOTESTFLAGS += -race
-	# The test binary calls itself on each git hook
-	# When the race detector is enabled, don't wait 1s before exiting.
-	# https://go.dev/doc/articles/race_detector
-	GOTESTCOMPILEDRUNPREFIX += GORACE="atexit_sleep_ms=0"
 endif

 STORED_VERSION_FILE := VERSION
@ -249,7 +244,7 @@ help:
 	@echo " - generate-license                 update license files"
 	@echo " - generate-gitignore               update gitignore files"
 	@echo " - generate-manpage                 generate manpage"
-	@echo " - generate-mockery                 generate mockery files"
+	@echo " - generate-gomock                  generate gomock files"
 	@echo " - generate-forgejo-api             generate the forgejo API from spec"
 	@echo " - forgejo-api-validate             check if the forgejo API matches the specs"
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
@ -327,7 +322,7 @@ git-check:
 node-check:
 	$(eval MIN_NODE_VERSION_STR := $(shell grep -Eo '"node":.*[0-9.]+"' package.json | sed -n 's/.*[^0-9.]\([0-9.]*\)"/\1/p'))
 	$(eval MIN_NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell echo '$(MIN_NODE_VERSION_STR)' | tr '.' ' ')))
-	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | sed 's:-.*::' | tr '.' ' ');))
+	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
 	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
 	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
 		echo "Forgejo requires Node.js $(MIN_NODE_VERSION_STR) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
@ -443,7 +438,7 @@ lint-frontend: lint-js tsc lint-css
 lint-frontend-fix: lint-js-fix lint-css-fix

 .PHONY: lint-backend
-lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale lint-locale-usage lint-disposable-emails lint-single-response
+lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale lint-locale-usage lint-disposable-emails

 .PHONY: lint-backend-fix
 lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig lint-disposable-emails-fix
@ -470,7 +465,7 @@ lint-swagger: node_modules

 .PHONY: lint-renovate
 lint-renovate: node_modules
-	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator --no-global .forgejo/renovate.json > .lint-renovate 2>&1 || true
+	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator > .lint-renovate 2>&1 || true
 	@if grep --quiet --extended-regexp -e '^( ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
 	@rm .lint-renovate

@ -490,23 +485,10 @@ RUN_DEADCODE = $(GO) run $(DEADCODE_PACKAGE) -generated=false -f='{{println .Pat

 .PHONY: lint-go
 lint-go:
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS) \
-	|| (code=$$?; echo "Please run 'make lint-go-fix' and commit the result"; exit $${code})
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS)
 	$(RUN_DEADCODE) > .cur-deadcode-out
-	@$(DIFF) .deadcode-out .cur-deadcode-out >.deadcode.diff || true
-	@if grep -qE '^[+][^+]' .deadcode.diff ; then \
-		cat .deadcode.diff ; \
-		echo "Looks like you added dead code, please evaluate and remove or use it."; \
-		echo "If you are sure the dead code should stay around, please run 'make lint-go-fix',"; \
-		echo "commit the result and explain the reason in the commit message / PR description."; \
-		exit 1; \
-	fi
-	@if grep -qE '^[-][^-]' .deadcode.diff ; then \
-		cat .deadcode.diff ; \
-		echo "Looks like you removed dead code. Thank you!"; \
-		echo "Run 'make lint-go-fix' and commit the result to accept."; \
-	fi
-	$(GO) run $(ERRORTYPE_PACKAGE) ./...
+	@$(DIFF) .deadcode-out .cur-deadcode-out \
+	|| (code=$$?; echo "Please run 'make lint-go-fix' and commit the result"; exit $${code})

 .PHONY: lint-go-fix
 lint-go-fix:
@ -530,10 +512,6 @@ lint-disposable-emails:
 lint-disposable-emails-fix:
 	$(GO) run build/generate-disposable-email.go -r $(DISPOSABLE_EMAILS_SHA)

-.PHONY: lint-single-response
-lint-single-response:
-	$(GO) run ./build/lint-single-response/cmd ./...
-
 .PHONY: security-check
 security-check:
 	$(GO) run $(GOVULNCHECK_PACKAGE) -show color ./...
@ -542,11 +520,6 @@ security-check:
 tsc: node_modules
 	npx tsc --noEmit

-# target for PRs to be pushed. Mandatory to succeed in CI
-.PHONY: pr-go
-pr-go: deps-backend deps-tools lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate
-	TAGS=bindata $(MAKE) backend
-
 ###
 # Development and testing targets
 ###
@ -570,12 +543,12 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)

 .PHONY: test-remote-cacher
 test-remote-cacher:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)

 .PHONY: test-frontend
 test-frontend: node_modules
@ -600,7 +573,7 @@ test-check:
 .PHONY: test\#%
 test\#%: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)

 coverage-merge:
 	rm -fr coverage/merged ; mkdir -p coverage/merged
@ -656,9 +629,7 @@ $(GO_LICENSE_FILE): go.mod go.sum
 	@rm -rf $(GO_LICENSE_TMP_DIR)

 generate-ini-sqlite:
-	sed \
-		-e 's|{{REPO_TEST_DIR}}|$(or $(REPO_TEST_DIR),$(CURDIR)/)|g' \
-		-e 's|{{PROJECT_ROOT}}|$(CURDIR)|g' \
+	sed -e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/sqlite.ini.tmpl > tests/sqlite.ini
@ -675,13 +646,11 @@ test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
 test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test

 generate-ini-mysql:
-	sed \
-		-e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
+	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
 		-e 's|{{TEST_MYSQL_DBNAME}}|${TEST_MYSQL_DBNAME}|g' \
 		-e 's|{{TEST_MYSQL_USERNAME}}|${TEST_MYSQL_USERNAME}|g' \
 		-e 's|{{TEST_MYSQL_PASSWORD}}|${TEST_MYSQL_PASSWORD}|g' \
-		-e 's|{{REPO_TEST_DIR}}|$(or $(REPO_TEST_DIR),$(CURDIR)/)|g' \
-		-e 's|{{PROJECT_ROOT}}|$(CURDIR)|g' \
+		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/mysql.ini.tmpl > tests/mysql.ini
@ -698,14 +667,12 @@ test-mysql\#%: integrations.mysql.test generate-ini-mysql
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test

 generate-ini-pgsql:
-	sed \
-		-e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
+	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
 		-e 's|{{TEST_PGSQL_DBNAME}}|${TEST_PGSQL_DBNAME}|g' \
 		-e 's|{{TEST_PGSQL_USERNAME}}|${TEST_PGSQL_USERNAME}|g' \
 		-e 's|{{TEST_PGSQL_PASSWORD}}|${TEST_PGSQL_PASSWORD}|g' \
 		-e 's|{{TEST_PGSQL_SCHEMA}}|${TEST_PGSQL_SCHEMA}|g' \
-		-e 's|{{REPO_TEST_DIR}}|$(or $(REPO_TEST_DIR),$(CURDIR)/)|g' \
-		-e 's|{{PROJECT_ROOT}}|$(CURDIR)|g' \
+		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
@ -982,13 +949,16 @@ deps-tools:
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
 	$(GO) install $(GOVULNCHECK_PACKAGE)
-	$(GO) install $(ERRORTYPE_PACKAGE)
-	$(GO) install $(MOCKERY_PACKAGE)
+	$(GO) install $(GOMOCK_PACKAGE)

 node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules

+.venv: poetry.lock
+	poetry install
+	@touch .venv
+
 .PHONY: fomantic
 fomantic:
 	rm -rf $(FOMANTIC_WORK_DIR)/build
@ -1038,9 +1008,9 @@ generate-license:
 generate-gitignore:
 	$(GO) run build/generate-gitignores.go

-.PHONY: generate-mockery
-generate-mockery:
-	$(GO) run $(MOCKERY_PACKAGE)
+.PHONY: generate-gomock
+generate-gomock:
+	$(GO) run $(GOMOCK_PACKAGE) -package mock -destination ./modules/queue/mock/redisuniversalclient.go forgejo.org/modules/nosql RedisClient

 .PHONY: generate-images
 generate-images: | node_modules
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build/lint-locale-usage/allowed-masked-usage.txt
+++ b/build/lint-locale-usage/allowed-masked-usage.txt
@ -6,12 +6,39 @@ translation_meta.test
 # this also gets instantiated as a Messenger once
 repo.migrate.migrating_failed.error

+# models/asymkey/gpg_key_object_verification.go: $ObjectVerification.Reason
+# unfortunately, it is non-trivial to parse all the occurences
+gpg.error.extract_sign
+gpg.error.failed_retrieval_gpg_keys
+gpg.error.generate_hash
+gpg.error.no_committer_account
+
+# models/system/notice.go: func (n *Notice) TrStr() string
+admin.notices.type_1
+admin.notices.type_2
+
 # modules/setting/ui.go
 themes.names.

 # services/context/context.go
 relativetime.

+# templates/repo/issue/view_content.tmpl: indirection via $closeTranslationKey
+repo.issues.close
+repo.pulls.close
+
+# templates/repo/issue/view_content/comments.tmpl: indirection via $refTr
+repo.issues.ref_closing_from
+repo.issues.ref_issue_from
+repo.issues.ref_pull_from
+repo.issues.ref_reopening_from
+
+# templates/repo/issue/view_content/comments.tmpl: ctx.Locale.Tr (printf "projects.type-%d.display_name" .OldProject.Type)
+projects.
+projects.type-1.display_name
+projects.type-2.display_name
+projects.type-3.display_name
+
 # templates/repo/settings/webhook/link_menu.tmpl, templates/webhook/new.tmpl: repo.settings.web_hook_name_
 # tests/integration/repo_archive_text_test.go
 repo.settings.
--- a/build/lint-locale-usage/bin/handle-go.go
+++ b/build/lint-locale-usage/bin/handle-go.go
@ -15,7 +15,6 @@ import (
 	"strings"

 	llu "forgejo.org/build/lint-locale-usage"
-	lluAsymKey "forgejo.org/models/asymkey/lint-locale-usage"
 	lluUnit "forgejo.org/models/unit/lint-locale-usage"
 	lluMigrate "forgejo.org/services/migrations/lint-locale-usage"
 )
@ -37,172 +36,142 @@ func HandleGoFile(handler llu.Handler, fname string, src any) error {
 	}

 	ast.Inspect(node, func(n ast.Node) bool {
-		return HandleGoNode(handler, fset, fname, n)
-	})
+		// search for function calls of the form `anything.Tr(any-string-lit, ...)`

-	return nil
-}
-
-func HandleGoNode(handler llu.Handler, fset *token.FileSet, fname string, n ast.Node) bool {
-	// search for function calls of the form `anything.Tr(any-string-lit, ...)`
-
-	switch n2 := n.(type) {
-	case *ast.CallExpr:
-		if len(n2.Args) == 0 {
-			return true
-		}
-		funSel, ok := n2.Fun.(*ast.SelectorExpr)
-		if !ok {
-			return true
-		}
-
-		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
-		if !ok {
-			return true
-		}
-
-		var gotUnexpectedInvoke *int
-
-		for _, argNum := range ltf {
-			if len(n2.Args) <= int(argNum) {
-				argc := len(n2.Args)
-				gotUnexpectedInvoke = &argc
-			} else {
-				handler.HandleGoTrArgument(fset, n2.Args[int(argNum)], "")
+		switch n2 := n.(type) {
+		case *ast.CallExpr:
+			if len(n2.Args) == 0 {
+				return true
 			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
-		}
-
-	case *ast.CompositeLit:
-		if strings.HasSuffix(fname, "models/unit/unit.go") {
-			lluUnit.HandleCompositeUnit(handler, fset, n2)
-		} else if strings.Contains(fname, "models/asymkey/") {
-			lluAsymKey.HandleCompositeErrorReason(handler, fset, n2)
-		}
-
-	case *ast.FuncDecl:
-		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKeyWeak"); matchInsPrefix != nil {
-			results := n2.Type.Results.List
-			if len(results) != 1 {
-				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
+			funSel, ok := n2.Fun.(*ast.SelectorExpr)
+			if !ok {
 				return true
 			}

-			ast.Inspect(n2.Body, func(n ast.Node) bool {
-				// search for return stmts
-				// TODO: what about nested functions?
-				if ret, ok := n.(*ast.ReturnStmt); ok {
-					for _, res := range ret.Results {
-						ast.Inspect(res, func(n ast.Node) bool {
-							if expr, ok := n.(ast.Expr); ok {
-								handler.HandleGoTrArgument(fset, expr, *matchInsPrefix)
-							}
-							return true
-						})
-					}
-					return false
+			ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
+			if !ok {
+				return true
+			}
+
+			var gotUnexpectedInvoke *int
+
+			for _, argNum := range ltf {
+				if len(n2.Args) <= int(argNum) {
+					argc := len(n2.Args)
+					gotUnexpectedInvoke = &argc
+				} else {
+					handler.HandleGoTrArgument(fset, n2.Args[int(argNum)], "")
 				}
-				return true
-			})
-		}
-
-		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey"); matchInsPrefix != nil {
-			results := n2.Type.Results.List
-			if len(results) != 1 {
-				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
-				return true
 			}

-			ast.Inspect(n2.Body, func(n ast.Node) bool {
-				// search for return stmts
-				if ret, ok := n.(*ast.ReturnStmt); ok {
-					for _, res := range ret.Results {
-						handler.HandleGoTrArgument(fset, res, *matchInsPrefix)
-					}
-					return false
-				} else if _, ok := n.(*ast.FuncDecl); ok {
-					ast.Inspect(n, func(n2 ast.Node) bool {
-						return HandleGoNode(handler, fset, fname, n2)
-					})
-					// don't search inside nested functions for return stmts
-					return false
+			if gotUnexpectedInvoke != nil {
+				handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
+			}
+
+		case *ast.CompositeLit:
+			if strings.HasSuffix(fname, "models/unit/unit.go") {
+				lluUnit.HandleCompositeUnit(handler, fset, n2)
+			}
+
+		case *ast.FuncDecl:
+			matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey")
+			if matchInsPrefix != nil {
+				results := n2.Type.Results.List
+				if len(results) != 1 {
+					handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
+					return true
 				}
-				return true
-			})
-		}

-		if strings.HasSuffix(fname, "services/migrations/migrate.go") {
-			lluMigrate.HandleMessengerInFunc(handler, fset, n2)
-		}
-		return true
-	case *ast.GenDecl:
-		switch n2.Tok {
-		case token.CONST, token.VAR:
-			matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
-			if matchInsPrefix == nil {
-				return true
-			}
-			for _, spec := range n2.Specs {
-				// interpret all contained strings as message IDs
-				ast.Inspect(spec, func(n ast.Node) bool {
-					if argLit, ok := n.(*ast.BasicLit); ok {
-						handler.HandleGoTrBasicLit(fset, argLit, *matchInsPrefix)
+				ast.Inspect(n2.Body, func(n ast.Node) bool {
+					// search for return stmts
+					// TODO: what about nested functions?
+					if ret, ok := n.(*ast.ReturnStmt); ok {
+						for _, res := range ret.Results {
+							ast.Inspect(res, func(n ast.Node) bool {
+								if expr, ok := n.(ast.Expr); ok {
+									handler.HandleGoTrArgument(fset, expr, *matchInsPrefix)
+								}
+								return true
+							})
+						}
 						return false
 					}
 					return true
 				})
 			}

-		case token.TYPE:
-			// modules/web/middleware/binding.go:Validate uses the convention that structs
-			// entries can have tags.
-			// In particular, `locale:$msgid` should be handled; any fields with `form:-` shouldn't.
-			// Problem: we don't know which structs are forms, actually.
-
-			for _, spec := range n2.Specs {
-				tspec := spec.(*ast.TypeSpec)
-				structNode, ok := tspec.Type.(*ast.StructType)
-				if !ok || !(strings.HasSuffix(tspec.Name.Name, "Form") ||
-					(tspec.Doc != nil &&
-						slices.ContainsFunc(tspec.Doc.List, func(c *ast.Comment) bool {
-							return c.Text == "// swagger:model"
-						}))) {
-					continue
+			if strings.HasSuffix(fname, "services/migrations/migrate.go") {
+				lluMigrate.HandleMessengerInFunc(handler, fset, n2)
+			}
+			return true
+		case *ast.GenDecl:
+			switch n2.Tok {
+			case token.CONST, token.VAR:
+				matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
+				if matchInsPrefix == nil {
+					return true
 				}
-				for _, field := range structNode.Fields.List {
-					if field.Names == nil {
+				for _, spec := range n2.Specs {
+					// interpret all contained strings as message IDs
+					ast.Inspect(spec, func(n ast.Node) bool {
+						if argLit, ok := n.(*ast.BasicLit); ok {
+							handler.HandleGoTrBasicLit(fset, argLit, *matchInsPrefix)
+							return false
+						}
+						return true
+					})
+				}
+
+			case token.TYPE:
+				// modules/web/middleware/binding.go:Validate uses the convention that structs
+				// entries can have tags.
+				// In particular, `locale:$msgid` should be handled; any fields with `form:-` shouldn't.
+				// Problem: we don't know which structs are forms, actually.
+
+				for _, spec := range n2.Specs {
+					tspec := spec.(*ast.TypeSpec)
+					structNode, ok := tspec.Type.(*ast.StructType)
+					if !ok || !(strings.HasSuffix(tspec.Name.Name, "Form") ||
+						(tspec.Doc != nil &&
+							slices.ContainsFunc(tspec.Doc.List, func(c *ast.Comment) bool {
+								return c.Text == "// swagger:model"
+							}))) {
 						continue
 					}
-					if len(field.Names) != 1 {
-						handler.OnWarning(fset, field.Type.Pos(), "unsupported multiple field names")
-						continue
-					}
-					msgidPos := field.Names[0].NamePos
-					msgid := "form." + field.Names[0].Name
-					if field.Tag != nil && field.Tag.Kind == token.STRING {
-						rawTag, err := strconv.Unquote(field.Tag.Value)
-						if err != nil {
-							handler.OnWarning(fset, field.Tag.ValuePos, "invalid tag value encountered")
+					for _, field := range structNode.Fields.List {
+						if field.Names == nil {
 							continue
 						}
-						tag := reflect.StructTag(rawTag)
-						if tag.Get("form") == "-" {
+						if len(field.Names) != 1 {
+							handler.OnWarning(fset, field.Type.Pos(), "unsupported multiple field names")
 							continue
 						}
-						tmp := tag.Get("locale")
-						if len(tmp) != 0 {
-							msgidPos = field.Tag.ValuePos
-							msgid = tmp
+						msgidPos := field.Names[0].NamePos
+						msgid := "form." + field.Names[0].Name
+						if field.Tag != nil && field.Tag.Kind == token.STRING {
+							rawTag, err := strconv.Unquote(field.Tag.Value)
+							if err != nil {
+								handler.OnWarning(fset, field.Tag.ValuePos, "invalid tag value encountered")
+								continue
+							}
+							tag := reflect.StructTag(rawTag)
+							if tag.Get("form") == "-" {
+								continue
+							}
+							tmp := tag.Get("locale")
+							if len(tmp) != 0 {
+								msgidPos = field.Tag.ValuePos
+								msgid = tmp
+							}
 						}
+						handler.OnMsgid(fset, msgidPos, msgid, true)
 					}
-					handler.OnMsgid(fset, msgidPos, msgid, true)
 				}
 			}
 		}
-	}

-	return true
+		return true
+	})
+
+	return nil
 }
--- a/build/lint-locale-usage/bin/lint-locale-usage.go
+++ b/build/lint-locale-usage/bin/lint-locale-usage.go
@ -13,7 +13,6 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
-	"regexp"
 	"sort"
 	"strings"

@ -45,57 +44,12 @@ type StringTrie interface {

 type StringTrieMap map[string]StringTrie

-func printfPatternToRegex(key string) (string, bool) {
-	parts := strings.Split(key, "%")
-	if len(parts) < 2 {
-		return key, false
-	}
-	var pattern strings.Builder
-	pattern.WriteString("^")
-	pattern.WriteString(parts[0])
-	skip := false
-	for _, part := range parts[1:] {
-		if skip {
-			skip = false
-			continue
-		}
-		if len(part) == 0 {
-			// "%%"
-			pattern.WriteString("%")
-			continue
-		}
-		switch part[0] {
-		case 'd':
-			pattern.WriteString("[0-9]+")
-		default:
-			pattern.WriteString("[A-Za-z0-9]*")
-		}
-		pattern.WriteString(part[1:])
-	}
-	pattern.WriteString("$")
-	return pattern.String(), true
-}
-
 func (m StringTrieMap) Matches(key []string) bool {
 	if len(key) == 0 || m == nil {
 		return true
 	}
 	value, ok := m[key[0]]
 	if !ok {
-		for altKey, value := range m {
-			// TODO: cache mapping $printfFormatString -> $regexpCompileOutput
-			pattern, found := printfPatternToRegex(altKey)
-			if !found {
-				continue
-			}
-			matched, err := regexp.MatchString(pattern, key[0])
-			if err != nil {
-				panic(fmt.Sprintf("unable to compile regexp '%s': %s", pattern, err.Error()))
-			}
-			if matched && (value == nil || value.Matches(key[1:])) {
-				return true
-			}
-		}
 		return false
 	}
 	if value == nil {
@ -147,7 +101,7 @@ func ParseAllowedMaskedUsages(fname string, usedMsgids container.Set[string], al
 		if line == "" || strings.HasPrefix(line, "#") {
 			continue
 		}
-		if linePrefix, found := strings.CutSuffix(line, "."); found || strings.Contains(line, "%") {
+		if linePrefix, found := strings.CutSuffix(line, "."); found {
 			allowedMaskedPrefixes.Insert(strings.Split(linePrefix, "."))
 		} else {
 			if !chkMsgid(line) {
@ -191,14 +145,9 @@ func Usage() {

 	fmt.Fprintf(outp, "\nSpecial Go doc comments:\n")
 	for _, i := range []string{
-		"//llu:returnsTrKeyWeak",
-		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs (allows nesting inside complicated function calls)",
-		"\tWARNING: this currently doesn't support nested functions properly",
-		"",
 		"//llu:returnsTrKey",
 		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs (doesn't allow nesting inside complicated function calls)",
+		"\tthat the function returns message IDs",
 		"\tWARNING: this currently doesn't support nested functions properly",
 		"",
 		"//llu:returnsTrKeySuffix prefix.",
@ -311,10 +260,6 @@ func main() {
 	}

 	handler := llu.Handler{
-		OnMsgidPattern: func(fset *token.FileSet, pos token.Pos, msgidPattern string) {
-			msgidPatternSplit := strings.Split(msgidPattern, ".")
-			allowedMaskedPrefixes.Insert(msgidPatternSplit)
-		},
 		OnMsgidPrefix: func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool) {
 			msgidPrefixSplit := strings.Split(msgidPrefix, ".")
 			if !truncated {
@ -325,10 +270,6 @@ func main() {
 			}
 		},
 		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string, weak bool) {
-			if strings.Contains(msgid, "%") {
-				fmt.Printf("%s:\tunexpected msgid pattern: %s\n", fset.Position(pos).String(), msgid)
-				return
-			}
 			if !msgids.Contains(msgid) {
 				if weak && allowWeakMissingMsgids {
 					return
@ -361,7 +302,7 @@ func main() {
 			if name == "docker" || name == ".git" || name == "node_modules" {
 				return fs.SkipDir
 			}
-		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" || fpath == "modules/translation/i18n/i18n_ini_test.go" {
+		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" {
 			// skip false positives
 		} else if strings.HasSuffix(name, ".go") {
 			onError(HandleGoFile(handler, fpath, nil))
--- a/build/lint-locale-usage/handle-go.go
+++ b/build/lint-locale-usage/handle-go.go
@ -34,14 +34,12 @@ func (handler Handler) HandleGoTrBasicLit(fset *token.FileSet, argLit *ast.Basic
 }

 func (handler Handler) HandleGoTrArgument(fset *token.FileSet, n ast.Expr, prefix string) {
-	switch n := n.(type) {
-	case *ast.BasicLit:
-		handler.HandleGoTrBasicLit(fset, n, prefix)
-
-	case *ast.BinaryExpr:
-		if n.Op != token.ADD {
+	if argLit, ok := n.(*ast.BasicLit); ok {
+		handler.HandleGoTrBasicLit(fset, argLit, prefix)
+	} else if argBinExpr, ok := n.(*ast.BinaryExpr); ok {
+		if argBinExpr.Op != token.ADD {
 			// pass
-		} else if argLit, ok := n.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
+		} else if argLit, ok := argBinExpr.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
 			// extract string content
 			arg, err := strconv.Unquote(argLit.Value)
 			if err != nil {
@ -55,39 +53,6 @@ func (handler Handler) HandleGoTrArgument(fset *token.FileSet, n ast.Expr, prefi
 			}
 			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
 		}
-
-	case *ast.CallExpr:
-		if selExpr, ok := n.Fun.(*ast.SelectorExpr); ok {
-			if xIdent, xok := selExpr.X.(*ast.Ident); !xok || xIdent.Name != "fmt" {
-				return
-			}
-			if selExpr.Sel.Name != "Sprintf" {
-				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function encountered: %s", selExpr.Sel.Name))
-				return
-			}
-			if len(n.Args) == 0 {
-				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function invocation (no arguments) of '%s'", selExpr.Sel.Name))
-				return
-			}
-
-			if argLit, ok := n.Args[0].(*ast.BasicLit); ok && argLit.Kind == token.STRING {
-				// extract string content
-				arg, err := strconv.Unquote(argLit.Value)
-				if err != nil {
-					return
-				}
-				if strings.Contains(arg, " ") {
-					handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf(
-						"formatting function invocation of '%s' with weird msgid format string: %s",
-						selExpr.Sel.Name,
-						arg,
-					))
-					return
-				}
-				// found interesting strings
-				handler.OnMsgidPattern(fset, argLit.ValuePos, prefix+arg)
-			}
-		}
 	}
 }

--- a/build/lint-locale-usage/handle-tmpl.go
+++ b/build/lint-locale-usage/handle-tmpl.go
@ -60,13 +60,9 @@ func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.N

 		case tmplParser.NodeField:
 			nodeField := nodeCommand.Args[0].(*tmplParser.FieldNode)
-			if len(nodeField.Ident) != 2 || nodeField.Ident[0] != "locale" {
+			if len(nodeField.Ident) != 2 || !(nodeField.Ident[0] == "locale" || nodeField.Ident[0] == "Locale") {
 				return
 			}
-			resolvedPos := fset.PositionFor(token.Pos(nodeCommand.Pos), false)
-			if !strings.Contains(resolvedPos.Filename, "templates/mail/") {
-				handler.OnWarning(fset, token.Pos(nodeCommand.Pos), "encountered unexpected .locale usage")
-			}
 			funcname = nodeField.Ident[1]

 		case tmplParser.NodeVariable:
@ -150,12 +146,16 @@ func (handler Handler) handleTemplateMsgid(fset *token.FileSet, node tmplParser.
 			handler.OnMsgid(fset, stringPos, msgidPrefix, false)
 		} else {
 			if nodeIdent.Ident == "printf" {
-				// found interesting strings
-				if !(strings.HasSuffix(msgidPrefix, ".%s") && strings.Count(msgidPrefix, "%") == 1) {
-					handler.OnMsgidPattern(fset, stringPos, msgidPrefix)
+				parts := strings.SplitN(msgidPrefix, "%", 2)
+				if len(parts) != 2 {
+					handler.OnWarning(
+						fset,
+						stringPos,
+						fmt.Sprintf("unsupported invocation of locate function (format string doesn't match \"prefix%%smth\" pattern): %s", nodeString.String()),
+					)
 					return
 				}
-				msgidPrefix = strings.TrimSuffix(msgidPrefix, "%s")
+				msgidPrefix = parts[0]
 			}

 			msgidPrefixFin, truncated := PrepareMsgidPrefix(msgidPrefix)
--- a/build/lint-locale-usage/handler.go
+++ b/build/lint-locale-usage/handler.go
@ -47,7 +47,6 @@ func InitLocaleTrFunctions() map[string][]uint {
 type Handler struct {
 	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string, weak bool)
 	OnMsgidPrefix      func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool)
-	OnMsgidPattern     func(fset *token.FileSet, pos token.Pos, msgidPattern string)
 	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
 	OnWarning          func(fset *token.FileSet, pos token.Pos, msg string)
 	LocaleTrFunctions  map[string][]uint
--- a/build/lint-locale/lint-locale.go
+++ b/build/lint-locale/lint-locale.go
@ -191,24 +191,5 @@ func main() {
 		}
 	}

-	if exitCode != 0 {
-		fmt.Println(dmp.DiffPrettyText([]diffmatchpatch.Diff{{
-			Type: diffmatchpatch.DiffEqual,
-			Text: "Please adjust the locale files as suggested above (",
-		}, {
-			Type: diffmatchpatch.DiffDelete,
-			Text: "red",
-		}, {
-			Type: diffmatchpatch.DiffEqual,
-			Text: ": removal, ",
-		}, {
-			Type: diffmatchpatch.DiffInsert,
-			Text: "green",
-		}, {
-			Type: diffmatchpatch.DiffEqual,
-			Text: ": insertion)",
-		}}))
-	}
-
 	os.Exit(exitCode)
 }
--- a/build/lint-single-response/README.md
+++ b/build/lint-single-response/README.md
@ -1,44 +0,0 @@
-# lint-single-response
-
-The lint-single-response Go analyzer attempts to prevent a common problem in Forgejo where it is possible for a web handler to provide a response to a request, and then continue code execution unintentionally.  For example:
-
-```go
-err := json.Unmarshal(data, &claims)
-if err != nil {
-    ctx.Error(http.StatusInternalServerError, "Error in unmarshal", err)
-    // Oops, I forgot to `return` here...
-}
-// ... more work occurs ...
-ctx.JSON(http.StatusOK, resp)
-```
-
-In order to detect these cases, lint-single-response contains a list of functions that deliver a web response.  When any of those functions are used within a function, the control flow must not perform any work after the function is invoked -- it can only return and exit the function.
-
-Methods named `Test...` are omitted from analysis, as this naming scheme suggests a test case where an error would have no user impact, and such methods sometimes invoke web response methods in unusual but safe patterns.
-
-## Limitations
-
-lint-single-response only works within the control-flow of a single function.  If a web handler calls another function that invokes `ctx.Error(...)`, then there is no guarantee that the web handler doesn't go on to do more work.  This could be addressed in the future but would require a multi-pass analysis -- all functions that invoke web responses would need to be identified, then all functions that invoke those functions would need to be identified, recursively, until no new functions are identified.  And then lint-single-response's current behaviour would need to be implemented against that entire set of functions.
-
-## Usage
-
-Direct invocation:
-
-```
-go run ./build/lint-single-response/cmd ./...
-```
-
-It is also integrated into Forgejo's `Makefile`, and can be run directly as the target `make lint-single-response`, or as part of `make lint-backend` or `make pr-go`.
-
-## Testing
-
-lint-single-response contains internal tests to verify that it works correctly. These tests are included in `make test-backend`, but, Go tends to think that they're cached even if data in `testdata` is changed. For development and testing of lint-single-response, it is recommended to run the tests with `-count 1` to avoid caching:
-
-```
-GOTESTFLAGS="-count 1" GO_TEST_PACKAGES=forgejo.org/build/lint-single-response make test-backend
-```
-
-Testing is done with the [`analysistest` package](https://pkg.go.dev/golang.org/x/tools@v0.46.0/go/analysis/analysistest#Run). In short, comments `// want ...` indicate that a lint diagnostic must be produced on that line for the test to pass.
-
-An empty implementation of `context.Base`, `context.Context`, and `context.APIContext` are included in the test package so that the exact method signatures being used in Forgejo can be covered in the tests.
-
--- a/build/lint-single-response/cmd/main.go
+++ b/build/lint-single-response/cmd/main.go
@ -1,14 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package main
-
-import (
-	singleresponse "forgejo.org/build/lint-single-response"
-
-	"golang.org/x/tools/go/analysis/singlechecker"
-)
-
-func main() {
-	singlechecker.Main(singleresponse.Analyzer)
-}
--- a/build/lint-single-response/singleresponse.go
+++ b/build/lint-single-response/singleresponse.go
@ -1,218 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package singleresponse
-
-import (
-	"fmt"
-	"go/ast"
-	"go/types"
-	"strings"
-
-	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/ctrlflow"
-	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/ast/inspector"
-	"golang.org/x/tools/go/cfg"
-)
-
-var Analyzer = &analysis.Analyzer{
-	Name:     "singleresponse",
-	Doc:      "checks that Forgejo web response methods are only invoked once in a control flow",
-	Requires: []*analysis.Analyzer{inspect.Analyzer, ctrlflow.Analyzer},
-	Run:      run,
-}
-
-func run(pass *analysis.Pass) (any, error) {
-	insp := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
-	cfgs := pass.ResultOf[ctrlflow.Analyzer].(*ctrlflow.CFGs)
-
-	webFuncs := map[string]map[string]any{
-		"*forgejo.org/services/context.APIContext": {
-			"Error":                 true,
-			"InternalServerError":   true,
-			"NotFound":              true,
-			"NotFoundOrServerError": true,
-			"ServerError":           true,
-		},
-		"*forgejo.org/services/context.Base": {
-			"Error":               true,
-			"JSON":                true,
-			"JSONWithContentType": true,
-			"PlainText":           true,
-			"PlainTextBytes":      true,
-			"Redirect":            true,
-			"ServeContent":        true,
-		},
-		"*forgejo.org/services/context.Context": {
-			"HTML":                  true,
-			"JSONError":             true,
-			"JSONOK":                true,
-			"JSONRedirect":          true,
-			"JSONTemplate":          true,
-			"NotFound":              true,
-			"NotFoundOrServerError": true,
-			"RedirectToFirst":       true,
-			"RenderWithErr":         true,
-			"ServerError":           true,
-		},
-		// Future: RedirectToUser does not accept a ctx LHS, but rather a first parameter -- needs different
-		// implementation of detection, or, refactoring: "RedirectToUser": true,
-	}
-
-	insp.Nodes([]ast.Node{
-		(*ast.FuncDecl)(nil),
-		(*ast.FuncLit)(nil),
-	}, func(n ast.Node, push bool) bool {
-		switch fn := n.(type) {
-		case *ast.FuncDecl:
-			// Skip test methods which are assumed to know what they're doing.
-			if strings.HasPrefix(fn.Name.Name, "Test") {
-				return false
-			}
-			cfg := cfgs.FuncDecl(fn)
-			if cfg == nil {
-				return true
-			}
-			inspectFunction(cfg, pass, webFuncs)
-		case *ast.FuncLit:
-			cfg := cfgs.FuncLit(fn)
-			if cfg == nil {
-				return true
-			}
-			inspectFunction(cfg, pass, webFuncs)
-		}
-		return false
-	})
-
-	return nil, nil //nolint:nilnil
-}
-
-func inspectFunction(cfg *cfg.CFG, pass *analysis.Pass, webFuncs map[string]map[string]any) {
-	for _, block := range cfg.Blocks {
-		for nodeIdx, node := range block.Nodes {
-			ast.Inspect(node, func(n ast.Node) bool {
-				// Don't recurse inside of a function literal inside of a function declaration, as this isn't
-				// related to the control flow that we're currently iterating through.
-				_, isFuncLit := n.(*ast.FuncLit)
-				if isFuncLit {
-					return false
-				}
-
-				call, isCall := n.(*ast.CallExpr)
-				if !isCall {
-					return true
-				}
-
-				// SelectorExpr: "an expression followed by a selector", like "ctx.Error".  All the functions
-				// we're interested in match this pattern.
-				selector, isSelector := call.Fun.(*ast.SelectorExpr)
-				if !isSelector {
-					return false
-				}
-
-				// We almost get the right information easily from the selector by using
-				// pass.TypesInfo.Uses[selector.X] -- but that will be the type of the variable that we're
-				// invoking a method on, and not the type of the method receiver.  eg. on `ctx
-				// *context.Context`, `ctx.ServerError(...)` will always be `*context.Context`, even if
-				// `ServerError` is actually implemented on `*context.Base`.
-				//
-				// We need to dig a little deeper here to get the function type, then its signature, and then
-				// it's receiver type, and we'll really have the method that will be invoked rather than just
-				// the variable that it is called upon.
-				selection, hasSelection := pass.TypesInfo.Selections[selector]
-				if !hasSelection {
-					return false
-				}
-				objFn, ok := selection.Obj().(*types.Func)
-				if !ok {
-					return false
-				}
-				fnSig, ok := objFn.Type().(*types.Signature)
-				if !ok {
-					return false
-				}
-				callType := fnSig.Recv().Type().String()
-
-				typeMap, inTypeMap := webFuncs[callType]
-				if inTypeMap {
-					callName := selector.Sel.Name
-					_, inFuncMap := typeMap[callName]
-					if inFuncMap {
-						// OK... we've found a call to a terminating function at
-						// cfg.Blocks[blockIdx].Nodes[nodeIdx].
-						trace := false
-						// For code-time debugging/analysis, set trace=true when digging into why something isn't
-						// working:
-						// if callName == "InternalServerError" {
-						// 	trace = true
-						// }
-						sketchy := inspectCallSite(block, nodeIdx, trace)
-						if sketchy != nil {
-							pass.Reportf(node.Pos(), "Invocation of %s / %s, and control flow continues afterwards.", callType, callName)
-						}
-					}
-				}
-
-				return false
-			})
-		}
-	}
-}
-
-type sketchyCall struct{}
-
-func inspectCallSite(callingBlock *cfg.Block, callingNodeIndex int, trace bool) *sketchyCall {
-	// Inspect the remainder of the block passed in, after callingNodeIndex, for "bad" statements
-	if trace {
-		println("remainder of block...")
-	}
-	for _, nextStmt := range callingBlock.Nodes[callingNodeIndex+1:] {
-		if trace {
-			println(fmt.Sprintf("\tnextStmt = %#v", nextStmt))
-		}
-		// Only `return` is permitted after one of the web return functions; maybe this needs to expand in the future
-		// but haven't identified any cases in Forgejo yet.
-		_, stmtOk := nextStmt.(*ast.ReturnStmt)
-		if !stmtOk {
-			if trace {
-				println(fmt.Sprintf("\tfound sketchy statement = %#v", nextStmt))
-			}
-			// Future: add information about what was following the call, so that the diagnostic can be more specific
-			// about the problematic next statement identified... but so far it seems pretty easy to analyze and fix.
-			return &sketchyCall{}
-		}
-	}
-	if trace {
-		println("nothing found in remainder of block")
-		println(fmt.Sprintf("%d Succs blocks will be investigated", len(callingBlock.Succs)))
-	}
-
-	// Now, assuming that there was nothing problematic found in the remainder of the block, use the control-flow graph
-	// to identify where code execution would continue and see if there's anything inappropriate in it.
-	//
-	// https://pkg.go.dev/golang.org/x/tools@v0.46.0/go/cfg#Block -> A block may have 0-2 successors: zero for a return
-	// block or a block that calls a function such as panic that never returns; one for a normal (jump) block; and two
-	// for a conditional (if) block.
-	//
-	// It's possible for the next block to have either no nodes, or, no nodes that continue to do work and trigger
-	// detection... but then to proceed into *another* block that does.  So this investigation has to be done
-	// recursively.  Control-flow graph should prevent us from needing to stop this recursive detection; we'll hit a
-	// return statement or end of function and that's the end of the CFG, and that's also the time we'd want to stop
-	// looking, so no additional exit logic should be needed.
-	for i, succ := range callingBlock.Succs {
-		if trace {
-			println(fmt.Sprintf("Succs[%d], block index %d, recursing:", i, succ.Index))
-		}
-		// `-1` is used to start at index 0 in the nodes.
-		sketchy := inspectCallSite(succ, -1, trace)
-		if trace {
-			println(fmt.Sprintf("Succs[%d], block index %d, had sketchy = %#v", i, succ.Index, sketchy))
-		}
-		if sketchy != nil {
-			return sketchy
-		}
-	}
-
-	return nil
-}
--- a/build/lint-single-response/singleresponse_test.go
+++ b/build/lint-single-response/singleresponse_test.go
@ -1,14 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package singleresponse
-
-import (
-	"testing"
-
-	"golang.org/x/tools/go/analysis/analysistest"
-)
-
-func TestSingleResponse(t *testing.T) {
-	analysistest.Run(t, analysistest.TestData(), Analyzer, "a")
-}
--- a/build/lint-single-response/testdata/src/a/api.go
+++ b/build/lint-single-response/testdata/src/a/api.go
@ -1,70 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package a
-
-import (
-	"errors"
-
-	"forgejo.org/services/context"
-)
-
-func work() {}
-
-func directApiCallFine(ctx *context.APIContext) {
-	ctx.Error(500, "title", nil)
-}
-
-// Directly call APIContext functions, then "do work", triggering a linting error:
-
-func directApiCallError(ctx *context.APIContext) {
-	ctx.Error(500, "title", nil) // want "Invocation of (.*) / Error, and control flow continues afterwards."
-	work()
-}
-
-func directApiCallInternalServerError(ctx *context.APIContext) {
-	ctx.InternalServerError(errors.New("something")) // want "Invocation of (.*) / InternalServerError, and control flow continues afterwards."
-	work()
-}
-
-func directApiCallNotFound(ctx *context.APIContext) {
-	ctx.NotFound("title") // want "Invocation of (.*) / NotFound, and control flow continues afterwards."
-	work()
-}
-
-func directApiCallNotFoundOrServerError(ctx *context.APIContext) {
-	ctx.NotFoundOrServerError("logMsg", func(err error) bool { return false }, errors.New("something")) // want "Invocation of (.*) / NotFoundOrServerError, and control flow continues afterwards."
-	work()
-}
-
-func directApiCallServerError(ctx *context.APIContext) {
-	ctx.ServerError("something", errors.New("something")) // want "Invocation of (.*) / ServerError, and control flow continues afterwards."
-	work()
-}
-
-// Call methods on ctx that will go to the `*Base` implementation:
-
-func indirectApiCallJSON(ctx *context.APIContext) {
-	ctx.JSON(200, "something") // want "Invocation of (.*).Base / JSON, and control flow continues afterwards."
-	work()
-}
-
-func indirectApiCallPlainText(ctx *context.APIContext) {
-	ctx.PlainText(200, "something") // want "Invocation of (.*).Base / PlainText, and control flow continues afterwards."
-	work()
-}
-
-func indirectApiCallPlainTextBytes(ctx *context.APIContext) {
-	ctx.PlainTextBytes(200, []byte{}) // want "Invocation of (.*).Base / PlainTextBytes, and control flow continues afterwards."
-	work()
-}
-
-func indirectApiCallRedirect(ctx *context.APIContext) {
-	ctx.Redirect("/somewhere") // want "Invocation of (.*).Base / Redirect, and control flow continues afterwards."
-	work()
-}
-
-func indirectApiCallServeContent(ctx *context.APIContext) {
-	ctx.ServeContent(nil, nil) // want "Invocation of (.*).Base / ServeContent, and control flow continues afterwards."
-	work()
-}
--- a/build/lint-single-response/testdata/src/a/flow.go
+++ b/build/lint-single-response/testdata/src/a/flow.go
@ -1,127 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package a
-
-import (
-	"errors"
-	"html/template"
-	"math/rand/v2"
-
-	"forgejo.org/services/context"
-)
-
-func controlFlowIf(ctx *context.APIContext) {
-	if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-	}
-
-	work()
-
-	if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // no want
-		return
-	}
-
-	work()
-
-	if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // no want
-		return
-	} else {
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-	}
-
-	if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // no want
-		return
-	} else if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // no want
-		return
-	} else if rand.Float64() > 0.1 {
-		ctx.InternalServerError(errors.New("something")) // want "Invocation of (.*) and control flow continues afterwards."
-	} else {
-		ctx.Error(500, "title", nil) // no want
-		return
-	}
-
-	work()
-
-	if rand.Float64() > 0.1 {
-		ctx.Error(500, "title", nil) // no want -- method ends either way
-	} else {
-		ctx.Error(500, "title", nil) // no want -- method ends either way
-	}
-}
-
-func controlFlowSwitch(ctx *context.APIContext) {
-	switch {
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // no want
-		return
-	}
-
-	work()
-
-	switch {
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-		fallthrough
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // no want
-		return
-	}
-
-	work()
-
-	switch {
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // no want -- method ends either way
-	case rand.Float64() > 0.1:
-		ctx.Error(500, "title", nil) // no want -- method ends either way
-	}
-}
-
-func controlFlowLoop(ctx *context.APIContext) {
-	for range []int{1, 2, 3} {
-		ctx.Error(500, "title", nil) // want "Invocation of (.*) and control flow continues afterwards."
-	}
-
-	for range []int{1, 2, 3} {
-		ctx.Error(500, "title", nil)
-		return
-	}
-
-	for range []int{1, 2, 3} {
-		ctx.Error(500, "title", nil)
-		break
-	}
-	return
-}
-
-func controlFlowInternalDecl(ctx *context.Context) {
-	work()
-	renderWithError := func(msg template.HTML) {
-		ctx.RenderWithErr(msg, "tplAccessTokenEdit", nil) // no want -- within the context of `renderWithError` this is fine
-	}
-	if rand.Float64() > 0.1 {
-		renderWithError("")
-		return
-	}
-	if rand.Float64() > 0.1 {
-		// Future: would love if call to another method which calls ctx.*, followed by no `return`, could cause a
-		// diagnostic -- but that may require a multi-pass analysis to do a good job generally.  With a local function
-		// declaration it's more feasible but it's also not very common, may not be worth that effort.
-		renderWithError("")
-	}
-	work()
-}
-
-var localFunc = func(ctx *context.Context) {
-	ctx.PlainText(200, "title") // want "Invocation of (.*) / PlainText, and control flow continues afterwards."
-	work()
-}
--- a/build/lint-single-response/testdata/src/a/web.go
+++ b/build/lint-single-response/testdata/src/a/web.go
@ -1,98 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package a
-
-import (
-	"errors"
-
-	"forgejo.org/services/context"
-)
-
-func directWebCallFine(ctx *context.Context) {
-	ctx.HTML(200, "tmpl")
-}
-
-// Directly call Context functions, then "do work", triggering a linting error:
-
-func directWebCallHTML(ctx *context.Context) {
-	ctx.HTML(200, "tmpl") // want "Invocation of (.*) / HTML, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallJSONError(ctx *context.Context) {
-	ctx.JSONError("something") // want "Invocation of (.*) / JSONError, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallJSONOK(ctx *context.Context) {
-	ctx.JSONOK() // want "Invocation of (.*) / JSONOK, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallJSONRedirect(ctx *context.Context) {
-	ctx.JSONRedirect("/somewhere") // want "Invocation of (.*) / JSONRedirect, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallJSONTemplate(ctx *context.Context) {
-	ctx.JSONTemplate("tmpl") // want "Invocation of (.*) / JSONTemplate, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallNotFound(ctx *context.Context) {
-	ctx.NotFound("something", errors.New("something")) // want "Invocation of (.*) / NotFound, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallNotFoundOrServerError(ctx *context.Context) {
-	ctx.NotFoundOrServerError("something", func(err error) bool { return false }, errors.New("something")) // want "Invocation of (.*) / NotFoundOrServerError, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallRedirectToFirst(ctx *context.Context) {
-	ctx.RedirectToFirst("/somewhere") // want "Invocation of (.*) / RedirectToFirst, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallRenderWithErr(ctx *context.Context) {
-	ctx.RenderWithErr("something", "tmpl", errors.New("something")) // want "Invocation of (.*) / RenderWithErr, and control flow continues afterwards."
-	work()
-}
-
-func directWebCallServerError(ctx *context.Context) {
-	ctx.ServerError("something", errors.New("something")) // want "Invocation of (.*) / ServerError, and control flow continues afterwards."
-	work()
-}
-
-// Call methods on ctx that will go to the `*Base` implementation:
-
-func indirectWebCallError(ctx *context.Context) {
-	ctx.Error(500, "something") // want "Invocation of (.*).Base / Error, and control flow continues afterwards."
-	work()
-}
-
-func indirectWebCallJSON(ctx *context.Context) {
-	ctx.JSON(200, "something") // want "Invocation of (.*).Base / JSON, and control flow continues afterwards."
-	work()
-}
-
-func indirectWebCallPlainText(ctx *context.Context) {
-	ctx.PlainText(200, "something") // want "Invocation of (.*).Base / PlainText, and control flow continues afterwards."
-	work()
-}
-
-func indirectWebCallPlainTextBytes(ctx *context.Context) {
-	ctx.PlainTextBytes(200, []byte{}) // want "Invocation of (.*).Base / PlainTextBytes, and control flow continues afterwards."
-	work()
-}
-
-func indirectWebCallRedirect(ctx *context.Context) {
-	ctx.Redirect("/somewhere") // want "Invocation of (.*).Base / Redirect, and control flow continues afterwards."
-	work()
-}
-
-func indirectWebCallServeContent(ctx *context.Context) {
-	ctx.ServeContent(nil, nil) // want "Invocation of (.*).Base / ServeContent, and control flow continues afterwards."
-	work()
-}
--- a/build/lint-single-response/testdata/src/forgejo.org/services/context/api.go
+++ b/build/lint-single-response/testdata/src/forgejo.org/services/context/api.go
@ -1,19 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package context
-
-type APIContext struct {
-	*Base
-}
-
-func (ctx *APIContext) Error(status int, title string, obj any) {}
-
-func (ctx *APIContext) InternalServerError(err error) {}
-
-func (ctx *APIContext) NotFound(objs ...any) {}
-
-func (ctx *APIContext) NotFoundOrServerError(logMsg string, errCheck func(error) bool, logErr error) {
-}
-
-func (ctx *APIContext) ServerError(title string, err error) {}
--- a/build/lint-single-response/testdata/src/forgejo.org/services/context/base.go
+++ b/build/lint-single-response/testdata/src/forgejo.org/services/context/base.go
@ -1,41 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-// Skeletal implementation of forgejo.org/services/context which allows for test data to access realistic methods on
-// Base, Context, APIContext, etc.
-
-package context
-
-import (
-	"io"
-	"net/http"
-	"time"
-)
-
-type Base struct{}
-
-func (*Base) Status(status int) {}
-
-func (*Base) Error(status int, contents ...string) {}
-
-func (*Base) JSON(status int, content any) {}
-
-func (*Base) PlainTextBytes(status int, bs []byte) {}
-
-func (*Base) PlainText(status int, text string) {}
-
-func (*Base) Redirect(location string, status ...int) {}
-
-func (*Base) ServeContent(r io.ReadSeeker, opts *ServeHeaderOptions) {}
-
-type ServeHeaderOptions struct {
-	ContentType        string // defaults to "application/octet-stream"
-	ContentTypeCharset string
-	ContentLength      *int64
-	Disposition        string // defaults to "attachment"
-	Filename           string
-	CacheDuration      time.Duration // defaults to 5 minutes
-	LastModified       time.Time
-	AdditionalHeaders  http.Header
-	RedirectStatusCode int
-}
--- a/build/lint-single-response/testdata/src/forgejo.org/services/context/context.go
+++ b/build/lint-single-response/testdata/src/forgejo.org/services/context/context.go
@ -1,33 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-// Skeletal implementation of forgejo.org/services/context which allows for test data to access realistic methods on
-// Base, Context, APIContext, etc.
-
-package context
-
-type Context struct {
-	*Base
-}
-
-func (*Context) HTML(status int, name string) {}
-
-func (*Context) JSONError(msg any) {}
-
-func (*Context) JSONOK() {}
-
-func (*Context) JSONRedirect(redirect string) {}
-
-func (*Context) JSONTemplate(tmpl string) {}
-
-func (*Context) NotFound(logMsg string, logErr error) {}
-
-func (*Context) NotFoundOrServerError(logMsg string, errCheck func(error) bool, logErr error) {}
-
-func (*Context) RedirectToFirst(location ...string) string {
-	return ""
-}
-
-func (*Context) RenderWithErr(msg any, tpl string, form any) {}
-
-func (*Context) ServerError(logMsg string, logErr error) {}
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -47,6 +47,7 @@ func subcmdRegenerate() *cli.Command {
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
 		Commands: []*cli.Command{
+			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}
--- a/cmd/admin_auth_oauth.go
+++ b/cmd/admin_auth_oauth.go
@ -125,15 +125,6 @@ func oauthCLIFlags() []cli.Flag {
 			Name:  "group-team-map-removal",
 			Usage: "Activate automatic team membership removal depending on groups",
 		},
-		&cli.StringFlag{
-			Name:  "dyn-group-maps",
-			Value: "",
-			Usage: "Dynamic mappings between groups and org teams",
-		},
-		&cli.BoolFlag{
-			Name:  "dyn-group-maps-removal",
-			Usage: "Activate automatic team membership removal of org teams not automatically added",
-		},
 		&cli.BoolFlag{
 			Name:  "allow-username-change",
 			Usage: "Allow users to change their username",
@ -205,8 +196,6 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
-		DynGroupMaps:                  c.String("dyn-group-maps"),
-		DynGroupMapsRemoval:           c.Bool("dyn-group-maps-removal"),
 		AllowUsernameChange:           c.Bool("allow-username-change"),
 		QuotaGroupClaimName:           c.String("quota-group-claim-name"),
 		QuotaGroupMap:                 c.String("quota-group-map"),
@ -311,12 +300,6 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	if c.IsSet("group-team-map-removal") {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
-	if c.IsSet("dyn-group-maps") {
-		oAuth2Config.DynGroupMaps = c.String("dyn-group-maps")
-	}
-	if c.IsSet("dyn-group-maps-removal") {
-		oAuth2Config.DynGroupMapsRemoval = c.Bool("dyn-group-maps-removal")
-	}
 	if c.IsSet("quota-group-claim-name") {
 		oAuth2Config.QuotaGroupClaimName = c.String("quota-group-claim-name")
 	}
--- a/cmd/admin_auth_oauth_test.go
+++ b/cmd/admin_auth_oauth_test.go
@ -55,8 +55,6 @@ func TestAddOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
 				"--group-team-map-removal",
-				"--dyn-group-maps", `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-				"--dyn-group-maps-removal",
 				"--allow-username-change",
 				"--quota-group-claim-name", "quota_groups",
 				"--quota-group-map", `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
@ -87,8 +85,6 @@ func TestAddOauth(t *testing.T) {
 					AdminGroup:            "admin",
 					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
 					GroupTeamMapRemoval:   true,
-					DynGroupMaps:          `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-					DynGroupMapsRemoval:   true,
 					QuotaGroupClaimName:   "quota_groups",
 					QuotaGroupMap:         `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
 					QuotaGroupMapRemoval:  true,
@ -368,8 +364,6 @@ func TestUpdateOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
 				"--group-team-map-removal",
-				"--dyn-group-maps", `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-				"--dyn-group-maps-removal",
 			},
 			id: 23,
 			existingAuthSource: &auth.Source{
@ -400,8 +394,6 @@ func TestUpdateOauth(t *testing.T) {
 					AdminGroup:            "admin",
 					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
 					GroupTeamMapRemoval:   true,
-					DynGroupMaps:          `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-					DynGroupMapsRemoval:   true,
 					RestrictedGroup:       "restricted",
 					// `--skip-local-2fa` is currently ignored.
 					// SkipLocalTwoFA:        true,
@ -846,58 +838,6 @@ func TestUpdateOauth(t *testing.T) {
 				},
 			},
 		},
-		// case 28
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--dyn-group-maps", `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					DynGroupMaps:     `["dyn-{org}-{team}", "other-{org}-{team}"]`,
-				},
-			},
-		},
-		// case 29
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--dyn-group-maps-removal",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					DynGroupMapsRemoval: true,
-				},
-			},
-		},
-		// case 30
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "23",
-				"--dyn-group-maps-removal=false",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					DynGroupMapsRemoval: true,
-				},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					DynGroupMapsRemoval: false,
-				},
-			},
-		},
 	}

 	for n, c := range cases {
--- a/cmd/admin_regenerate.go
+++ b/cmd/admin_regenerate.go
@ -7,15 +7,36 @@ import (
 	"context"

 	asymkey_model "forgejo.org/models/asymkey"
+	"forgejo.org/modules/graceful"
+	repo_service "forgejo.org/services/repository"

 	"github.com/urfave/cli/v3"
 )

-var microcmdRegenKeys = &cli.Command{
-	Name:   "keys",
-	Usage:  "Regenerate authorized_keys file",
-	Before: noDanglingArgs,
-	Action: runRegenerateKeys,
+var (
+	microcmdRegenHooks = &cli.Command{
+		Name:   "hooks",
+		Usage:  "Regenerate git-hooks",
+		Before: noDanglingArgs,
+		Action: runRegenerateHooks,
+	}
+
+	microcmdRegenKeys = &cli.Command{
+		Name:   "keys",
+		Usage:  "Regenerate authorized_keys file",
+		Before: noDanglingArgs,
+		Action: runRegenerateKeys,
+	}
+)
+
+func runRegenerateHooks(ctx context.Context, c *cli.Command) error {
+	ctx, cancel := installSignals(ctx)
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }

 func runRegenerateKeys(ctx context.Context, c *cli.Command) error {
--- a/cmd/admin_user.go
+++ b/cmd/admin_user.go
@ -17,7 +17,6 @@ func subcmdUser() *cli.Command {
 			microcmdUserChangePassword(),
 			microcmdUserDelete(),
 			microcmdUserGenerateAccessToken(),
-			microcmdUserCreateAuthorizedIntegration(),
 			microcmdUserMustChangePassword(),
 			microcmdUserResetMFA(),
 		},
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -205,15 +205,7 @@ func runCreateUser(ctx context.Context, c *cli.Command) error {

 	// create the access token
 	if accessTokenScope != "" {
-		t := &auth_model.AccessToken{
-			Name:  accessTokenName,
-			UID:   u.ID,
-			Scope: accessTokenScope,
-
-			// maintain legacy behaviour until new CLI options are added -- token has access to all resources, is not
-			// fine-grained
-			ResourceAllRepos: true,
-		}
+		t := &auth_model.AccessToken{Name: accessTokenName, UID: u.ID, Scope: accessTokenScope}
 		if err := auth_model.NewAccessToken(ctx, t); err != nil {
 			return err
 		}
--- a/cmd/admin_user_generate_access_token.go
+++ b/cmd/admin_user_generate_access_token.go
@ -86,10 +86,6 @@ func runGenerateAccessToken(ctx context.Context, c *cli.Command) error {
 	}
 	t.Scope = accessTokenScope

-	// maintain legacy behaviour until new CLI options are added -- token has access to all resources, is not
-	// fine-grained
-	t.ResourceAllRepos = true
-
 	// create the token
 	if err := auth_model.NewAccessToken(ctx, t); err != nil {
 		return err
--- a/cmd/admin_user_generate_authorized_integration.go
+++ b/cmd/admin_user_generate_authorized_integration.go
@ -1,255 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package cmd
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-
-	auth_model "forgejo.org/models/auth"
-	"forgejo.org/models/repo"
-	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/json"
-	auth_service "forgejo.org/services/auth"
-
-	"github.com/urfave/cli/v3"
-)
-
-func microcmdUserCreateAuthorizedIntegration() *cli.Command {
-	return &cli.Command{
-		Name: "create-authorized-integration",
-		Description: `Creates an authorized integration. Authorized integrations allow Forgejo to
-receive JWTs from external sources, validate their claims against
-user-defined rules, and grant access to Forgejo's API on behalf of a user.
-
-The issuer may be set to "urn:forgejo:authorized-integrations:actions"
-to support JWTs from the local instance's Forgejo Actions, utilizing the
-enable-openid-connect flag in a workflow.`,
-
-		// `--claim-in sub=v1,v2,v3` needs to be parsed as a single parameter so that we can comma-split the value into
-		// an array.  To accomplish this, we disable urfave 's slice flag separator, which would cause this to be
-		// treated as "sub=v1", "v2=?", and "v3=?", resulting in an error of missing values.
-		DisableSliceFlagSeparator: true,
-
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "username",
-				Aliases:  []string{"u"},
-				Usage:    "Username",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:     "name",
-				Usage:    "Name of the authorized integration for later identification",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:  "description",
-				Usage: "Optional description for the authorized integration",
-			},
-
-			// JWT validation:
-			&cli.StringFlag{
-				Name:     "issuer",
-				Usage:    `JWT issuer ('iss' claim), example: https://forgejo.example.org/api/actions`,
-				Required: true,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-eq",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"`,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-in",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim equality in list checks, formatted as claim=value1,value2,... example: "actor=user1,user2"`,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-glob",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"`,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-glob-in",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim glob in list checks, formatted as claim=va*ue1,va*ue2,... example: "sub=repo:*/*:pull_request,repo:*/*:refs:*"`,
-			},
-			// nested claim support omitted for now -- pretty complex for a CLI
-
-			// Permissions available on successful auth:
-			&cli.StringSliceFlag{
-				Name:  "scope",
-				Value: []string{"all"},
-				Usage: `One-or-more scopes to apply to access token, examples: "all", "read:issue", "write:repository"`,
-			},
-			&cli.StringSliceFlag{
-				Name:  "repo",
-				Value: []string{"all"},
-				Usage: `Zero-or-more specific repositories that can be accessed, or "all" to allow access to all repositories, example: "owner1/repo1"`,
-			},
-		},
-		Before: noDanglingArgs,
-		Action: runCreateAuthorizedIntegration,
-	}
-}
-
-func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("username") {
-		return errors.New("you must provide a username to generate a token for")
-	}
-
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	user, err := user_model.GetUserByName(ctx, c.String("username"))
-	if err != nil {
-		return err
-	}
-
-	ai := &auth_model.AuthorizedIntegration{
-		UserID:      user.ID,
-		Name:        c.String("name"),
-		Description: c.String("description"),
-		UI:          auth_model.AuthorizedIntegrationUIGeneric,
-	}
-
-	var rules []auth_model.ClaimRule
-	ai.Issuer = c.String("issuer")
-	for claim, value := range c.StringMap("claim-eq") {
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimEqual,
-			Value:      value,
-		})
-	}
-	for claim, value := range c.StringMap("claim-in") {
-		values := []string{}
-		for s := range strings.SplitSeq(value, ",") {
-			values = append(values, strings.TrimSpace(s))
-		}
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimIn,
-			Values:     values,
-		})
-	}
-	for claim, value := range c.StringMap("claim-glob") {
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimGlob,
-			Value:      value,
-		})
-	}
-	for claim, value := range c.StringMap("claim-glob-in") {
-		values := []string{}
-		for s := range strings.SplitSeq(value, ",") {
-			values = append(values, strings.TrimSpace(s))
-		}
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimGlobIn,
-			Values:     values,
-		})
-	}
-	ai.ClaimRules = &auth_model.ClaimRules{Rules: rules}
-
-	scopes := strings.Join(c.StringSlice("scope"), ",")
-	accessTokenScope, err := auth_model.AccessTokenScope(scopes).Normalize()
-	if err != nil {
-		return fmt.Errorf("invalid access token scope provided: %w", err)
-	}
-	ai.Scope = accessTokenScope
-
-	allRepos := false
-	repos := []*repo.Repository{}
-	for _, repoName := range c.StringSlice("repo") {
-		if repoName == "all" {
-			allRepos = true
-		} else {
-			split := strings.Split(repoName, "/")
-			if len(split) != 2 {
-				return fmt.Errorf("invalid repo name: %q", split)
-			}
-			owner := split[0]
-			name := split[1]
-			repo, err := repo.GetRepositoryByOwnerAndName(ctx, owner, name)
-			if err != nil {
-				return err
-			}
-			repos = append(repos, repo)
-		}
-	}
-	ai.ResourceAllRepos = allRepos
-
-	rr := make([]*auth_model.AuthorizedIntegResourceRepo, len(repos))
-	for i := range repos {
-		rr[i] = &auth_model.AuthorizedIntegResourceRepo{RepoID: repos[i].ID}
-	}
-
-	if err := auth_service.InsertAuthorizedIntegration(ctx, ai, rr); err != nil {
-		return err
-	}
-
-	type ClaimRuleDescription struct {
-		Description string                     `json:"description"`
-		Claim       string                     `json:"claim"`
-		Comparison  auth_model.ClaimComparison `json:"compare"`
-		Value       string                     `json:"value,omitempty"`
-		Values      []string                   `json:"values,omitempty"`
-	}
-	output := struct {
-		Message     string                 `json:"message"`
-		Name        string                 `json:"name"`
-		Description string                 `json:"description,omitempty"`
-		Issuer      string                 `json:"issuer"`
-		Audience    string                 `json:"audience"`
-		ClaimRules  []ClaimRuleDescription `json:"claim_rules"`
-	}{
-		Message:     "Authorized integration was successfully created.",
-		Name:        ai.Name,
-		Description: ai.Description,
-		Issuer:      ai.Issuer,
-		Audience:    ai.Audience,
-	}
-	for _, cr := range ai.ClaimRules.Rules {
-		var description string
-		switch cr.Comparison {
-		case auth_model.ClaimEqual:
-			description = fmt.Sprintf("%q = %q", cr.Claim, cr.Value)
-		case auth_model.ClaimIn:
-			description = fmt.Sprintf("%q in %q", cr.Claim, cr.Values)
-		case auth_model.ClaimGlob:
-			description = fmt.Sprintf("%q matches %q", cr.Claim, cr.Value)
-		case auth_model.ClaimGlobIn:
-			description = fmt.Sprintf("%q matches in %q", cr.Claim, cr.Values)
-		}
-		output.ClaimRules = append(output.ClaimRules, ClaimRuleDescription{
-			Description: description,
-			Claim:       cr.Claim,
-			Comparison:  cr.Comparison,
-			Value:       cr.Value,
-			Values:      cr.Values,
-		})
-	}
-
-	raw, err := json.Marshal(output)
-	if err != nil {
-		return err
-	}
-	var indent bytes.Buffer
-	if err := json.Indent(&indent, raw, "", "  "); err != nil {
-		return err
-	}
-	os.Stdout.Write(indent.Bytes())
-
-	return nil
-}
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -150,8 +150,8 @@ func runCert(ctx context.Context, c *cli.Command) error {
 		BasicConstraintsValid: true,
 	}

-	hosts := strings.SplitSeq(c.String("host"), ",")
-	for h := range hosts {
+	hosts := strings.Split(c.String("host"), ",")
+	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -1,5 +1,4 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Copyright 2026 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

 // Package cmd provides subcommands to the gitea binary - such as "web" or
@ -52,10 +51,6 @@ func noDanglingArgs(ctx context.Context, c *cli.Command) (context.Context, error
 		}
 		return nil, fmt.Errorf("unexpected arguments: %s", strings.Join(c.Args().Slice(), ", "))
 	}
-
-	// The CLI library doesn't require a new context here, so this has to be a
-	// nil, nil
-	//nolint:nilnil
 	return nil, nil
 }

@ -94,9 +89,26 @@ If this is the intended configuration file complete the [database] section.`, se
 	return nil
 }

-// installSignals returns a context that's cancelled on the SIGINT and SIGTERM signals or if the passed ctx is cancelled.
 func installSignals(ctx context.Context) (context.Context, context.CancelFunc) {
-	return signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+	ctx, cancel := context.WithCancel(ctx)
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
 }

 func setupConsoleLogger(level log.Level, colorize bool, out io.Writer) {
--- a/cmd/cmd_test.go
+++ b/cmd/cmd_test.go
@ -1,39 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"runtime"
-	"syscall"
-	"testing"
-	"time"
-)
-
-func Test_installSignals(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skipf("Windows does not terminate in an awaitable manner")
-		return
-	}
-
-	for _, s := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {
-		t.Run(fmt.Sprintf("Context is terminated on %s", s), func(t *testing.T) {
-			// Register the signal handler. context.Background() is chosen deliberately,
-			// because unlike t.Context(), we can be sure that it's not cancelled by a
-			// different handler.
-			ctx, cancel := installSignals(context.Background())
-			t.Cleanup(cancel)
-
-			// Send the signal in the background.
-			go syscall.Kill(syscall.Getpid(), s)
-
-			select {
-			case <-time.Tick(time.Second * 10):
-				t.Fatalf("Context not cancelled via signal after 10 seconds")
-			case <-ctx.Done():
-				t.Logf("Context was cancelled")
-			}
-		})
-	}
-}
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"image"
+	"io"
 	golog "log"
 	"os"
 	"path/filepath"
@ -19,15 +20,14 @@ import (
 	migrate_base "forgejo.org/models/gitea_migrations/base"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/avatarstore"
 	"forgejo.org/modules/container"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"
 	"forgejo.org/services/doctor"

+	exif_terminator "code.superseriousbusiness.org/exif-terminator"
 	"github.com/urfave/cli/v3"
-	"xorm.io/builder"
 )

 // CmdDoctor represents the available doctor sub-command.
@ -43,7 +43,6 @@ func cmdDoctor() *cli.Command {
 			cmdDoctorConvert(),
 			cmdAvatarStripExif(),
 			cmdCleanupCommitStatuses(),
-			cmdResizeAvatars(),
 		},
 	}
 }
@ -111,40 +110,13 @@ You should back-up your database before doing this and ensure that your database

 func cmdAvatarStripExif() *cli.Command {
 	return &cli.Command{
-		Name:  "avatar-strip-exif",
-		Usage: "Strip EXIF metadata from all images in the avatar storage [unsupported]",
-		Description: `Stripping EXIF metadata is not currently supported. The capability was
-available in previous Forgejo releases, but has been removed. This command
-may be re-enabled in the future if the capability can be supported again.`,
+		Name:   "avatar-strip-exif",
+		Usage:  "Strip EXIF metadata from all images in the avatar storage",
 		Before: noDanglingArgs,
 		Action: runAvatarStripExif,
 	}
 }

-func cmdResizeAvatars() *cli.Command {
-	return &cli.Command{
-		Name:  "avatar-resize",
-		Usage: "Generate resized versions of user or repository avatars",
-		Description: `Forgejo serves small versions of avatars for inclusion in the web UI.
-
-Those rescaled versions are computed on-demand and cached in the avatar storage.
-
-This command pre-computes rescaled versions of avatars ahead of time.`,
-		Before: noDanglingArgs,
-		Action: runAvatarResize,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:  "user",
-				Usage: "Resize the user avatars",
-			},
-			&cli.BoolFlag{
-				Name:  "repository",
-				Usage: "Resize the repository avatars",
-			},
-		},
-	}
-}
-
 func cmdCleanupCommitStatuses() *cli.Command {
 	return &cli.Command{
 		Name:  "cleanup-commit-status",
@ -327,78 +299,75 @@ func runDoctorCheck(stdCtx context.Context, ctx *cli.Command) error {
 }

 func runAvatarStripExif(ctx context.Context, c *cli.Command) error {
-	log.Warn("avatar-strip-exif is not currently supported.")
-	return nil
-}
-
-func precomputeResizedAvatars(imgStorage storage.ObjectStorage, imgPath string, maxOriginSize int64) error {
-	// Load the avatar
-	avatarBytes, err := imgStorage.Open(imgPath)
-	if err != nil {
-		return err
-	}
-	meta, err := avatarBytes.Stat()
-	if err != nil {
-		return err
-	}
-	// If the avatar is small enough, don't compute resized versions for it.
-	// This makes it possible to preserve animated avatars when they are small enough.
-	if meta.Size() < maxOriginSize {
-		return nil
-	}
-	img, _, err := image.Decode(avatarBytes)
-	if err != nil {
-		return err
-	}
-	return avatarstore.PrecomputeResizedAvatars(imgStorage, img, imgPath)
-}
-
-func runAvatarResize(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()

 	if err := initDB(ctx); err != nil {
 		return err
 	}
-
 	if err := storage.Init(); err != nil {
 		return err
 	}

-	runUser := c.Bool("user")
-	runRepo := c.Bool("repository")
-	return RunAvatarResize(ctx, runUser, runRepo)
-}
-
-func RunAvatarResize(ctx context.Context, runUser, runRepo bool) error {
-	if !runUser && !runRepo {
-		return fmt.Errorf("at least one of --user or --repository should be provided")
+	type HasCustomAvatarRelativePath interface {
+		CustomAvatarRelativePath() string
 	}

-	if runUser {
-		log.Info("Resizing user avatars")
-		if err := db.Iterate(
-			ctx,
-			builder.Neq{"avatar": ""},
-			func(ctx context.Context, user *user_model.User) error {
-				return precomputeResizedAvatars(storage.Avatars, user.Avatar, setting.Avatar.MaxOriginSize)
-			},
-		); err != nil {
-			return err
+	doExifStrip := func(obj HasCustomAvatarRelativePath, name string, target_storage storage.ObjectStorage) error {
+		if obj.CustomAvatarRelativePath() == "" {
+			return nil
 		}
+
+		log.Info("Stripping avatar for %s...", name)
+
+		avatarFile, err := target_storage.Open(obj.CustomAvatarRelativePath())
+		if err != nil {
+			return fmt.Errorf("storage.Avatars.Open: %w", err)
+		}
+		_, imgType, err := image.DecodeConfig(avatarFile)
+		if err != nil {
+			return fmt.Errorf("image.DecodeConfig: %w", err)
+		}
+
+		// reset io.Reader for exif termination scan
+		_, err = avatarFile.Seek(0, io.SeekStart)
+		if err != nil {
+			return fmt.Errorf("avatarFile.Seek: %w", err)
+		}
+
+		cleanedData, err := exif_terminator.Terminate(avatarFile, imgType)
+		if err != nil && strings.Contains(err.Error(), "cannot be processed") {
+			// expected error for an image type that isn't supported by exif_terminator
+			log.Info("... image type %s is not supported by exif_terminator, skipping.", imgType)
+			return nil
+		} else if err != nil {
+			return fmt.Errorf("error cleaning exif data: %w", err)
+		}
+
+		if err := storage.SaveFrom(target_storage, obj.CustomAvatarRelativePath(), func(w io.Writer) error {
+			_, err := io.Copy(w, cleanedData)
+			return err
+		}); err != nil {
+			return fmt.Errorf("Failed to create dir %s: %w", obj.CustomAvatarRelativePath(), err)
+		}
+
+		log.Info("... completed %s.", name)
+
+		return nil
 	}

-	if runRepo {
-		log.Info("Resizing repository avatars")
-		if err := db.Iterate(
-			ctx,
-			builder.Neq{"avatar": ""},
-			func(ctx context.Context, repo *repo_model.Repository) error {
-				return precomputeResizedAvatars(storage.RepoAvatars, repo.Avatar, setting.Avatar.MaxOriginSize)
-			},
-		); err != nil {
-			return err
-		}
+	err := db.Iterate(ctx, nil, func(ctx context.Context, user *user_model.User) error {
+		return doExifStrip(user, fmt.Sprintf("user %s", user.Name), storage.Avatars)
+	})
+	if err != nil {
+		return err
+	}
+
+	err = db.Iterate(ctx, nil, func(ctx context.Context, repo *repo_model.Repository) error {
+		return doExifStrip(repo, fmt.Sprintf("repo %s", repo.Name), storage.RepoAvatars)
+	})
+	if err != nil {
+		return err
 	}

 	return nil
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -12,7 +12,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"slices"
 	"strings"
 	"sync"
 	"time"
@ -84,9 +83,11 @@ func (o outputType) Join() string {
 }

 func (o *outputType) Set(value string) error {
-	if slices.Contains(o.Enum, value) {
-		o.selected = value
-		return nil
+	for _, enum := range o.Enum {
+		if enum == value {
+			o.selected = value
+			return nil
+		}
 	}

 	return fmt.Errorf("allowed values are %s", o.Join())
@ -112,10 +113,7 @@ func getArchiverByType(outType string) (archives.ArchiverAsync, error) {
 	var archiver archives.ArchiverAsync
 	switch outType {
 	case "zip":
-		archiver = archives.Zip{
-			Compression:          8,
-			SelectiveCompression: false,
-		}
+		archiver = archives.Zip{}
 	case "tar":
 		archiver = archives.Tar{}
 	case "tar.sz":
@ -252,8 +250,8 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 	} else {
 		for _, suffix := range outputTypeEnum.Enum {
-			if before, ok := strings.CutSuffix(fileName, "."+suffix); ok {
-				fileName = before
+			if strings.HasSuffix(fileName, "."+suffix) {
+				fileName = strings.TrimSuffix(fileName, "."+suffix)
 				break
 			}
 		}
@ -332,12 +330,14 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	go dumpDatabase(ctx, archiveJobs, &wg, verbose)

 	if len(setting.CustomConf) > 0 {
-		wg.Go(func() {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
 			log.Info("Adding custom configuration file from %s", setting.CustomConf)
 			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
 				fatal("Failed to include specified app.ini: %v", err)
 			}
-		})
+		}()
 	}

 	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
@ -361,13 +361,15 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
 		log.Info("Skipping attachment data")
 	} else {
-		wg.Go(func() {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
 			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump attachments: %v", err)
 			}
-		})
+		}()
 	}

 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
@ -375,13 +377,15 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	} else if !setting.Packages.Enabled {
 		log.Info("Package registry not enabled - skipping")
 	} else {
-		wg.Go(func() {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
 			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump packages: %v", err)
 			}
-		})
+		}()
 	}

 	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
@ -395,11 +399,13 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
-			wg.Go(func() {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
 				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
 					fatal("Failed to include log: %v", err)
 				}
-			})
+			}()
 		}
 	}

--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -143,8 +143,8 @@ func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
 		opts.PullRequests = true
 		opts.ReleaseAssets = true
 	} else {
-		units := strings.SplitSeq(ctx.String("units"), ",")
-		for unit := range units {
+		units := strings.Split(ctx.String("units"), ",")
+		for _, unit := range units {
 			switch strings.ToLower(strings.TrimSpace(unit)) {
 			case "":
 				continue
--- a/cmd/forgejo/actions.go
+++ b/cmd/forgejo/actions.go
@ -13,7 +13,6 @@ import (
 	"strings"

 	actions_model "forgejo.org/models/actions"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"
 	private_routers "forgejo.org/routers/private"
@ -103,11 +102,6 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 				Value: "",
 				Usage: "version of the runner (not required since v1.21)",
 			},
-			&cli.BoolFlag{
-				Name:  "ephemeral",
-				Value: false,
-				Usage: "instruct Forgejo to permanently unregister this runner after it has run one job",
-			},
 		},
 	}
 }
@ -145,15 +139,15 @@ func validateSecret(secret string) error {
 	return nil
 }

-func getLabels(cli *cli.Command) (optional.Option[*[]string], error) {
+func getLabels(cli *cli.Command) (*[]string, error) {
 	if !cli.Bool("keep-labels") {
 		lblValue := strings.Split(cli.String("labels"), ",")
-		return optional.Some(&lblValue), nil
+		return &lblValue, nil
 	}
 	if cli.String("labels") != "" {
 		return nil, errors.New("--labels and --keep-labels should not be used together")
 	}
-	return optional.None[*[]string](), nil
+	return nil, nil
 }

 func RunRegister(ctx context.Context, cli *cli.Command) error {
@ -178,7 +172,6 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 	scope := cli.String("scope")
 	name := cli.String("name")
 	version := cli.String("version")
-	ephemeral := cli.Bool("ephemeral")
 	labels, err := getLabels(cli)
 	if err != nil {
 		return err
@ -206,12 +199,7 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 		return err
 	}

-	var runnerLabels *[]string
-	if labels.Has() {
-		_, runnerLabels = labels.Get()
-	}
-
-	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, runnerLabels, name, version, ephemeral)
+	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version)
 	if err != nil {
 		return fmt.Errorf("error while registering runner: %v", err)
 	}
--- a/cmd/forgejo/actions_test.go
+++ b/cmd/forgejo/actions_test.go
@ -8,8 +8,6 @@ import (
 	"fmt"
 	"testing"

-	"forgejo.org/modules/optional"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v3"
@ -23,7 +21,7 @@ func TestActions_getLabels(t *testing.T) {
 		labels    []string
 	}
 	type resultType struct {
-		labels optional.Option[*[]string]
+		labels *[]string
 		err    error
 	}

@ -73,12 +71,11 @@ func TestActions_getLabels(t *testing.T) {

 			// Test the results
 			require.NotNil(t, result)
-			has, labels := result.labels.Get()
 			if c.hasLabels {
-				assert.True(t, has)
-				assert.Equal(t, c.labels, *labels)
+				assert.NotNil(t, result.labels)
+				assert.Equal(t, c.labels, *result.labels)
 			} else {
-				assert.False(t, has)
+				assert.Nil(t, result.labels)
 			}
 			if c.hasError {
 				require.Error(t, result.err)
--- a/cmd/forgejo/f3.go
+++ b/cmd/forgejo/f3.go
@ -24,6 +24,7 @@ import (
 )

 func CmdF3(ctx context.Context) *cli.Command {
+	ctx = f3_logger.ContextSetLogger(ctx, util.NewF3Logger(nil, log.GetLogger(log.DEFAULT)))
 	return &cli.Command{
 		Name:  "f3",
 		Usage: "F3",
@ -37,9 +38,7 @@ func SubcmdF3Mirror(ctx context.Context) *cli.Command {
 	mirrorCmd := f3_cmd.CreateCmdMirror()
 	mirrorCmd.Before = prepareWorkPathAndCustomConf(ctx)
 	f3Action := mirrorCmd.Action
-	mirrorCmd.Action = func(ctx context.Context, cli *cli.Command) error {
-		return runMirror(ctx, cli, f3Action)
-	}
+	mirrorCmd.Action = func(ctx context.Context, cli *cli.Command) error { return runMirror(ctx, cli, f3Action) }
 	return mirrorCmd
 }

@ -68,8 +67,6 @@ func runMirror(ctx context.Context, c *cli.Command, action cli.ActionFunc) error
 		if err := models.Init(ctx); err != nil {
 			return err
 		}
-
-		ctx = f3_logger.ContextSetLogger(ctx, util.NewF3Logger(nil, log.GetLogger(log.DEFAULT)))
 	}

 	err := action(ctx, c)
--- a/cmd/forgejo/forgejo.go
+++ b/cmd/forgejo/forgejo.go
@ -126,9 +126,7 @@ func installSignals(ctx context.Context) (context.Context, context.CancelFunc) {
 		)
 		select {
 		case <-signalChannel:
-			break
 		case <-ctx.Done():
-			break
 		}
 		cancel()
 		signal.Reset()
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -568,7 +568,7 @@ Forgejo or set your environment appropriately.`, "")
 	hookOptions.RefFullNames = make([]git.RefName, 0, hookBatchSize)

 	for {
-		// note: pktLineTypeUnknown means pktLineTypeFlush and pktLineTypeData all allowed
+		// note: pktLineTypeUnknow means pktLineTypeFlush and pktLineTypeData all allowed
 		rs, err = readPktLine(ctx, reader, pktLineTypeUnknown)
 		if err != nil {
 			return err
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@ -24,10 +24,10 @@ func runSendMail(ctx context.Context, c *cli.Command) error {
 	}

 	subject := c.String("title")
-	confirmSkipped := c.Bool("force")
+	confirmSkiped := c.Bool("force")
 	body := c.String("content")

-	if !confirmSkipped {
+	if !confirmSkiped {
 		if len(body) == 0 {
 			fmt.Print("warning: Content is empty")
 		}
--- a/cmd/main.go
+++ b/cmd/main.go
@ -80,6 +80,7 @@ func appGlobalFlags() []cli.Flag {
 func prepareSubcommandWithConfig(command *cli.Command, globalFlags func() []cli.Flag) {
 	command.Flags = append(globalFlags(), command.Flags...)
 	command.Action = prepareWorkPathAndCustomConf(command.Action)
+	command.HideHelp = true
 	if command.Name != "help" {
 		command.Commands = append(command.Commands, cmdHelp())
 	}
@ -198,6 +199,7 @@ func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmd
 	}
 	app.Flags = append(app.Flags, cli.VersionFlag)
 	app.Flags = append(app.Flags, globalFlags()...)
+	app.HideHelp = true // use our own help action to show helps (with more information like default config)
 	app.Before = PrepareConsoleLoggerLevel(log.INFO)
 	for i := range subCmdWithConfig {
 		prepareSubcommandWithConfig(subCmdWithConfig[i], globalFlags)
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@ -63,12 +62,7 @@ func runTestApp(app *cli.Command, args ...string) (runResult, error) {
 }

 func TestCliCmd(t *testing.T) {
-	path, err := os.Executable()
-	if err != nil {
-		panic(err)
-	}
-
-	defaultWorkPath := filepath.Dir(path)
+	defaultWorkPath := filepath.Dir(setting.AppPath)
 	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")

@ -114,11 +108,6 @@ func TestCliCmd(t *testing.T) {
 			cmd: "./gitea test-cmd --config /tmp/app-other.ini",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/app-other.ini"),
 		},
-		{
-			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
-			cmd: "./gitea forgejo-cli --help",
-			exp: "(subcommand help template)",
-		},
 	}

 	for _, c := range cases {
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@ -22,8 +22,8 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"

-	"code.forgejo.org/xorm/xorm"
 	"github.com/urfave/cli/v3"
+	"xorm.io/xorm"
 )

 // CmdMigrateStorage represents the available migrate storage sub-command.
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -23,13 +23,13 @@ import (
 	"forgejo.org/models/perm"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/json"
-	"forgejo.org/modules/lfs"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/pprof"
 	"forgejo.org/modules/private"
 	"forgejo.org/modules/process"
 	repo_module "forgejo.org/modules/repository"
 	"forgejo.org/modules/setting"
+	"forgejo.org/services/lfs"

 	"github.com/golang-jwt/jwt/v5"
 	"github.com/kballard/go-shellquote"
@ -290,9 +290,10 @@ func runServ(ctx context.Context, c *cli.Command) error {
 			Op:     lfsVerb,
 			UserID: results.UserID,
 		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

 		// Sign and get the complete encoded token as a string using the secret
-		tokenString, err := setting.LFS.SigningKey.JWT(claims)
+		tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
 		if err != nil {
 			return fail(ctx, "Failed to sign JWT Token", "Failed to sign JWT token: %v", err)
 		}
--- a/cmd/web.go
+++ b/cmd/web.go
@ -164,6 +164,8 @@ func serveInstall(_ context.Context, ctx *cli.Command) error {
 }

 func serveInstalled(_ context.Context, ctx *cli.Command) error {
+	setting.InitCfgProvider(setting.CustomConf)
+	setting.LoadCommonSettings()
 	setting.MustInstalled()

 	showWebStartupMessage("Prepare to run web server")
@ -276,11 +278,8 @@ func setPort(port string) error {

 	switch setting.Protocol {
 	case setting.HTTPUnix:
-		break
 	case setting.FCGI:
-		break
 	case setting.FCGIUnix:
-		break
 	default:
 		defaultLocalURL := string(setting.Protocol) + "://"
 		if setting.HTTPAddr == "0.0.0.0" {
--- a/contrib/coverage-helper.sh
+++ b/contrib/coverage-helper.sh
@ -8,9 +8,8 @@ PS4='${BASH_SOURCE[0]}:$LINENO: ${FUNCNAME[0]}:  '
 # Those must be explicitly required and are excluded from the full list of packages because they
 # would interfere with the testing fixtures.
 #
-excluded+='forgejo.org/models/gitea_migrations|'          # must be run before database specific tests
-excluded+='forgejo.org/models/forgejo_migrations|'        # must be run before database specific tests
-excluded+='forgejo.org/models/forgejo_migrations_legacy|' # must be run before database specific tests
+excluded+='forgejo.org/models/gitea_migrations|'                # must be run before database specific tests
+excluded+='forgejo.org/models/forgejo_migrations_legacy|'        # must be run before database specific tests
 excluded+='forgejo.org/tests/integration/migration-test|' # must be run before database specific tests
 excluded+='forgejo.org/tests|'                            # only tests, no coverage to get there
 excluded+='forgejo.org/tests/e2e|'                        # JavaScript is not in scope here and if it adds coverage it should not be counted
@ -39,9 +38,7 @@ function run_test() {
  # -race cannot be used because it requires -covermode atomic which is
  # different from the end-to-end tests and would cause issues wen merging
  #
-  set -o pipefail
-  $GO test -timeout=40m -tags='sqlite sqlite_unlock_notify' -cover $package -coverpkg $COVERED_PACKAGES $COVERAGE_TEST_ARGS -args -test.gocoverdir=$coverage |& grep -v 'warning: no packages being tested depend on matches for pattern'
-  set +o pipefail
+  $GO test -timeout=20m -tags='sqlite sqlite_unlock_notify' -cover $package -coverpkg $COVERED_PACKAGES $COVERAGE_TEST_ARGS -args -test.gocoverdir=$coverage |& grep -v 'warning: no packages being tested depend on matches for pattern'
 }

 function test_packages() {
--- a/contrib/systemd/forgejo.service
+++ b/contrib/systemd/forgejo.service
@ -52,7 +52,7 @@ After=network.target
 # Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
 # LimitNOFILE=524288:524288
 RestartSec=2s
-Type=notify
+Type=simple
 User=git
 Group=git
 WorkingDirectory=/var/lib/forgejo/
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -118,7 +118,7 @@ RUN_USER = ; git
 ;; SSL Cipher Suites
 ;SSL_CIPHER_SUITES=; Will default to "ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305" if aes is supported by hardware, otherwise chacha will be first.
 ;;
-;; Timeout for any write to the connection. (Set to -1s to disable all timeouts.)
+;; Timeout for any write to the connection. (Set to -1 to disable all timeouts.)
 ;PER_WRITE_TIMEOUT = 30s
 ;;
 ;; Timeout per Kb written to connections.
@ -232,7 +232,7 @@ RUN_USER = ; git
 ;; Command template for authorized keys entries
 ;SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE = {{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}
 ;;
-;; Timeout for any write to ssh connections. (Set to -1s to disable all timeouts.)
+;; Timeout for any write to ssh connections. (Set to -1 to disable all timeouts.)
 ;; Will default to the PER_WRITE_TIMEOUT.
 ;SSH_PER_WRITE_TIMEOUT = 30s
 ;;
@ -313,9 +313,6 @@ RUN_USER = ; git
 ;LFS_START_SERVER = false
 ;;
 ;;
-;; see JWT_* under [oauth2]
-;LFS_JWT_SIGNING_ALGORITHM = HS256
-;LFS_JWT_SIGNING_PRIVATE_KEY_FILE = jwt/lfs_private.pem
 ;; LFS authentication secret, change this yourself
 ;LFS_JWT_SECRET =
 ;;
@ -420,8 +417,8 @@ DB_TYPE = sqlite3
 ;; Database connection max idle time, 0 prevents closing due to idle time.
 ;CONN_MAX_IDLETIME = 0
 ;;
-;; Database maximum number of open connections. Ensure you only increase the value if your database server is configured to handle the amount of open connections accordingly.
-;MAX_OPEN_CONNS = 30
+;; Database maximum number of open connections, default is 100 which is the lowest default from Postgres (MariaDB + MySQL default to 151). Ensure you only increase the value if you configured your database server accordingly.
+;MAX_OPEN_CONNS = 100
 ;;
 ;; Whether execute database models migrations automatically
 ;AUTO_MIGRATION = true
@ -460,7 +457,7 @@ INTERNAL_TOKEN =
 ;GLOBAL_TWO_FACTOR_REQUIREMENT = none
 ;;
 ;; Name of cookie used to store authentication information.
-;COOKIE_REMEMBER_NAME = persistent
+;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
 ;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
@ -547,7 +544,6 @@ ENABLED = true
 ;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512.
 ;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
-;; XXX jwt/ is a misnomer, it should rather be oauth2/, because we use many JWTs
 ;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem
 ;;
 ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://forgejo.org/docs/latest/admin/command-line/#generate-secret
@ -709,6 +705,10 @@ LEVEL = Info
 ;; see more on http://git-scm.com/docs/git-gc/
 ;GC_ARGS =
 ;;
+;; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
+;; To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file.
+;ENABLE_AUTO_GIT_WIRE_PROTOCOL = true
+;;
 ;; Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
 ;PULL_REQUEST_PUSH_MESSAGE = true
 ;; Disable the usage of using partial clones for git.
@ -915,7 +915,7 @@ LEVEL = Info
 ;;
 ;; Minimum amount of time a user must exist before comments are kept when the user is deleted.
 ;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
-;; Valid site url schemes for user, organization, or repository profiles
+;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1062,7 +1062,7 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; List of file extensions for which lines should be wrapped in the CodeMirror editor
+;; List of file extensions for which lines should be wrapped in the Monaco editor
 ;; Separate extensions with a comma. To line wrap files without an extension, just put a comma
 ;LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,.livemd,

@ -1132,6 +1132,9 @@ LEVEL = Info
 ;; If an squash commit's comment should be populated with the commit messages of the squashed commits
 ;POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES = false
 ;;
+;; Add co-authored-by and co-committed-by trailers if committer does not match author
+;ADD_CO_COMMITTER_TRAILERS = true
+;;
 ;; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo.
 ;RETARGET_CHILDREN_ON_MERGE = true

@ -1285,9 +1288,6 @@ LEVEL = Info
 ;; Number of line of codes shown for a code comment
 ;CODE_COMMENT_LINES = 4
 ;;
-;; Maximum number of lines a single (multi-line) code comment may span. 0 means no limit.
-;MAX_CODE_COMMENT_LINES = 50
-;;
 ;; Max size of files to be displayed (default is 8MiB)
 ;MAX_DISPLAY_FILE_SIZE = 8388608
 ;;
@ -1378,7 +1378,7 @@ LEVEL = Info
 ;;
 ;; Control how often the notification endpoint is polled to update the notification
 ;; The timeout will increase to MAX_TIMEOUT in TIMEOUT_STEPs if the notification count is unchanged
-;; Set MIN_TIMEOUT to -1s to turn off polling
+;; Set MIN_TIMEOUT to -1 to turn off
 ;MIN_TIMEOUT = 10s
 ;MAX_TIMEOUT = 60s
 ;TIMEOUT_STEP = 10s
@ -1470,7 +1470,7 @@ LEVEL = Info
 ;ISSUE_INDEXER_NAME = gitea_issues
 ;;
 ;; Timeout the indexer if it takes longer than this to start.
-;; Set to -1s to disable timeout.
+;; Set to -1 to disable timeout.
 ;STARTUP_TIMEOUT = 30s
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1484,10 +1484,10 @@ LEVEL = Info
 ;; If empty then it defaults to `sources` only, as if you'd like to disable fully please see REPO_INDEXER_ENABLED.
 ;REPO_INDEXER_REPO_TYPES = sources,forks,mirrors,templates
 ;;
-;; Code search engine type, could be `bleve`, `zoekt` or `elasticsearch`.
+;; Code search engine type, could be `bleve` or `elasticsearch`.
 ;REPO_INDEXER_TYPE = bleve
 ;;
-;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve or zoekt
+;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
 ;REPO_INDEXER_PATH = indexers/repos.bleve
 ;;
 ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
@ -1497,10 +1497,10 @@ LEVEL = Info
 ;REPO_INDEXER_NAME = gitea_codes
 ;;
 ;; A comma separated list of glob patterns (see https://github.com/gobwas/glob) to include
-;; in the index; it's not compatible with the `zoekt` indexer type; default is empty
+;; in the index; default is empty
 ;REPO_INDEXER_INCLUDE =
 ;;
-;; A comma separated list of glob patterns to exclude from the index; it's not compatible with the `zoekt` indexer type; default is empty
+;; A comma separated list of glob patterns to exclude from the index; ; default is empty
 ;REPO_INDEXER_EXCLUDE =
 ;;
 ;; If vendored files should be excluded.
@ -1561,17 +1561,15 @@ LEVEL = Info
 ;DEFAULT_EMAIL_NOTIFICATIONS = enabled
 ;; Send an email to all admins when a new user signs up to inform the admins about this act. Options: true, false
 ;SEND_NOTIFICATION_EMAIL_ON_NEW_USER = false
-;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys", "manage_password" more features can be disabled in future
+;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys" more features can be disabled in future
 ;; - deletion: a user cannot delete their own account
 ;; - manage_ssh_keys: a user cannot configure ssh keys
 ;; - manage_gpg_keys: a user cannot configure gpg keys
-;; - manage_password: a user cannot configure their password
 ;USER_DISABLED_FEATURES =
-;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be `deletion`, `manage_ssh_keys`, `manage_gpg_keys`, `manage_password`. This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
+;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be `deletion`, `manage_ssh_keys`, `manage_gpg_keys`. This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
 ;; - deletion: a user cannot delete their own account
 ;; - manage_ssh_keys: a user cannot configure ssh keys
 ;; - manage_gpg_keys: a user cannot configure gpg keys
-;; - manage_password: a user cannot configure their password
 ;;EXTERNAL_USER_DISABLE_FEATURES =

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1898,7 +1896,7 @@ LEVEL = Info
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
-;COOKIE_NAME = session
+;COOKIE_NAME = i_like_gitea
 ;;
 ;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
 ;COOKIE_SECURE =
@ -2458,15 +2456,6 @@ LEVEL = Info
 ;; Enable/Disable RSS/Atom feed
 ;ENABLE_FEED = true

-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[pwa]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Enable standalone mode; this allows PWA enabled browsers to "install" the website as an progressive web app,
-;; by setting the https://developer.mozilla.org/en-US/docs/Web/Manifest/display property to "standalone".
-;STANDALONE = false
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[markup]
@ -2554,7 +2543,7 @@ LEVEL = Info

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[f3]
+;[F3]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -2787,21 +2776,12 @@ LEVEL = Info
 ;ABANDONED_JOB_TIMEOUT = 24h
 ;; Strings committers can place inside a commit message or PR title to skip executing the corresponding actions workflow
 ;SKIP_WORKFLOW_STRINGS = [skip ci],[ci skip],[no ci],[skip actions],[actions skip]
-;; Limit on inputs for manual / workflow_dispatch triggers, default is 100
-;LIMIT_DISPATCH_INPUTS = 100
+;; Limit on inputs for manual / workflow_dispatch triggers, default is 10
+;LIMIT_DISPATCH_INPUTS = 10
 ;; Support queuing workflow jobs, by setting `concurrency.group` & `concurrency.cancel-in-progress: false`, can increase
 ;; server and database workload due to more complex database queries and more frequent server task querying; this
 ;; feature can be disabled to reduce performance impact
 ;CONCURRENCY_GROUP_QUEUE_ENABLED = true
-;; Algorithm used to sign ID tokens. Valid values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA.
-;; RS256 will ensure compatibility with all relying parties.
-;; If a different algorithm is chosen, verify that relying parties of interest support the signing algorithm.
-;ID_TOKEN_SIGNING_ALGORITHM = RS256
-;; Private key file path used to sign ID tokens. The path is relative to APP_DATA_PATH.
-;; The file must contain an RSA or ECDSA private key in the PKCS8 format. If no key exists, a key will be created for you.
-;ID_TOKEN_SIGNING_PRIVATE_KEY_FILE = actions_id_token/private.pem
-;; Lifetime of ID tokens generated by the actions `/idtoken` endpoint in seconds.
-;ID_TOKEN_EXPIRATION_TIME = 3600

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2822,30 +2802,3 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; storage type
 ;STORAGE_TYPE = local
-
-;; Authorized integrations are a capability for users to define external systems which can generate JWTs that Forgejo
-;; will trust in order to perform API access on behalf of that user. While validating a JWT from an external system,
-;; Forgejo makes outgoing HTTP requests to the JWT issuer.
-; [authorized_integration]
-;; Timeout for HTTP requests to remote servers. Default is 10 seconds.
-;REQUEST_TIMEOUT = 10s
-;
-;; Allowed domains for authorized integrations. Default is blank which means all domains will be allowed (except local
-;; networks, see ALLOW_LOCALNETWORKS).
-;; Multiple domains can be separated by commas.
-;; Wildcards are supported: "github.com, *.github.com"
-;ALLOWED_DOMAINS =
-;
-;; Blocklist for authorized integrations, default is blank.
-;; Multiple domains can be separated by commas.
-;; Wildcards are supported: "github.com, *.github.com"
-;BLOCKED_DOMAINS =
-;
-;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291.
-;; Default is false.
-;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored.
-;ALLOW_LOCALNETWORKS = false
-;
-;; Remote requests are cached after being received for the cache time-to-live (TTL). Default is 10 minutes.
-;; Caching uses the configured adapter in the [cache] config section.
-;CACHE_TTL = 10m
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@ -52,6 +52,7 @@ ROOT_PATH = /data/gitea/log
 INSTALL_LOCK = $INSTALL_LOCK
 SECRET_KEY   = $SECRET_KEY
 REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *

 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
--- a/docker/rootless/etc/templates/app.ini
+++ b/docker/rootless/etc/templates/app.ini
@ -49,6 +49,7 @@ ROOT_PATH = $GITEA_WORK_DIR/data/log
 INSTALL_LOCK = $INSTALL_LOCK
 SECRET_KEY   = $SECRET_KEY
 REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *

 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
--- a/docker/rootless/usr/local/bin/docker-entrypoint.sh
+++ b/docker/rootless/usr/local/bin/docker-entrypoint.sh
@ -13,5 +13,10 @@ fi
 if [ $# -gt 0 ]; then
    exec "$@"
 else
+    # TODO: remove on next major version release
+    # Honour legacy config file if existing
+    if [ -f ${GITEA_APP_INI_LEGACY} ]; then
+        GITEA_APP_INI=${GITEA_APP_INI_LEGACY}
+    fi
    exec /usr/local/bin/gitea -c ${GITEA_APP_INI} web
 fi
--- a/docker/rootless/usr/local/bin/docker-setup.sh
+++ b/docker/rootless/usr/local/bin/docker-setup.sh
@ -11,10 +11,22 @@ mkdir -p ${GITEA_CUSTOM} && chmod 0700 ${GITEA_CUSTOM}
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
 if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi

-# Prepare config file
+# TODO: remove on next major version release
+# Honour legacy config file if existing, but inform the user
+if [ -f ${GITEA_APP_INI_LEGACY} ] && [ ${GITEA_APP_INI} != ${GITEA_APP_INI_LEGACY} ]; then
+    GITEA_APP_INI_DEFAULT=/var/lib/gitea/custom/conf/app.ini
+    echo -e \
+      "\033[33mWARNING\033[0m: detected configuration file in deprecated default path ${GITEA_APP_INI_LEGACY}." \
+      "The new default is ${GITEA_APP_INI_DEFAULT}. To remove this warning, choose one of the options:\n" \
+      "* Move ${GITEA_APP_INI_LEGACY} to ${GITEA_APP_INI_DEFAULT} (or to \$GITEA_APP_INI if you want to override this variable)\n" \
+      "* Explicitly override GITEA_APP_INI=${GITEA_APP_INI_LEGACY} in the container environment"
+    GITEA_APP_INI=${GITEA_APP_INI_LEGACY}
+fi
+
+#Prepare config file
 if [ ! -f ${GITEA_APP_INI} ]; then

-    # Prepare config file folder
+    #Prepare config file folder
    GITEA_APP_INI_DIR=$(dirname ${GITEA_APP_INI})
    mkdir -p ${GITEA_APP_INI_DIR} && chmod 0700 ${GITEA_APP_INI_DIR}
    if [ ! -w ${GITEA_APP_INI_DIR} ]; then echo "${GITEA_APP_INI_DIR} is not writable"; exit 1; fi
--- a/docker/rootless/usr/local/bin/gitea
+++ b/docker/rootless/usr/local/bin/gitea
@ -9,7 +9,7 @@
 # And place the original in /usr/lib/gitea with working files in /data/gitea
 GITEA="/app/gitea/gitea"
 WORK_DIR="/var/lib/gitea"
-APP_INI="/var/lib/gitea/custom/conf/app.ini"
+APP_INI="/etc/gitea/app.ini"

 APP_INI_SET=""
 for i in "$@"; do
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -1145,7 +1145,6 @@ export default tseslint.config(

      'playwright/prefer-comparison-matcher': [2],
      'playwright/prefer-equality-matcher': [2],
-      'playwright/prefer-locator': [0],
      'playwright/prefer-native-locators': [2],
      'playwright/prefer-to-contain': [2],
      'playwright/prefer-to-have-length': [2],
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "lastModified": 1762977756,
+        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
        "type": "github"
      },
      "original": {
--- a/go.mod
+++ b/go.mod
@ -1,215 +1,226 @@
 module forgejo.org

-go 1.26.0
+go 1.25.0

-toolchain go1.26.4
+toolchain go1.25.9

 require (
-	code.forgejo.org/f3/gof3/v3 v3.11.15
-	code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20260301104140-add494e31dab
-	code.forgejo.org/forgejo/actions-proto v0.7.0
+	code.forgejo.org/f3/gof3/v3 v3.11.1
+	code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251
+	code.forgejo.org/forgejo/actions-proto v0.6.0
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
-	code.forgejo.org/forgejo/levelqueue v1.1.0
+	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.12.0
+	code.forgejo.org/forgejo/runner/v12 v12.6.4
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
-	code.forgejo.org/go-chi/session v1.0.4
-	code.forgejo.org/xorm/xorm v1.4.0
+	code.forgejo.org/go-chi/session v1.0.2
 	code.gitea.io/sdk/gitea v0.21.0
+	code.superseriousbusiness.org/exif-terminator v0.11.1
+	code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
-	connectrpc.com/connect v1.20.0
+	connectrpc.com/connect v1.19.1
 	github.com/42wim/httpsig v1.2.3
 	github.com/42wim/sshsig v0.0.0-20250502153856-5100632e8920
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
-	github.com/ProtonMail/go-crypto v1.4.1
-	github.com/PuerkitoBio/goquery v1.12.0
-	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.9.0
-	github.com/alecthomas/chroma/v2 v2.23.1
+	github.com/ProtonMail/go-crypto v1.3.0
+	github.com/PuerkitoBio/goquery v1.10.3
+	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2
+	github.com/alecthomas/chroma/v2 v2.20.0
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
-	github.com/blevesearch/bleve/v2 v2.6.0
+	github.com/blevesearch/bleve/v2 v2.5.6
 	github.com/buildkite/terminal-to-html/v3 v3.16.8
-	github.com/caddyserver/certmagic v0.25.3
+	github.com/caddyserver/certmagic v0.24.0
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707
+	github.com/dsoprea/go-exif/v3 v3.0.1
 	github.com/dustin/go-humanize v1.0.1
 	github.com/editorconfig/editorconfig-core-go/v2 v2.6.4
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
-	github.com/fsnotify/fsnotify v1.10.1
-	github.com/gdgvda/cron v0.7.0
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
-	github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc
+	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
 	github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77
-	github.com/go-chi/chi/v5 v5.2.5
+	github.com/go-chi/chi/v5 v5.2.4
 	github.com/go-chi/cors v1.2.2
 	github.com/go-co-op/gocron v1.37.0
-	github.com/go-enry/go-enry/v2 v2.9.6
+	github.com/go-enry/go-enry/v2 v2.9.2
 	github.com/go-ldap/ldap/v3 v3.4.12
-	github.com/go-openapi/spec v0.22.5
-	github.com/go-sql-driver/mysql v1.10.0
-	github.com/go-webauthn/webauthn v0.16.5
+	github.com/go-openapi/spec v0.22.1
+	github.com/go-sql-driver/mysql v1.9.3
+	github.com/go-webauthn/webauthn v0.14.0
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v81 v81.0.0
-	github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc
+	github.com/google/pprof v0.0.0-20251114195745-4902fdda35c8
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
 	github.com/gorilla/sessions v1.4.0
-	github.com/hashicorp/go-version v1.8.0
+	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
-	github.com/inbucket/html2text v1.0.0
-	github.com/jackc/pgx/v5 v5.10.0
+	github.com/inbucket/html2text v0.9.0
+	github.com/jackc/pgx/v5 v5.9.0
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.18.6
-	github.com/klauspost/cpuid/v2 v2.3.0
-	github.com/markbates/goth v1.82.0
-	github.com/mattn/go-isatty v0.0.22
-	github.com/mattn/go-sqlite3 v1.14.46
-	github.com/meilisearch/meilisearch-go v0.36.2
+	github.com/klauspost/compress v1.18.3
+	github.com/klauspost/cpuid/v2 v2.2.11
+	github.com/markbates/goth v1.80.0
+	github.com/mattn/go-isatty v0.0.20
+	github.com/mattn/go-sqlite3 v1.14.34
+	github.com/meilisearch/meilisearch-go v0.34.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/minio/minio-go/v7 v7.1.0
+	github.com/minio/minio-go/v7 v7.0.95
 	github.com/msteinert/pam/v2 v2.1.0
 	github.com/niklasfasching/go-org v1.9.1
 	github.com/olivere/elastic/v7 v7.0.32
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/pquerna/otp v1.5.0
+	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.21.1
-	github.com/redis/go-redis/v9 v9.20.1
+	github.com/redis/go-redis/v9 v9.17.2
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sergi/go-diff v1.4.0
-	github.com/sourcegraph/zoekt v0.0.0-20260114143800-c747a3bccc2a
 	github.com/stretchr/testify v1.11.1
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/ulikunitz/xz v0.5.15
-	github.com/urfave/cli/v3 v3.9.1
-	github.com/valyala/fastjson v1.6.10
+	github.com/urfave/cli/v3 v3.5.0
+	github.com/valyala/fastjson v1.6.7
 	github.com/yohcop/openid-go v1.0.1
-	github.com/yuin/goldmark v1.8.2
+	github.com/yuin/goldmark v1.7.13
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.143.2
+	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/crypto v0.53.0
-	golang.org/x/image v0.43.0
-	golang.org/x/net v0.56.0
-	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sync v0.21.0
-	golang.org/x/sys v0.46.0
-	golang.org/x/text v0.38.0
-	golang.org/x/tools v0.46.0
+	golang.org/x/crypto v0.49.0
+	golang.org/x/image v0.39.0
+	golang.org/x/net v0.52.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.20.0
+	golang.org/x/sys v0.42.0
+	golang.org/x/text v0.36.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
-	gopkg.in/ini.v1 v1.67.3
-	mvdan.cc/xurls/v2 v2.6.0
+	gopkg.in/ini.v1 v1.67.0
+	mvdan.cc/xurls/v2 v2.5.0
 	xorm.io/builder v0.3.13
+	xorm.io/xorm v1.3.9
 )

 require (
-	cloud.google.com/go/compute/metadata v0.9.0 // indirect
-	filippo.io/edwards25519 v1.2.0 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 // indirect
+	filippo.io/edwards25519 v1.1.1 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
-	github.com/RoaringBitmap/roaring v1.9.4 // indirect
-	github.com/RoaringBitmap/roaring/v2 v2.14.5 // indirect
+	github.com/RoaringBitmap/roaring/v2 v2.4.5 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.24.2 // indirect
-	github.com/blevesearch/bleve_index_api v1.3.11 // indirect
-	github.com/blevesearch/geo v0.2.5 // indirect
-	github.com/blevesearch/go-faiss v1.1.0 // indirect
+	github.com/bits-and-blooms/bitset v1.22.0 // indirect
+	github.com/blevesearch/bleve_index_api v1.2.11 // indirect
+	github.com/blevesearch/geo v0.2.4 // indirect
+	github.com/blevesearch/go-faiss v1.0.26 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
-	github.com/blevesearch/mmap-go v1.2.0 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.4.7 // indirect
+	github.com/blevesearch/mmap-go v1.0.4 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.3.13 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
-	github.com/blevesearch/vellum v1.2.0 // indirect
-	github.com/blevesearch/zapx/v11 v11.4.3 // indirect
-	github.com/blevesearch/zapx/v12 v12.4.3 // indirect
-	github.com/blevesearch/zapx/v13 v13.4.3 // indirect
-	github.com/blevesearch/zapx/v14 v14.4.3 // indirect
-	github.com/blevesearch/zapx/v15 v15.4.3 // indirect
-	github.com/blevesearch/zapx/v16 v16.3.4 // indirect
-	github.com/blevesearch/zapx/v17 v17.1.2 // indirect
-	github.com/bmatcuk/doublestar v1.3.4 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
+	github.com/blevesearch/vellum v1.1.0 // indirect
+	github.com/blevesearch/zapx/v11 v11.4.2 // indirect
+	github.com/blevesearch/zapx/v12 v12.4.2 // indirect
+	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
+	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
+	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
+	github.com/blevesearch/zapx/v16 v16.2.7 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.1 // indirect
 	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20250403215159-8d39553ac7cf // indirect
-	github.com/caddyserver/zerossl v0.1.5 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/dsoprea/go-iptc v0.0.0-20200609062250-162ae6b44feb // indirect
+	github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect
+	github.com/dsoprea/go-photoshop-info-format v0.0.0-20200609050348-3db9b63b202c // indirect
+	github.com/dsoprea/go-utility/v2 v2.0.0-20221003172846-a3e1774ef349 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
-	github.com/fatih/color v1.19.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
-	github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.8.0 // indirect
+	github.com/go-git/go-git/v5 v5.18.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-openapi/jsonpointer v0.23.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.5 // indirect
-	github.com/go-openapi/swag/conv v0.26.0 // indirect
-	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
-	github.com/go-openapi/swag/jsonutils v0.26.0 // indirect
-	github.com/go-openapi/swag/loading v0.26.0 // indirect
-	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
-	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
-	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/x v0.2.3 // indirect
-	github.com/golang/snappy v1.0.0 // indirect
-	github.com/google/btree v1.1.3 // indirect
+	github.com/go-openapi/jsonpointer v0.22.3 // indirect
+	github.com/go-openapi/jsonreference v0.21.3 // indirect
+	github.com/go-openapi/swag/conv v0.25.3 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.3 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.3 // indirect
+	github.com/go-openapi/swag/loading v0.25.3 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.3 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.3 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.3 // indirect
+	github.com/go-webauthn/x v0.1.25 // indirect
+	github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.8 // indirect
+	github.com/google/go-tpm v0.9.5 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/grafana/regexp v0.0.0-20240607082908-2cb410fa05da // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/libdns/libdns v1.1.1 // indirect
+	github.com/lib/pq v1.11.2 // indirect
+	github.com/libdns/libdns v1.0.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-runewidth v0.0.21 // indirect
+	github.com/mattn/go-runewidth v0.0.17 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/mholt/acmez/v3 v3.1.6 // indirect
-	github.com/miekg/dns v1.1.72 // indirect
+	github.com/mholt/acmez/v3 v3.1.2 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
 	github.com/mikelolasagasti/xz v1.0.1 // indirect
-	github.com/minio/crc64nvme v1.1.1 // indirect
+	github.com/minio/crc64nvme v1.0.2 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/minlz v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
@ -220,8 +231,6 @@ require (
 	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/olekukonko/tablewriter v1.0.7 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/onsi/gomega v1.34.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@ -229,32 +238,30 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rhysd/actionlint v1.7.12 // indirect
+	github.com/rhysd/actionlint v1.7.10 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
-	github.com/sourcegraph/go-ctags v0.0.0-20250729094530-349a251d78d8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.6.4 // indirect
+	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
-	github.com/zeebo/xxh3 v1.1.0 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.1 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/mod v0.37.0 // indirect
-	golang.org/x/time v0.15.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

@ -265,3 +272,5 @@ replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.
 replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616

 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
+
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.8
--- a/go.sum
+++ b/go.sum
--- a/manifest.scm
+++ b/manifest.scm
@ -11,62 +11,28 @@
 ;;; made available to fetch required Go and Node dependencies.
 ;;;
 #|
-
 guix shell -CNF --share=$HOME -m manifest.scm
 export GOTOOLCHAIN=local     # to use the Go binary from Guix
 export CC=gcc CGO_ENABLED=1
-# The following is to preserve debug info symbols:
-export STRIP=0 CGO_CFLAGS='-O0 -g' EXTRA_GOFLAGS='-gcflags="all=-N -l"'
 export TAGS="timetzdata sqlite sqlite_unlock_notify"
 make clean
 make -j$(nproc)
 make test -j$(nproc)         # run unit tests
 make test-sqlite -j$(nproc)  # run integration tests
 make watch                   # run an instance/rebuild on changes
-
-# For debugging, you can either attach the delve debugger like this:
-dlv attach $(pgrep gitea)
-
-# Or start Forgejo directly with it:
-dlv exec ./gitea
-
 |#
-
-(use-modules (guix packages)
-             (guix utils))
-
-(define go-1.26                         ;minimal version required by Forgejo
-  (specification->package "go@1.26"))
-
-(define (package-with-go base go)
-  "Return a variant of BASE, a Guix package object built with GO, another
-package."
-  (package/inherit base
-    (arguments (ensure-keyword-arguments (package-arguments base)
-                                         (list #:go go)))))
-
-(define packages-for-debugging
-  (list (specification->package "procps")   ;pgrep
-        (package-with-go (specification->package "delve") go-1.26)     ;debugger
-        (package-with-go (specification->package "gomacro") go-1.26))) ;Go REPL
-
-(concatenate-manifests
- (list
-  (packages->manifest
-   (append (list go-1.26)
-           packages-for-debugging))
-  (specifications->manifest
-   (list "bash-minimal"
-         "coreutils"
-         "diffutils"
-         "findutils"
-         "gcc-toolchain"
-         "git"                            ;libpcre support is required
-         "git-lfs"
-         "gnupg"
-         "grep"
-         "make"
-         "node"
-         "nss-certs"
-         "openssh"
-         "sed"))))
+(specifications->manifest
+ (list "bash-minimal"
+       "coreutils"
+       "findutils"
+       "gcc-toolchain"
+       "git"                            ;libpcre support is required
+       "git-lfs"
+       "gnupg"
+       "go"
+       "grep"
+       "make"
+       "node"
+       "nss-certs"
+       "openssh"
+       "sed"))
--- a/models/actions/TestActionTask_GetAvailableJobsForRunner/action_run.yml
+++ b/models/actions/TestActionTask_GetAvailableJobsForRunner/action_run.yml
@ -1,29 +0,0 @@
- id: 50401
-  title: .forgejo/workflows/test.yaml
-  repo_id: 62 # test_workflows
-  owner_id: 2
-  workflow_id: test.yaml
-  workflow_directory: .forgejo/workflows
-  status: 5 # waiting
-  priority: 0
-  prioritize: false
-
- id: 50402
-  title: .forgejo/workflows/test.yaml
-  repo_id: 62 # test_workflows
-  owner_id: 2
-  workflow_id: test.yaml
-  workflow_directory: .forgejo/workflows
-  status: 5 # waiting
-  priority: 1
-  prioritize: false
-
- id: 50403
-  title: .forgejo/workflows/test.yaml
-  repo_id: 62 # test_workflows
-  owner_id: 2
-  workflow_id: test.yaml
-  workflow_directory: .forgejo/workflows
-  status: 5 # waiting
-  priority: 0
-  prioritize: false
--- a/Show more
+++ b/Show more
 @ -1 +1 @@
 .17.0
 .12.0