Before it has only processed the newest 200 (or 50 for default `MAX_RESPONSE_ITEMS: 50`) versions.
After it processes all versions.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9219): <!--number 9219 --><!--line 0 --><!--description cGFja2FnZSBjbGVhbnVwIHJ1bGVzIGFyZSBub3QgYXBwbGllZCB3aGVuIHRoZXJlIGFyZSBtb3JlIHRoYW4gMjAwIHBhY2thZ2VzIChkZXBlbmRzIG9uIGBNQVhfUkVTUE9OU0VfSVRFTVNgKQ==-->package cleanup rules are not applied when there are more than 200 packages (depends on `MAX_RESPONSE_ITEMS`)<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9219
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>
- Set default pagination, so the API allows cases like `?limit=1`.
- Set the Link header when there are more items, but not shown because of pagination.
- Resolvesforgejo/forgejo#8828
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9201
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: deadkittens <montage_inches78@icloud.com>
Co-committed-by: deadkittens <montage_inches78@icloud.com>
This patch is mainly intended to fixforgejo/forgejo#7721, and to fixforgejo/forgejo#9019.
It also changes the evaluation of 0 limits to prevent all writes, instead of allowing one write and then failing on subsequent writes after the limit has been exceeded. This matches the expectation of the existing tests, and I believe it will better match the expectations of users.
Tests have been updated accordingly where necessary, and some additional test coverage added.
The fixes in this PR depend on each other in order for the quota system to function correctly, so I'm submitting them as a single PR instead of individually.
## Test Cases
### Quota subjects not covered by their parent subjects
Before enabling quotas, create a test user and test repository for that user.
Enable quotas, and set a default total to some large value. (Do not use unit suffixes forgejo/forgejo#8996)
```ini
[quota]
ENABLED = true
[quota.default]
TOTAL = 1073741824
```
With the test user, navigate to "Storage overview" and verify that the quota group "Global quota" is the only group listed, containing the rule "Default", and displays the configured limit, and that the limit has not been exceeded (eg. `42 MiB / 1 GiB`).
The default quota rule has the subject `size:all`, so any write action should be allowed.
#### Attempt to create a new repository.
Expected result: Repository is created.
Actual result: Error 413, You have exhausted your quota.
#### Attempt to create a new file in the existing repository.
Expected result: File is created.
Actual result: Error 413, You have exhausted your quota.
#### Create an issue on the test repository, and attempt to upload an image to the issue.
Expected result: Image is uploaded.
Actual Result: Quota exceeded. Displays error message: `JavaScript promise rejection: can't access property "submitted", oi[ji.uuid] is undefined. Open browser console to see more details.`
### Unlimited quota rules incorrectly allow all writes
With quotas enabled, [Use the API](https://forgejo.org/docs/latest/admin/advanced/quota/#advanced-usage-via-api) to create a quota group containing a single rule with a subject of `sizelfs`, and a limit of `-1` (Unlimited). Add the test user to this group.
```json
{
"name": "git-lfs-unlimited",
"rules": [
{
"name": "git-lfs-unlimited",
"limit": -1,
"subjects": ["sizelfs"]
}
]
}
```
With the test user, navigate to "Storage overview" and verify that the user has been added to this group, that it is the only group the user is assigned to, and that the rule limit displays as "Unlimited".
The user should only have the ability to write to Git LFS storage, all other writes should be denied.
#### Attempt to create a new repository.
Expected result: Error 413, You have exhausted your quota.
Actual result: Repository is created.
#### Attempt to create a new file in the test repository.
Expected result: Error 413, You have exhausted your quota.
Actual result: File is created.
#### Create an issue on the test repository, and attempt to upload an image to the issue.
Expected Result: Quota exceeded.
Actual result: Image is uploaded.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9033
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Brook Miles <brook@noreply.codeberg.org>
Co-committed-by: Brook Miles <brook@noreply.codeberg.org>
In #9017, the ability to view older logs of an action run was added. However, the 'Re-run all jobs' button was not updated in any way. When viewing the logs for attempt 1 and clicking 'Re-run all jobs', the UI would continue to show the logs for attempt 1. Before #9017 the behavior would have begun to view the logs from the re-run operation.
There are two commits in this PR:
- Update the `Rerun` view handler so that it redirects the user to the next attempt number for the job.
- The next attempt number isn't actually persisted to the DB until the rerun is picked up from a worker. By pure coincidence, viewing an out-of-range attempt number was fully functional because it also happened to be viewing a job that wasn't picked up by a worker, and fell into those code paths. However, as there were no automated tests around this codepath and it felt fragile, new tests have been added around the template render, backend data fetch, and frontend UI component, to ensure it continues to work in this corner-case in the future.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [x] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] I do not want this change to show in the release notes. (_Note_: This is a fix for an unreleased regression, no need for release notes.)
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9172
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
When you access Actions logs, there is a momentary render of a partially blank screen such as this:
This is caused by the `RepoActionView` Vue component having no data. It then performs a fetch to two APIs in parallel (shown here as `/0` and `/artifacts`) to retrieve the steps and artifacts for the action run, and then it renders the page.
And then, even if the job is complete and the user hasn't yet interacted to expand any logs, it performs the same API calls a second time.
This PR fixes both problems by:
- Injecting the initial data for the Action's steps & Artifacts into the initial page render, and using that data into the `RepoActionView` to serve as its initial data load.
- No longer unconditionally starting a second invocation of `loadJob` 1 second later, as the initial data can be used to determine whether the job is still running and requires an interval refresh.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
**WIP**
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [x] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9099): <!--number 9099 --><!--line 0 --><!--description cHJldmVudCBpbml0aWFsICdibGFuaycgZGlzcGxheSBvZiBhY3Rpb24gbG9ncyB2aWV3LCByZW1vdmUgdW5uZWNlc3NhcnkgQVBJIGNhbGxz-->prevent initial 'blank' display of action logs view, remove unnecessary API calls<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9099
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
Adds a new dropdown to the job logs, visible only when a job has been retried at least once:
When an older run attempt from the dropdown is selected, displays the older run's logs:
Context on implementation & design decisions:
- It is important that when a URL from an Action's log is shared, the person on the other side sees the exact same logs that were being viewed. For this reason, all log views are automatically redirected to a fully-qualified URL (including the *run*, *job*, and *attempt*), so that when they are shared there is a guarantee of stability in the viewed logs.
- Individual jobs can be rerun any number of times independent of other jobs in the same workflow. This means there isn't a "set" of related jobs that were executed at the same time, and this led me to remove the display of current status of jobs on the left-hand side of the view. There isn't a logical set of job statuses to display here.
Fixes#1043. Based upon @gmem's original work in #1416.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [x] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface features
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9017): <!--number 9017 --><!--line 0 --><!--description YWJpbGl0eSB0byB2aWV3IHByZXZpb3VzIGxvZ3MgZm9yIEFjdGlvbnMgcnVucyB0aGF0IGhhdmUgYmVlbiByZXRyaWVk-->ability to view previous logs for Actions runs that have been retried<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9017
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
- When the issue unit is disabled for a repository, don't allow issue related APIs.
- Added integration tests.
- Resolves#8408
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8829
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
- CSRF has to be validated for any request that can change the state, in
practice this means any HTTP request where the method isn't
GET/HEAD/OPTIONS.
- The code only considered POST to be a state-changing request.
- Forgejo has several PUT/DELETE (that changes state) routes for which
no CSRF was being validated.
- Change the code to validate CSRF for all non-"safe" methods.
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
Do not allow credentials to be present in the URLs that are provided for
migrations and push mirrors. They have to be given via the dedicated
input fields. Give a error when this happens.
There's nothing wrong with trying have the backend "correct" this, but
would be a larger patch than necessary in the context of a security fix.
This can be done in public.
While `repo.OriginalURL` is supposed to be sanitized, with username and
passwords removed, it appears that is not always the case, and sometimes
we may encounter original URLs that aren't sanitized. While that is
possibly a historical artifact, we should still treat it with care.
As such, before displaying `repo.OriginalURL` as an info flash when
syncing a pull repository, sanitize the URL first, to be on the safe
side.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
On GitHub, `DELETE /repos/{owner}/{repo}/issues/{index}/labels/{id}` takes the label name, not id:
https://docs.github.com/en/rest/issues/labels?apiVersion=2022-11-28#remove-a-label-from-an-issue
This breaks workflows and actions that interact with labels and delete them.
It also makes the API quite difficult to use, always having to query the ID first before deleting a label from an issue, potentially with two API calls, because it could be a repo or org label.
For backwards compatibility, if no label with the given name is found, and the name converts to an int without error, it'll still be looked up by ID.
The API on GitHub also does not return 204, but 200, with the label it just removed from the issue as content. So this is returned when `application/vnd.github+json` is set in the `Accept` request header.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8831
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
Print out a list of all unused msgids
Handle Go files that make calls to translation.
Handle `models/unit/unit.go`, which stores msgids in `$Unit.NameKey`
Handle .locale.Tr in templates
Handle simple dynamically constructed `Tr("msgid-prefix." + SomeFunctionCall())`.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8736
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
Co-committed-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
- the run ID used to download artifacts is absolute (ID) instead of being
relative to the repository (Index) for compatibility with the url built
and returned as `artifact-url` by the the upload-artifact@v4 action.
- this is a breaking change because URLs to download artifacts
previous saved/bookmarked and not yet expired expired are no
longer working, they need to be looked up again by visiting the job
web page.
- add unit tests for getRunByID().
- RepoActionView.test.js verifies the download URL is built using the
run ID.
- lAdd integration tests to verify the RunID is set as expected in
the template used by RepoActionView.vue.
Refs https://code.forgejo.org/forgejo/runner/issues/187
This PR fixes the duplicate HTML ID issue (#8778) that can occur when rendering an issue page. An issue page contains multiple renderings of Markdown elements (the issue description and issue comments). When there is more than one Markdown rendering that uses footnotes we have an ID collision because the footnote ID count starts anew for each rendering.
This PR adds a `Metas["scope"]` entry to the `RenderContext` and sets it to "comment-{index}" when rendering Markdown for a comment. `Metas["scope"]` gets used as suffix during ID generation.
Fixes#8778.
## Additional Notes
- ID collision also happens if there are multiple header elements with the same ID. It does not seem to impact users because there are no links referencing headers. However, to err on the safe side, this PR also adds scope to the header IDs.
- `Metas["scope"]` might be useful for other Markdown renderings beside comments, e.g. multiple Markdown renderings are possible on Wiki pages.
- We apply `Metas["scope"]` as suffix instead of prefix because there are several places in the code that expect `user-content-` to be the ID's prefix.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [X] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [X] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8880
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: psii <psii@posteo.de>
Co-committed-by: psii <psii@posteo.de>
For pull request templates, Forgejo currently does not look in the `docs` directory, but [GitHub does](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository#adding-a-pull-request-template). By making Forgejo also look there, it becomes possible to have the same repository work on both sites, without the need for vendor-specific paths.
There was duplication in the list of accepted file paths. On the one hand it’s nice for greppability that they are all spelled out, but it does mean adding 6 variants, I thought it would be more maintainable to deduplicate the Cartesian product. I added one fully spelled out path in the comment to still maintain some greppability.
Resolvesforgejo/forgejo#8284
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8863
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Ruud van Asseldonk <dev@veniogames.com>
Co-committed-by: Ruud van Asseldonk <dev@veniogames.com>
The web endpoint
`/{owner}/{repo}/actions/runs/{run_id}/artifacts/{artifact_name_or_id}`
can be used with either the artifact name used when it is uploaded or the instance wide unique number of the artifact, if it is not found. For instance:
`/root/myrepo/actions/run/3/artifacts/my_artifact_name`
or
`/root/myrepo/actions/run/3/artifacts/42`
The `upload-artifact@v4` output value `artifact-url` is built in this way and is now a valid URL to access the artifact.
Refs https://codeberg.org/forgejo/forgejo/issues/6147
Refs https://code.forgejo.org/forgejo/runner/issues/187
Refs https://code.forgejo.org/forgejo/upload-artifact/src/tag/v4#outputs
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8957): <!--number 8957 --><!--line 0 --><!--description YXJ0aWZhY3RzIGNhbiBiZSBkb3dubG9hZGVkIHVzaW5nIHRoZWlyIGlkIGluc3RlYWQgb2YgdGhlaXIgbmFtZQ==-->artifacts can be downloaded using their id instead of their name<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8957
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
- gopkg.in/yaml.v3 is archived and unmaintained
- go.yaml.in/yaml/v3 is a compatible fork under the umbrella
of https://yaml.org/
### Tests
There is no need for more tests than already provided: it is like an upgrade to a minor version, only from a fork. I browsed the changes and there are some bug fixes. They all seem reasonably minimal. It is not one of those forks that went crazy with breaking changes 😁 And there is a non zero chance that [a bug that matters to Forgejo Actions](https://github.com/yaml/go-yaml/issues/76) is fixed there. It is rare and can wait but it did happen on Codeberg.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8956
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This is an alternate take on https://codeberg.org/forgejo/forgejo/pulls/8808 which allows Actions tokens to access other repos which are readable by by signed in users. In practise this means public repos belonging to public or limited owners.
This PR is split into two commits to aid review of the security-sensitive changes I've made:
* The first commit is a refactor _which is not intended to change behaviour_. It extracts the permission logic for Actions tokens from the githttp handler and moves it to `repo_permission.go` alongside the permission logic for regular users. The new function, `GetActionRepoPermission` returns a `Permission` object just like `GetUserRepoPermission`. Only code unit access is currently allowed in the interest of keeping this commit from changing any access logic.
* The second commit is the broadening of access: this commit changes the logic in `GetActionRepoPermission` to give actions tokens access to repos readable by signed in users.
cc @earl-warren
ref https://codeberg.org/forgejo/forgejo/issues/5877
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8889): <!--number 8889 --><!--line 0 --><!--description YWxsb3cgQWN0aW9ucyB0b2tlbnMgdG8gYWNjZXNzIHJlcG9zIHJlYWRhYmxlIGJ5IHNpZ25lZCBpbiB1c2Vycw==-->allow Actions tokens to access repos readable by signed in users<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8889
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Hailey Somerville <hailey@hails.org>
Co-committed-by: Hailey Somerville <hailey@hails.org>
resolves#8549
This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`.
A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
I will do it, if the general idea of this PR is a good feature.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security features
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
Redirection from issue to pull is already working, but from pull to issue is not working. This is now fixed.
Resolvesforgejo/forgejo#7386
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8874
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
Disable the 'clear milestone' button in the issue sidebar when no milestone is set and update this state after a milestone is set or cleared.
Fixes#7949
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8266
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: iamyaash <iamyaash@outlook.com>
Co-committed-by: iamyaash <iamyaash@outlook.com>
- The "Git hooks of this repository seem to be broken" error is currently shown if for whatever reason the database doesn't agree with Git on what the commitID for a branch is. This can happen for a variety of reasons, but usually is just a transient error.
- Saying that the git hooks of the repository "looks broken" is very likely to be correct in some contexts, but I have not yet seen that case and in those cases; other stuff would also be broken and would indicate that Forgejo is not functioning correctly.
- Replace this warning with a more helpful message that contains a easy fix that works in the cases where it was a transient error - push another commit (so the git hooks get run again). If the warning persists contact the instance admins and they will figure out the git hooks are broken or contact Forgejo about this problem.
- Moreover removes a link to Gitea documentation.
- A potential improvement (if people will run into this problem, and we then know what they ran into), we could show a specific warning to instance admins that contains troubleshooting steps or point to our own documentation.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8820
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Fixes#8529, supersedes #8597
Reverts the workaround of #8541 (while keeping the test) and ignore Close error (like #8527 did).
https://github.com/minio/minio-go/pull/2137 makes the test pass without the `io.NopCloser`:
```
docker run --rm -e MINIO_DOMAIN=minio -e MINIO_ROOT_USER=123456 -e MINIO_ROOT_PASSWORD=12345678 -p 9000:9000 data.forgejo.org/oci/bitnami/minio:2024.8.17
```
```
TEST_MINIO_ENDPOINT=localhost:9000 go test -v -run ^TestMinioStorageIterator$ ./modules/storage
```
Wrapping the `io.Reader` in an `io.NopCloser` also hides all other methods (like `WriteTo` or `Seek`), so is not ideal.
As a further "line of defense", the Close error is ignored (if saveAsPackageBlob was succesful, we don't really care if Close fails).
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8816
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
Add a new config option for OAuth2 authentication sources: allow users to change their username.
In the case where OAuth2 is more like a social OAuth2 login there's no need to not allow users to change their username. The information how the user is linked to the authentication source is stored in different fields.
Resolvesforgejo/forgejo#687
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8714
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Resolvesforgejo/forgejo#8793
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8802): <!--number 8802 --><!--line 0 --><!--description Y29ycmVjdCByZWxlYXNlIGxpbmsgaW4gZmVlZA==-->correct release link in feed<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8802
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR is part of #4767. It contains
* a refactoring of validation error messages
* adds the ability to send user-activities to distant federated servers
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8792
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
As stated in a comment: https://codeberg.org/forgejo/forgejo/issues/8634#issuecomment-6136933
> `routers/web/webfinger.go` was left unchanged, so it still includes the trailing slash, no longer matching the issuer specified in other endpoints.
>
> ...
>
> From the [OpenID Connect Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery):
>
> > The Issuer location MUST be returned in the WebFinger response as the value of the href member of a links array element with rel member value http://openid.net/specs/connect/1.0/issuer.
>
> This sounds to me like the `href` should be the issuer location exactly.
>
> Using Forgejo for OIDC for auth with Tailscale is one instance of this change breaking something - signing up to Tailscale with OIDC now gives an error. Unsure what happens for existing accounts.
In summary, since !8028, trailing slashes have been removed from the OIDC issuer locations specified by Forgejo everywhere except in WebFinger responses at `/.well-known/webfinger`, which still includes a trailing slash and so no longer matches the issuer as specified elsewhere (such as at `/.well-known/openid-configuration`).
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8794
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: hazycora <git@hazy.gay>
Co-committed-by: hazycora <git@hazy.gay>
Mainly a port of https://github.com/go-gitea/gitea/pull/31082.
closes#3573
## Screenshots
---
## Checklist
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface features
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8759): <!--number 8759 --><!--line 0 --><!--description YWRkIHRhZyBsYWJlbCB0byBjb21taXQgbGlzdCB2aWV3-->add tag label to commit list view<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8759
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>
Currently, the documentation mention that a CODEOWNERS file can be located in .forgejo for code owner PR review assignment, but this does not work. Add support for this location.
Resolves#8746
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8773
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: John Moon <john.moon@vts-i.com>
Co-committed-by: John Moon <john.moon@vts-i.com>
This PR is part of #4767. It
1. adds the ability to follow a local person from a distant federation server (see tests/integration/api_activitypub_person_inbox_follow_test.go)
2. streamlines the router code (refactor the person conversion & handling of inbox requests in service direction, unifies service call signature & error handling)
3. introduces queues for decoupling outgoing communication (delivery retry to cope network issues or distant service downtimes) and
4. adds minor fixes to integration tests (test timeout & invalid inbox activities)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8720
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Resolves#8428
Its currently showing the diff of two branches, even if the PR-unit is disabled. But the POST to create the PR is still returning an error when the unit is disabled, so its only a change for UI.
Preview:
https://codeberg.org/attachments/610d6b81-a50f-4c43-91c2-db4c38e7b701
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8496
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
