Commit graph

25,160 commits

Author SHA1 Message Date
Dylan Weijgertze
f1622c4e85 fix(ui): adjust sidebar distances and remove empty p elements (#12864)
I removed the empty `p` elements for accessibility as mentioned in this https://codeberg.org/forgejo/forgejo/pulls/12786#issuecomment-16247117. I also adjusted the spacing for the "reference" text with the divider to have the copy button have the same spacing as other buttons.

## Testing

Navigate to an issue and observe the spacing of the time tracker, reference and dependencies sections.

<table style="width:100%">
  <tr>
    <td>Before</td>
    <td>After</td>
  </tr>
  <tr>
    <td><img width="250" src="/attachments/a4e14050-1d14-457c-9d4f-ec9ac1ae3bcc" /></td>
    <td><img width="250" src="/attachments/3ab4445c-9f14-49d7-ac77-a7d69e914e58" /></td>
  </tr>
</table>

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12864
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-06-01 12:14:01 +02:00
oliverpool
216ff5c8fd refactor(tests): use forgery.CreateRepository in more places (#12555)
Followup of #11356 to convert `tests.CreateDeclarativeRepo` to `forgery.CreateRepository` (34 occurrences remaining after this PR - 39 occurrences replaced here).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12555
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-01 11:59:05 +02:00
Renovate Bot
dcccb8baee Update dependency webpack-cli to v7.0.3 (forgejo) (#12839)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12839
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-01 11:12:47 +02:00
Renovate Bot
08f399172c Update dependency @vue/test-utils to v2.4.10 (forgejo) (#12858) 2026-06-01 11:12:09 +02:00
Renovate Bot
167f022e8f Update renovate Docker tag to v43.205.2 (forgejo) (#12857) 2026-06-01 11:10:19 +02:00
Renovate Bot
3b7620ff43 Update dependency @stoplight/spectral-cli to v6.16.0 (forgejo) (#12861)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12861
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-01 11:09:42 +02:00
Renovate Bot
95602c7625 Update dependency vite-string-plugin to v2.0.4 (forgejo) (#12859)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12859
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-01 11:09:13 +02:00
oliverpool
ee846b3c96 cleanup(tests): remove unused git hooks directories in testdata (#12824)
Since forgejo/forgejo!10397 and forgejo/forgejo!12335 have landed, there shouldn't be a need for the `hooks` directory in each repository.

This PR cleans up the `tests/gitea-repositories-meta/*` testdata.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12824
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-31 20:24:25 +02:00
Renovate Bot
2214be7f77 Update dependency @playwright/test to v1.60.0 (forgejo) (#12849)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12849
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-31 20:20:28 +02:00
Renovate Bot
ba3f54b283 Update linters (forgejo) (#12848) 2026-05-31 18:09:30 +02:00
oliverpool
8c3c3ca5db refactor(forgery): CreateProject helper to reduce dependency on global fixture when testing (#12796)
While working on #11356, I noticed https://codeberg.org/forgejo/forgejo/pulls/9906#issuecomment-10826066 which could have benefited from a `forgery.CreateProject` helper.
Since this helper wasn't available, the PR had to:
- adjust the global `project.yml` fixture
- fix the unrelated `models/project/project_test.go`, because of the fixture update

So 2/4 changed files in the PR were due to the usage of global fixtures.

This PR attempts at fixing this.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12796
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
2026-05-31 16:46:54 +02:00
Renovate Bot
ff38c2ba7c Update dependency @vitejs/plugin-vue to v6.0.7 (forgejo) (#12847) 2026-05-31 16:20:17 +02:00
Renovate Bot
74e8029ef7 Update dependency @axe-core/playwright to v4.11.3 (forgejo) (#12846) 2026-05-31 16:15:16 +02:00
0ko
5f9745978a chore: update codeowners (#12844)
Make my frontend entry more scoped. I hope that having my notifications not overflowing could allow me to handle reviews more efficiently.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12844
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-31 14:42:17 +02:00
oliverpool
fcce196fb8 fix(git): treat missing hooks folder the same as missing hook file (#12833)
Extracted from #12824 on suggestion of @limiting-factor; refactored after @Gusted pointed out forgejo/forgejo!12335.

Behavior change: previously a missing `hooks` folder in a repository tree (should not happen before forgejo/forgejo!12335) would return a 500 on `/api/v1/repos/%s/hooks/git`. It now returns a 200, with the same reply as an empty `hooks` folder.

Test has been added to ensure correct handling of missing `hooks` folder and of its creation if necessary.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12833
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
2026-05-31 14:41:28 +02:00
Robert Wolff
3bee4ce24e fix(ui): adjust distances and remove a divider in the issue sidebar (#12786)
Some minor changes: coherent distances between heading and descriptions, drop a divider between time tracking related sections.

### Test

1. Go to an issue, add some time tracking and potentially dependencies.
2. Observe improved distances with a user with and once with a user without write permission.

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12786
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-31 10:11:17 +02:00
Mathieu Fenniak
e6119b89c3 fix: remove duplicate indexes in package_blob table (#12836)
Table `package_blob` has both unique indexes, and standard indexes, defined on each of its hash columns.  This PR removes the standard indexes and leaves just the unique indexes, which will reduce disk space usage and improve performance on writing to the table.

Manual testing: confirmed that the indexes are removed by inspecting the database table in my dev environment before and after the migration.

I've reviewed other database tables for similar situations where a unique index is present and non-unique indexes are present but therefore not needed.  I've found no other cases.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12836
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-30 20:59:46 +02:00
Robert Wolff
ef44b777f4 fix: hide some disallowed actions that lead to 404 errors in archived repos (#12773)
This
1. hides the “New issue” button, which currently leads to a 404 page, because it is not useful to have it, e.g., here: https://code.forgejo.org/forgejo/act/issues/169
2. removes the UI ability on projects in archived repos to move around issues and project columns. When a user performs such an action, currently it is shown as it were successful, but actually all requests lead to 404s without warning.
3. hides the hints for synching a fork or creating a pull request for recently pushed branches (which again would lead to 404s)
4. hides the branch selector (only shows the branch) on single issue/PR pages, which is disfunctional on archived repos

Thus, both these changes do not change anything related to what happens to issues or projects in archived repos, but only reduces 404 errors.

I don’t think this needs to be tested more than manually.

## Test

Create first a repository with at least **one issue** in **one project** and edit a file by creating a **new branch**. Then, perform following actions, once in the state where the repository is normal and once when it is archived:

action|unarchived|archived
---|---|---
\1. go to the issue|“New issue” button functional|“New issue” button removed
\2. click on the branch selector|menu opens|menu is now disabled and shows the branch
\3. go to the project|“New issue” button functional|“New issue” button removed
\4. try to move around columns|modifies columns|not possible anymore
\5. try to move around the issue|modifies issue location|not possible anymore
\6. go to the code view|see hint "You pushed …"|do not see this hint anymore

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12773
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-30 14:02:33 +02:00
Gabor Pihaj
efa3f4e2b2 feat: prevent default git templates to be created (#12335)
Prevent examples hooks, description file, and other files from the default template to be created during git init.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12335
Reviewed-by: Otto <otto@codeberg.org>
2026-05-30 14:02:03 +02:00
abidos
5b7bcf042c fix: make email token extraction case-insensitive (#12460)
Resolves forgejo/forgejo#12436

Uppercase the token before verification as verification is case-sensitive. Some mail clients might've lower cased.

Co-authored-by: Abidos <abdullah.sowilah@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12460
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-30 13:29:28 +02:00
Antonin Delpeuch
2f0f42272c fix: re-uploading the same avatar doesn't delete it (#12823)
Fixes #12822.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12823
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-30 13:25:36 +02:00
limiting-factor
4ce9f2b061 fix: always display the pull request merge box if there are actions pending approval (#12785)
For the same reason the merge box is displayed when the user can delete the branch from which the pull request was proposed, the trust panel must be displayed when runs are waiting approval, either for information or to approve/deny runs from untrusted users.

Closes forgejo/forgejo#12576

---

Note that since this is a followup of https://codeberg.org/forgejo/forgejo/pulls/12704/files and it has not yet been released, there is no need for a mention in the release notes.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12785
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-30 02:56:47 +02:00
limiting-factor
ec0e0399d8 fix: show the actions trust management panel when runs from trusted users are pending approval (#12812)
When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied.

The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user.

Closes forgejo/forgejo#12811

---

## Alternative implementation

An alternative implementation would be to approve all pending runs whenever the trust status of a user changes. That would require that change to happen when the user joins a team with permissions to run actions, becomes an admin, a collaborator to a repository with write access or when a repository ownership is transferred to an organization where the user already has such rights.

Such an implementation would save the effort of manually taking care of the runs pending approval for the now trusted user. But it would also be fragile to maintain because it would need a complete inventory of all the ways a user can become trusted. Or some kind of notification triggered whenever such an event happens, which is not currently in place.

Since this is a rare case and the manual operation is simple, I think the easiest fix consisting of showing the trust panel regardless of the trust status of the user is acceptable.

## Lingering rows in `ActionUser`

If a newly trusted user is explicitly always trusted **after** being implicitly trusted, a row is created in `ActionUser`. But the `Revoke` button will never show, because the user is now implicitly trusted. This leaves a lingering row in the `ActionUser` table. Such a row will be [removed](!9397 (commit e41bcf5048)) eventually and not clutter the table.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12812): <!--number 12812 --><!--line 0 --><!--description Zml4OiBzaG93IHRoZSBhY3Rpb25zIHRydXN0IG1hbmFnZW1lbnQgcGFuZWwgd2hlbiBydW5zIGZyb20gdHJ1c3RlZCB1c2VycyBhcmUgcGVuZGluZyBhcHByb3ZhbA==-->fix: show the actions trust management panel when runs from trusted users are pending approval<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12812
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-30 02:55:17 +02:00
zachhandley
64bce47672 feat(api): expose action job + run logs via REST (#12666)
Closes #11859 🙂

Wanted to be able to grab action logs from my homelab dashboard without juggling session cookies. Two endpoints so scripts and webhooks can pull logs without scraping the rendered UI:

- `GET /repos/{owner}/{repo}/actions/jobs/{job_id}/logs` returns plaintext for a single job's latest task. The underlying reader is `io.ReadSeekCloser`, so passing it through `http.ServeContent` gives you HTTP `Range:` for free.
- `GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs` streams a zip of every job's logs in the run. If a job hasn't started (`TaskID == 0`), its log expired, or opening the log file fails, the zip gets a `.MISSING` placeholder entry rather than bailing on the whole archive.

Both endpoints get `reqToken()` per-route. Logs can have secrets accidentally echoed into them, so I wanted auth required even though the outer `/repos` group's `tokenRequiresScopes(AccessTokenScopeCategoryRepository)` already covers scope.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. (`tests/integration/api_actions_job_logs_test.go`, `tests/integration/api_actions_run_logs_test.go`)
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it. (The new endpoints are covered by the regenerated swagger spec in this PR; `docs/user/api-usage.md` is general auth/usage guidance and doesn't need changes. Happy to open a docs PR if reviewers prefer.)

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Release note added as `release-notes/12666.md`.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12666
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-30 01:45:32 +02:00
Renovate Bot
8ab43cbc4c Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.7.0 (forgejo) (#12800)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12800
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 23:12:35 +02:00
Renovate Bot
498a64cc0e Update module github.com/go-swagger/go-swagger/cmd/swagger to v0.34.0 (forgejo) (#12803)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12803
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 23:11:29 +02:00
Andreas Ahlenstorf
9b9457582a fix: keep run in sync when rerunning individual jobs (#12818)
When an individual job is rerun, the run it belongs to has to be kept in sync. For example, the timestamps when the run was started and stopped have to be adjusted accordingly. That didn't happen since https://codeberg.org/forgejo/forgejo/pulls/12141 because the functionality was accidentally omitted.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12818
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-29 22:26:46 +02:00
Renovate Bot
57fde010dd Update module github.com/redis/go-redis/v9 to v9.20.0 (forgejo) (#12804)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) | `v9.19.0` → `v9.20.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fredis%2fgo-redis%2fv9/v9.20.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fredis%2fgo-redis%2fv9/v9.19.0/v9.20.0?slim=true) |

---

### Release Notes

<details>
<summary>redis/go-redis (github.com/redis/go-redis/v9)</summary>

### [`v9.20.0`](https://github.com/redis/go-redis/releases/tag/v9.20.0): 9.20.0

[Compare Source](https://github.com/redis/go-redis/compare/v9.19.0...v9.20.0)

#### 🚀 Highlights

##### Redis 8.8 Support

This release adds support for **Redis 8.8**. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the `8.8` client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

- **`AR*` array data type** ([#&#8203;3813](https://github.com/redis/go-redis/pull/3813)) — new array data structure, exposed via the `ArrayCmdable` interface (see the experimental-features highlight below).
- **`INCREX`** ([#&#8203;3816](https://github.com/redis/go-redis/pull/3816)) — atomic increment with expiration in a single round-trip.
- **`XNACK`** ([#&#8203;3790](https://github.com/redis/go-redis/pull/3790)) — explicit negative-acknowledge of pending stream entries.
- **`XAUTOCLAIM` PEL deletes** ([#&#8203;3798](https://github.com/redis/go-redis/pull/3798)) — `XAUTOCLAIM`/`XAUTOCLAIMJUSTID` now return the list of deleted message IDs from the pending entries list.
- **`TS.RANGE` multiple aggregators** ([#&#8203;3791](https://github.com/redis/go-redis/pull/3791)) — `TS.RANGE`/`TS.REVRANGE`/`TS.MRANGE`/`TS.MREVRANGE` accept multiple aggregators in a single call.
- **`Z(UNION|INTER|DIFF)` `COUNT` aggregator** ([#&#8203;3802](https://github.com/redis/go-redis/pull/3802)) — `COUNT` reducer for sorted-set set operations.
- **`JSON.SET FPHA`** ([#&#8203;3797](https://github.com/redis/go-redis/pull/3797)) — new `FPHA` argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump ([#&#8203;3814](https://github.com/redis/go-redis/pull/3814)) by [@&#8203;ofekshenawa](https://github.com/ofekshenawa). Command coverage contributions by [@&#8203;cxljs](https://github.com/cxljs), [@&#8203;elena-kolevska](https://github.com/elena-kolevska), [@&#8203;Khukharr](https://github.com/Khukharr), [@&#8203;ndyakov](https://github.com/ndyakov), and [@&#8203;ofekshenawa](https://github.com/ofekshenawa).

##### Stable RESP3 for RediSearch (`UnstableResp3` deprecated)

`FT.SEARCH`, `FT.AGGREGATE`, `FT.INFO`, `FT.SPELLCHECK`, and `FT.SYNDUMP` now parse RESP3 (map) responses into the same typed result objects as RESP2 — `Val()` and `Result()` work uniformly on both protocols, no flag required. Previously, RESP3 search responses required `UnstableResp3: true` and were returned as opaque maps accessible only via `RawResult()` / `RawVal()`.

As a result, the `UnstableResp3` option is now a **no-op** across every options struct (`Options`, `ClusterOptions`, `UniversalOptions`, `FailoverOptions`, `RingOptions`) and has been marked `// Deprecated:`. The field is retained for backwards compatibility — existing code that sets `UnstableResp3: true` will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. `RawResult()` / `RawVal()` continue to work for callers that prefer the raw RESP payload.

([#&#8203;3741](https://github.com/redis/go-redis/pull/3741)) by [@&#8203;ndyakov](https://github.com/ndyakov)

##### Experimental Array Data Structure Commands

Adds an experimental `ArrayCmdable` interface with the `AR*` command family (`ARSet`, `ARGet`, `ARGetRange`, `ARMSet`, `ARMGet`, `ARDel`, `ARDelRange`, `ARScan`, `ARSeek`, `ARNext`, `ARLastItems`, `ARGrep`, `ARGrepWithValues`, `ARInfo`/`ARInfoFull`, and typed reducers `AROpSum`/`AROpMin`/`AROpMax`/`AROpAnd`/`AROpOr`/`AROpXor`/`AROpMatch`/`AROpUsed`) for working with Redis 8.8's new array data type. **API is experimental and may change in a future release.**

([#&#8203;3813](https://github.com/redis/go-redis/pull/3813)) by [@&#8203;cxljs](https://github.com/cxljs)

####  New Features

- **RESP3 search parser**: First-class RESP3 parsing for `FT.SEARCH`/`FT.AGGREGATE`/`FT.INFO`/`FT.SPELLCHECK`/`FT.SYNDUMP` responses with backwards compatibility for RESP2 ([#&#8203;3741](https://github.com/redis/go-redis/pull/3741)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **INCREX**: New `INCREX` command support — atomic increment with expiration ([#&#8203;3816](https://github.com/redis/go-redis/pull/3816)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **XNACK**: Client support for the `XNACK` stream command for explicitly negative-acknowledging pending entries ([#&#8203;3790](https://github.com/redis/go-redis/pull/3790)) by [@&#8203;elena-kolevska](https://github.com/elena-kolevska)
- **TS range multiple aggregators**: `TS.RANGE`/`TS.REVRANGE`/`TS.MRANGE`/`TS.MREVRANGE` now accept multiple aggregators in a single call ([#&#8203;3791](https://github.com/redis/go-redis/pull/3791)) by [@&#8203;elena-kolevska](https://github.com/elena-kolevska)
- **`XAutoClaim` deleted IDs**: `XAUTOCLAIM`/`XAUTOCLAIMJUSTID` now return the list of deleted message IDs from the PEL ([#&#8203;3798](https://github.com/redis/go-redis/pull/3798)) by [@&#8203;Khukharr](https://github.com/Khukharr)
- **`JSON.SET FPHA`**: `JSON.SET` accepts a new `FPHA` argument that specifies the floating-point type for homogeneous floating-point arrays ([#&#8203;3797](https://github.com/redis/go-redis/pull/3797)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **Sorted-set union/intersection COUNT**: `ZUNION`/`ZINTER`/`ZDIFF` aggregator now supports `COUNT` ([#&#8203;3802](https://github.com/redis/go-redis/pull/3802)) by [@&#8203;ofekshenawa](https://github.com/ofekshenawa)
- **`FT.HYBRID` vector validation**: Validates hybrid-search vector input types and adds proper typed vector parameters ([#&#8203;3756](https://github.com/redis/go-redis/pull/3756)) by [@&#8203;DengY11](https://github.com/DengY11)
- **Cluster pool wait stats**: `ClusterClient.PoolStats()` now accumulates `WaitCount` and `WaitDurationNs` across all node pools (previously always zero) ([#&#8203;3809](https://github.com/redis/go-redis/pull/3809)) by [@&#8203;LINKIWI](https://github.com/LINKIWI)

#### 🐛 Bug Fixes

- **TLS-only Cluster PubSub**: `CLUSTER SLOTS` port-0 entries now fall back to the origin endpoint's port, fixing `dial tcp <ip>:0: connection refused` on TLS-only clusters started with `--port 0 --tls-port <port>` (fixes [#&#8203;3726](https://github.com/redis/go-redis/issues/3726)) ([#&#8203;3828](https://github.com/redis/go-redis/pull/3828)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **Sharded PubSub reconnect routing**: `PubSub.conn()` now passes both regular (`c.channels`) and sharded (`c.schannels`) channels into the per-PubSub `newConn` closure. Previously, `ClusterClient.SSubscribe`-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the `SSUBSCRIBE` was sent to the wrong shard, and the resulting `MOVED` reply was silently dropped ([#&#8203;3829](https://github.com/redis/go-redis/pull/3829)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **ClusterClient `Watch` retry**: User errors returned from a `Watch` callback are no longer subjected to cluster-retry classification; transient cluster errors still retry, but a callback returning e.g. `net.ErrClosed` short-circuits immediately ([#&#8203;3821](https://github.com/redis/go-redis/pull/3821)) by [@&#8203;obiyang](https://github.com/obiyang)
- **Sentinel concurrent-probe leak**: `MasterAddr`'s concurrent sentinel probe now closes the non-winning sentinel clients instead of leaking them ([#&#8203;3827](https://github.com/redis/go-redis/pull/3827)) by [@&#8203;cxljs](https://github.com/cxljs)
- **Sentinel rediscovery loop on master-only setups**: `replicaAddrs` no longer tears down the cached sentinel client when the replica list is empty, eliminating a continuous rediscovery loop on master-only Sentinel deployments that flooded logs and added per-operation latency ([#&#8203;3795](https://github.com/redis/go-redis/pull/3795)) by [@&#8203;shahyash2609](https://github.com/shahyash2609)
- **Pool `CloseConn` hooks**: `Pool.CloseConn` now triggers registered hooks, fixing a memory leak when connections are closed explicitly rather than via the normal removal path ([#&#8203;3818](https://github.com/redis/go-redis/pull/3818)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **Dial TCP error redirection**: Wrapped `dial tcp` errors are now correctly classified as redirectable so cluster routing can recover from a single unreachable node ([#&#8203;3810](https://github.com/redis/go-redis/pull/3810)) by [@&#8203;vladisa88](https://github.com/vladisa88)
- **Pool `Close` health checks**: `ConnPool.Close` now only runs health checks against idle connections, avoiding spurious activity on connections still in use ([#&#8203;3805](https://github.com/redis/go-redis/pull/3805)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **VLinks return type**: Fixed the return type of `VLINKS`/`VLINKSWITHSCORES` vector-set replies ([#&#8203;3820](https://github.com/redis/go-redis/pull/3820)) by [@&#8203;romanpovol](https://github.com/romanpovol)

#### 🧪 Testing & Infrastructure

- **Flaky tests**: Stabilized several flaky tests in the sentinel and pool suites ([#&#8203;3815](https://github.com/redis/go-redis/pull/3815)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **Sentinel failover metric race**: Fixed a data race in the sentinel failover metric test ([#&#8203;3824](https://github.com/redis/go-redis/pull/3824)) by [@&#8203;cxljs](https://github.com/cxljs)
- **`waitForSentinelClusterStable` post-conditions**: The sentinel test harness now waits for replicas to be fully connected (not just present in the count) and is robust to randomized spec ordering after failover specs, eliminating an intermittent `Expected master to equal slave` flake ([#&#8203;3830](https://github.com/redis/go-redis/pull/3830)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **`govulncheck` workflow**: New scheduled GitHub Actions workflow runs `govulncheck` on every push, PR, and weekly, surfacing newly disclosed Go vulnerabilities even when no code changes ([#&#8203;3779](https://github.com/redis/go-redis/pull/3779)) by [@&#8203;solardome](https://github.com/solardome)
- **CI Redis 8.8-rc1**: CI now exercises the 8.8-rc1 Redis image ([#&#8203;3814](https://github.com/redis/go-redis/pull/3814)) by [@&#8203;ofekshenawa](https://github.com/ofekshenawa)

#### 🧰 Maintenance

- **`Cmd.Slot()` lookup refactor**: Caches the per-command `CommandInfo` and short-circuits keyless commands before the switch dispatch, removing redundant `Peek` calls ([#&#8203;3804](https://github.com/redis/go-redis/pull/3804)) by [@&#8203;retr0-kernel](https://github.com/retr0-kernel)
- **stdlib `math/rand`**: Replaced `internal/rand` with `math/rand` from the standard library now that the minimum Go version is 1.24 ([#&#8203;3823](https://github.com/redis/go-redis/pull/3823)) by [@&#8203;cxljs](https://github.com/cxljs)
- **ConnPool queue channel**: Removed the unused queue channel from `ConnPool`, trimming the pool's footprint ([#&#8203;3826](https://github.com/redis/go-redis/pull/3826)) by [@&#8203;cxljs](https://github.com/cxljs)
- **Extra packages LICENSE**: Added a LICENSE file to each `extra/*` package ([#&#8203;3817](https://github.com/redis/go-redis/pull/3817)) by [@&#8203;ndyakov](https://github.com/ndyakov)
- **README & CI image**: Documentation refresh and bumped the default CI image tag ([#&#8203;3822](https://github.com/redis/go-redis/pull/3822)) by [@&#8203;ndyakov](https://github.com/ndyakov)

#### 👥 Contributors

We'd like to thank all the contributors who worked on this release!

[@&#8203;cxljs](https://github.com/cxljs), [@&#8203;DengY11](https://github.com/DengY11), [@&#8203;elena-kolevska](https://github.com/elena-kolevska), [@&#8203;Khukharr](https://github.com/Khukharr), [@&#8203;LINKIWI](https://github.com/LINKIWI), [@&#8203;ndyakov](https://github.com/ndyakov), [@&#8203;obiyang](https://github.com/obiyang), [@&#8203;ofekshenawa](https://github.com/ofekshenawa), [@&#8203;retr0-kernel](https://github.com/retr0-kernel), [@&#8203;romanpovol](https://github.com/romanpovol), [@&#8203;shahyash2609](https://github.com/shahyash2609), [@&#8203;solardome](https://github.com/solardome), [@&#8203;vladisa88](https://github.com/vladisa88)

***

**Full Changelog**: <https://github.com/redis/go-redis/compare/v9.19.0...v9.20.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12804
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-29 15:17:59 +02:00
Renovate Bot
c731987887 Update dependency webpack to v5.107.2 (forgejo) (#12798)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12798
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 05:05:15 +02:00
Andreas Ahlenstorf
531a43a9a5 fix: cancel dependent jobs when rerunning jobs (#12756)
When a single Forgejo Actions job should be rerun, its dependent jobs (those that have the job to be rerun in their `needs:`) might still be running. That means they cannot be rerun. Currently, Forgejo ignores and simply skips them. But that is wrong: their outcome is meaningless at best and wrong at worst because it depends on an outdated attempt of the job to be rerun. This is remedied by cancelling them before queueing them for a rerun, too.

Follow-up of https://codeberg.org/forgejo/forgejo/pulls/12141.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12756
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-29 04:46:57 +02:00
Mathieu Fenniak
de5f38c4ea feat: enable auth to raw resources, release downloads, & attachments via authorized integrations (#12776)
A handful of routes, described in this PR as "mixed routes", are currently accessible by both web-based sessions and authenticated API users.  The goal of this PR is to allow access to these routes for Authorized Integrations as well, bringing them to full API compatibility (to my knowledge) with other authentication methods.  These routes are impacted:
- `/{username}/{repo}/raw/*`
- `/{username}/{repo}/archive/*`
- `/{username}/{repo}/releases/download/{vTag}/{fileName}`
- `/{username}/{repo}/attachments/{uuid}`
- `/attachments/{uuid}`

The major work in this PR was to refactoring the existing authentication methods so that "path based matching" that they were currently doing was no longer required, as I didn't want to introduce that into Authorized Integrations.  All the path based matching is removed in this PR, and authentication methods are enabled entirely by the middleware applied to their endpoints.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12776
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 02:11:43 +02:00
oliverpool
bd0b44d01d chore: use io.ReadFull instead of io.ReadAll for DataAsync (#12795)
Since the final size is already known, no need to `ReadAll` a `LimitedReader`: directly `ReadFull` a properly sized buffer.

Tests are already present in `blob_test.go` (a failure can be triggered by creating a smaller `buf`).

`go test -run=TestBlob_Data -bench=Blob_Data -benchmem` before:
```
Benchmark_Blob_Data-18             43964             28727 ns/op            1373 B/op         11 allocs/op
```
After:
```
Benchmark_Blob_Data-18             41308             27679 ns/op             846 B/op         10 allocs/op
```

🎉 one allocation spared!

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12795
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 23:51:15 +02:00
Mathieu Fenniak
cdd35458a9 feat: enable auth to git LFS via authorized integrations (#12725)
The goal is to enable access to Git LFS resources with Authorized Integrations JWTs.

Blocker that needed to be resolved is that adding the `AuthorizedIntegration` auth method would conflict with the LFS tokens, which are handed out during git ssh clones to allow access to LFS resources -- `AuthorizedIntegration` would mark these as `AuthenticationAttemptedIncorrectCredential`, and therefore the requests would 401 before they got to the LFS-specific token validation routines.  The fix is to move LFS token authentication into an authentication group so that it could be resolved at the same time as the authorized integration, rather than doing it inside the LFS server routines.

Refactors for LFS tokens are covered by refreshed test automation.  Authorized integrations LFS Access has been manually tested, and will be further covered in an end-to-end integration test (https://code.forgejo.org/forgejo/end-to-end/pulls/1954).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12725
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 23:20:58 +02:00
Renovate Bot
c37f5a96a9 Update google.golang.org/grpc (indirect) to v1.79.3 [SECURITY] (forgejo) (#12794)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `v1.75.0` → `v1.79.3` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.79.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.75.0/v1.79.3?slim=true) |

---

### gRPC-Go has an authorization bypass via missing leading slash in :path
[CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) / [GHSA-p77j-4mvh-x3m3](https://github.com/advisories/GHSA-p77j-4mvh-x3m3) / [GO-2026-4762](https://pkg.go.dev/vuln/GO-2026-4762)

<details>
<summary>More information</summary>

#### Details
##### Impact
_What kind of vulnerability is it? Who is impacted?_

It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

**Who is impacted?**
This affects gRPC-Go servers that meet both of the following criteria:
1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`.
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

##### Patches
_Has the problem been patched? What versions should users upgrade to?_

Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):
* **v1.79.3**
* The latest **master** branch.

It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release.

##### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

##### 1. Use a Validating Interceptor (Recommended Mitigation)
Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

```go
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
```

##### 2. Infrastructure-Level Normalization
If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash.

##### 3. Policy Hardening
Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

#### Severity
- CVSS Score: 9.1 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`

#### References
- [https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3](https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
- [https://github.com/grpc/grpc-go](https://github.com/grpc/grpc-go)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc
[CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) / [GHSA-p77j-4mvh-x3m3](https://github.com/advisories/GHSA-p77j-4mvh-x3m3) / [GO-2026-4762](https://pkg.go.dev/vuln/GO-2026-4762)

<details>
<summary>More information</summary>

#### Details
Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

#### Severity
Unknown

#### References
- [https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3](https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-4762) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Release Notes

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.79.3`](https://github.com/grpc/grpc-go/releases/tag/v1.79.3): Release 1.79.3

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.2...v1.79.3)

### Security

- server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like `grpc/authz`. Any request with a non-canonical path is now immediately rejected with an `Unimplemented` error. ([#&#8203;8981](https://github.com/grpc/grpc-go/issues/8981))

### [`v1.79.2`](https://github.com/grpc/grpc-go/releases/tag/v1.79.2): Release 1.79.2

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.1...v1.79.2)

### Bug Fixes

- stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. ([#&#8203;8874](https://github.com/grpc/grpc-go/pull/8874))

### [`v1.79.1`](https://github.com/grpc/grpc-go/releases/tag/v1.79.1): Release 1.79.1

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1)

### Bug Fixes

- grpc: Remove the `-dev` suffix from the User-Agent header. ([#&#8203;8902](https://github.com/grpc/grpc-go/pull/8902))

### [`v1.79.0`](https://github.com/grpc/grpc-go/releases/tag/v1.79.0): Release 1.79.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.78.0...v1.79.0)

### API Changes

- mem: Add experimental API `SetDefaultBufferPool` to change the default buffer pool. ([#&#8203;8806](https://github.com/grpc/grpc-go/issues/8806))
  - Special Thanks: [@&#8203;vanja-p](https://github.com/vanja-p)
- experimental/stats: Update `MetricsRecorder` to require embedding the new `UnimplementedMetricsRecorder` (a no-op struct) in all implementations for forward compatibility. ([#&#8203;8780](https://github.com/grpc/grpc-go/issues/8780))

### Behavior Changes

- balancer/weightedtarget: Remove handling of `Addresses` and only handle `Endpoints` in resolver updates. ([#&#8203;8841](https://github.com/grpc/grpc-go/issues/8841))

### New Features

- experimental/stats: Add support for asynchronous gauge metrics through the new `AsyncMetricReporter` and `RegisterAsyncReporter` APIs. ([#&#8203;8780](https://github.com/grpc/grpc-go/issues/8780))
- pickfirst: Add support for weighted random shuffling of endpoints, as described in [gRFC A113](https://github.com/grpc/proposal/pull/535).
  - This is enabled by default, and can be turned off using the environment variable `GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING`. ([#&#8203;8864](https://github.com/grpc/grpc-go/issues/8864))
- xds: Implement `:authority` rewriting, as specified in [gRFC A81](https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md). ([#&#8203;8779](https://github.com/grpc/grpc-go/issues/8779))
- balancer/randomsubsetting: Implement the `random_subsetting` LB policy, as specified in [gRFC A68](https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md). ([#&#8203;8650](https://github.com/grpc/grpc-go/issues/8650))
  - Special Thanks: [@&#8203;marek-szews](https://github.com/marek-szews)

### Bug Fixes

- credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. ([#&#8203;8726](https://github.com/grpc/grpc-go/issues/8726))
  - Special Thanks: [@&#8203;Atul1710](https://github.com/Atul1710)
- xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in `CONNECTING` state. ([#&#8203;8813](https://github.com/grpc/grpc-go/issues/8813))
- health: Fix a bug where health checks failed for clients using legacy compression options (`WithDecompressor` or `RPCDecompressor`). ([#&#8203;8765](https://github.com/grpc/grpc-go/issues/8765))
  - Special Thanks: [@&#8203;sanki92](https://github.com/sanki92)
- transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. ([#&#8203;8769](https://github.com/grpc/grpc-go/issues/8769))
  - Special Thanks: [@&#8203;joybestourous](https://github.com/joybestourous)
- server: Propagate status detail headers, if available, when terminating a stream during request header processing. ([#&#8203;8754](https://github.com/grpc/grpc-go/issues/8754))
  - Special Thanks: [@&#8203;joybestourous](https://github.com/joybestourous)

### Performance Improvements

- credentials/alts: Optimize read buffer alignment to reduce copies. ([#&#8203;8791](https://github.com/grpc/grpc-go/issues/8791))
- mem: Optimize pooling and creation of `buffer` objects.  ([#&#8203;8784](https://github.com/grpc/grpc-go/issues/8784))
- transport: Reduce slice re-allocations by reserving slice capacity. ([#&#8203;8797](https://github.com/grpc/grpc-go/issues/8797))

### [`v1.78.0`](https://github.com/grpc/grpc-go/releases/tag/v1.78.0): Release 1.78.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.77.0...v1.78.0)

### Behavior Changes

- client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. ([#&#8203;8716](https://github.com/grpc/grpc-go/issues/8716))
  - Special Thanks: [@&#8203;neild](https://github.com/neild)
- transport/client : Return status code `Unknown` on malformed grpc-status. ([#&#8203;8735](https://github.com/grpc/grpc-go/issues/8735))
- - xds/resolver:
  - Drop previous route resources and report an error when no matching virtual host is found.
  - Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. ([#&#8203;8711](https://github.com/grpc/grpc-go/issues/8711))

### New Features

- stats/otel: Add backend service label to weighted round robin metrics as part of A89. ([#&#8203;8737](https://github.com/grpc/grpc-go/issues/8737))
- stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. ([#&#8203;8738](https://github.com/grpc/grpc-go/issues/8738))
- client: Wait for all pending goroutines to complete when closing a graceful switch balancer. ([#&#8203;8746](https://github.com/grpc/grpc-go/issues/8746))
  - Special Thanks: [@&#8203;twz123](https://github.com/twz123)
- client: Add `experimental.AcceptCompressors` so callers can restrict the `grpc-accept-encoding` header advertised for a call. ([#&#8203;8718](https://github.com/grpc/grpc-go/issues/8718))
  - Special Thanks: [@&#8203;iblancasa](https://github.com/iblancasa)

### Bug Fixes

- xds: Fix a bug in `StringMatcher` where regexes would match incorrectly when ignore\_case is set to true. ([#&#8203;8723](https://github.com/grpc/grpc-go/issues/8723))
- client:
  - Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE).
  - Change connectivity state to TRANSIENT\_FAILURE if name resolver creation fails (as part of exiting IDLE).
  - Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT\_FAILURE.
  - Fix a bug that resulted in `OnFinish` call option not being invoked for RPCs where stream creation failed. ([#&#8203;8710](https://github.com/grpc/grpc-go/issues/8710))
- xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. ([#&#8203;8627](https://github.com/grpc/grpc-go/issues/8627))

### Performance Improvements

- mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. ([#&#8203;8705](https://github.com/grpc/grpc-go/issues/8705))
  - Special Thanks: [@&#8203;cjc25](https://github.com/cjc25)

### [`v1.77.0`](https://github.com/grpc/grpc-go/releases/tag/v1.77.0): Release 1.77.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.76.0...v1.77.0)

### API Changes

- mem: Replace the `Reader` interface with a struct for better performance and maintainability. ([#&#8203;8669](https://github.com/grpc/grpc-go/issues/8669))

### Behavior Changes

- balancer/pickfirst: Remove support for the old `pick_first` LB policy via the environment variable `GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false`. The new `pick_first` has been the default since `v1.71.0`. ([#&#8203;8672](https://github.com/grpc/grpc-go/issues/8672))

### Bug Fixes

- xdsclient: Fix a race condition in the ADS stream implementation that could result in `resource-not-found` errors, causing the gRPC client channel to move to `TransientFailure`. ([#&#8203;8605](https://github.com/grpc/grpc-go/issues/8605))
- client: Ignore HTTP status header for gRPC streams. ([#&#8203;8548](https://github.com/grpc/grpc-go/issues/8548))
- client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. ([#&#8203;8534](https://github.com/grpc/grpc-go/issues/8534))
  - Special Thanks: [@&#8203;jgold2-stripe](https://github.com/jgold2-stripe)
- client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
  - Setting environment variable `GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false` disables this change; please file a bug if any problems are encountered as we will remove this option soon. ([#&#8203;8613](https://github.com/grpc/grpc-go/issues/8613))
- balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. ([#&#8203;8611](https://github.com/grpc/grpc-go/issues/8611))
- server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. ([#&#8203;8573](https://github.com/grpc/grpc-go/issues/8573))
  - Special Thanks: [@&#8203;hugehoo](https://github.com/hugehoo)
- balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to `pick_first` but don't set endpoints. ([#&#8203;8610](https://github.com/grpc/grpc-go/issues/8610))
- mem: Clear large buffers before re-using. ([#&#8203;8670](https://github.com/grpc/grpc-go/issues/8670))

### Performance Improvements

- transport: Reduce heap allocations to reduce time spent in garbage collection. ([#&#8203;8624](https://github.com/grpc/grpc-go/issues/8624), [#&#8203;8630](https://github.com/grpc/grpc-go/issues/8630), [#&#8203;8639](https://github.com/grpc/grpc-go/issues/8639), [#&#8203;8668](https://github.com/grpc/grpc-go/issues/8668))
- transport: Avoid copies when reading and writing Data frames. ([#&#8203;8657](https://github.com/grpc/grpc-go/issues/8657), [#&#8203;8667](https://github.com/grpc/grpc-go/issues/8667))
- mem: Avoid clearing newly allocated buffers. ([#&#8203;8670](https://github.com/grpc/grpc-go/issues/8670))

### New Features

- outlierdetection: Add metrics specified in [gRFC A91](https://github.com/grpc/proposal/blob/master/A91-outlier-detection-metrics.md). ([#&#8203;8644](https://github.com/grpc/grpc-go/issues/8644))
  - Special Thanks: [@&#8203;davinci26](https://github.com/davinci26), [@&#8203;PardhuKonakanchi](https://github.com/PardhuKonakanchi)
- stats/opentelemetry: Add support for optional label `grpc.lb.backend_service` in per-call metrics ([#&#8203;8637](https://github.com/grpc/grpc-go/issues/8637))
- xds: Add support for JWT Call Credentials as specified in [gRFC A97](https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md). Set environment variable `GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true` to enable this feature. ([#&#8203;8536](https://github.com/grpc/grpc-go/issues/8536))
  - Special Thanks: [@&#8203;dimpavloff](https://github.com/dimpavloff)
- experimental/stats: Add support for up/down counters. ([#&#8203;8581](https://github.com/grpc/grpc-go/issues/8581))

### [`v1.76.0`](https://github.com/grpc/grpc-go/releases/tag/v1.76.0): Release 1.76.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.75.1...v1.76.0)

### Dependencies

- Minimum supported Go version is now 1.24 ([#&#8203;8509](https://github.com/grpc/grpc-go/issues/8509))
  - Special Thanks: [@&#8203;kevinGC](https://github.com/kevinGC)

### Bug Fixes

- client: Return status `INTERNAL` when a server sends zero response messages for a unary or client-streaming RPC. ([#&#8203;8523](https://github.com/grpc/grpc-go/issues/8523))
- client: Fail RPCs with status `INTERNAL` instead of `UNKNOWN` upon receiving http headers with status 1xx and  `END_STREAM` flag set. ([#&#8203;8518](https://github.com/grpc/grpc-go/issues/8518))
  - Special Thanks: [@&#8203;vinothkumarr227](https://github.com/vinothkumarr227)
- pick\_first: Fix race condition that could cause pick\_first to get stuck in `IDLE` state on backend address change. ([#&#8203;8615](https://github.com/grpc/grpc-go/issues/8615))

### New Features

- credentials: Add `credentials/jwt` package providing file-based JWT PerRPCCredentials (A97). ([#&#8203;8431](https://github.com/grpc/grpc-go/issues/8431))
  - Special Thanks: [@&#8203;dimpavloff](https://github.com/dimpavloff)

### Performance Improvements

- client: Improve HTTP/2 header size estimate to reduce re-allocations. ([#&#8203;8547](https://github.com/grpc/grpc-go/issues/8547))
- encoding/proto: Avoid redundant message size calculation when marshaling. ([#&#8203;8569](https://github.com/grpc/grpc-go/issues/8569))
  - Special Thanks: [@&#8203;rs-unity](https://github.com/rs-unity)

### [`v1.75.1`](https://github.com/grpc/grpc-go/releases/tag/v1.75.1): Release 1.75.1

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.75.0...v1.75.1)

### Bug Fixes

- transport: Fix a data race while copying headers for stats handlers in the std lib http2 server transport. ([#&#8203;8519](https://github.com/grpc/grpc-go/issues/8519))
- xdsclient:
  - Fix a data race caused while reporting load to LRS. ([#&#8203;8483](https://github.com/grpc/grpc-go/pull/8483))
  - Fix regression preventing empty node IDs when creating an LRS client. ([#&#8203;8483](https://github.com/grpc/grpc-go/issues/8483))
- server: Fix a regression preventing streams from being cancelled or timed out when blocked on flow control. ([#&#8203;8528](https://github.com/grpc/grpc-go/issues/8528))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12794
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-28 22:15:59 +02:00
numen
427457946b feat(api): return created time in /org/{org} endpoint (#12633)
closes #4126

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12633
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 21:25:41 +02:00
Alex619829
e35880e7ac Add code search with zoekt support (#8827)
This PR adds zoekt as a code search engine for forgejo. This Pull Request is a continuation of the discussion #8302.
The meilisearch search engine was not suitable, as it is not designed for searching by code. The zoekt project was proposed instead. Zoekt copes well with code indexing, but its operating principle differs from such search engines as elasticsearch.
While elasticsearch can return a result in a ready-made form (with pagination, ready-made snippets, etc.) and forgejo only needs to show this result in the interface with a little work with the data, zoekt works completely differently.

Zoekt finds matches in the repository index and returns a response. The response contains a line with the search word, its number from the file, and also a context, if specified in the request. This response is not suitable for Forgejo, so you need to assemble it yourself. To assemble the response from Zoekt into a form acceptable for Forgejo, I had to write some code and create a new function `searchZoektResult`, since the existing `searchResult` function is completely unsuitable for this search engine. I also had to write logic for pagination, highlighting, and correct display of lines in found snippets with a match, but this is a feature of Zoekt.
At the moment, Zoekt does not support deleting a repository index by repo_id, it only supports complete deletion of all repositories. But I still implemented the Delete function, which deletes a specific repository by its ID.

Co-authored-by: Aleksandr Gamzin <gamzin@altlinux.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8827
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 20:52:34 +02:00
Shiny Nematoda
6f5df4fae6 fix(ui): fix typo in issue sort dropdown; relevance was misnamed as relevency (#12771)
closes #12769

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12771
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
2026-05-28 20:48:25 +02:00
Robert Wolff
44b93ff7cc fix: do not migrate confidential issues and internal notes from Gitlab (#12735)
A dedicated test repository was added at https://gitlab.com/forgejo/test_repo-confidential with one "confidential issue" and two "internal notes".

Closes: #12688

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12735
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 20:45:24 +02:00
Gusted
6c85dffb78 fix: load repo language for converting to api struct (#12737)
Load the primary language of the repository when it's converted to a API struct. This is simpler than adding `LoadAttributes` to a lot of places.

Resolves forgejo/forgejo#12729

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12737
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-28 17:00:40 +02:00
Andreas Ahlenstorf
fa5a2501d0 fix: do not hide previous attempts without task for latest attempt (#12779)
If a Forgejo Actions job was run more than once, Forgejo would not display previous attempts if no `ActionTask` existed for the latest attempt. That is the case when a job is cancelled or skipped before having been dispatched to a runner or while it is waiting for a runner. This is fixed by always loading all existing attempts.

Resolves #12626.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12779
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-28 15:16:48 +02:00
Mathieu Fenniak
81a5b0d840 fix: remove default 'REVERSE_PROXY_TRUSTED_PROXIES = *' from docker config (#12782)
Forgejo's docker containers had `REVERSE_PROXY_TRUSTED_PROXIES = *` configured in them by default.  In the event that the Forgejo sysadmin set the docker environment variable `FORGEJO__service__ENABLE_REVERSE_PROXY_AUTHENTICATION` to the value `true`, *and* an unauthorized user could access Forgejo without traversing a reverse proxy performing authentication, then an unauthorized user could use the `X-WebAuth-User` HTTP header to impersonate any user.  While this is an unlikely set of configuration settings, it seems more prudent for the Forgejo to require a sysadmin to choose an appropriate value for `REVERSE_PROXY_TRUSTED_PROXIES`.  Even in a containerized environment, this value can be used safely and set to reasonable values if firewall-level networking is in use (eg. using [Docker with iptables](https://docs.docker.com/engine/network/firewall-iptables/)), which is the common default for docker systems in 2026.

The intent of this PR is to change the default in Forgejo 16, and to mark it as a breaking change for highlighting in the release notes.  The risk of misconfiguration is not high enough to backport this breaking change to earlier Forgejo releases.

If a sysadmin wants to use the previous configuration, they can set the environment variable `FORGEJO__service__REVERSE_PROXY_TRUSTED_PROXIES` to the value `*`, but it would be recommended that they revise the setting to a narrower set of trusted IPs that they expect reverse proxy connections from.  See the [`[security]`](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security) config block for more information.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12782
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-28 13:52:03 +02:00
Gusted
d25f7ae70d feat: show progress of issues and PRs migrations (#12738)
These are by the far the longest time spent on during a migration.
Indicate the progress of how many issues and PRs were migrated so far.
Don't overwhelm the messenger, so they are only updated once a batch is
migrated. Which is "slow" enough to see it's not stuck and still doing work.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12738
Reviewed-by: Ellen Εμίλια Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-28 00:49:07 +02:00
oliverpool
68858a9de2 fix: enable "Add more..." unit hint for new users (#12565)
For new users, the `EnableRepoUnitHints` is set to false while I think that the original intent of #2221 was to set it to true (the migration set it to true for already existing users in `AddUserRepoUnitHintsSetting`).

This PR sets its to true upon user creation.

![screenshot showing the `Add more...` hint - from the original PR](https://codeberg.org/forgejo/forgejo/attachments/dc654ddd-e7cb-4667-b0d3-3fac39776be3)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12565
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-27 20:44:44 +02:00
oliverpool
fd283c80b7 feat: add hint to disable the "Enable more" units hint (#12747)
Following the feedback in #12565, this adds a hint to the units page when the "Enable more" hint is enabled:

![image](/attachments/32dac116-9f25-498d-9ef0-8b18b06cfc53)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12747
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-27 20:43:47 +02:00
Renovate Bot
c8fa66d42c Update dependency clippie to v4.2.0 (forgejo) (#12618)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12618
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-27 18:46:02 +02:00
Mathieu Fenniak
b18d28b3b5 fix: debian package cleanup failure due to xorm connection corruption (#12764)
Fixes #12645.  Detailed analysis in [this comment](https://codeberg.org/forgejo/forgejo/issues/12645#issuecomment-15939122).  New test case is verified to hit the bug -- the previous case just narrowly missed the problem because it ended up with an empty repository index.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12764
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-27 17:47:11 +02:00
Renovate Bot
7dea39659d Update module code.forgejo.org/forgejo/runner/v12 to v12.10.2 (forgejo) (#12759)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.10.1` → `v12.10.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.1/v12.10.2?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.10.2`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.10.2)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.10.1...v12.10.2)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1523): <!--number 1523 --><!--line 0 --><!--description Zml4OiByZW1vdmUgY29udGFpbmVycyBhZnRlciBmYWlsZWQgc3RhcnQtdXA=-->fix: remove containers after failed start-up<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1519): <!--number 1519 --><!--line 0 --><!--description Zml4OiByZWplY3QgaW52YWxpZCBjcm9uIHNjaGVkdWxlcyB3aGlsZSBwYXJzaW5nIHdvcmtmbG93cw==-->fix: reject invalid cron schedules while parsing workflows<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1532): <!--number 1532 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3JoeXNkL2FjdGlvbmxpbnQgdG8gdjEuNy4xMg==-->Update module github.com/rhysd/actionlint to v1.7.12<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1531): <!--number 1531 --><!--line 0 --><!--description UmVwbGFjZSBOb2RlLmpzIHdpdGggZGF0YS5mb3JnZWpvLm9yZy9vY2kvbm9kZSAyNC10cml4aWU=-->Replace Node.js with data.forgejo.org/oci/node 24-trixie<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1530): <!--number 1530 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2Nhc2NhZGluZy1wciBhY3Rpb24gdG8gdjIuMy4y-->Update <https://data.forgejo.org/actions/cascading-pr> action to v2.3.2<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1522): <!--number 1522 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21vYnkvcGF0dGVybm1hdGNoZXIgdG8gdjAuNi4x-->Update module github.com/moby/patternmatcher to v0.6.1<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1529): <!--number 1529 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvc3lzIHRvIHYwLjQ0LjAgW1NFQ1VSSVRZXQ==-->Update module golang.org/x/sys to v0.44.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1527): <!--number 1527 --><!--line 0 --><!--description dGVzdDogdXBkYXRlIGFwdCBjYWNoZSBiZWZvcmUgaW5zdGFsbGluZyBwYWNrYWdlcyBpbiBQb2RtYW4gam9i-->test: update apt cache before installing packages in Podman job<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1521): <!--number 1521 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLWlzYXR0eSB0byB2MC4wLjIy-->Update module github.com/mattn/go-isatty to v0.0.22<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1520): <!--number 1520 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuMTQ=-->Update data.forgejo.org/forgejo/forgejo Docker tag to v11.0.14<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1515): <!--number 1515 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb25uZWN0cnBjLmNvbS9jb25uZWN0IHRvIHYxLjE5LjI=-->Update module connectrpc.com/connect to v1.19.2<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1514): <!--number 1514 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuMTE=-->Update <https://data.forgejo.org/actions/setup-forgejo> action to v3.1.11<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1513): <!--number 1513 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuMTM=-->Update data.forgejo.org/forgejo/forgejo Docker tag to v11.0.13<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1512): <!--number 1512 --><!--line 0 --><!--description VXBkYXRlIGdvIHRvb2xjaGFpbiBkaXJlY3RpdmUgdG8gdjEuMjUuMTA=-->Update go toolchain directive to v1.25.10<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1503): <!--number 1503 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlcGxhY2UgYmFja2VuZCBpZGVudGl0eSBjaGVja3Mgd2l0aCBjYXBhYmlsaXR5IHF1ZXJpZXM=-->refactor: replace backend identity checks with capability queries<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyIsInRlc3Qvbm90LW5lZWRlZCJdfQ==-->

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12759
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-27 17:46:33 +02:00
oliverpool
1b1ede13f9 feat: add actionable message on lint-locale failure (#12748)
Before this PR:
![image](/attachments/dd1a8f68-8b87-41e5-86e0-4ba59cedf4f4)

After this PR:
![image](/attachments/51007bbd-cf3c-4828-b5fc-9aecc9c958bd)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12748
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Ellen Εμίλια Άννα Zscheile <fogti@noreply.codeberg.org>
2026-05-27 11:48:07 +02:00
0ko
8a72b70f5f fix(ui): do not clip overflow in workflow dispatch menu (#12753)
Fixes forgejo/forgejo#12090
Fixes forgejo/forgejo#12228
Fixes forgejo/forgejo#12743

Partially revert b5988efc85/web_src/css/actions.css (L91-L94) from forgejo/forgejo!10563.

This will cause overly long lists to overflow the viewport [like in this image](https://codeberg.org/forgejo/forgejo/attachments/b335c5b8-ad1a-44fc-bbd2-99c975c2a5e5), but will make the branch selector and select inputs usable again. In essence, replacing a serious bug with a less serious one.

Note: max-height limit wasn't effective since it was clipping inline (x) axis instead of block (y) axis. So the menu was still higher than 500 px.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12753
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-27 05:46:21 +02:00
Mathieu Fenniak
dfdd9b2e2a fix: check quota in LFS uploads against the repository owner, not operating user (#12755)
Follow-up to the previously closed #12437; verifies git LFS quotas are checked against the repository owner not the current actor.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12755): <!--number 12755 --><!--line 0 --><!--description Y2hlY2sgcXVvdGEgaW4gTEZTIHVwbG9hZHMgYWdhaW5zdCB0aGUgcmVwb3NpdG9yeSBvd25lciwgbm90IG9wZXJhdGluZyB1c2Vy-->check quota in LFS uploads against the repository owner, not operating user<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12755
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-27 04:31:09 +02:00