Commit graph

1,963 commits

Author SHA1 Message Date
Mathieu Fenniak
4b83448b7d 2026-06-10 security patches (#13001)
- fix: prevent stored XSS in user display name on Actions page
- fix: LFS locks must belong to the intended repo, port from Gitea
- fix: prevent unauthorized access to draft releases via API
- fix: prevent writes to OpenID visibility which may affect other users
- fix: prevent viewing private PRs that are linked to public issues on public projects

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13001
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
2026-06-10 06:05:01 +02:00
OFHansen
bb5919ea87 feat(api): add new /repos/{owner}/{repo}/actions/runs/{run_id}/cancel API endpoint (#12957)
This new API endpoint makes it possible to cancel action runs via the API. Previously this was only natively possible through the UI, the same `CancelRun` func has been reused for this feature.

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12957): <!--number 12957 --><!--line 0 --><!--description ZmVhdChhcGkpOiBhZGQgbmV3IGAvcmVwb3Mve293bmVyfS97cmVwb30vYWN0aW9ucy9ydW5zL3tydW5faWR9L2NhbmNlbGAgQVBJIGVuZHBvaW50-->feat(api): add new `/repos/{owner}/{repo}/actions/runs/{run_id}/cancel` API endpoint<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12957
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-09 04:00:56 +02:00
steven.guiheux
3dc2b52b5f fix: multiline comment invalidation (#12950)
Found issues during the process of invalidation of a multiline comment (link to #12582):
* Update a line in the middle of the comment
* Update/Delete the last line of the comment

No problem with:
* Deleting a line in the middle of the comment
* Update/Delete the first line of the comment

I added all these cases in the pull_review_test.go

### Tests for Go changes

- I added test coverage for Go changes...
  - [X] in their respective `*_test.go` for unit tests.
- I ran...
  - [X] `make pr-go` before pushing

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12950
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-09 03:07:56 +02:00
AverageHelper
408572dd35 feat: in-browser validation of website URLs for user, repository, and organization profiles (#12991)
This PR pertains to the client-side validation of the Website input on user, repo, and org profiles. #12962 extends `[service].VALID_SITE_URL_SCHEMES` to cover Website fields on repo and org profiles, where before that config key only applied to the one on user profiles. If that change merges, it will then be possible to construct an HTML [`pattern`](https://developer.mozilla.org/docs/Web/HTML/Reference/Elements/input#pattern) attribute for general use on any Website form input that the server validates this way, thus enabling browsers to catch errors early relating to URL scheme confusion.

This PR (1) introduces such a `pattern` attribute, and (2) adds a new UI note to make clear to users which URL schemes are permitted. This change helps explain the browser's otherwise cryptic error messages regarding pattern mismatch, while also letting users know what URI schemes the Forgejo instance supports as Website links (e.g. gemini:// URLs).

![A text field labeled "Website", with a note below which reads, "Allowed URL schemes include: http, https"](/attachments/304e17ee-b5aa-414e-a4fa-d48639336c6c)

This MUST NOT merge before #12962. To do so would introduce a regression wherein the UI may suggest and validate a different set of allowed URL schemes than the server actually permits.

See also #5519

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12991
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-06-08 17:35:15 +02:00
AverageHelper
0e283c5485 feat: apply service.VALID_SITE_URL_SCHEMES to apply to repository and organization profiles (#12962)
Turns out this was a one-line fix for each affected field (change the binding from `ValidUrl` to `ValidSiteUrl`), but the tests are rather verbose. The tests are, however, each a simple flow of Create Thing > Try HTTP Website > Try Different Website (notice failure) > Try Different Website With New Config (notice success). I wrote this PR by adding failing tests first, then making the change, for each affected field.

Not sure if this should be "feat:" or "fix:" tbh. I figured "fix:" for this PR since IMO the expected behavior is for `VALID_SITE_URL_SCHEMES` to apply in each of these cases, not only for user profiles via the UI form. (Later changed to "feat:" at @limiting-factor's suggestion, based on the observation that this change extends documented behavior.)

This PR deals with the server-side validation only. #12991 covers client-side validation (deriving a `pattern` attribute from `VALID_SITE_URL_SCHEMES`, etc.)

Closes #5519

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12962
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
2026-06-08 15:17:51 +02:00
rgon
c956dae73d feat: adds option to force overwrite new branch for /contents route (#12663)
Adds an option "force_overwrite_new_branch" when posting to
/repos/{owner}/{repo}/contents to modify multiple files in a repository.
When user provides both "branch" and "new_branch" options, and
"new_branch" already exists, the "force_overwrite_new_branch" option
allows the user to overwrite the existing branch. Under the hood this
amounts to a "git push --force".

[Issue #12600](https://codeberg.org/forgejo/forgejo/issues/12600)

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
- [x] API swagger docs updated

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: Rob Gonnella <rob.gonnella@papayapay.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12663
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-06 16:45:57 +02:00
Clouds
044f3d95b6 chore: re-enable nilnil lint for models/actions/task.go (#12768)
I added sentinel error values for jobs not being found and no jobs being updated by the `CreateTaskForRunner` function. This avoids the nilnil antipattern and allows the nilnil lint to be enabled for the `models/actions/task.go` file again.

The handling of these new errors was added to the `PickTask` function in `services/actions/task.go`.

Related issue: https://codeberg.org/forgejo/forgejo/issues/11261

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12768
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
2026-06-05 01:38:23 +02:00
steven.guiheux
6a27eb051d feat(api,ui): add multiline comment on pullrequest (#12582)
Closes https://codeberg.org/forgejo/forgejo/issues/6093

This PR adds support for **multi-line review comments** on pull requests, allowing reviewers to select a range of lines in diffs instead of only a single line — similar to GitHub's implementation.

### Tests for Go changes

- I added test coverage for Go changes...
  - [X] in their respective `*_test.go` for unit tests.
  - [X] `make pr-go` before pushing

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12582
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-03 16:06:29 +02:00
Yashwanth Rathakrishnan
cce8152879 feat(ui): commit view redesign for pull request page (#7948)
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7948
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-06-02 20:12:32 +02:00
0ko
eb76582261 chore(e2e): refactor "Toggle visibility" org-members test (#12871)
This test fails very often in CI. This should hopefully improve it.

With a downclocked CPU I've got 2 errors in 10 tries. After adding

```
await page.waitForLoadState();
```

I got no errors in 20 tries. But my testing methodology is unreliable so there's no guarantee that this helps:
* `Locator.click()` documentation says that it already waits by default for caused navigation to finish
* I added some `date` time measurement and `waitForLoadState` was clocking in about 5-15 ms, which shouldn't be causing the issue for `expect` that times out in 3000ms
...but e2e issues were `element(s) not found` on timeout, not wrong state, so my assumption is that somehow it is asserting the wrong snapshot of a page that isn't fully loaded

Additionally, I've converted _revertion_ logic to _make consistent before testing_, which is better at handling test retries in case that the _revertion_ part of the code was never ran in previous failure. In such case test retry is guaranteed to fail as well, at least when testing locally, not sure about CI.

Additionally, a completely unrelated comment fix in Playwright config.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12871
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-02 14:52:01 +02:00
oliverpool
d11bd64691 refactor(tests): drop the need to compile gitea binary manually (#12855)
Thanks to forgejo/forgejo!10397 (by @voidcontext), the binary called on git hooks can now be dynamically set.

**This means that we can now run tests without needing to run `make gitea` first**! No more `Could not find gitea binary` or head-banging, when one forgets to re-compile it 🎉

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12855
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-02 00:04:50 +02:00
Antonin Delpeuch
19e1f58144 fix: adjust workflow link for pull_request_target workflow runs (#12734)
Fixes #12660, reported by @mahlzahn.

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] <s>`make pr-go` before pushing</s> because the OOM killer kills it before it does anything useful

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12734
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-01 15:03:29 +02:00
oliverpool
216ff5c8fd refactor(tests): use forgery.CreateRepository in more places (#12555)
Followup of #11356 to convert `tests.CreateDeclarativeRepo` to `forgery.CreateRepository` (34 occurrences remaining after this PR - 39 occurrences replaced here).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12555
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-01 11:59:05 +02:00
oliverpool
ee846b3c96 cleanup(tests): remove unused git hooks directories in testdata (#12824)
Since forgejo/forgejo!10397 and forgejo/forgejo!12335 have landed, there shouldn't be a need for the `hooks` directory in each repository.

This PR cleans up the `tests/gitea-repositories-meta/*` testdata.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12824
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-31 20:24:25 +02:00
oliverpool
8c3c3ca5db refactor(forgery): CreateProject helper to reduce dependency on global fixture when testing (#12796)
While working on #11356, I noticed https://codeberg.org/forgejo/forgejo/pulls/9906#issuecomment-10826066 which could have benefited from a `forgery.CreateProject` helper.
Since this helper wasn't available, the PR had to:
- adjust the global `project.yml` fixture
- fix the unrelated `models/project/project_test.go`, because of the fixture update

So 2/4 changed files in the PR were due to the usage of global fixtures.

This PR attempts at fixing this.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12796
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
2026-05-31 16:46:54 +02:00
oliverpool
fcce196fb8 fix(git): treat missing hooks folder the same as missing hook file (#12833)
Extracted from #12824 on suggestion of @limiting-factor; refactored after @Gusted pointed out forgejo/forgejo!12335.

Behavior change: previously a missing `hooks` folder in a repository tree (should not happen before forgejo/forgejo!12335) would return a 500 on `/api/v1/repos/%s/hooks/git`. It now returns a 200, with the same reply as an empty `hooks` folder.

Test has been added to ensure correct handling of missing `hooks` folder and of its creation if necessary.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12833
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
2026-05-31 14:41:28 +02:00
abidos
5b7bcf042c fix: make email token extraction case-insensitive (#12460)
Resolves forgejo/forgejo#12436

Uppercase the token before verification as verification is case-sensitive. Some mail clients might've lower cased.

Co-authored-by: Abidos <abdullah.sowilah@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12460
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-30 13:29:28 +02:00
limiting-factor
4ce9f2b061 fix: always display the pull request merge box if there are actions pending approval (#12785)
For the same reason the merge box is displayed when the user can delete the branch from which the pull request was proposed, the trust panel must be displayed when runs are waiting approval, either for information or to approve/deny runs from untrusted users.

Closes forgejo/forgejo#12576

---

Note that since this is a followup of https://codeberg.org/forgejo/forgejo/pulls/12704/files and it has not yet been released, there is no need for a mention in the release notes.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12785
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-30 02:56:47 +02:00
limiting-factor
ec0e0399d8 fix: show the actions trust management panel when runs from trusted users are pending approval (#12812)
When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied.

The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user.

Closes forgejo/forgejo#12811

---

## Alternative implementation

An alternative implementation would be to approve all pending runs whenever the trust status of a user changes. That would require that change to happen when the user joins a team with permissions to run actions, becomes an admin, a collaborator to a repository with write access or when a repository ownership is transferred to an organization where the user already has such rights.

Such an implementation would save the effort of manually taking care of the runs pending approval for the now trusted user. But it would also be fragile to maintain because it would need a complete inventory of all the ways a user can become trusted. Or some kind of notification triggered whenever such an event happens, which is not currently in place.

Since this is a rare case and the manual operation is simple, I think the easiest fix consisting of showing the trust panel regardless of the trust status of the user is acceptable.

## Lingering rows in `ActionUser`

If a newly trusted user is explicitly always trusted **after** being implicitly trusted, a row is created in `ActionUser`. But the `Revoke` button will never show, because the user is now implicitly trusted. This leaves a lingering row in the `ActionUser` table. Such a row will be [removed](!9397 (commit e41bcf5048)) eventually and not clutter the table.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12812): <!--number 12812 --><!--line 0 --><!--description Zml4OiBzaG93IHRoZSBhY3Rpb25zIHRydXN0IG1hbmFnZW1lbnQgcGFuZWwgd2hlbiBydW5zIGZyb20gdHJ1c3RlZCB1c2VycyBhcmUgcGVuZGluZyBhcHByb3ZhbA==-->fix: show the actions trust management panel when runs from trusted users are pending approval<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12812
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-30 02:55:17 +02:00
zachhandley
64bce47672 feat(api): expose action job + run logs via REST (#12666)
Closes #11859 🙂

Wanted to be able to grab action logs from my homelab dashboard without juggling session cookies. Two endpoints so scripts and webhooks can pull logs without scraping the rendered UI:

- `GET /repos/{owner}/{repo}/actions/jobs/{job_id}/logs` returns plaintext for a single job's latest task. The underlying reader is `io.ReadSeekCloser`, so passing it through `http.ServeContent` gives you HTTP `Range:` for free.
- `GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs` streams a zip of every job's logs in the run. If a job hasn't started (`TaskID == 0`), its log expired, or opening the log file fails, the zip gets a `.MISSING` placeholder entry rather than bailing on the whole archive.

Both endpoints get `reqToken()` per-route. Logs can have secrets accidentally echoed into them, so I wanted auth required even though the outer `/repos` group's `tokenRequiresScopes(AccessTokenScopeCategoryRepository)` already covers scope.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. (`tests/integration/api_actions_job_logs_test.go`, `tests/integration/api_actions_run_logs_test.go`)
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it. (The new endpoints are covered by the regenerated swagger spec in this PR; `docs/user/api-usage.md` is general auth/usage guidance and doesn't need changes. Happy to open a docs PR if reviewers prefer.)

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Release note added as `release-notes/12666.md`.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12666
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-30 01:45:32 +02:00
Mathieu Fenniak
de5f38c4ea feat: enable auth to raw resources, release downloads, & attachments via authorized integrations (#12776)
A handful of routes, described in this PR as "mixed routes", are currently accessible by both web-based sessions and authenticated API users.  The goal of this PR is to allow access to these routes for Authorized Integrations as well, bringing them to full API compatibility (to my knowledge) with other authentication methods.  These routes are impacted:
- `/{username}/{repo}/raw/*`
- `/{username}/{repo}/archive/*`
- `/{username}/{repo}/releases/download/{vTag}/{fileName}`
- `/{username}/{repo}/attachments/{uuid}`
- `/attachments/{uuid}`

The major work in this PR was to refactoring the existing authentication methods so that "path based matching" that they were currently doing was no longer required, as I didn't want to introduce that into Authorized Integrations.  All the path based matching is removed in this PR, and authentication methods are enabled entirely by the middleware applied to their endpoints.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12776
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 02:11:43 +02:00
Mathieu Fenniak
cdd35458a9 feat: enable auth to git LFS via authorized integrations (#12725)
The goal is to enable access to Git LFS resources with Authorized Integrations JWTs.

Blocker that needed to be resolved is that adding the `AuthorizedIntegration` auth method would conflict with the LFS tokens, which are handed out during git ssh clones to allow access to LFS resources -- `AuthorizedIntegration` would mark these as `AuthenticationAttemptedIncorrectCredential`, and therefore the requests would 401 before they got to the LFS-specific token validation routines.  The fix is to move LFS token authentication into an authentication group so that it could be resolved at the same time as the authorized integration, rather than doing it inside the LFS server routines.

Refactors for LFS tokens are covered by refreshed test automation.  Authorized integrations LFS Access has been manually tested, and will be further covered in an end-to-end integration test (https://code.forgejo.org/forgejo/end-to-end/pulls/1954).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12725
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 23:20:58 +02:00
numen
427457946b feat(api): return created time in /org/{org} endpoint (#12633)
closes #4126

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12633
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 21:25:41 +02:00
Shiny Nematoda
6f5df4fae6 fix(ui): fix typo in issue sort dropdown; relevance was misnamed as relevency (#12771)
closes #12769

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12771
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
2026-05-28 20:48:25 +02:00
Gusted
6c85dffb78 fix: load repo language for converting to api struct (#12737)
Load the primary language of the repository when it's converted to a API struct. This is simpler than adding `LoadAttributes` to a lot of places.

Resolves forgejo/forgejo#12729

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12737
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-28 17:00:40 +02:00
Andreas Ahlenstorf
fa5a2501d0 fix: do not hide previous attempts without task for latest attempt (#12779)
If a Forgejo Actions job was run more than once, Forgejo would not display previous attempts if no `ActionTask` existed for the latest attempt. That is the case when a job is cancelled or skipped before having been dispatched to a runner or while it is waiting for a runner. This is fixed by always loading all existing attempts.

Resolves #12626.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12779
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-28 15:16:48 +02:00
oliverpool
68858a9de2 fix: enable "Add more..." unit hint for new users (#12565)
For new users, the `EnableRepoUnitHints` is set to false while I think that the original intent of #2221 was to set it to true (the migration set it to true for already existing users in `AddUserRepoUnitHintsSetting`).

This PR sets its to true upon user creation.

![screenshot showing the `Add more...` hint - from the original PR](https://codeberg.org/forgejo/forgejo/attachments/dc654ddd-e7cb-4667-b0d3-3fac39776be3)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12565
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-27 20:44:44 +02:00
oliverpool
fd283c80b7 feat: add hint to disable the "Enable more" units hint (#12747)
Following the feedback in #12565, this adds a hint to the units page when the "Enable more" hint is enabled:

![image](/attachments/32dac116-9f25-498d-9ef0-8b18b06cfc53)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12747
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-27 20:43:47 +02:00
Mathieu Fenniak
b18d28b3b5 fix: debian package cleanup failure due to xorm connection corruption (#12764)
Fixes #12645.  Detailed analysis in [this comment](https://codeberg.org/forgejo/forgejo/issues/12645#issuecomment-15939122).  New test case is verified to hit the bug -- the previous case just narrowly missed the problem because it ended up with an empty repository index.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12764
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-27 17:47:11 +02:00
Mathieu Fenniak
dfdd9b2e2a fix: check quota in LFS uploads against the repository owner, not operating user (#12755)
Follow-up to the previously closed #12437; verifies git LFS quotas are checked against the repository owner not the current actor.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12755): <!--number 12755 --><!--line 0 --><!--description Y2hlY2sgcXVvdGEgaW4gTEZTIHVwbG9hZHMgYWdhaW5zdCB0aGUgcmVwb3NpdG9yeSBvd25lciwgbm90IG9wZXJhdGluZyB1c2Vy-->check quota in LFS uploads against the repository owner, not operating user<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12755
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-27 04:31:09 +02:00
Catherine
0c418d2c0e feat: add /api/v1/actions/run endpoint (#12727)
This endpoint returns the Actions run metadata for the automatic token, making it possible for external services to authenticate a specific workflow run and understand its security context (e.g. whether it is a pull request run and if yes what pull request it is).

The concrete motivating case for this feature is safe pull request preview rendering. Currently, even Forgejo itself ([forgejo/docs](https://codeberg.org/forgejo/docs/src/branch/next/.forgejo/workflows/pr.yml), [forgejo/website](https://codeberg.org/forgejo/website/src/branch/main/.forgejo/workflows/pr.yml)) uses carefully managed `pull_request_target` workflows for this task. The `pull_request_target` workflow type coupled with intentionally cloning the merge head is widely recognized as insecure, including by Forgejo developers. However, right now there is no particularly good replacement for this approach: Forgejo doesn't expose enough metadata to grant an Actions run permissions to update a part of a website, and only that part (by whichever mechanism this would happen).

I am one of the developers of [git-pages](https://codeberg.org/git-pages/git-pages), which is used as the new Codeberg Pages backend. I would like to implement native support for pull request previews that does not rely on carefully written but still fragile workflows that try to hide authorization tokens from untrusted code, but rather recognizes "pull request Actions run" as a unique kind of security context, and allow it to publish to a special "preview zone", segregated by the repository name and PR number. To do this I need to be able to authorize a specific workflow run. Right now there's no reasonable way to do this, but with the new endpoint it becomes trivial: actions/git-pages passes the automatic token to git-pages, git-pages asks Forgejo for metadata then forms an authorized site URL (e.g. `http://<reponame>-<username>-pr-<number>.preview.codeberg.page` though this is not the final format) to which this PR workflow may upload a site.

The API endpoint implemented in this PR has been discussed in the Matrix room and I understood that this change would be uncontroversial, hence I'm sending this PR right away instead of opening a feature request first. It doesn't introduce new response types, only returns an `ActionRun` for the authorization token. The namespaced URL `/api/v1/actions/run` was chosen because there are a number of things one could conceivably want to retrieve (e.g. `/api/v1/actions/job`); this specific endpoint seems by far the most useful though.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [x] I did not document these changes and I do not expect someone else to do it.
  The new API endpint is surfaced in Swagger, which seems sufficient.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12727
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: crystal <crystal@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-26 16:03:21 +02:00
Andreas Ahlenstorf
761ed894c5 fix: workflow with pull_request trigger and path filter not run when merging (#12739)
Forgejo would not trigger Actions workflows `on: pull_request:` with `paths:` or `paths-ignore:` filters when the pull request was merged. The reason was that the triggers were evaluated after the PR was merged, but Forgejo still looked for changed files between the base branch and the PR's HEAD, which by then was already in the base branch.

Resolves https://codeberg.org/forgejo/forgejo/issues/12585.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12739
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-26 03:45:09 +02:00
Mathieu Fenniak
c8d24ff06a feat: enable auth to git HTTP via authorized integrations (#12715)
Allow authentication to git HTTP & git LFS via an authorized integration.

This is the first step in getting rid of OAuth, basic auth, etc.'s usage of [`isGitRawOrAttachPath(req)`](26f18a94ee/services/auth/method/basic.go (L38-L40)).  I don't want to follow that pattern of HTTP route matching in the authentication method, so I've broken the HTTP routes related to git functionality out to using a separate authentication middleware in the top-level `web.Routes` handler.  As this approach is expanded to the other endpoints in order to add support to them for authorized integrations, eventually it will be possible to remove this URL matching completely and just rely on middleware installation.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12715
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-25 19:33:36 +02:00
Gusted
385c0db94f feat: fsck incoming objects (#12695)
Weirdly, git doesn't verify the consistency of objects when receiving
new objects. Enable that git verifies this, so we don't allow a
repository to get in a weird or even corrupt state.

We've already dealt with a few cases of inconsistent objects, the most
notable one being mode of objects (forgejo/forgejo!9161). This can be
risky, as such ignore 3 consistency checks that are not harmful to
ignore and is battle tested by Gitlab.

bad timezone:
692a0d3476

missing space:
2da0b39399

non-zero padded filemode:
db8f2e8da5

Typically we set these settings in `modules/git/git.go`, but that means
a instance administrator wouldn't be able to override it. Given we don't
strictly require these settings to be set. A instance admin could
choose to disable the consistency checks or override our set of ignores
this would allow them to do so via the `[git.config]` section.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12695
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
2026-05-25 14:51:04 +02:00
0ko
c400a3fac7 chore(i18n): May 2026 maintenence (#12718)
* remove two unused strings I identified while doing other things
* update two strings per request of @mahlzahn while avoiding a whole separate PR for this
* move 126 strings to JSON, some are remapped with a better structure
    * previous migration: forgejo/forgejo!12280

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12718
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
2026-05-25 10:59:49 +02:00
numen
3650528262 fix: return API URL in the url field for pull requests using the API (#12643)
closes #10451

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12643): <!--number 12643 --><!--line 0 --><!--description cmV0dXJuIEFQSSBVUkwgaW4gdGhlIGB1cmxgIGZpZWxkIGZvciBwdWxsIHJlcXVlc3RzIHVzaW5nIHRoZSBBUEk=-->return API URL in the `url` field for pull requests using the API<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12643
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-25 04:01:17 +02:00
limiting-factor
5c61808014 fix: display the actions trust management panel on merged and closed pull requests (#12704)
It is possible for a user that is not trusted to run Forgejo Actions workflows on a repository to act on a pull request and trigger a workflow after it is merged or closed. For instance by modifying the title of the pull request or setting a label.

Closes forgejo/forgejo#12576

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12704): <!--number 12704 --><!--line 0 --><!--description ZGlzcGxheSB0aGUgYWN0aW9ucyB0cnVzdCBtYW5hZ2VtZW50IHBhbmVsIG9uIG1lcmdlZCBhbmQgY2xvc2VkIHB1bGwgcmVxdWVzdHM=-->display the actions trust management panel on merged and closed pull requests<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12704
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-23 18:21:21 +02:00
Mathieu Fenniak
6d522ecba0 feat: add "Forgejo Actions (Local)" authorized integration UI (#12672)
Extracts the separate concepts for different UIs out of the original implementation, and then adds the new UI for Forgejo Actions (Local).  Manual end-to-end testing was performed on all variations of the "workflow file", "git reference", and "event" filter options as well.  They're covered by test automation, but not in an end-to-end manner.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
    - Documentation is next up after this change is complete.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12672
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-23 16:26:28 +02:00
limiting-factor
03d336de44 chore: TestAPIInternalAndExternalIssueTracker uses the wrong repository (#12706)
Regression introduced by forgejo/forgejo!11356

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12706
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-23 15:18:38 +02:00
B0sh
e49cb9e772 fix: emoji's should not render in inline code blocks in issue lists (#12644)
This fixes #12548. I used the `RenderRefIssueTitle` function so it wouldn't create issue or PR links from #<number> strings.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12644
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
2026-05-22 13:20:42 +02:00
Gusted
4131cc4159 ench: use GET for lastcommit route (#12670)
When it was introduced the route did receive for which entries it should get the last commit for. It was refactored in 1e29bccddb to HTMX and now simply gets the last commit for all entries.

In the spirit of using the correct HTTP methods, switch it to GET.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12670
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-22 10:40:28 +02:00
Shiny Nematoda
9ba57d5879 fix(issue-search): drop all labels ids if no label (0) is present (#12665)
Previously, only an exact "0" was considered as no label.
This however, lead to inconsistent results when label ids were added manually to the query string.
Such as, "?labels=100,0" or "?labels=0,100".

closes #12649

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12665
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-21 22:21:05 +02:00
guillermodotn
93638e11cc fix: return 404 instead of 500 for non-existing SHA in commit status endpoint (#12476)
API consumers will see a different HTTP status code (404 instead of 500) for invalid SHAs.

Fixes: #12239

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12476
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-21 21:52:34 +02:00
Mathieu Fenniak
29eddd311b chore: upgrade to https://code.forgejo.org/xorm/xorm v1.4.0 (#12639)
Upgrade Forgejo to our forked [xorm v1.4.0](https://code.forgejo.org/xorm/xorm/compare/v1.3.9-forgejo.12...v1.4.0), which is now named `code.forgejo.org/xorm/xorm` to reflect the current expectation that it is a permanent fork.  A small number of API changes were made recently in https://code.forgejo.org/xorm/xorm/issues/120 which are accounted for in this PR, in addition to the module rename.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12639
Reviewed-by: Otto <otto@codeberg.org>
2026-05-20 20:20:08 +02:00
steven.guiheux
0ef80f6b0f feat: expose access token creation date in API responses (#12620)
## Checklist

Following the previous contribution that added admin-level management of user access tokens (particularly useful for bot/service accounts), this change exposes the created_at field in the API response when listing or retrieving access tokens.

This information is needed to implement token rotation policies for these users — knowing when a token was created allows administrators to identify and revoke stale tokens.

### Tests for Go changes

- I added test coverage for Go changes...
  - [X] in their respective `*_test.go` for unit tests.
  - [X] `make pr-go` before pushing

### Documentation

- [X] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [X] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12620): <!--number 12620 --><!--line 0 --><!--description ZXhwb3NlIGFjY2VzcyB0b2tlbiBjcmVhdGlvbiBkYXRlIGluIEFQSSByZXNwb25zZXM=-->expose access token creation date in API responses<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12620
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-20 18:45:38 +02:00
vini sdl
aec047c7b5 fix(ui): fix and simplify org invite template view (#12580)
This fixes #12119 while simplifying the page a bit.

It also drops dependency on `/web_src/css/modules/card.css` module. Only the profile page still relies on it.

As an observation, I find the text "Please click the button below..." quite inadequate as web copy, but I decided to keep it as-is in this pull request.

In the `org.css` changes, I also removed references to two `.organization.invite #invite-box` selectors, since I couldn't find it anywhere in the source code.

Screenshot:
![image](/attachments/07a03b9f-0a69-41ff-b54a-1277783969e3)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12580
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
2026-05-19 21:17:08 +02:00
Mathieu Fenniak
cd5a1173d5 feat: web UI to delete authorized integration (#12632)
Adds a "Delete" option to the authorized integration list.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12632
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-19 17:10:43 +02:00
John Berthels
08949c518a fix: expose API fields for ssh keys (#12517) (#12625)
The original issue only mentions 'Verified', but 'Updated' was also
missing and so is also included.

The integration test only covers the initial `false` state. Attempting
to cover the flip to true seemed to introduce more problems than
benefits (as outlined in `tests/integration/api_keys_test.go`)

Manual testing was performed to check that verifying the key in the web
ui caused the return value to change from false to true in the API
response (using `curl`).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12625
Reviewed-by: Cyborus <cyborus@disroot.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-18 17:44:37 +02:00
Mathieu Fenniak
8d50e7b25e feat: create new authorized integration in web UI (#12613)
Extends work completed in #12601 to enable creating new authorized integrations in the web UI.  This UI is identical to the edit experience, except: "Audience" is only presented once the object is saved, "Save authorized integration is changed to "Create authorized integration", and performing the create redirects to the completed object to access the audience rather than redirecting the list page.

A drop-down menu is used for the "UI" of the new authorized integration, even though only the generic "write your own rule" UI is currently implemented.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
      - e2e tests here are for complete experience, but aren't for "JavaScript changes" as noted here.

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
    - Documentation coming soon.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12613
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-18 16:13:57 +02:00
IRONM00N
d130e1ee94 feat: add option to use preferred_username claim when registering users via oauth2 (#12504)
This is a continuation of #3346 based on the advise of https://codeberg.org/forgejo/forgejo/issues/1452#issuecomment-14591307.

fixes: #1452
docs: https://codeberg.org/forgejo/docs/pulls/1938

Extends the `oauth2_client` `USERNAME` setting to be able to use the `preferred_username` claim.

Co-authored-by: thepaperpilot <thepaperpilot@gmail.com>
Co-authored-by: Anthony Lawn <thepaperpilot@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12504
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-18 00:14:46 +02:00