[v11.0/forgejo] chore: do not navigate to same URL in E2E test (#8462 )

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8461 - In `test.beforeEach` the browser is navigated to `/user2/repo1/pulls/5` and the test environment is prepared by making sure the pull request is not WIP. At the start of `simple toggle` the browser is navigated to the same URL (and the browser is already on this URL) which the Mobile Chrome browser does not handle gracefully and reliably errors with `net::ERR_ABORTED`. - Because we are already at that URL, do not try to navigate to it again. - I cannot offer a rationale why the Mobile Chrome browser does give a error when this happens in subsequent tests of 'Pull: Toggle WIP'. - Ref forgejo/forgejo#8359 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8462 Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
[v11.0/forgejo] fix: do not ignore automerge while a PR is checking for conflicts (#8456 )
2025-09-14 23:07:14 +00:00 · 2025-07-10 01:53:57 +02:00 · 2025-07-09 14:09:12 +02:00 · 2025-07-08 18:52:59 +02:00 · 2025-07-06 10:42:45 +02:00 · 2025-07-03 21:33:34 +02:00
2210 changed files with 30766 additions and 70089 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -20,13 +20,15 @@ forgejo.org/models/db
 	TruncateBeans
 	InTransaction
 	DumpTables
-	GetTableNames

 forgejo.org/models/dbfs
 	file.renameTo
 	Create
 	Rename

+forgejo.org/models/forgefed
+	GetFederationHost
+
 forgejo.org/models/forgejo/semver
 	GetVersion
 	SetVersionString
@ -55,7 +57,6 @@ forgejo.org/models/user
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
-	GetFederatedUser

 forgejo.org/modules/activitypub
 	NewContext
@ -86,11 +87,9 @@ forgejo.org/modules/eventsource
 	Event.String

 forgejo.org/modules/forgefed
-	NewForgeFollow
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
-	NewPersonIDFromModel
 	GetItemByType
 	JSONUnmarshalerFn
 	NotEmpty
@ -189,14 +188,10 @@ forgejo.org/modules/translation
 	MockLocale.Tr
 	MockLocale.TrN
 	MockLocale.TrPluralString
-	MockLocale.TrPluralStringAllForms
 	MockLocale.TrSize
 	MockLocale.HasKey
 	MockLocale.PrettyNumber

-forgejo.org/modules/translation/localeiter
-	IterateMessagesContent
-
 forgejo.org/modules/util
 	OptionalArg

@ -215,15 +210,15 @@ forgejo.org/modules/zstd
 	Writer.Write
 	Writer.Close

+forgejo.org/routers/web
+	NotFound
+
 forgejo.org/routers/web/org
 	MustEnableProjects

 forgejo.org/services/context
 	GetPrivateContext

-forgejo.org/services/federation
-	FollowRemoteActor
-
 forgejo.org/services/repository
 	IsErrForkAlreadyExist

--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -4,9 +4,13 @@
  "features": {
    // installs nodejs into container
    "ghcr.io/devcontainers/features/node:1": {
-      "version": "22"
+      "version": "20"
+    },
+    "ghcr.io/devcontainers/features/git-lfs:1.2.3": {},
+    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "3.12"
    },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
    "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
  },
  "customizations": {
--- a/.dockerignore
+++ b/.dockerignore
@ -37,9 +37,13 @@ coverage.all
 coverage/
 cpu.out

+/modules/migration/bindata.go
 /modules/migration/bindata.go.hash
+/modules/options/bindata.go
 /modules/options/bindata.go.hash
+/modules/public/bindata.go
 /modules/public/bindata.go.hash
+/modules/templates/bindata.go
 /modules/templates/bindata.go.hash

 *.db
--- a/.editorconfig
+++ b/.editorconfig
@ -12,9 +12,6 @@ insert_final_newline = true
 [{*.{go,tmpl,html},Makefile,go.mod}]
 indent_style = tab

-[go.*]
-indent_style = tab
-
 [templates/custom/*.tmpl]
 insert_final_newline = false

--- a/.forgejo/issue_template/bug-report-ui.yaml
+++ b/.forgejo/issue_template/bug-report-ui.yaml
@ -6,7 +6,7 @@ body:
 - type: markdown
  attributes:
    value: |
-      **NOTE: If your issue is a security concern, please email <security@forgejo.org> ([security.txt](https://forgejo.org/.well-known/security.txt)) instead of opening a public issue.**
+      **NOTE: If your issue is a security concern, please email <security@forgejo.org> (GPG: `A4676E79`) instead of opening a public issue.**
 - type: markdown
  attributes:
    value: |
@ -23,9 +23,8 @@ body:
      It is running the latest development branch and will confirm the problem is not already fixed.
      If you can reproduce it, provide a URL in the description.
    options:
-    - "Yes, I've linked the repository below"
-    - "No, I've tried it and the problem is not present there"
-    - "No, I can't try it on the test instance for some reason"
+    - "Yes"
+    - "No"
  validations:
    required: true
 - type: textarea
--- a/.forgejo/issue_template/bug-report.yaml
+++ b/.forgejo/issue_template/bug-report.yaml
@ -6,7 +6,7 @@ body:
 - type: markdown
  attributes:
    value: |
-      **NOTE: If your issue is a security concern, please email <security@forgejo.org> ([security.txt](https://forgejo.org/.well-known/security.txt)) instead of opening a public issue.**
+      **NOTE: If your issue is a security concern, please email <security@forgejo.org> (GPG: `A4676E79`) instead of opening a public issue.**
 - type: markdown
  attributes:
    value: |
@ -23,9 +23,8 @@ body:
      It is running the latest development branch and will confirm the problem is not already fixed.
      If you can reproduce it, provide a URL in the description.
    options:
-    - "Yes, I've linked the repository below"
-    - "No, I've tried it and the problem is not present there"
-    - "No, I can't try it on the test instance for some reason"
+    - "Yes"
+    - "No"
  validations:
    required: true
 - type: textarea
--- a/.forgejo/testdata/build-release/Dockerfile
+++ b/.forgejo/testdata/build-release/Dockerfile
@ -1,4 +1,4 @@
-FROM data.forgejo.org/oci/alpine:3.22
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION=unkown
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.version="${RELEASE_VERSION}"
--- a/.forgejo/workflows-composite/apt-install-from/action.yaml
+++ b/.forgejo/workflows-composite/apt-install-from/action.yaml
@ -18,7 +18,7 @@ runs:
    - name: install packages
      run: |
        apt-get update -qq
-        apt-get -q install --allow-downgrades -qq -y ${PACKAGES}
+        apt-get -q install -qq -y ${PACKAGES}
      env:
        PACKAGES: ${{inputs.packages}}
    - name: remove temporary package list to prevent using it in other steps
--- a/.forgejo/workflows-composite/install-minimum-git-version/action.yaml
+++ b/.forgejo/workflows-composite/install-minimum-git-version/action.yaml
@ -1,22 +0,0 @@
-#
-# Install the minimal version of Git supported by Forgejo
-#
-runs:
-  using: "composite"
-  steps:
-    - name: install git and git-lfs
-      run: |
-        set -x
-
-        export DEBIAN_FRONTEND=noninteractive
-
-        apt-get update -qq
-        apt-get -q install -y -qq curl ca-certificates
-
-        curl -sS -o /tmp/git-man.deb http://archive.ubuntu.com/ubuntu/pool/main/g/git/git-man_2.34.1-1ubuntu1_all.deb
-        curl -sS -o /tmp/git.deb https://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.34.1-1ubuntu1_amd64.deb
-        curl -sS -o /tmp/git-lfs.deb https://archive.ubuntu.com/ubuntu/pool/universe/g/git-lfs/git-lfs_3.0.2-1_amd64.deb
-
-        apt-get -q install --allow-downgrades -y -qq /tmp/git-man.deb
-        apt-get -q install --allow-downgrades -y -qq /tmp/git.deb
-        apt-get -q install --allow-downgrades -y -qq /tmp/git-lfs.deb
--- a/.forgejo/workflows/backport.yml
+++ b/.forgejo/workflows/backport.yml
@ -47,7 +47,7 @@ jobs:
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.5
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.4
        with:
          target-branch-pattern: "^backport/(?<target>(v.*))$"
          strategy: ort
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -28,7 +28,7 @@ jobs:
      - uses: https://data.forgejo.org/actions/checkout@v4

      - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.3
+        uses: https://data.forgejo.org/actions/setup-forgejo@v2.0.4
        with:
          user: root
          password: admin1234
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -164,7 +164,7 @@ jobs:

      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -183,7 +183,7 @@ jobs:

      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -201,7 +201,7 @@ jobs:

      - name: end-to-end tests
        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
@ -212,7 +212,6 @@ jobs:
          destination-repo: forgejo/end-to-end
          destination-branch: main
          destination-token: ${{ secrets.CASCADE_DESTINATION_TOKEN }}
-          close: true
          update: .forgejo/cascading-release-end-to-end

      - name: copy to experimental
--- a/.forgejo/workflows/cascade-setup-end-to-end.yml
+++ b/.forgejo/workflows/cascade-setup-end-to-end.yml
@ -41,7 +41,7 @@ jobs:
        with:
          fetch-depth: '0'
          show-progress: 'false'
-      - uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
@ -53,5 +53,5 @@ jobs:
          destination-repo: forgejo/end-to-end
          destination-branch: main
          destination-token: ${{ secrets.END_TO_END_CASCADING_PR_DESTINATION }}
-          close: true
+          close-merge: true
          update: .forgejo/cascading-pr-end-to-end
--- a/.forgejo/workflows/coverage.yml
+++ b/.forgejo/workflows/coverage.yml
@ -1,89 +0,0 @@
-name: coverage
-
-on:
-  workflow_dispatch:
-    inputs:
-      repository:
-        description: 'repository'
-        type: string
-      ref:
-        description: 'ref'
-        type: string
-      unit-tests-env:
-        description: 'COVERAGE_TEST_PACKAGES=forgejo.org/modules/actions'
-        type: string
-      integration-tests-env:
-        description: 'COVERAGE_TEST_ARGS=-run=TestAPIListRepoComments'
-        type: string
-
-jobs:
-  all:
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/ci:1'
-      options: --tmpfs /tmp:exec,noatime
-    services:
-      elasticsearch:
-        image: data.forgejo.org/oci/bitnami/elasticsearch:7
-        options: --tmpfs /bitnami/elasticsearch/data
-        env:
-          discovery.type: single-node
-          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
-      minio:
-        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
-        options: >-
-          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
-        env:
-          MINIO_DOMAIN: minio
-          MINIO_ROOT_USER: 123456
-          MINIO_ROOT_PASSWORD: 12345678
-      mysql:
-        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
-        env:
-          ALLOW_EMPTY_PASSWORD: yes
-          MYSQL_DATABASE: testgitea
-          #
-          # See also https://codeberg.org/forgejo/forgejo/issues/976
-          #
-          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
-        options: --tmpfs /bitnami/mysql/data:noatime
-      ldap:
-        image: data.forgejo.org/oci/test-openldap:latest
-      pgsql:
-        image: data.forgejo.org/oci/bitnami/postgresql:16
-        env:
-          POSTGRESQL_DATABASE: test
-          POSTGRESQL_PASSWORD: postgres
-          POSTGRESQL_FSYNC: off
-          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
-        options: --tmpfs /bitnami/postgresql
-      cacher:
-        image: registry.redict.io/redict:7.3.5-scratch
-        options: --tmpfs /data:noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v4
-        with:
-          repository: ${{ inputs.repository }}
-          ref: ${{ inputs.ref }}
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git >= 2.42
-        uses: ./.forgejo/workflows-composite/apt-install-from
-        with:
-          packages: git
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c '${{ inputs.unit-tests-env }} make coverage-run'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-pgsql'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-mysql'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-sqlite'
-          su forgejo -c 'make coverage-merge'
-        timeout-minutes: 180
-        env:
-          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
-          TEST_MINIO_ENDPOINT: minio:9000
-          TEST_LDAP: 1
-          TEST_REDIS_SERVER: cacher:6379
-      - uses: https://code.forgejo.org/forgejo/upload-artifact@v4
-        with:
-          name: coverage
-          path: ${{ forge.workspace }}/coverage/merged
--- a/.forgejo/workflows/merge-requirements.yml
+++ b/.forgejo/workflows/merge-requirements.yml
@ -1,4 +1,4 @@
-# Copyright 2025 The Forgejo Authors
+# Copyright 2024 The Forgejo Authors
 # SPDX-License-Identifier: MIT

 name: requirements
@ -13,8 +13,7 @@ on:

 jobs:
  merge-conditions:
-    if: >
-      vars.ROLE == 'forgejo-coding' && forge.event.pull_request.head.repo.full_name != 'forgejo-cascading-pr/forgejo'
+    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:22-bookworm'
@ -27,18 +26,18 @@ jobs:
      - name: Missing test label
        if: >
          !(
-            contains(toJSON(forge.event.pull_request.labels), 'test/present')
-            || contains(toJSON(forge.event.pull_request.labels), 'test/not-needed')
-            || contains(toJSON(forge.event.pull_request.labels), 'test/manual')
+            contains(toJSON(github.event.pull_request.labels), 'test/present')
+            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
+            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
          )
        run: |
-          echo "A team member must set the label to either 'present', 'not-needed' or 'manual'."
+          echo "Test label must be set to either 'present', 'not-needed' or 'manual'."
          exit 1
      - name: Missing manual test instructions
        if: >
          (
-            contains(toJSON(forge.event.pull_request.labels), 'test/manual')
-            && !contains(toJSON(forge.event.pull_request.body), '# Test')
+            contains(toJSON(github.event.pull_request.labels), 'test/manual')
+            && !contains(toJSON(github.event.pull_request.body), '# Test')
          )
        run: |
          echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -44,7 +44,7 @@ jobs:
      - uses: https://data.forgejo.org/actions/checkout@v4

      - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.4.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.3.4
        with:
          from-forgejo: ${{ vars.FORGEJO }}
          to-forgejo: ${{ vars.FORGEJO }}
@ -80,7 +80,7 @@ jobs:
          label: trigger

      - name: upgrade v*.next.forgejo.org
-        uses: https://data.forgejo.org/infrastructure/next-digest@v1.2.2
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
        with:
          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@invisible.forgejo.org/infrastructure/next-digest
          ref_name: '${{ github.ref_name }}'
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@ -4,35 +4,30 @@ on:
  schedule:
    - cron: '@daily'

-env:
-  RNA_WORKDIR: /srv/rna
-  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
-
 jobs:
  release-notes:
    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/ci:1'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v4

-      - uses: https://data.forgejo.org/actions/cache@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
-          key: rna-${{ env.RNA_VERSION }}
-          path: ${{ env.RNA_WORKDIR }}
+          go-version-file: "go.mod"
+          cache: false

-      - name: install release-notes-assistant
+      - name: apt install jq
        run: |
-          set -x
-          wget -O /usr/local/bin/rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/${{ env.RNA_VERSION}}/release-notes-assistant
-          chmod +x /usr/local/bin/rna
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq

      - name: update open milestones
        run: |
          set -x
-          mkdir -p ${{ env.RNA_WORKDIR }}
-          curl -sS $FORGEJO_SERVER_URL/api/v1/repos/$FORGEJO_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
+          curl -sS $GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
            milestone="$forgejo $version"
-            rna --workdir ${{ env.RNA_WORKDIR }} --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone" --forgejo-url $FORGEJO_SERVER_URL --repository $FORGEJO_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
+            go run code.forgejo.org/forgejo/release-notes-assistant@v1.1.1 --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone"  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
          done
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@ -7,9 +7,6 @@ on:
      - synchronize
      - labeled

-env:
-  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
-
 jobs:
  release-notes:
    if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
@ -41,4 +38,4 @@ jobs:

      - name: release-notes-assistant preview
        run: |
-          go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }}  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}
+          go run code.forgejo.org/forgejo/release-notes-assistant@v1.1.1 --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }}  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -20,7 +20,7 @@ env:
  RENOVATE_REPOSITORIES: ${{ github.repository }}
  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
  # and codeberg api returns such versions from `git describe --tags`
-  # RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0 currently not needed
+  RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0

 jobs:
  renovate:
@ -28,7 +28,7 @@ jobs:

    runs-on: docker
    container:
-      image: data.forgejo.org/renovate/renovate:41.76.0
+      image: data.forgejo.org/renovate/renovate:39.212.0

    steps:
      - name: Load renovate repo cache
@ -49,7 +49,7 @@ jobs:
          LOG_LEVEL: debug
          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
          RENOVATE_ENDPOINT: ${{ github.server_url }}
-          RENOVATE_PLATFORM: forgejo
+          RENOVATE_PLATFORM: gitea
          RENOVATE_REPOSITORY_CACHE: 'enabled'
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_GIT_AUTHOR: 'Renovate Bot <forgejo-renovate-action@forgejo.org>'
@ -63,10 +63,6 @@ jobs:

          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv

-          # use direct connection for these domains for renovate go datasource instead of the go proxy
-          # allows faster lookups
-          GONOPROXY: code.forgejo.org
-
      - name: Save renovate repo cache
        if: always() && env.RENOVATE_DRY_RUN != 'full'
        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
--- a/.forgejo/workflows/testing-integration.yml
+++ b/.forgejo/workflows/testing-integration.yml
@ -1,99 +0,0 @@
-#
-# Additional integration tests designed to run once a day when
-# `mirror.yml` pushes to https://codeberg.org/forgejo-integration/forgejo
-# and send a notification via email to the contact email of the
-# organization should they fail.
-#
-# For debug purposes:
-#
-# - uncomment [on].pull_request
-# - swap 'forgejo-integration' and 'forgejo-coding'
-# - open a pull request at https://codeberg.org/forgejo/forgejo and fix things
-# - swap 'forgejo-integration' and 'forgejo-coding'
-# - comment [on].pull_request
-#
-
-name: testing-integration
-
-on:
-#  pull_request:
-  push:
-    tags: 'v[0-9]+.[0-9]+.*'
-    branches:
-      - 'forgejo'
-      - 'v*/forgejo'
-
-enable-email-notifications: true
-
-jobs:
-  test-unit:
-#    if: vars.ROLE == 'forgejo-coding'
-    if: vars.ROLE == 'forgejo-integration'
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/node:22-bookworm'
-      options: --tmpfs /tmp:exec,noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.34.1 and git-lfs 3.0.2
-        uses: ./.forgejo/workflows-composite/install-minimum-git-version
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c 'make test-backend test-check'
-        timeout-minutes: 120
-        env:
-          RACE_ENABLED: 'true'
-          TAGS: bindata
-  test-sqlite:
-#    if: vars.ROLE == 'forgejo-coding'
-    if: vars.ROLE == 'forgejo-integration'
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/node:22-bookworm'
-      options: --tmpfs /tmp:exec,noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.34.1 and git-lfs 3.0.2
-        uses: ./.forgejo/workflows-composite/install-minimum-git-version
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c 'make test-sqlite-migration test-sqlite'
-        timeout-minutes: 120
-        env:
-          TAGS: sqlite sqlite_unlock_notify
-          RACE_ENABLED: true
-          TEST_TAGS: sqlite sqlite_unlock_notify
-          USE_REPO_TEST_DIR: 1
-  test-mariadb:
-#    if: vars.ROLE == 'forgejo-coding'
-    if: vars.ROLE == 'forgejo-integration'
-    runs-on: docker
-    name: ${{ format('test-mariadb (v{0})', matrix.version) }}
-    strategy:
-      matrix:
-        version: ['10.6', '11.8']
-    container:
-      image: 'data.forgejo.org/oci/node:22-bookworm'
-      options: --tmpfs /tmp:exec,noatime
-    services:
-      mysql:
-        image: ${{ format('data.forgejo.org/oci/mariadb:{0}', matrix.version) }}
-        env:
-          MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes
-          MARIADB_DATABASE: testgitea
-        options: --tmpfs /var/lib/mysql:noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install dependencies & git >= 2.42
-        uses: ./.forgejo/workflows-composite/apt-install-from
-        with:
-          packages: git git-lfs
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c 'make test-mysql-migration test-mysql'
-        timeout-minutes: 120
-        env:
-          USE_REPO_TEST_DIR: 1
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -37,11 +37,7 @@ jobs:
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
-      - run: |
-          # Usage of `dayjs` can be impacted by local system timezone and can be sensitive to DST differences; since
-          # frontend tests are very short they're run twice with varying DST rules to reduce regression risk.
-          TZ=Europe/Berlin make test-frontend-coverage
-          TZ=America/Edmonton make test-frontend-coverage
+      - run: make test-frontend-coverage
      - run: make frontend
      - name: Install zstd for cache saving
        # works around https://github.com/actions/cache/issues/1169, because the
@ -95,7 +91,6 @@ jobs:
          RACE_ENABLED: 'true'
          TAGS: bindata
          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
-          TEST_MINIO_ENDPOINT: minio:9000
  test-e2e:
    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
@ -119,14 +114,9 @@ jobs:
        run: |
          su forgejo -c 'make deps-frontend frontend'
      - uses: ./.forgejo/workflows-composite/build-backend
-      - name: Decide to run all tests
-        id: run-all
-        if: contains(github.event.pull_request.labels.*.name, 'run-all-playwright-tests') || contains(github.event.pull_request.title, 'playwright')
-        run: |
-          echo "all=1" >> "$GITHUB_OUTPUT"
      - name: Get changed files
        id: changed-files
-        uses: https://data.forgejo.org/tj-actions/changed-files@v46
+        uses: https://data.forgejo.org/tj-actions/changed-files@v45
        with:
          separator: '\n'
      - run: |
@ -136,7 +126,6 @@ jobs:
          USE_REPO_TEST_DIR: 1
          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
          CHANGED_FILES: ${{steps.changed-files.outputs.all_changed_files}}
-          RUN_ALL: ${{steps.run-all.all}}
      - name: Upload test artifacts on failure
        if: failure()
        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
--- a/.gitignore
+++ b/.gitignore
@ -37,8 +37,6 @@ _testmain.go

 *coverage.out
 coverage.all
-coverage.html
-coverage.html.gz
 coverage/
 cpu.out

@ -55,8 +53,6 @@ cpu.out
 *.log
 *.log.*.gz

-/build/lint-locale/lint-locale
-/build/lint-locale-usage/lint-locale-usage
 /gitea
 /gitea-vet
 /debug
@ -133,4 +129,3 @@ prime/

 # Manpage
 /man
-tests/integration/api_activitypub_person_inbox_useractivity_test.go
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,9 +1,7 @@
-version: "2"
-output:
-  sort-order:
-    - file
 linters:
-  default: none
+  enable-all: false
+  disable-all: true
+  fast: false
  enable:
    - bidichk
    - depguard
@ -11,163 +9,142 @@ linters:
    - errcheck
    - forbidigo
    - gocritic
+    - gofmt
+    - gofumpt
+    - gosimple
    - govet
    - ineffassign
    - nakedret
    - nolintlint
    - revive
    - staticcheck
+    - stylecheck
    - testifylint
+    - typecheck
    - unconvert
-    - unparam
    - unused
+    - unparam
    - usetesting
    - wastedassign
-  settings:
-    depguard:
-      rules:
-        main:
-          deny:
-            - pkg: encoding/json
-              desc: use gitea's modules/json instead of encoding/json
-            - pkg: github.com/unknwon/com
-              desc: use gitea's util and replacements
-            - pkg: io/ioutil
-              desc: use os or io instead
-            - pkg: golang.org/x/exp
-              desc: it's experimental and unreliable
-            - pkg: forgejo.org/modules/git/internal
-              desc: do not use the internal package, use AddXxx function instead
-            - pkg: gopkg.in/ini.v1
-              desc: do not use the ini package, use gitea's config system instead
-            - pkg: github.com/minio/sha256-simd
-              desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
-            - pkg: github.com/go-git/go-git
-              desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
-            - pkg: gopkg.in/yaml.v3
-              desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
-    gocritic:
-      disabled-checks:
-        - ifElseChain
-    revive:
-      severity: error
-      rules:
-        - name: atomic
-        - name: bare-return
-        - name: blank-imports
-        - name: constant-logical-expr
-        - name: context-as-argument
-        - name: context-keys-type
-        - name: dot-imports
-        - name: duplicated-imports
-        - name: empty-lines
-        - name: error-naming
-        - name: error-return
-        - name: error-strings
-        - name: errorf
-        - name: exported
-        - name: identical-branches
-        - name: if-return
-        - name: increment-decrement
-        - name: indent-error-flow
-        - name: modifies-value-receiver
-        - name: package-comments
-        - name: range
-        - name: receiver-naming
-        - name: redefines-builtin-id
-        - name: string-of-int
-        - name: superfluous-else
-        - name: time-naming
-        - name: unconditional-recursion
-        - name: unexported-return
-        - name: unreachable-code
-        - name: var-declaration
-        - name: var-naming
-          arguments:
-            - []
-            - []
-            - - skip-package-name-checks: true
-        - name: redefines-builtin-id
-          disabled: true
-    staticcheck:
-      checks:
-        - all
-    testifylint:
-      disable:
-        - go-require
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
+
+run:
+  timeout: 10m
+
+output:
+  sort-results: true
+  sort-order: [file]
+  show-stats: true
+
+linters-settings:
+  stylecheck:
+    checks: ["all", "-ST1005", "-ST1003"]
+  nakedret:
+    max-func-lines: 0
+  gocritic:
+    disabled-checks:
+      - ifElseChain
+  revive:
+    severity: error
    rules:
-      - linters:
-          - nolintlint
-        path: models/db/sql_postgres_with_schema.go
-      - linters:
-          - dupl
-          - errcheck
-          - gocyclo
-          - gosec
-          - staticcheck
-          - unparam
-        path: _test\.go
-      - linters:
-          - dupl
-          - errcheck
-          - gocyclo
-          - gosec
-        path: models/migrations/v
-      - linters:
-          - forbidigo
-        path: cmd
-      - linters:
-          - dupl
-        text: (?i)webhook
-      - linters:
-          - gocritic
-        text: (?i)`ID' should not be capitalized
-      - linters:
-          - deadcode
-          - unused
-        text: (?i)swagger
-      - linters:
-          - staticcheck
-        text: (?i)argument x is overwritten before first use
-      - linters:
-          - gocritic
-        text: '(?i)commentFormatting: put a space between `//` and comment text'
-      - linters:
-          - gocritic
-        text: '(?i)exitAfterDefer:'
-      - linters:
-          - staticcheck
-        text: "(ST1005|ST1003|QF1001):"
-    paths:
-      - node_modules
-      - public
-      - web_src
-      - third_party$
-      - builtin$
-      - examples$
+      - name: atomic
+      - name: bare-return
+      - name: blank-imports
+      - name: constant-logical-expr
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: dot-imports
+      - name: duplicated-imports
+      - name: empty-lines
+      - name: error-naming
+      - name: error-return
+      - name: error-strings
+      - name: errorf
+      - name: exported
+      - name: identical-branches
+      - name: if-return
+      - name: increment-decrement
+      - name: indent-error-flow
+      - name: modifies-value-receiver
+      - name: package-comments
+      - name: range
+      - name: receiver-naming
+      - name: redefines-builtin-id
+      - name: string-of-int
+      - name: superfluous-else
+      - name: time-naming
+      - name: unconditional-recursion
+      - name: unexported-return
+      - name: unreachable-code
+      - name: var-declaration
+      - name: var-naming
+      - name: redefines-builtin-id
+        disabled: true
+  gofumpt:
+    extra-rules: true
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: encoding/json
+            desc: use gitea's modules/json instead of encoding/json
+          - pkg: github.com/unknwon/com
+            desc: use gitea's util and replacements
+          - pkg: io/ioutil
+            desc: use os or io instead
+          - pkg: golang.org/x/exp
+            desc: it's experimental and unreliable
+          - pkg: forgejo.org/modules/git/internal
+            desc: do not use the internal package, use AddXxx function instead
+          - pkg: gopkg.in/ini.v1
+            desc: do not use the ini package, use gitea's config system instead
+          - pkg: github.com/minio/sha256-simd
+            desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
+  testifylint:
+    disable:
+      - go-require
+
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
-formatters:
-  enable:
-    - gofmt
-    - gofumpt
-  settings:
-    gofumpt:
-      extra-rules: true
-  exclusions:
-    generated: lax
-    paths:
-      - node_modules
-      - public
-      - web_src
-      - third_party$
-      - builtin$
-      - examples$
+  exclude-dirs: [node_modules, public, web_src]
+  exclude-case-sensitive: true
+  exclude-rules:
+    - path: models/db/sql_postgres_with_schema.go
+      linters:
+        - nolintlint
+    - path: _test\.go
+      linters:
+        - gocyclo
+        - errcheck
+        - dupl
+        - gosec
+        - unparam
+        - staticcheck
+    - path: models/migrations/v
+      linters:
+        - gocyclo
+        - errcheck
+        - dupl
+        - gosec
+    - path: cmd
+      linters:
+        - forbidigo
+    - text: "webhook"
+      linters:
+        - dupl
+    - text: "`ID' should not be capitalized"
+      linters:
+        - gocritic
+    - text: "swagger"
+      linters:
+        - unused
+        - deadcode
+    - text: "argument x is overwritten before first use"
+      linters:
+        - staticcheck
+    - text: "commentFormatting: put a space between `//` and comment text"
+      linters:
+        - gocritic
+    - text: "exitAfterDefer:"
+      linters:
+        - gocritic
--- a/17
+++ b/17
@ -36,6 +36,10 @@ GARGS = "--no-print-directory"
    JARG = -j$(.MAKE.JOBS)
 .endif

+# bmake prefers out-of-source builds and tries to cd into ./obj (among others)
+# where possible. GNU Make doesn't, so override that value.
+.OBJDIR: ./
+
 # The GNU convention is to use the lowercased `prefix` variable/macro to
 # specify the installation directory. Humor them.
 GPREFIX =
@ -44,12 +48,11 @@ GPREFIX =
 .endif

 .BEGIN: .SILENT
-	which $(GMAKE) >/dev/null || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)
+	which $(GMAKE) || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)

-.PHONY: EMPTY
-EMPTY: .SILENT
-	$(GMAKE) $(GPREFIX) $(GARGS) $(JARG)
+.PHONY: FRC
+$(.TARGETS): FRC
+	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)

-.PHONY: $(.TARGETS)
-$(.TARGETS): .SILENT
-	$(GMAKE) $(GPREFIX) $(GARGS) $(JARG) $@
+.DONE .DEFAULT: .SILENT
+	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
--- a/6
+++ b/6
@ -9,11 +9,10 @@
 # Files related to frontend development.

 # Javascript and CSS code.
-web_src/.* @beowulf @gusted
-web_src/css/.* @0ko
+web_src/.* @caesar @crystal @gusted

 # HTML templates used by the backend.
-templates/.* @beowulf @gusted
+templates/.* @caesar @crystal @gusted
 ## the issue sidebar was touched by fnetx
 templates/repo/issue/view_content/sidebar.* @fnetx

@ -39,5 +38,4 @@ options/locale/.* @0ko
 options/locale_next/.* @0ko

 # Personal interest
-build/lint-locale-usage/.* @fogti
 .*/webhook.* @oliverpool
--- a/10
+++ b/10
@ -1,9 +1,9 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.22 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env

 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
+ENV GOPROXY=${GOPROXY:-direct}

 ARG RELEASE_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
@ -33,10 +33,10 @@ RUN apk --no-cache add build-base git nodejs npm
 COPY . ${GOPATH}/src/forgejo.org
 WORKDIR ${GOPATH}/src/forgejo.org

-RUN make clean-no-bindata
+RUN make clean
 RUN make frontend
 RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
-RUN LDFLAGS="-buildid=" make FORGEJO_GENERATE_SKIP_HASH=true RELEASE_VERSION=$RELEASE_VERSION GOFLAGS="-trimpath" go-check generate-backend static-executable && xx-verify gitea
+RUN LDFLAGS="-buildid=" make RELEASE_VERSION=$RELEASE_VERSION GOFLAGS="-trimpath" go-check generate-backend static-executable && xx-verify gitea

 # Copy local files
 COPY docker/root /tmp/local
@ -51,7 +51,7 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
              /go/src/forgejo.org/environment-to-ini
 RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete

-FROM data.forgejo.org/oci/alpine:3.22
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,9 +1,9 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.22 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env

 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
+ENV GOPROXY=${GOPROXY:-direct}

 ARG RELEASE_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
@ -33,10 +33,10 @@ RUN apk --no-cache add build-base git nodejs npm
 COPY . ${GOPATH}/src/forgejo.org
 WORKDIR ${GOPATH}/src/forgejo.org

-RUN make clean-no-bindata
+RUN make clean
 RUN make frontend
 RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
-RUN make FORGEJO_GENERATE_SKIP_HASH=true RELEASE_VERSION=$RELEASE_VERSION go-check generate-backend static-executable && xx-verify gitea
+RUN make RELEASE_VERSION=$RELEASE_VERSION go-check generate-backend static-executable && xx-verify gitea

 # Copy local files
 COPY docker/rootless /tmp/local
@ -49,7 +49,7 @@ RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
              /go/src/forgejo.org/environment-to-ini
 RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete

-FROM data.forgejo.org/oci/alpine:3.22
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
--- a/246
+++ b/246
@ -37,17 +37,19 @@ endif
 XGO_VERSION := go-1.21.x

 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.3.0 # renovate: datasource=go
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.8.0 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.3.1 # renovate: datasource=go
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.2.1 # renovate: datasource=go
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.7.0 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.7 # renovate: datasource=go
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
+MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.6.0 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.36.0 # renovate: datasource=go
-GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@41.76.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.31.0 # renovate: datasource=go
+GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.4.0 # renovate: datasource=go
+GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.18.1 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@39.212.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate

 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
@ -90,22 +92,29 @@ else
    FORGEJO_VERSION_API ?= $(GITEA_VERSION)+${GITEA_COMPATIBILITY}
  else
    # drop the "g" prefix prepended by git describe to the commit hash
-    FORGEJO_VERSION ?= $(shell git describe --exclude '*-test' --tags --always 2>/dev/null | sed 's/^v//' | sed 's/\-g/-/')
-    ifneq ($(FORGEJO_VERSION),)
-      ifeq ($(findstring $(GITEA_COMPATIBILITY),$(FORGEJO_VERSION)),)
-        FORGEJO_VERSION := $(FORGEJO_VERSION)+$(GITEA_COMPATIBILITY)
-      endif
-    endif
+    FORGEJO_VERSION ?= $(shell git describe --exclude '*-test' --tags --always | sed 's/^v//' | sed 's/\-g/-/')+${GITEA_COMPATIBILITY}
  endif
 endif
 FORGEJO_VERSION_MAJOR=$(shell echo $(FORGEJO_VERSION) | sed -e 's/\..*//')
 FORGEJO_VERSION_MINOR=$(shell echo $(FORGEJO_VERSION) | sed -E -e 's/^([0-9]+\.[0-9]+).*/\1/')

+show-version-full:
+	@echo ${FORGEJO_VERSION}
+
+show-version-major:
+	@echo ${FORGEJO_VERSION_MAJOR}
+
+show-version-minor:
+	@echo ${FORGEJO_VERSION_MINOR}
+
 RELEASE_VERSION ?= ${FORGEJO_VERSION}
 VERSION ?= ${RELEASE_VERSION}

 FORGEJO_VERSION_API ?= ${FORGEJO_VERSION}

+show-version-api:
+	@echo ${FORGEJO_VERSION_API}
+
 # Strip binaries by default to reduce size, allow overriding for debugging
 STRIP ?= 1
 ifeq ($(STRIP),1)
@ -115,6 +124,9 @@ LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeV

 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64

+ifeq ($(HAS_GO), yes)
+	GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...))
+endif
 REMOTE_CACHER_MODULES ?= cache nosql session queue
 GO_TEST_REMOTE_CACHER_PACKAGES ?= $(addprefix forgejo.org/modules/,$(REMOTE_CACHER_MODULES))

@ -125,7 +137,7 @@ WEBPACK_CONFIGS := webpack.config.js tailwind.config.js
 WEBPACK_DEST := public/assets/js/index.js public/assets/css/index.css
 WEBPACK_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts

-BINDATA_DEST := modules/migration/bindata.go modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
+BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
 BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))

 GENERATED_GO_DEST := modules/charset/invisible_gen.go modules/charset/ambiguous_gen.go
@ -156,6 +168,9 @@ GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/optio
 GO_SOURCES += $(GENERATED_GO_DEST)
 GO_SOURCES_NO_BINDATA := $(GO_SOURCES)

+ifeq ($(HAS_GO), yes)
+	MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...)
+endif

 ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
 	GO_SOURCES += $(BINDATA_DEST)
@ -193,7 +208,7 @@ all: build
 .PHONY: help
 help:
 	@echo "Make Routines:"
-	@echo " - \"\"                               equivalent to \"build\""
+	@echo " - \"\"                             equivalent to \"build\""
 	@echo " - build                            build everything"
 	@echo " - frontend                         build frontend files"
 	@echo " - backend                          build backend files"
@ -206,22 +221,31 @@ help:
 	@echo " - deps-frontend                    install frontend dependencies"
 	@echo " - deps-backend                     install backend dependencies"
 	@echo " - deps-tools                       install tool dependencies"
+	@echo " - deps-py                          install python dependencies"
 	@echo " - lint                             lint everything"
 	@echo " - lint-fix                         lint everything and fix issues"
 	@echo " - lint-frontend                    lint frontend files"
 	@echo " - lint-frontend-fix                lint frontend files and fix issues"
 	@echo " - lint-backend                     lint backend files"
 	@echo " - lint-backend-fix                 lint backend files and fix issues"
+	@echo " - lint-codespell                   lint typos"
+	@echo " - lint-codespell-fix               lint typos and fix them automatically"
+	@echo " - lint-codespell-fix-i             lint typos and fix them interactively"
 	@echo " - lint-go                          lint go files"
 	@echo " - lint-go-fix                      lint go files and fix issues"
 	@echo " - lint-go-vet                      lint go files with vet"
+	@echo " - lint-go-gopls                    lint go files with gopls"
 	@echo " - lint-js                          lint js files"
 	@echo " - lint-js-fix                      lint js files and fix issues"
 	@echo " - lint-css                         lint css files"
 	@echo " - lint-css-fix                     lint css files and fix issues"
 	@echo " - lint-md                          lint markdown files"
 	@echo " - lint-swagger                     lint swagger files"
+	@echo " - lint-templates                   lint template files"
 	@echo " - lint-renovate                    lint renovate files"
+	@echo " - lint-yaml                        lint yaml files"
+	@echo " - lint-spell                       lint spelling"
+	@echo " - lint-spell-fix                   lint spelling and fix issues"
 	@echo " - checks                           run various consistency checks"
 	@echo " - checks-frontend                  check frontend files"
 	@echo " - checks-backend                   check backend files"
@ -232,9 +256,6 @@ help:
 	@echo " - test-frontend-coverage           test frontend files and display code coverage"
 	@echo " - test-backend                     test backend files"
 	@echo " - test-remote-cacher               test backend files that use a remote cache"
-	@echo " - coverage-run*                    test and collect coverages in the coverage/data directory"
-	@echo " - coverage-show-html               display coverage-run results in an HTML page"
-	@echo " - coverage-show-percent            display coverage-run per package coverage percentage"
 	@echo " - test-e2e-sqlite[\#name.test.e2e] test end to end using playwright and sqlite"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
@ -255,48 +276,6 @@ help:
 	@echo " - test-sqlite[\#TestSpecificName]  run integration test for sqlite"
 	@echo " - reproduce-build\#version         build a reproducible binary for the specified release version"

-.PHONY: verify-version
-verify-version:
-ifeq ($(FORGEJO_VERSION),)
-	@echo "Error: Could not determine FORGEJO_VERSION; version file $(STORED_VERSION_FILE) not present and no suitable git tag found"
-	@echo 'In most cases this likely means you forgot to fetch git tags, you can fix this by executing `git fetch --tags`. If this is not possible and this is part of a custom build process, then you can set a specific version by writing it to $(STORED_VERSION_FILE) (This must be a semver compatible version).'
-	@false
-endif
-
-.PHONY: show-version-full
-show-version-full: verify-version
-	@echo ${FORGEJO_VERSION}
-
-.PHONY: show-version-major
-show-version-major: verify-version
-	@echo ${FORGEJO_VERSION_MAJOR}
-
-.PHONY: show-version-minor
-show-version-minor: verify-version
-	@echo ${FORGEJO_VERSION_MINOR}
-
-.PHONY: show-version-api
-show-version-api: verify-version
-	@echo ${FORGEJO_VERSION_API}
-
-###
-# Package computation targets
-###
-
-# Target to compute GO_TEST_PACKAGES - only runs when needed
-.PHONY: compute-go-test-packages
-compute-go-test-packages:
-ifeq ($(HAS_GO), yes)
-	$(eval GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...)))
-endif
-
-# Target to compute MIGRATION_PACKAGES - only runs when needed
-.PHONY: compute-migration-packages
-compute-migration-packages:
-ifeq ($(HAS_GO), yes)
-	$(eval MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...))
-endif
-
 ###
 # Check system and environment requirements
 ###
@ -338,12 +317,8 @@ clean-all: clean
 	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules

 .PHONY: clean
-clean: clean-no-bindata
-	rm -rf $(BINDATA_DEST) $(BINDATA_HASH)
-
-.PHONY: clean-no-bindata
-clean-no-bindata:
-	rm -rf $(EXECUTABLE) $(DIST) \
+clean:
+	rm -rf $(EXECUTABLE) $(DIST) $(BINDATA_DEST) $(BINDATA_HASH) \
 		integrations*.test \
 		e2e*.test \
 		tests/integration/gitea-integration-* \
@ -426,10 +401,10 @@ checks-frontend: lockfile-check svg-check
 checks-backend: tidy-check swagger-check fmt-check swagger-validate security-check

 .PHONY: lint
-lint: lint-frontend lint-backend
+lint: lint-frontend lint-backend lint-spell

 .PHONY: lint-fix
-lint-fix: lint-frontend-fix lint-backend-fix
+lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix

 .PHONY: lint-frontend
 lint-frontend: lint-js lint-css
@ -443,6 +418,18 @@ lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale li
 .PHONY: lint-backend-fix
 lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig lint-disposable-emails-fix

+.PHONY: lint-codespell
+lint-codespell: deps-py
+	@poetry run codespell
+
+.PHONY: lint-codespell-fix
+lint-codespell-fix: deps-py
+	@poetry run codespell -w
+
+.PHONY: lint-codespell-fix-i
+lint-codespell-fix-i: deps-py
+	@poetry run codespell -w -i 3 -C 2
+
 .PHONY: lint-js
 lint-js: node_modules
 	npx eslint --color --max-warnings=0
@ -465,8 +452,8 @@ lint-swagger: node_modules

 .PHONY: lint-renovate
 lint-renovate: node_modules
-	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator > .lint-renovate 2>&1 || true
-	@if grep --quiet --extended-regexp -e '^( ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
+	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator --strict > .lint-renovate 2>&1 || true
+	@if grep --quiet --extended-regexp -e '^( WARN:|ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
 	@rm .lint-renovate

 .PHONY: lint-locale
@ -475,12 +462,20 @@ lint-locale:

 .PHONY: lint-locale-usage
 lint-locale-usage:
-	$(GO) run ./build/lint-locale-usage --allow-masked-usages-from=build/lint-locale-usage/allowed-masked-usage.txt
+	$(GO) run build/lint-locale-usage/lint-locale-usage.go --allow-missing-msgids

 .PHONY: lint-md
 lint-md: node_modules
 	npx markdownlint docs *.md

+.PHONY: lint-spell
+lint-spell: lint-codespell
+	@go run $(MISSPELL_PACKAGE) -error $(SPELLCHECK_FILES)
+
+.PHONY: lint-spell-fix
+lint-spell-fix: lint-codespell-fix
+	@go run $(MISSPELL_PACKAGE) -w $(SPELLCHECK_FILES)
+
 RUN_DEADCODE = $(GO) run $(DEADCODE_PACKAGE) -generated=false -f='{{println .Path}}{{range .Funcs}}{{printf "\t%s\n" .Name}}{{end}}{{println}}' -test forgejo.org

 .PHONY: lint-go
@ -500,6 +495,11 @@ lint-go-vet:
 	@echo "Running go vet..."
 	@$(GO) vet ./...

+.PHONY: lint-go-gopls
+lint-go-gopls:
+	@echo "Running gopls check..."
+	@GO=$(GO) GOPLS_PACKAGE=$(GOPLS_PACKAGE) tools/lint-go-gopls.sh $(GO_SOURCES_NO_BINDATA)
+
 .PHONY: lint-editorconfig
 lint-editorconfig:
 	$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) templates .forgejo/workflows
@ -512,9 +512,18 @@ lint-disposable-emails:
 lint-disposable-emails-fix:
 	$(GO) run build/generate-disposable-email.go -r $(DISPOSABLE_EMAILS_SHA)

+.PHONY: lint-templates
+lint-templates: .venv node_modules
+	@node tools/lint-templates-svg.js
+	@poetry run djlint $(shell find templates -type f -iname '*.tmpl')
+
+.PHONY: lint-yaml
+lint-yaml: .venv
+	@poetry run yamllint -s .
+
 .PHONY: security-check
 security-check:
-	go run $(GOVULNCHECK_PACKAGE) -show color ./...
+	go run $(GOVULNCHECK_PACKAGE) ./...

 ###
 # Development and testing targets
@ -537,9 +546,9 @@ watch-backend: go-check
 test: test-frontend test-backend

 .PHONY: test-backend
-test-backend: | compute-go-test-packages
+test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)

 .PHONY: test-remote-cacher
 test-remote-cacher:
@ -567,39 +576,20 @@ test-check:
 	fi

 .PHONY: test\#%
-test\#%: | compute-go-test-packages
-	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+test\#%:
+	@echo "Running go test with -tags '$(TEST_TAGS)'..."
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)

-coverage-merge:
-	rm -fr coverage/merged ; mkdir -p coverage/merged
-	$(GO) tool covdata merge -i `find coverage/data -name 'covmeta.*' | sed -e 's|/covmeta.*|,|' | tr -d '\n' | sed -e 's/,$$//'` -o coverage/merged
+.PHONY: coverage
+coverage:
+	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' coverage.out > coverage-bodged.out
+	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' integration.coverage.out > integration.coverage-bodged.out
+	$(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all

-coverage-convert: coverage-merge
-	$(GO) tool covdata textfmt -i=coverage/merged -o=coverage/textfmt.out
-
-coverage-show-html: coverage-convert
-	( cd coverage ; $(GO) tool cover -html=textfmt.out -o coverage.html )
-	xdg-open coverage/coverage.html
-
-coverage-show-percentage: coverage-convert
-	go tool cover -func=coverage/textfmt.out
-
-coverage-run: | compute-go-test-packages
-	contrib/coverage-helper.sh test_packages $(COVERAGE_TEST_PACKAGES)
-
-coverage-run-%: generate-ini-% | compute-migration-packages
-  #
-  # Migration tests go first
-  #
-	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration/migration-test coverage-run
-	for pkg in $(MIGRATION_PACKAGES); do \
-		$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=$$pkg coverage-run ; \
-	done
-  #
-  # All other integration tests follow
-  #
-	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration coverage-run
+.PHONY: unit-test-coverage
+unit-test-coverage:
+	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
+	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 .PHONY: tidy
 tidy:
@ -672,7 +662,6 @@ generate-ini-pgsql:
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
-		-e 's|{{TEST_S3_HOST}}|$(or $(TEST_S3_HOST),minio:9000)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini

 .PHONY: test-pgsql
@ -719,7 +708,7 @@ test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-pgsql
-GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.initest-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
+test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e

 .PHONY: test-e2e-pgsql\#%
@ -742,6 +731,14 @@ bench-mysql: integrations.mysql.test generate-ini-mysql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

+.PHONY: integration-test-coverage
+integration-test-coverage: integrations.cover.test generate-ini-mysql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
+
+.PHONY: integration-test-coverage-sqlite
+integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
+
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.mysql.test

@ -751,6 +748,12 @@ integrations.pgsql.test: git-check $(GO_SOURCES)
 integrations.sqlite.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'

+integrations.cover.test: git-check $(GO_SOURCES)
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+
+integrations.cover.sqlite.test: git-check $(GO_SOURCES)
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.mysql.test
@ -767,7 +770,7 @@ migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: migrations.individual.mysql.test
-migrations.individual.mysql.test: $(GO_SOURCES) | compute-migration-packages
+migrations.individual.mysql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
@ -777,7 +780,7 @@ migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*

 .PHONY: migrations.individual.pgsql.test
-migrations.individual.pgsql.test: $(GO_SOURCES) | compute-migration-packages
+migrations.individual.pgsql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done
@ -787,7 +790,7 @@ migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*

 .PHONY: migrations.individual.sqlite.test
-migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite | compute-migration-packages
+migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
@ -813,7 +816,7 @@ check: test
 ###

 .PHONY: install $(TAGS_PREREQ)
-install: $(wildcard *.go) | verify-version
+install: $(wildcard *.go)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'

 .PHONY: build
@ -841,13 +844,13 @@ generate-go: $(TAGS_PREREQ)
 merge-locales:
 	@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"

-$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ) | verify-version
+$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@

 forgejo: $(EXECUTABLE)
 	ln -f $(EXECUTABLE) forgejo

-static-executable: $(GO_SOURCES) $(TAGS_PREREQ) | verify-version
+static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)

 .PHONY: release
@ -860,18 +863,18 @@ $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-linux
-release-linux: | $(DIST_DIRS) verify-version
+release-linux: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out forgejo-$(VERSION) .
 ifeq ($(CI),true)
 	cp /build/* $(DIST)/binaries
 endif

 .PHONY: release-darwin
-release-darwin: | $(DIST_DIRS) verify-version
+release-darwin: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin-10.12/amd64,darwin-10.12/arm64' -out gitea-$(VERSION) .

 .PHONY: release-freebsd
-release-freebsd: | $(DIST_DIRS) verify-version
+release-freebsd: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'freebsd/amd64' -out gitea-$(VERSION) .

 .PHONY: release-copy
@ -925,7 +928,10 @@ reproduce-build\#%:
 ###

 .PHONY: deps
-deps: deps-frontend deps-backend deps-tools
+deps: deps-frontend deps-backend deps-tools deps-py
+
+.PHONY: deps-py
+deps-py: .venv

 .PHONY: deps-frontend
 deps-frontend: node_modules
@ -941,11 +947,13 @@ deps-tools:
 	$(GO) install $(GOFUMPT_PACKAGE)
 	$(GO) install $(GOLANGCI_LINT_PACKAGE)
 	$(GO) install $(GXZ_PACKAGE)
+	$(GO) install $(MISSPELL_PACKAGE)
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
 	$(GO) install $(GOVULNCHECK_PACKAGE)
 	$(GO) install $(GOMOCK_PACKAGE)
+	$(GO) install $(GOPLS_PACKAGE)

 node_modules: package-lock.json
 	npm install --no-save
@ -961,7 +969,6 @@ fomantic:
 	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
 	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
 	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
-	rm -rf $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/themes/default/modules/dropdown.overrides
 	$(SED_INPLACE) -e 's/  overrideBrowserslist\r/  overrideBrowserslist: ["defaults"]\r/g' $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/tasks/config/tasks.js
 	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build
 	# fomantic uses "touchstart" as click event for some browsers, it's not ideal, so we force fomantic to always use "click" as click event
@ -1010,7 +1017,8 @@ generate-gomock:

 .PHONY: generate-images
 generate-images: | node_modules
-	node tools/generate-images.js
+	npm install --no-save fabric@6 imagemin-zopfli@7
+	node tools/generate-images.js $(TAGS)

 .PHONY: generate-manpage
 generate-manpage:
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@
 Hi there! Tired of big platforms playing monopoly?
 Providing Git hosting for your project, friends, company or community?
 **Forgejo** (/for'd&#865;ʒe.jo/ inspired by forĝejo – the Esperanto word for *forge*) has you covered with its intuitive interface,
-light and easy hosting and a lot of built-in functionality.
+light and easy hosting and a lot of builtin functionality.

 Forgejo was [created in 2022](https://forgejo.org/2022-12-15-hello-forgejo/)
 because we think that the project should be owned by an independent community.
@ -15,6 +15,11 @@ Our promise: **Independent Free/Libre Software forever!**

 ## What does Forgejo offer?

+<!-- If you want to know what Forgejo is like,
+you can check out public instances,
+e.g. [Codeberg.org](https://codeberg.org).
+-->
+
 If you like any of the following, Forgejo is literally meant for you:

 - Lightweight: Forgejo can easily be hosted on nearly **every machine**.
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -4,7 +4,7 @@ A minor or major Forgejo release is published every [three months](https://forge

 A [patch or minor release](https://semver.org/spec/v2.0.0.html) (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But [major releases](https://semver.org/spec/v2.0.0.html#spec-item-8) where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.

-The release notes of each release [are available in the release-notes-published directory of this repository](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
+The release notes of each release [are available in the release-notes-published directory of this repository](release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).

 ## 9.0.2

--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build.go
+++ b/build.go
@ -0,0 +1,14 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build vendor
+
+package main
+
+// Libraries that are included to vendor utilities used during build.
+// These libraries will not be included in a normal compilation.
+
+import (
+	// for embed
+	_ "github.com/shurcooL/vfsgen"
+)
--- a/build/generate-bindata.go
+++ b/build/generate-bindata.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -8,40 +7,30 @@ package main

 import (
 	"bytes"
-	"crypto/sha256"
+	"crypto/sha1"
 	"fmt"
-	"io"
-	"io/fs"
 	"log"
+	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strconv"
-	"text/template"

-	"github.com/klauspost/compress/zstd"
+	"github.com/shurcooL/vfsgen"
 )

-func fileExists(filename string) bool {
-	_, err := os.Stat(filename)
-	if err == nil {
-		return true
-	}
-	if os.IsNotExist(err) {
-		return false
-	}
-	panic(err)
-}
-
 func needsUpdate(dir, filename string) (bool, []byte) {
-	needRegen := !fileExists(filename)
+	needRegen := false
+	_, err := os.Stat(filename)
+	if err != nil {
+		needRegen = true
+	}

 	oldHash, err := os.ReadFile(filename + ".hash")
 	if err != nil {
 		oldHash = []byte{}
 	}

-	hasher := sha256.New()
+	hasher := sha1.New()

 	err = filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
 		if err != nil {
@ -62,7 +51,7 @@ func needsUpdate(dir, filename string) (bool, []byte) {

 	newHash := hasher.Sum([]byte{})

-	if !bytes.Equal(oldHash, newHash) {
+	if bytes.Compare(oldHash, newHash) != 0 {
 		return true, newHash
 	}

@ -80,280 +69,24 @@ func main() {
 		useGlobalModTime, _ = strconv.ParseBool(os.Args[4])
 	}

-	if os.Getenv("FORGEJO_GENERATE_SKIP_HASH") == "true" && fileExists(filename) {
-		fmt.Printf("bindata %s already exists and FORGEJO_GENERATE_SKIP_HASH=true\n", packageName)
-		return
-	}
-
 	update, newHash := needsUpdate(dir, filename)
+
 	if !update {
-		fmt.Printf("bindata %s already exists and the checksum is a match\n", packageName)
+		fmt.Printf("bindata for %s already up-to-date\n", packageName)
 		return
 	}

 	fmt.Printf("generating bindata for %s\n", packageName)
-
-	root, err := os.OpenRoot(dir)
+	var fsTemplates http.FileSystem = http.Dir(dir)
+	err := vfsgen.Generate(fsTemplates, vfsgen.Options{
+		PackageName:      packageName,
+		BuildTags:        "bindata",
+		VariableName:     "Assets",
+		Filename:         filename,
+		UseGlobalModTime: useGlobalModTime,
+	})
 	if err != nil {
-		log.Fatal(err)
-	}
-
-	out, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o644)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer out.Close()
-
-	if err := generate(root.FS(), packageName, useGlobalModTime, out); err != nil {
-		log.Fatal(err)
+		log.Fatalf("%v\n", err)
 	}
 	_ = os.WriteFile(filename+".hash", newHash, 0o666)
 }
-
-type file struct {
-	Path             string
-	Name             string
-	UncompressedSize int
-	CompressedData   []byte
-	UncompressedData []byte
-}
-
-type direntry struct {
-	Name  string
-	IsDir bool
-}
-
-func generate(fsRoot fs.FS, packageName string, globalTime bool, output io.Writer) error {
-	enc, err := zstd.NewWriter(nil, zstd.WithEncoderLevel(zstd.SpeedBestCompression))
-	if err != nil {
-		return err
-	}
-
-	files := []file{}
-
-	dirs := map[string][]direntry{}
-
-	if err := fs.WalkDir(fsRoot, ".", func(filePath string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-
-		if d.IsDir() {
-			entries, err := fs.ReadDir(fsRoot, filePath)
-			if err != nil {
-				return err
-			}
-			dirEntries := make([]direntry, 0, len(entries))
-			for _, entry := range entries {
-				dirEntries = append(dirEntries, direntry{Name: entry.Name(), IsDir: entry.IsDir()})
-			}
-			dirs[filePath] = dirEntries
-			return nil
-		}
-
-		src, err := fs.ReadFile(fsRoot, filePath)
-		if err != nil {
-			return err
-		}
-
-		dst := enc.EncodeAll(src, nil)
-		if len(dst) < len(src) {
-			files = append(files, file{
-				Path:             filePath,
-				Name:             path.Base(filePath),
-				UncompressedSize: len(src),
-				CompressedData:   dst,
-			})
-		} else {
-			files = append(files, file{
-				Path:             filePath,
-				Name:             path.Base(filePath),
-				UncompressedData: src,
-			})
-		}
-		return nil
-	}); err != nil {
-		return err
-	}
-
-	return generatedTmpl.Execute(output, map[string]any{
-		"Packagename": packageName,
-		"GlobalTime":  globalTime,
-		"Files":       files,
-		"Dirs":        dirs,
-	})
-}
-
-var generatedTmpl = template.Must(template.New("").Parse(`// Code generated by efs-gen. DO NOT EDIT.
-
-//go:build bindata
-
-package {{.Packagename}}
-
-import (
-	"bytes"
-	"time"
-	"io"
-	"io/fs"
-
-	"github.com/klauspost/compress/zstd"
-)
-
-type normalFile struct {
-	name    string
-	content []byte
-}
-
-type compressedFile struct {
-	name             string
-	uncompressedSize int64
-	data             []byte
-}
-
-var files = map[string]any{
-{{- range .Files}}
-	"{{.Path}}": {{if .CompressedData}}compressedFile{"{{.Name}}", {{.UncompressedSize}}, []byte({{printf "%+q" .CompressedData}})}{{else}}normalFile{"{{.Name}}", []byte({{printf "%+q" .UncompressedData}})}{{end}},
-{{- end}}
-}
-
-var dirs = map[string][]fs.DirEntry{
-{{- range $key, $entry := .Dirs}}
-	"{{$key}}": {
-{{- range $entry}}
-		direntry{"{{.Name}}", {{.IsDir}}},
-{{- end}}
-	},
-{{- end}}
-}
-
-type assets struct{}
-
-var Assets = assets{}
-
-func (a assets) Open(name string) (fs.File, error) {
-	f, ok := files[name]
-	if !ok {
-		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
-	}
-
-	switch f := f.(type) {
-	case normalFile:
-		return file{name: f.name, size: int64(len(f.content)), data: bytes.NewReader(f.content)}, nil
-	case compressedFile:
-		r, _ := zstd.NewReader(bytes.NewReader(f.data))
-		return &compressFile{name: f.name, size: f.uncompressedSize, data: r, content: f.data}, nil
-	default:
-		panic("unknown file type")
-	}
-}
-
-func (a assets) ReadDir(name string) ([]fs.DirEntry, error) {
-	d, ok := dirs[name]
-	if !ok {
-		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
-	}
-	return d, nil
-}
-
-type file struct {
-	name string
-	size int64
-	data io.ReadSeeker
-}
-
-var _ io.ReadSeeker = (*file)(nil)
-
-func (f file) Stat() (fs.FileInfo, error) {
-	return fileinfo{name: f.name, size: f.size}, nil
-}
-
-func (f file) Read(p []byte) (int, error) {
-	return f.data.Read(p)
-}
-
-func (f file) Seek(offset int64, whence int) (int64, error) {
-	return f.data.Seek(offset, whence)
-}
-
-func (f file) Close() error { return nil }
-
-type compressFile struct {
-	name    string
-	size    int64
-	data    *zstd.Decoder
-	content []byte
-	zstdPos int64
-	seekPos int64
-}
-
-var _ io.ReadSeeker = (*compressFile)(nil)
-
-func (f *compressFile) Stat() (fs.FileInfo, error) {
-	return fileinfo{name: f.name, size: f.size}, nil
-}
-
-func (f *compressFile) Read(p []byte) (int, error) {
-	if f.zstdPos > f.seekPos {
-		if err := f.data.Reset(bytes.NewReader(f.content)); err != nil {
-			return 0, err
-		}
-		f.zstdPos = 0
-	}
-	if f.zstdPos < f.seekPos {
-		if _, err := io.CopyN(io.Discard, f.data, f.seekPos - f.zstdPos); err != nil {
-			return 0, err
-		}
-		f.zstdPos = f.seekPos
-	}
-	n, err := f.data.Read(p)
-	f.zstdPos += int64(n)
-	f.seekPos = f.zstdPos
-	return n, err
-}
-
-func (f *compressFile) Seek(offset int64, whence int) (int64, error) {
-	switch whence {
-	case io.SeekStart:
-		f.seekPos = 0 + offset
-	case io.SeekCurrent:
-		f.seekPos += offset
-	case io.SeekEnd:
-		f.seekPos = f.size + offset
-	}
-	return f.seekPos, nil
-}
-
-func (f *compressFile) Close() error {
-	f.data.Close()
-	return nil
-}
-
-func (f *compressFile) ZstdBytes() []byte { return f.content }
-
-type fileinfo struct {
-	name string
-	size int64
-}
-
-func (f fileinfo) Name() string       { return f.name }
-func (f fileinfo) Size() int64        { return f.size }
-func (f fileinfo) Mode() fs.FileMode  { return 0o444 }
-func (f fileinfo) ModTime() time.Time { return {{if .GlobalTime}}GlobalModTime(f.name){{else}}time.Unix(0, 0){{end}} }
-func (f fileinfo) IsDir() bool        { return false }
-func (f fileinfo) Sys() any           { return nil }
-
-type direntry struct {
-	name  string
-	isDir bool
-}
-
-func (d direntry) Name() string { return d.name }
-func (d direntry) IsDir() bool  { return d.isDir }
-func (d direntry) Type() fs.FileMode {
-	if d.isDir {
-		return 0o755 | fs.ModeDir
-	}
-	return 0o444
-}
-func (direntry) Info() (fs.FileInfo, error) { return nil, fs.ErrNotExist }
-`))
--- a/build/lint-locale-usage/allowed-masked-usage.txt
+++ b/build/lint-locale-usage/allowed-masked-usage.txt
@ -1,54 +0,0 @@
-# translation tooling test keys
-meta.last_line
-translation_meta.test
-
-# models/admin/task.go: instances of $TranslatableMessage.Format
-# this also gets instantiated as a Messenger once
-repo.migrate.migrating_failed.error
-
-# models/asymkey/gpg_key_object_verification.go: $ObjectVerification.Reason
-# unfortunately, it is non-trivial to parse all the occurences
-gpg.error.extract_sign
-gpg.error.failed_retrieval_gpg_keys
-gpg.error.generate_hash
-gpg.error.no_committer_account
-
-# models/system/notice.go: func (n *Notice) TrStr() string
-admin.notices.type_1
-admin.notices.type_2
-
-# modules/setting/ui.go
-themes.names.
-
-# services/context/context.go
-relativetime.
-
-# templates/mail/issue/default.tmpl: $.locale.Tr
-mail.issue.in_tree_path
-
-# templates/package/metadata/arch.tmpl: $.locale.Tr
-packages.details.license
-
-# templates/repo/issue/view_content.tmpl: indirection via $closeTranslationKey
-repo.issues.close
-repo.pulls.close
-
-# templates/repo/issue/view_content/comments.tmpl: indirection via $refTr
-repo.issues.ref_closing_from
-repo.issues.ref_issue_from
-repo.issues.ref_pull_from
-repo.issues.ref_reopening_from
-
-# templates/repo/issue/view_content/comments.tmpl: ctx.Locale.Tr (printf "projects.type-%d.display_name" .OldProject.Type)
-projects.
-projects.type-1.display_name
-projects.type-2.display_name
-projects.type-3.display_name
-
-# templates/repo/settings/webhook/link_menu.tmpl, templates/webhook/new.tmpl: repo.settings.web_hook_name_
-# tests/integration/repo_archive_text_test.go
-repo.settings.
-
-# services/migrations/migrate.go: messenger calls
-# ToDo: give them a unique prefix
-repo.migrate.
--- a/build/lint-locale-usage/handle-go.go
+++ b/build/lint-locale-usage/handle-go.go
@ -1,217 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package main
-
-import (
-	"fmt"
-	"go/ast"
-	goParser "go/parser"
-	"go/token"
-	"strconv"
-	"strings"
-)
-
-func (handler Handler) handleGoTrBasicLit(fset *token.FileSet, argLit *ast.BasicLit, prefix string) {
-	if argLit.Kind == token.STRING {
-		// extract string content
-		arg, err := strconv.Unquote(argLit.Value)
-		if err != nil {
-			return
-		}
-		// found interesting strings
-		arg = prefix + arg
-		if strings.HasSuffix(arg, ".") || strings.HasSuffix(arg, "_") {
-			prep, trunc := PrepareMsgidPrefix(arg)
-			if trunc {
-				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
-			}
-			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
-		} else {
-			handler.OnMsgid(fset, argLit.ValuePos, arg)
-		}
-	}
-}
-
-func (handler Handler) handleGoTrArgument(fset *token.FileSet, n ast.Expr, prefix string) {
-	if argLit, ok := n.(*ast.BasicLit); ok {
-		handler.handleGoTrBasicLit(fset, argLit, prefix)
-	} else if argBinExpr, ok := n.(*ast.BinaryExpr); ok {
-		if argBinExpr.Op != token.ADD {
-			// pass
-		} else if argLit, ok := argBinExpr.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
-			// extract string content
-			arg, err := strconv.Unquote(argLit.Value)
-			if err != nil {
-				return
-			}
-			// found interesting strings
-			arg = prefix + arg
-			prep, trunc := PrepareMsgidPrefix(arg)
-			if trunc {
-				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
-			}
-			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
-		}
-	}
-}
-
-func (handler Handler) handleGoCommentGroup(fset *token.FileSet, cg *ast.CommentGroup, commentPrefix string) *string {
-	if cg == nil {
-		return nil
-	}
-	var matches []token.Pos
-	matchInsPrefix := ""
-	commentPrefix = "//" + commentPrefix
-	for _, comment := range cg.List {
-		ctxt := strings.TrimSpace(comment.Text)
-		if ctxt == commentPrefix {
-			matches = append(matches, comment.Slash)
-		} else if after, found := strings.CutPrefix(ctxt, commentPrefix+"Suffix "); found {
-			matches = append(matches, comment.Slash)
-			matchInsPrefix = strings.TrimSpace(after)
-		}
-	}
-	switch len(matches) {
-	case 0:
-		return nil
-	case 1:
-		return &matchInsPrefix
-	default:
-		handler.OnWarning(
-			fset,
-			matches[0],
-			fmt.Sprintf("encountered multiple %s... directives, ignoring", strings.TrimSpace(commentPrefix)),
-		)
-		return &matchInsPrefix
-	}
-}
-
-// the `Handle*File` functions follow the following calling convention:
-// * `fname` is the name of the input file
-// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
-//   or the contents of the file as {`[]byte`, or a `string`}
-
-func (handler Handler) HandleGoFile(fname string, src any) error {
-	fset := token.NewFileSet()
-	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution|goParser.ParseComments)
-	if err != nil {
-		return LocatedError{
-			Location: fname,
-			Kind:     "Go parser",
-			Err:      err,
-		}
-	}
-
-	ast.Inspect(node, func(n ast.Node) bool {
-		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
-
-		switch n2 := n.(type) {
-		case *ast.CallExpr:
-			if len(n2.Args) == 0 {
-				return true
-			}
-			funSel, ok := n2.Fun.(*ast.SelectorExpr)
-			if !ok {
-				return true
-			}
-
-			ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
-			if !ok {
-				return true
-			}
-
-			var gotUnexpectedInvoke *int
-
-			for _, argNum := range ltf {
-				if len(n2.Args) <= int(argNum) {
-					argc := len(n2.Args)
-					gotUnexpectedInvoke = &argc
-				} else {
-					handler.handleGoTrArgument(fset, n2.Args[int(argNum)], "")
-				}
-			}
-
-			if gotUnexpectedInvoke != nil {
-				handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
-			}
-		case *ast.CompositeLit:
-			ident, ok := n2.Type.(*ast.Ident)
-			if !ok {
-				return true
-			}
-
-			// special case: models/unit/unit.go
-			if strings.HasSuffix(fname, "unit.go") && ident.Name == "Unit" {
-				if len(n2.Elts) != 6 {
-					handler.OnWarning(fset, n2.Pos(), "unexpected initialization of 'Unit' (unexpected number of arguments)")
-				}
-				// NameKey has index 2
-				//   invoked like '{{ctx.Locale.Tr $unit.NameKey}}'
-				nameKey, ok := n2.Elts[2].(*ast.BasicLit)
-				if !ok || nameKey.Kind != token.STRING {
-					handler.OnWarning(fset, n2.Elts[2].Pos(), "unexpected initialization of 'Unit' (expected string literal as NameKey)")
-					return true
-				}
-
-				// extract string content
-				arg, err := strconv.Unquote(nameKey.Value)
-				if err == nil {
-					// found interesting strings
-					handler.OnMsgid(fset, nameKey.ValuePos, arg)
-				}
-			}
-		case *ast.FuncDecl:
-			matchInsPrefix := handler.handleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey")
-			if matchInsPrefix == nil {
-				return true
-			}
-			results := n2.Type.Results.List
-			if len(results) != 1 {
-				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
-				return true
-			}
-
-			ast.Inspect(n2.Body, func(n ast.Node) bool {
-				// search for return stmts
-				// TODO: what about nested functions?
-				if ret, ok := n.(*ast.ReturnStmt); ok {
-					for _, res := range ret.Results {
-						ast.Inspect(res, func(n ast.Node) bool {
-							if expr, ok := n.(ast.Expr); ok {
-								handler.handleGoTrArgument(fset, expr, *matchInsPrefix)
-							}
-							return true
-						})
-					}
-					return false
-				}
-				return true
-			})
-			return true
-		case *ast.GenDecl:
-			if !(n2.Tok == token.CONST || n2.Tok == token.VAR) {
-				return true
-			}
-			matchInsPrefix := handler.handleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
-			if matchInsPrefix == nil {
-				return true
-			}
-			for _, spec := range n2.Specs {
-				// interpret all contained strings as message IDs
-				ast.Inspect(spec, func(n ast.Node) bool {
-					if argLit, ok := n.(*ast.BasicLit); ok {
-						handler.handleGoTrBasicLit(fset, argLit, *matchInsPrefix)
-						return false
-					}
-					return true
-				})
-			}
-		}
-
-		return true
-	})
-
-	return nil
-}
--- a/build/lint-locale-usage/handle-tmpl.go
+++ b/build/lint-locale-usage/handle-tmpl.go
@ -1,233 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package main
-
-import (
-	"fmt"
-	"go/token"
-	"os"
-	"strings"
-	"text/template"
-	tmplParser "text/template/parse"
-
-	fjTemplates "forgejo.org/modules/templates"
-	"forgejo.org/modules/util"
-)
-
-// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
-func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
-	switch node.Type() {
-	case tmplParser.NodeAction:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
-	case tmplParser.NodeList:
-		nodeList := node.(*tmplParser.ListNode)
-		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
-	case tmplParser.NodePipe:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
-	case tmplParser.NodeTemplate:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
-	case tmplParser.NodeIf:
-		nodeIf := node.(*tmplParser.IfNode)
-		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
-	case tmplParser.NodeRange:
-		nodeRange := node.(*tmplParser.RangeNode)
-		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
-	case tmplParser.NodeWith:
-		nodeWith := node.(*tmplParser.WithNode)
-		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
-
-	case tmplParser.NodeCommand:
-		nodeCommand := node.(*tmplParser.CommandNode)
-
-		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
-
-		if len(nodeCommand.Args) < 2 {
-			return
-		}
-
-		funcname := ""
-		if nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode); ok {
-			if nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode); ok {
-				if nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
-					return
-				}
-				funcname = nodeChain.Field[1]
-			}
-		} else if nodeField, ok := nodeCommand.Args[0].(*tmplParser.FieldNode); ok {
-			if len(nodeField.Ident) != 2 || !(nodeField.Ident[0] == "locale" || nodeField.Ident[0] == "Locale") {
-				return
-			}
-			funcname = nodeField.Ident[1]
-		}
-
-		var gotUnexpectedInvoke *int
-		ltf, ok := handler.LocaleTrFunctions[funcname]
-		if !ok {
-			return
-		}
-
-		for _, argNum := range ltf {
-			if len(nodeCommand.Args) >= int(argNum+2) {
-				handler.handleTemplateMsgid(fset, nodeCommand.Args[int(argNum+1)])
-			} else {
-				argc := len(nodeCommand.Args) - 1
-				gotUnexpectedInvoke = &argc
-			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, token.Pos(nodeCommand.Pos), funcname, *gotUnexpectedInvoke)
-		}
-
-	default:
-	}
-}
-
-func (handler Handler) handleTemplateMsgid(fset *token.FileSet, node tmplParser.Node) {
-	// the column numbers are a bit "off", but much better than nothing
-	pos := token.Pos(node.Position())
-
-	switch node.Type() {
-	case tmplParser.NodeString:
-		nodeString := node.(*tmplParser.StringNode)
-		// found interesting strings
-		handler.OnMsgid(fset, pos, nodeString.Text)
-
-	case tmplParser.NodePipe:
-		nodePipe := node.(*tmplParser.PipeNode)
-		handler.handleTemplatePipeNode(fset, nodePipe)
-
-		if len(nodePipe.Cmds) == 0 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (no commands): %s", node.String()))
-		} else if len(nodePipe.Cmds) != 1 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (too many commands): %s", node.String()))
-			return
-		}
-		nodeCommand := nodePipe.Cmds[0]
-		if len(nodeCommand.Args) < 2 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (not enough arguments): %s", node.String()))
-			return
-		}
-
-		nodeIdent, ok := nodeCommand.Args[0].(*tmplParser.IdentifierNode)
-		if !ok || (nodeIdent.Ident != "print" && nodeIdent.Ident != "printf") {
-			// handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (bad command): %s", node.String()))
-			return
-		}
-
-		nodeString, ok := nodeCommand.Args[1].(*tmplParser.StringNode)
-		if !ok {
-			//handler.OnWarning(
-			//	fset,
-			//	pos,
-			//	fmt.Sprintf("unsupported invocation of locate function (string should be first argument to %s): %s", nodeIdent.Ident, node.String()),
-			//)
-			return
-		}
-
-		msgidPrefix := nodeString.Text
-		stringPos := token.Pos(nodeString.Pos)
-
-		if len(nodeCommand.Args) == 2 {
-			// found interesting strings
-			handler.OnMsgid(fset, stringPos, msgidPrefix)
-		} else {
-			if nodeIdent.Ident == "printf" {
-				parts := strings.SplitN(msgidPrefix, "%", 2)
-				if len(parts) != 2 {
-					handler.OnWarning(
-						fset,
-						stringPos,
-						fmt.Sprintf("unsupported invocation of locate function (format string doesn't match \"prefix%%smth\" pattern): %s", nodeString.String()),
-					)
-					return
-				}
-				msgidPrefix = parts[0]
-			}
-
-			msgidPrefixFin, truncated := PrepareMsgidPrefix(msgidPrefix)
-			if truncated {
-				handler.OnWarning(fset, stringPos, fmt.Sprintf("needed to truncate message id prefix: %s", msgidPrefix))
-			}
-
-			// found interesting strings
-			handler.OnMsgidPrefix(fset, stringPos, msgidPrefixFin, truncated)
-		}
-
-	default:
-		// handler.OnWarning(fset, pos, fmt.Sprintf("unknown invocation of locate function: %s", node.String()))
-	}
-}
-
-func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
-	if pipeNode == nil {
-		return
-	}
-
-	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
-	for _, node := range pipeNode.Cmds {
-		handler.handleTemplateNode(fset, node)
-	}
-}
-
-func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
-	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
-	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
-	if branchNode.ElseList != nil {
-		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
-	}
-}
-
-func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
-	for _, node := range nodes {
-		handler.handleTemplateNode(fset, node)
-	}
-}
-
-// the `Handle*File` functions follow the following calling convention:
-// * `fname` is the name of the input file
-// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
-//   or the contents of the file as {`[]byte`, or a `string`}
-
-func (handler Handler) HandleTemplateFile(fname string, src any) error {
-	var tmplContent []byte
-	switch src2 := src.(type) {
-	case nil:
-		var err error
-		tmplContent, err = os.ReadFile(fname)
-		if err != nil {
-			return LocatedError{
-				Location: fname,
-				Kind:     "ReadFile",
-				Err:      err,
-			}
-		}
-	case []byte:
-		tmplContent = src2
-	case string:
-		// SAFETY: we do not modify tmplContent below
-		tmplContent = util.UnsafeStringToBytes(src2)
-	default:
-		panic("invalid type for 'src'")
-	}
-
-	fset := token.NewFileSet()
-	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
-	// SAFETY: we do not modify tmplContent2 below
-	tmplContent2 := util.UnsafeBytesToString(tmplContent)
-
-	tmpl := template.New(fname)
-	tmpl.Funcs(fjTemplates.NewFuncMap())
-	tmplParsed, err := tmpl.Parse(tmplContent2)
-	if err != nil {
-		return LocatedError{
-			Location: fname,
-			Kind:     "Template parser",
-			Err:      err,
-		}
-	}
-	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
-	return nil
-}
--- a/build/lint-locale-usage/lint-locale-usage.go
+++ b/build/lint-locale-usage/lint-locale-usage.go
@ -5,24 +5,29 @@
 package main

 import (
-	"bufio"
-	"errors"
-	"flag"
 	"fmt"
+	"go/ast"
+	goParser "go/parser"
 	"go/token"
 	"io/fs"
 	"os"
 	"path/filepath"
-	"sort"
+	"strconv"
 	"strings"
+	"text/template"
+	tmplParser "text/template/parse"

 	"forgejo.org/modules/container"
-	"forgejo.org/modules/translation/localeiter"
+	"forgejo.org/modules/locale"
+	fjTemplates "forgejo.org/modules/templates"
+	"forgejo.org/modules/util"
 )

 // this works by first gathering all valid source string IDs from `en-US` reference files
 // and then checking if all used source strings are actually defined

+type OnMsgidHandler func(fset *token.FileSet, pos token.Pos, msgid string)
+
 type LocatedError struct {
 	Location string
 	Kind     string
@ -44,198 +49,219 @@ func (e LocatedError) Error() string {
 	return sb.String()
 }

-func InitLocaleTrFunctions() map[string][]uint {
-	ret := make(map[string][]uint)
-
-	f0 := []uint{0}
-	ret["Tr"] = f0
-	ret["TrString"] = f0
-	ret["TrHTML"] = f0
-
-	ret["TrPluralString"] = []uint{1}
-	ret["TrN"] = []uint{1, 2}
-
-	return ret
+func isLocaleTrFunction(funcname string) bool {
+	return funcname == "Tr" || funcname == "TrN"
 }

-type Handler struct {
-	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string)
-	OnMsgidPrefix      func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool)
-	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
-	OnWarning          func(fset *token.FileSet, pos token.Pos, msg string)
-	LocaleTrFunctions  map[string][]uint
-}
+// the `Handle*File` functions follow the following calling convention:
+// * `fname` is the name of the input file
+// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
+//   or the contents of the file as {`[]byte`, or a `string`}

-type StringTrie interface {
-	Matches(key []string) bool
-}
-
-type StringTrieMap map[string]StringTrie
-
-func (m StringTrieMap) Matches(key []string) bool {
-	if len(key) == 0 || m == nil {
-		return true
-	}
-	value, ok := m[key[0]]
-	if !ok {
-		return false
-	}
-	if value == nil {
-		return true
-	}
-	return value.Matches(key[1:])
-}
-
-func (m StringTrieMap) Insert(key []string) {
-	if m == nil {
-		return
-	}
-
-	switch len(key) {
-	case 0:
-		return
-
-	case 1:
-		m[key[0]] = nil
-
-	default:
-		if value, ok := m[key[0]]; ok {
-			if value == nil {
-				return
-			}
-		} else {
-			m[key[0]] = make(StringTrieMap)
-		}
-		m[key[0]].(StringTrieMap).Insert(key[1:])
-	}
-}
-
-func ParseAllowedMaskedUsages(fname string, usedMsgids container.Set[string], allowedMaskedPrefixes StringTrieMap, chkMsgid func(msgid string) bool) error {
-	file, err := os.Open(fname)
+func (omh OnMsgidHandler) HandleGoFile(fname string, src any) error {
+	fset := token.NewFileSet()
+	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution)
 	if err != nil {
 		return LocatedError{
 			Location: fname,
-			Kind:     "Open",
+			Kind:     "Go parser",
 			Err:      err,
 		}
 	}
-	defer file.Close()

-	scanner := bufio.NewScanner(file)
-	lno := 0
-	for scanner.Scan() {
-		lno++
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
+	ast.Inspect(node, func(n ast.Node) bool {
+		// search for function calls of the form `anything.Tr(any-string-lit)`
+
+		call, ok := n.(*ast.CallExpr)
+		if !ok || len(call.Args) != 1 {
+			return true
 		}
-		if linePrefix, found := strings.CutSuffix(line, "."); found {
-			allowedMaskedPrefixes.Insert(strings.Split(linePrefix, "."))
-		} else {
-			if !chkMsgid(line) {
-				return LocatedError{
-					Location: fmt.Sprintf("%s: line %d", fname, lno),
-					Kind:     "undefined msgid",
-					Err:      errors.New(line),
-				}
-			}
-			usedMsgids.Add(line)
+
+		funSel, ok := call.Fun.(*ast.SelectorExpr)
+		if (!ok) || !isLocaleTrFunction(funSel.Sel.Name) {
+			return true
 		}
-	}
-	if err := scanner.Err(); err != nil {
-		return LocatedError{
-			Location: fname,
-			Kind:     "Scanner",
-			Err:      err,
+
+		argLit, ok := call.Args[0].(*ast.BasicLit)
+		if (!ok) || argLit.Kind != token.STRING {
+			return true
 		}
-	}
+
+		// extract string content
+		arg, err := strconv.Unquote(argLit.Value)
+		if err != nil {
+			return true
+		}
+
+		// found interesting string
+		omh(fset, argLit.ValuePos, arg)
+
+		return true
+	})
+
 	return nil
 }

-// Truncating a message id prefix to the last dot
-func PrepareMsgidPrefix(s string) (string, bool) {
-	index := strings.LastIndexByte(s, 0x2e)
-	if index == -1 {
-		return "", true
+// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
+func (omh OnMsgidHandler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
+	switch node.Type() {
+	case tmplParser.NodeAction:
+		omh.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
+	case tmplParser.NodeList:
+		nodeList := node.(*tmplParser.ListNode)
+		omh.handleTemplateFileNodes(fset, nodeList.Nodes)
+	case tmplParser.NodePipe:
+		omh.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
+	case tmplParser.NodeTemplate:
+		omh.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
+	case tmplParser.NodeIf:
+		nodeIf := node.(*tmplParser.IfNode)
+		omh.handleTemplateBranchNode(fset, nodeIf.BranchNode)
+	case tmplParser.NodeRange:
+		nodeRange := node.(*tmplParser.RangeNode)
+		omh.handleTemplateBranchNode(fset, nodeRange.BranchNode)
+	case tmplParser.NodeWith:
+		nodeWith := node.(*tmplParser.WithNode)
+		omh.handleTemplateBranchNode(fset, nodeWith.BranchNode)
+
+	case tmplParser.NodeCommand:
+		nodeCommand := node.(*tmplParser.CommandNode)
+
+		omh.handleTemplateFileNodes(fset, nodeCommand.Args)
+
+		if len(nodeCommand.Args) != 2 {
+			return
+		}
+
+		nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode)
+		if !ok {
+			return
+		}
+
+		nodeString, ok := nodeCommand.Args[1].(*tmplParser.StringNode)
+		if !ok {
+			return
+		}
+
+		nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode)
+		if !ok || nodeIdent.Ident != "ctx" {
+			return
+		}
+
+		if len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" || !isLocaleTrFunction(nodeChain.Field[1]) {
+			return
+		}
+
+		// found interesting string
+		// the column numbers are a bit "off", but much better than nothing
+		omh(fset, token.Pos(nodeString.Pos), nodeString.Text)
+
+	default:
 	}
-	return s[:index], index != len(s)-1
 }

-func Usage() {
-	outp := flag.CommandLine.Output()
-	fmt.Fprintf(outp, "Usage of %s:\n", os.Args[0])
-	flag.PrintDefaults()
-
-	fmt.Fprintf(outp, "\nThis command assumes that it gets started from the project root directory.\n")
-
-	fmt.Fprintf(outp, "\nExit codes:\n")
-	for _, i := range []string{
-		"0\tsuccess, no issues found",
-		"1\tunable to walk directory tree",
-		"2\tunable to parse locale ini/json files",
-		"3\tunable to parse go or text/template files",
-		"4\tfound missing message IDs",
-		"5\tfound unused message IDs",
-	} {
-		fmt.Fprintf(outp, "\t%s\n", i)
+func (omh OnMsgidHandler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
+	if pipeNode == nil {
+		return
 	}

-	fmt.Fprintf(outp, "\nSpecial Go doc comments:\n")
-	for _, i := range []string{
-		"//llu:returnsTrKey",
-		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs",
-		"\tWARNING: this currently doesn't support nested functions properly",
-		"",
-		"//llu:returnsTrKeySuffix prefix.",
-		"\tsimilar to llu:returnsTrKey, but the given prefix is prepended",
-		"\tto the found strings before interpreting them as msgids",
-		"",
-		"// llu:TrKeys",
-		"\tcan be used in front of 'const' and 'var' blocks",
-		"\tin order to mark all contained strings as message IDs",
-		"",
-		"// llu:TrKeysSuffix prefix.",
-		"\tlike llu:returnsTrKeySuffix, but for 'const' and 'var' blocks",
-	} {
-		if i == "" {
-			fmt.Fprintf(outp, "\n")
-		} else {
-			fmt.Fprintf(outp, "\t%s\n", i)
+	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
+	for _, node := range pipeNode.Cmds {
+		omh.handleTemplateNode(fset, node)
+	}
+}
+
+func (omh OnMsgidHandler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
+	omh.handleTemplatePipeNode(fset, branchNode.Pipe)
+	omh.handleTemplateFileNodes(fset, branchNode.List.Nodes)
+	if branchNode.ElseList != nil {
+		omh.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
+	}
+}
+
+func (omh OnMsgidHandler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
+	for _, node := range nodes {
+		omh.handleTemplateNode(fset, node)
+	}
+}
+
+func (omh OnMsgidHandler) HandleTemplateFile(fname string, src any) error {
+	var tmplContent []byte
+	switch src2 := src.(type) {
+	case nil:
+		var err error
+		tmplContent, err = os.ReadFile(fname)
+		if err != nil {
+			return LocatedError{
+				Location: fname,
+				Kind:     "ReadFile",
+				Err:      err,
+			}
+		}
+	case []byte:
+		tmplContent = src2
+	case string:
+		// SAFETY: we do not modify tmplContent below
+		tmplContent = util.UnsafeStringToBytes(src2)
+	default:
+		panic("invalid type for 'src'")
+	}
+
+	fset := token.NewFileSet()
+	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
+	// SAFETY: we do not modify tmplContent2 below
+	tmplContent2 := util.UnsafeBytesToString(tmplContent)
+
+	tmpl := template.New(fname)
+	tmpl.Funcs(fjTemplates.NewFuncMap())
+	tmplParsed, err := tmpl.Parse(tmplContent2)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Template parser",
+			Err:      err,
 		}
 	}
+	omh.handleTemplateFileNodes(fset, tmplParsed.Tree.Root.Nodes)
+	return nil
 }

+// This command assumes that we get started from the project root directory
+//
+// Possible command line flags:
+//
+//	--allow-missing-msgids        don't return an error code if missing message IDs are found
+//
+// EXIT CODES:
+//
+//	0  success, no issues found
+//	1  unable to walk directory tree
+//	2  unable to parse locale ini/json files
+//	3  unable to parse go or text/template files
+//	4  found missing message IDs
+//
 //nolint:forbidigo
 func main() {
 	allowMissingMsgids := false
-	allowUnusedMsgids := false
-	usedMsgids := make(container.Set[string])
-	allowedMaskedPrefixes := make(StringTrieMap)
-
-	// It's possible for execl to hand us an empty os.Args.
-	if len(os.Args) == 0 {
-		flag.CommandLine = flag.NewFlagSet("lint-locale-usage", flag.ExitOnError)
-	} else {
-		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	for _, arg := range os.Args[1:] {
+		if arg == "--allow-missing-msgids" {
+			allowMissingMsgids = true
+		}
 	}
-	flag.CommandLine.Usage = Usage
-	flag.Usage = Usage

-	flag.BoolVar(
-		&allowMissingMsgids,
-		"allow-missing-msgids",
-		false,
-		"don't return an error code if missing message IDs are found",
-	)
-	flag.BoolVar(
-		&allowUnusedMsgids,
-		"allow-unused-msgids",
-		false,
-		"don't return an error code if unused message IDs are found",
-	)
+	onError := func(err error) {
+		if err == nil {
+			return
+		}
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}

 	msgids := make(container.Set[string])
+	onMsgid := func(trKey, trValue string) error {
+		msgids[trKey] = struct{}{}
+		return nil
+	}

 	localeFile := filepath.Join(filepath.Join("options", "locale"), "locale_en-US.ini")
 	localeContent, err := os.ReadFile(localeFile)
@ -244,10 +270,7 @@ func main() {
 		os.Exit(2)
 	}

-	if err = localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
-		msgids[trKey] = struct{}{}
-		return nil
-	}); err != nil {
+	if err = locale.IterateMessagesContent(localeContent, onMsgid); err != nil {
 		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
 		os.Exit(2)
 	}
@ -259,63 +282,19 @@ func main() {
 		os.Exit(2)
 	}

-	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
-		// ignore plural form
-		msgids[trKey] = struct{}{}
-		return nil
-	}); err != nil {
+	if err := locale.IterateMessagesNextContent(localeContent, onMsgid); err != nil {
 		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
 		os.Exit(2)
 	}

 	gotAnyMsgidError := false

-	flag.Func(
-		"allow-masked-usages-from",
-		"supply a file containing a newline-separated list of allowed masked usages",
-		func(argval string) error {
-			return ParseAllowedMaskedUsages(argval, usedMsgids, allowedMaskedPrefixes, func(msgid string) bool {
-				return msgids.Contains(msgid)
-			})
-		},
-	)
-	flag.Parse()
-
-	onError := func(err error) {
-		if err == nil {
-			return
-		}
-		fmt.Println(err.Error())
-		os.Exit(3)
-	}
-
-	handler := Handler{
-		OnMsgidPrefix: func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool) {
-			msgidPrefixSplit := strings.Split(msgidPrefix, ".")
-			if !truncated {
-				allowedMaskedPrefixes.Insert(msgidPrefixSplit)
-			} else if !allowedMaskedPrefixes.Matches(msgidPrefixSplit) {
-				gotAnyMsgidError = true
-				fmt.Printf("%s:\tmissing msgid prefix: %s\n", fset.Position(pos).String(), msgidPrefix)
-			}
-		},
-		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
-			if !msgids.Contains(msgid) {
-				gotAnyMsgidError = true
-				fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
-			} else {
-				usedMsgids.Add(msgid)
-			}
-		},
-		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {
+	omh := OnMsgidHandler(func(fset *token.FileSet, pos token.Pos, msgid string) {
+		if !msgids.Contains(msgid) {
 			gotAnyMsgidError = true
-			fmt.Printf("%s:\tunexpected invocation of %s with %d arguments\n", fset.Position(pos).String(), funcname, argc)
-		},
-		OnWarning: func(fset *token.FileSet, pos token.Pos, msg string) {
-			fmt.Printf("%s:\tWARNING: %s\n", fset.Position(pos).String(), msg)
-		},
-		LocaleTrFunctions: InitLocaleTrFunctions(),
-	}
+			fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
+		}
+	})

 	if err := filepath.WalkDir(".", func(fpath string, d fs.DirEntry, err error) error {
 		if err != nil {
@ -329,15 +308,15 @@ func main() {
 			if name == "docker" || name == ".git" || name == "node_modules" {
 				return fs.SkipDir
 			}
-		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" {
+		} else if name == "bindata.go" {
 			// skip false positives
 		} else if strings.HasSuffix(name, ".go") {
-			onError(handler.HandleGoFile(fpath, nil))
+			onError(omh.HandleGoFile(fpath, nil))
 		} else if strings.HasSuffix(name, ".tmpl") {
 			if strings.HasPrefix(fpath, "tests") && strings.HasSuffix(name, ".ini.tmpl") {
 				// skip false positives
 			} else {
-				onError(handler.HandleTemplateFile(fpath, nil))
+				onError(omh.HandleTemplateFile(fpath, nil))
 			}
 		}
 		return nil
@ -346,27 +325,7 @@ func main() {
 		os.Exit(1)
 	}

-	unusedMsgids := []string{}
-
-	for msgid := range msgids {
-		if !usedMsgids.Contains(msgid) && !allowedMaskedPrefixes.Matches(strings.Split(msgid, ".")) {
-			unusedMsgids = append(unusedMsgids, msgid)
-		}
-	}
-
-	sort.Strings(unusedMsgids)
-
-	if len(unusedMsgids) != 0 {
-		fmt.Printf("=== unused msgids (%d): ===\n", len(unusedMsgids))
-		for _, msgid := range unusedMsgids {
-			fmt.Printf("- %s\n", msgid)
-		}
-	}
-
 	if !allowMissingMsgids && gotAnyMsgidError {
 		os.Exit(4)
 	}
-	if !allowUnusedMsgids && len(unusedMsgids) != 0 {
-		os.Exit(5)
-	}
 }
--- a/build/lint-locale-usage/lint-locale-usage_test.go
+++ b/build/lint-locale-usage/lint-locale-usage_test.go
@ -11,39 +11,33 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func buildHandler(ret *[]string) Handler {
-	return Handler{
-		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
-			*ret = append(*ret, msgid)
-		},
-		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {},
-		LocaleTrFunctions:  InitLocaleTrFunctions(),
-	}
-}
-
 func HandleGoFileWrapped(t *testing.T, fname, src string) []string {
 	var ret []string
-	handler := buildHandler(&ret)
-	require.NoError(t, handler.HandleGoFile(fname, src))
+	omh := OnMsgidHandler(func(fset *token.FileSet, pos token.Pos, msgid string) {
+		ret = append(ret, msgid)
+	})
+	require.NoError(t, omh.HandleGoFile(fname, src))
 	return ret
 }

 func HandleTemplateFileWrapped(t *testing.T, fname, src string) []string {
 	var ret []string
-	handler := buildHandler(&ret)
-	require.NoError(t, handler.HandleTemplateFile(fname, src))
+	omh := OnMsgidHandler(func(fset *token.FileSet, pos token.Pos, msgid string) {
+		ret = append(ret, msgid)
+	})
+	require.NoError(t, omh.HandleTemplateFile(fname, src))
 	return ret
 }

 func TestUsagesParser(t *testing.T) {
 	t.Run("go, simple", func(t *testing.T) {
-		assert.Equal(t,
+		assert.EqualValues(t,
 			[]string{"what.an.example"},
 			HandleGoFileWrapped(t, "<g1>", "package main\nfunc Render(ctx *context.Context) string { return ctx.Tr(\"what.an.example\"); }\n"))
 	})

 	t.Run("template, simple", func(t *testing.T) {
-		assert.Equal(t,
+		assert.EqualValues(t,
 			[]string{"what.an.example"},
 			HandleTemplateFileWrapped(t, "<t1>", "{{ ctx.Locale.Tr \"what.an.example\" }}\n"))
 	})
--- a/build/lint-locale/lint-locale.go
+++ b/build/lint-locale/lint-locale.go
@ -14,7 +14,7 @@ import (
 	"slices"
 	"strings"

-	"forgejo.org/modules/translation/localeiter"
+	"forgejo.org/modules/locale"

 	"github.com/microcosm-cc/bluemonday"
 	"github.com/sergi/go-diff/diffmatchpatch"
@ -52,7 +52,7 @@ func initBlueMondayPolicy() {
 	policy.AllowAttrs("id").Matching(positionalPlaceholderRe).OnElements("code")

 	// Allowed elements with no attributes. Must be a recognized tagname.
-	policy.AllowElements("strong", "br", "b", "strike", "code", "i", "kbd")
+	policy.AllowElements("strong", "br", "b", "strike", "code", "i")

 	// TODO: Remove <c> in `actions.workflow.dispatch.trigger_found`.
 	policy.AllowNoAttrs().OnElements("c")
@ -100,7 +100,7 @@ func checkValue(trKey, value string) []string {
 func checkLocaleContent(localeContent []byte) []string {
 	errors := []string{}

-	if err := localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
+	if err := locale.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
 		errors = append(errors, checkValue(trKey, trValue)...)
 		return nil
 	}); err != nil {
@ -113,12 +113,8 @@ func checkLocaleContent(localeContent []byte) []string {
 func checkLocaleNextContent(localeContent []byte) []string {
 	errors := []string{}

-	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
-		fullKey := trKey
-		if pluralForm != "" {
-			fullKey = trKey + "." + pluralForm
-		}
-		errors = append(errors, checkValue(fullKey, trValue)...)
+	if err := locale.IterateMessagesNextContent(localeContent, func(trKey, trValue string) error {
+		errors = append(errors, checkValue(trKey, trValue)...)
 		return nil
 	}); err != nil {
 		panic(err)
--- a/build/lint-locale/lint-locale_test.go
+++ b/build/lint-locale/lint-locale_test.go
@ -15,9 +15,9 @@ func TestLocalizationPolicy(t *testing.T) {
 	t.Run("Remove tags", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`hidden_comment_types_description = Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`)))

-		assert.Equal(t, []string{"key: \x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<not-an-allowed-key> <label>"`)))
-		assert.Equal(t, []string{"key: \x1b[31m<user@example.com>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<user@example.com> <email@example.com>"`)))
-		assert.Equal(t, []string{"key: \x1b[31m<tag>\x1b[0m REPLACED-TAG \x1b[31m</tag>\x1b[0m"}, checkLocaleContent([]byte(`key = "<tag> <email@example.com> </tag>"`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<not-an-allowed-key> <label>"`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<user@example.com>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<user@example.com> <email@example.com>"`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<tag>\x1b[0m REPLACED-TAG \x1b[31m</tag>\x1b[0m"}, checkLocaleContent([]byte(`key = "<tag> <email@example.com> </tag>"`)))
 	})

 	t.Run("Specific exception", func(t *testing.T) {
@ -25,11 +25,11 @@ func TestLocalizationPolicy(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`pulls.title_desc_one = wants to merge %[1]d commit from <code>%[2]s</code> into <code id="%[4]s">%[3]s</code>`)))
 		assert.Empty(t, checkLocaleContent([]byte(`editor.commit_directly_to_this_branch = Commit directly to the <strong class="%[2]s">%[1]s</strong> branch.`)))

-		assert.Equal(t, []string{"workflow.dispatch.trigger_found: This workflow has a \x1b[31m<d>\x1b[0mworkflow_dispatch\x1b[31m</d>\x1b[0m event trigger."}, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <d>workflow_dispatch</d> event trigger.`)))
-		assert.Equal(t, []string{"key: <code\x1b[31m id=\"branch_targe\"\x1b[0m>%[3]s</code>"}, checkLocaleContent([]byte(`key = <code id="branch_targe">%[3]s</code>`)))
-		assert.Equal(t, []string{"key: <a\x1b[31m class=\"ui sh\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="ui sh" href="%[3]s">`)))
-		assert.Equal(t, []string{"key: <a\x1b[31m class=\"js-click-me\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="js-click-me" href="%[3]s">`)))
-		assert.Equal(t, []string{"key: <strong\x1b[31m class=\"branch-target\"\x1b[0m>%[1]s</strong>"}, checkLocaleContent([]byte(`key = <strong class="branch-target">%[1]s</strong>`)))
+		assert.EqualValues(t, []string{"workflow.dispatch.trigger_found: This workflow has a \x1b[31m<d>\x1b[0mworkflow_dispatch\x1b[31m</d>\x1b[0m event trigger."}, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <d>workflow_dispatch</d> event trigger.`)))
+		assert.EqualValues(t, []string{"key: <code\x1b[31m id=\"branch_targe\"\x1b[0m>%[3]s</code>"}, checkLocaleContent([]byte(`key = <code id="branch_targe">%[3]s</code>`)))
+		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"ui sh\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="ui sh" href="%[3]s">`)))
+		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"js-click-me\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="js-click-me" href="%[3]s">`)))
+		assert.EqualValues(t, []string{"key: <strong\x1b[31m class=\"branch-target\"\x1b[0m>%[1]s</strong>"}, checkLocaleContent([]byte(`key = <strong class="branch-target">%[1]s</strong>`)))
 	})

 	t.Run("General safe tags", func(t *testing.T) {
@ -37,9 +37,8 @@ func TestLocalizationPolicy(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte("teams.specific_repositories_helper = Members will only have access to repositories explicitly added to the team. Selecting this <strong>will not</strong> automatically remove repositories already added with <i>All repositories</i>.")))
 		assert.Empty(t, checkLocaleContent([]byte("sqlite_helper = File path for the SQLite3 database.<br>Enter an absolute path if you run Forgejo as a service.")))
 		assert.Empty(t, checkLocaleContent([]byte("hi_user_x = Hi <b>%s</b>,")))
-		assert.Empty(t, checkLocaleContent([]byte("key = Press <kbd>Shift</kbd>")))

-		assert.Equal(t, []string{"error404: The page you are trying to reach either <strong\x1b[31m title='aaa'\x1b[0m>does not exist</strong> or <strong>you are not authorized</strong> to view it."}, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong title='aaa'>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
+		assert.EqualValues(t, []string{"error404: The page you are trying to reach either <strong\x1b[31m title='aaa'\x1b[0m>does not exist</strong> or <strong>you are not authorized</strong> to view it."}, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong title='aaa'>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
 	})

 	t.Run("<a>", func(t *testing.T) {
@ -48,20 +47,20 @@ func TestLocalizationPolicy(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`webauthn_desc = Security keys are hardware devices containing cryptographic keys. They can be used for two-factor authentication. Security keys must support the <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a> standard.`)))
 		assert.Empty(t, checkLocaleContent([]byte("issues.closed_at = `closed this issue <a id=\"%[1]s\" href=\"#%[1]s\">%[2]s</a>`")))

-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com">`)))
-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"javascript:alert('1')\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="javascript:alert('1')">`)))
-		assert.Equal(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m download\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" download>`)))
-		assert.Equal(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m target=\"_self\"\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" target="_self">`)))
-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com/%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/%s">`)))
-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com/?q=%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/?q=%s">`)))
-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"%s/open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s/open-redirect">`)))
-		assert.Equal(t, []string{"key: \x1b[31m<a href=\"%s?q=open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s?q=open-redirect">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"javascript:alert('1')\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="javascript:alert('1')">`)))
+		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m download\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" download>`)))
+		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m target=\"_self\"\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" target="_self">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/%s">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/?q=%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/?q=%s">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s/open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s/open-redirect">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s?q=open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s?q=open-redirect">`)))
 	})

 	t.Run("Escaped HTML characters", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte("activity.git_stats_push_to_branch = `إلى %s و\"`")))

-		assert.Equal(t, []string{"key: و\x1b[31m&nbsp;\x1b[0m\x1b[32m\u00a0\x1b[0m"}, checkLocaleContent([]byte(`key = و&nbsp;`)))
+		assert.EqualValues(t, []string{"key: و\x1b[31m&nbsp\x1b[0m\x1b[32m\u00a0\x1b[0m"}, checkLocaleContent([]byte(`key = و&nbsp;`)))
 	})
 }

@ -76,7 +75,7 @@ func TestNextLocalizationPolicy(t *testing.T) {
 			}
 		}`)))

-		assert.Equal(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
+		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
 			"settings": {
 				"hidden_comment_types_description": "\"<not-an-allowed-key> <label>\""
 			}
@ -88,20 +87,8 @@ func TestNextLocalizationPolicy(t *testing.T) {
 			"settings.hidden_comment_types_description": "Comment types checked here will not be shown inside issue pages. Checking \"Label\" for example removes all \"<user> added/removed <label>\" comments."
 		}`)))

-		assert.Equal(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
+		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
 			"settings.hidden_comment_types_description": "\"<not-an-allowed-key> <label>\""
 		}`)))
 	})
-
-	t.Run("Plural form", func(t *testing.T) {
-		assert.Equal(t, []string{"repo.pulls.title_desc: key = \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleNextContent([]byte(`{"repo.pulls.title_desc": {
-                       "few": "key = <a href=\"%s\">",
-                       "other": "key = <a href=\"https://example.com\">"
-    }}`)))
-
-		assert.Equal(t, []string{"repo.pulls.title_desc.few: key = \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleNextContent([]byte(`{"repo.pulls.title_desc": {
-                       "few": "key = <a href=\"https://example.com\">",
-                       "other": "key = <a href=\"%s\">"
-    }}`)))
-	})
 }
--- a/build/update-locales.sh
+++ b/build/update-locales.sh
@ -0,0 +1,52 @@
+#!/bin/sh
+
+# this script runs in alpine image which only has `sh` shell
+
+set +e
+if sed --version 2>/dev/null | grep -q GNU; then
+  SED_INPLACE="sed -i"
+else
+  SED_INPLACE="sed -i ''"
+fi
+set -e
+
+if [ ! -f ./options/locale/locale_en-US.ini ]; then
+  echo "please run this script in the root directory of the project"
+  exit 1
+fi
+
+mv ./options/locale/locale_en-US.ini ./options/
+
+# the "ini" library for locale has many quirks, its behavior is different from Crowdin.
+# see i18n_test.go for more details
+
+# this script helps to unquote the Crowdin outputs for the quirky ini library
+# * find all `key="...\"..."` lines
+# * remove the leading quote
+# * remove the trailing quote
+# * unescape the quotes
+# * eg: key="...\"..." => key=..."...
+$SED_INPLACE -r -e '/^[-.A-Za-z0-9_]+[ ]*=[ ]*".*"$/ {
+	s/^([-.A-Za-z0-9_]+)[ ]*=[ ]*"/\1=/
+	s/"$//
+	s/\\"/"/g
+	}' ./options/locale/*.ini
+
+# * if the escaped line is incomplete like `key="...` or `key=..."`, quote it with backticks
+# * eg: key="... => key=`"...`
+# * eg: key=..." => key=`..."`
+$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*(".*[^"])$/\1=`\2`/' ./options/locale/*.ini
+$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*([^"].*")$/\1=`\2`/' ./options/locale/*.ini
+
+# Remove translation under 25% of en_us
+baselines=$(wc -l "./options/locale_en-US.ini" | cut -d" " -f1)
+baselines=$((baselines / 4))
+for filename in ./options/locale/*.ini; do
+  lines=$(wc -l "$filename" | cut -d" " -f1)
+  if [ $lines -lt $baselines ]; then
+    echo "Removing $filename: $lines/$baselines"
+    rm "$filename"
+  fi
+done
+
+mv ./options/locale_en-US.ini ./options/locale/
--- a/cmd/actions.go
+++ b/cmd/actions.go
@ -4,28 +4,25 @@
 package cmd

 import (
-	"context"
 	"fmt"

 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-// CmdActions represents the available actions sub-commands.
-func cmdActions() *cli.Command {
-	return &cli.Command{
+var (
+	// CmdActions represents the available actions sub-commands.
+	CmdActions = &cli.Command{
 		Name:  "actions",
 		Usage: "Manage Forgejo Actions",
-		Commands: []*cli.Command{
-			subcmdActionsGenRunnerToken(),
+		Subcommands: []*cli.Command{
+			subcmdActionsGenRunnerToken,
 		},
 	}
-}

-func subcmdActionsGenRunnerToken() *cli.Command {
-	return &cli.Command{
+	subcmdActionsGenRunnerToken = &cli.Command{
 		Name:    "generate-runner-token",
 		Usage:   "Generate a new token for a runner to use to register with the server",
 		Action:  runGenerateActionsRunnerToken,
@ -39,10 +36,10 @@ func subcmdActionsGenRunnerToken() *cli.Command {
 			},
 		},
 	}
-}
+)

-func runGenerateActionsRunnerToken(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runGenerateActionsRunnerToken(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	setting.MustInstalled()
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -15,64 +15,56 @@ import (
 	"forgejo.org/modules/log"
 	repo_module "forgejo.org/modules/repository"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-// CmdAdmin represents the available admin sub-command.
-func cmdAdmin() *cli.Command {
-	return &cli.Command{
+var (
+	// CmdAdmin represents the available admin sub-command.
+	CmdAdmin = &cli.Command{
 		Name:  "admin",
 		Usage: "Perform common administrative operations",
-		Commands: []*cli.Command{
-			subcmdUser(),
-			subcmdRepoSyncReleases(),
-			subcmdRegenerate(),
-			subcmdAuth(),
-			subcmdSendMail(),
+		Subcommands: []*cli.Command{
+			subcmdUser,
+			subcmdRepoSyncReleases,
+			subcmdRegenerate,
+			subcmdAuth,
+			subcmdSendMail,
 		},
 	}
-}

-func subcmdRepoSyncReleases() *cli.Command {
-	return &cli.Command{
+	subcmdRepoSyncReleases = &cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
 		Action: runRepoSyncReleases,
 	}
-}

-func subcmdRegenerate() *cli.Command {
-	return &cli.Command{
+	subcmdRegenerate = &cli.Command{
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
-		Commands: []*cli.Command{
+		Subcommands: []*cli.Command{
 			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}
-}

-func subcmdAuth() *cli.Command {
-	return &cli.Command{
+	subcmdAuth = &cli.Command{
 		Name:  "auth",
 		Usage: "Modify external auth providers",
-		Commands: []*cli.Command{
-			microcmdAuthAddOauth(),
-			microcmdAuthUpdateOauth(),
-			microcmdAuthAddLdapBindDn(),
-			microcmdAuthUpdateLdapBindDn(),
-			microcmdAuthAddLdapSimpleAuth(),
-			microcmdAuthUpdateLdapSimpleAuth(),
-			microcmdAuthAddSMTP(),
-			microcmdAuthUpdateSMTP(),
-			microcmdAuthList(),
-			microcmdAuthDelete(),
+		Subcommands: []*cli.Command{
+			microcmdAuthAddOauth,
+			microcmdAuthUpdateOauth,
+			microcmdAuthAddLdapBindDn,
+			microcmdAuthUpdateLdapBindDn,
+			microcmdAuthAddLdapSimpleAuth,
+			microcmdAuthUpdateLdapSimpleAuth,
+			microcmdAuthAddSMTP,
+			microcmdAuthUpdateSMTP,
+			microcmdAuthList,
+			microcmdAuthDelete,
 		},
 	}
-}

-func subcmdSendMail() *cli.Command {
-	return &cli.Command{
+	subcmdSendMail = &cli.Command{
 		Name:   "sendmail",
 		Usage:  "Send a message to all users",
 		Action: runSendMail,
@ -94,17 +86,15 @@ func subcmdSendMail() *cli.Command {
 			},
 		},
 	}
-}

-func idFlag() *cli.Int64Flag {
-	return &cli.Int64Flag{
+	idFlag = &cli.Int64Flag{
 		Name:  "id",
 		Usage: "ID of authentication source",
 	}
-}
+)

-func runRepoSyncReleases(ctx context.Context, _ *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRepoSyncReleases(_ *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_auth.go
+++ b/cmd/admin_auth.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"os"
@ -14,29 +13,17 @@ import (
 	"forgejo.org/models/db"
 	auth_service "forgejo.org/services/auth"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-type (
-	authService struct {
-		initDB            func(ctx context.Context) error
-		createAuthSource  func(context.Context, *auth_model.Source) error
-		updateAuthSource  func(context.Context, *auth_model.Source) error
-		getAuthSourceByID func(ctx context.Context, id int64) (*auth_model.Source, error)
-	}
-)
-
-func microcmdAuthDelete() *cli.Command {
-	return &cli.Command{
+var (
+	microcmdAuthDelete = &cli.Command{
 		Name:   "delete",
 		Usage:  "Delete specific auth source",
-		Flags:  []cli.Flag{idFlag()},
+		Flags:  []cli.Flag{idFlag},
 		Action: runDeleteAuth,
 	}
-}
-
-func microcmdAuthList() *cli.Command {
-	return &cli.Command{
+	microcmdAuthList = &cli.Command{
 		Name:   "list",
 		Usage:  "List auth sources",
 		Action: runListAuth,
@ -67,20 +54,10 @@ func microcmdAuthList() *cli.Command {
 			},
 		},
 	}
-}
+)

-// newAuthService creates a service with default functions.
-func newAuthService() *authService {
-	return &authService{
-		initDB:            initDB,
-		createAuthSource:  auth_model.CreateSource,
-		updateAuthSource:  auth_model.UpdateSource,
-		getAuthSourceByID: auth_model.GetSourceByID,
-	}
-}
-
-func runListAuth(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runListAuth(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -104,7 +81,7 @@ func runListAuth(ctx context.Context, c *cli.Command) error {

 	// loop through each source and print
 	w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags)
-	fmt.Fprint(w, "ID\tName\tType\tEnabled\n")
+	fmt.Fprintf(w, "ID\tName\tType\tEnabled\n")
 	for _, source := range authSources {
 		fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive)
 	}
@ -113,12 +90,12 @@ func runListAuth(ctx context.Context, c *cli.Command) error {
 	return nil
 }

-func runDeleteAuth(ctx context.Context, c *cli.Command) error {
+func runDeleteAuth(c *cli.Context) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -11,11 +11,20 @@ import (
 	"forgejo.org/models/auth"
 	"forgejo.org/services/auth/source/ldap"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func commonLdapCLIFlags() []cli.Flag {
-	return []cli.Flag{
+type (
+	authService struct {
+		initDB            func(ctx context.Context) error
+		createAuthSource  func(context.Context, *auth.Source) error
+		updateAuthSource  func(context.Context, *auth.Source) error
+		getAuthSourceByID func(ctx context.Context, id int64) (*auth.Source, error)
+	}
+)
+
+var (
+	commonLdapCLIFlags = []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Usage: "Authentication name.",
@ -93,10 +102,8 @@ func commonLdapCLIFlags() []cli.Flag {
 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
 		},
 	}
-}

-func ldapBindDnCLIFlags() []cli.Flag {
-	return append(commonLdapCLIFlags(),
+	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
 		&cli.StringFlag{
 			Name:  "bind-dn",
 			Usage: "The DN to bind to the LDAP server with when searching for the user.",
@ -121,62 +128,62 @@ func ldapBindDnCLIFlags() []cli.Flag {
 			Name:  "page-size",
 			Usage: "Search page size.",
 		})
-}

-func ldapSimpleAuthCLIFlags() []cli.Flag {
-	return append(commonLdapCLIFlags(),
+	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
 		&cli.StringFlag{
 			Name:  "user-dn",
 			Usage: "The user's DN.",
 		})
-}

-func microcmdAuthAddLdapBindDn() *cli.Command {
-	return &cli.Command{
+	microcmdAuthAddLdapBindDn = &cli.Command{
 		Name:  "add-ldap",
 		Usage: "Add new LDAP (via Bind DN) authentication source",
-		Action: func(ctx context.Context, cli *cli.Command) error {
-			return newAuthService().addLdapBindDn(ctx, cli)
+		Action: func(c *cli.Context) error {
+			return newAuthService().addLdapBindDn(c)
 		},
-		Flags: ldapBindDnCLIFlags(),
+		Flags: ldapBindDnCLIFlags,
 	}
-}

-func microcmdAuthUpdateLdapBindDn() *cli.Command {
-	return &cli.Command{
+	microcmdAuthUpdateLdapBindDn = &cli.Command{
 		Name:  "update-ldap",
 		Usage: "Update existing LDAP (via Bind DN) authentication source",
-		Action: func(ctx context.Context, cli *cli.Command) error {
-			return newAuthService().updateLdapBindDn(ctx, cli)
+		Action: func(c *cli.Context) error {
+			return newAuthService().updateLdapBindDn(c)
 		},
-		Flags: append([]cli.Flag{idFlag()}, ldapBindDnCLIFlags()...),
+		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),
 	}
-}

-func microcmdAuthAddLdapSimpleAuth() *cli.Command {
-	return &cli.Command{
+	microcmdAuthAddLdapSimpleAuth = &cli.Command{
 		Name:  "add-ldap-simple",
 		Usage: "Add new LDAP (simple auth) authentication source",
-		Action: func(ctx context.Context, cli *cli.Command) error {
-			return newAuthService().addLdapSimpleAuth(ctx, cli)
+		Action: func(c *cli.Context) error {
+			return newAuthService().addLdapSimpleAuth(c)
 		},
-		Flags: ldapSimpleAuthCLIFlags(),
+		Flags: ldapSimpleAuthCLIFlags,
 	}
-}

-func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
-	return &cli.Command{
+	microcmdAuthUpdateLdapSimpleAuth = &cli.Command{
 		Name:  "update-ldap-simple",
 		Usage: "Update existing LDAP (simple auth) authentication source",
-		Action: func(ctx context.Context, cli *cli.Command) error {
-			return newAuthService().updateLdapSimpleAuth(ctx, cli)
+		Action: func(c *cli.Context) error {
+			return newAuthService().updateLdapSimpleAuth(c)
 		},
-		Flags: append([]cli.Flag{idFlag()}, ldapSimpleAuthCLIFlags()...),
+		Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),
+	}
+)
+
+// newAuthService creates a service with default functions.
+func newAuthService() *authService {
+	return &authService{
+		initDB:            initDB,
+		createAuthSource:  auth.CreateSource,
+		updateAuthSource:  auth.UpdateSource,
+		getAuthSourceByID: auth.GetSourceByID,
 	}
 }

 // parseAuthSource assigns values on authSource according to command line flags.
-func parseAuthSource(c *cli.Command, authSource *auth.Source) {
+func parseAuthSource(c *cli.Context, authSource *auth.Source) {
 	if c.IsSet("name") {
 		authSource.Name = c.String("name")
 	}
@ -195,7 +202,7 @@ func parseAuthSource(c *cli.Command, authSource *auth.Source) {
 }

 // parseLdapConfig assigns values on config according to command line flags.
-func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
+func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("name") {
 		config.Name = c.String("name")
 	}
@ -282,7 +289,7 @@ func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {

 // getAuthSource gets the login source by its id defined in the command line flags.
 // It returns an error if the id is not set, does not match any source or if the source is not of expected type.
-func (a *authService) getAuthSource(ctx context.Context, c *cli.Command, authType auth.Type) (*auth.Source, error) {
+func (a *authService) getAuthSource(ctx context.Context, c *cli.Context, authType auth.Type) (*auth.Source, error) {
 	if err := argsSet(c, "id"); err != nil {
 		return nil, err
 	}
@ -300,12 +307,12 @@ func (a *authService) getAuthSource(ctx context.Context, c *cli.Command, authTyp
 }

 // addLdapBindDn adds a new LDAP via Bind DN authentication source.
-func (a *authService) addLdapBindDn(ctx context.Context, c *cli.Command) error {
+func (a *authService) addLdapBindDn(c *cli.Context) error {
 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
 		return err
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := a.initDB(ctx); err != nil {
@ -329,8 +336,8 @@ func (a *authService) addLdapBindDn(ctx context.Context, c *cli.Command) error {
 }

 // updateLdapBindDn updates a new LDAP via Bind DN authentication source.
-func (a *authService) updateLdapBindDn(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func (a *authService) updateLdapBindDn(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := a.initDB(ctx); err != nil {
@ -351,12 +358,12 @@ func (a *authService) updateLdapBindDn(ctx context.Context, c *cli.Command) erro
 }

 // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
-func (a *authService) addLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
+func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
 		return err
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := a.initDB(ctx); err != nil {
@ -380,8 +387,8 @@ func (a *authService) addLdapSimpleAuth(ctx context.Context, c *cli.Command) err
 }

 // updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
-func (a *authService) updateLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := a.initDB(ctx); err != nil {
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@ -8,17 +8,18 @@ import (
 	"testing"

 	"forgejo.org/models/auth"
-	"forgejo.org/modules/test"
 	"forgejo.org/services/auth/source/ldap"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func TestAddLdapBindDn(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+	osExiter := cli.OsExiter
+	defer func() { cli.OsExiter = osExiter }()
+	cli.OsExiter = func(code int) {}

 	// Test cases
 	cases := []struct {
@ -215,22 +216,22 @@ func TestAddLdapBindDn(t *testing.T) {
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
 				return nil
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
 				return nil, nil
 			},
 		}

 		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthAddLdapBindDn().Flags
+		app := cli.NewApp()
+		app.Flags = microcmdAuthAddLdapBindDn.Flags
 		app.Action = service.addLdapBindDn

 		// Run it
-		err := app.Run(t.Context(), c.args)
+		err := app.Run(c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@ -242,7 +243,9 @@ func TestAddLdapBindDn(t *testing.T) {

 func TestAddLdapSimpleAuth(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+	osExiter := cli.OsExiter
+	defer func() { cli.OsExiter = osExiter }()
+	cli.OsExiter = func(code int) {}

 	// Test cases
 	cases := []struct {
@ -444,22 +447,22 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
 				return nil
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
 				return nil, nil
 			},
 		}

 		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthAddLdapSimpleAuth().Flags
+		app := cli.NewApp()
+		app.Flags = microcmdAuthAddLdapSimpleAuth.Flags
 		app.Action = service.addLdapSimpleAuth

 		// Run it
-		err := app.Run(t.Context(), c.args)
+		err := app.Run(c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@ -471,7 +474,9 @@ func TestAddLdapSimpleAuth(t *testing.T) {

 func TestUpdateLdapBindDn(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+	osExiter := cli.OsExiter
+	defer func() { cli.OsExiter = osExiter }()
+	cli.OsExiter = func(code int) {}

 	// Test cases
 	cases := []struct {
@ -893,7 +898,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				return nil
 			},
 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call createAuthSource", n)
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
@ -915,12 +920,12 @@ func TestUpdateLdapBindDn(t *testing.T) {
 		}

 		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthUpdateLdapBindDn().Flags
+		app := cli.NewApp()
+		app.Flags = microcmdAuthUpdateLdapBindDn.Flags
 		app.Action = service.updateLdapBindDn

 		// Run it
-		err := app.Run(t.Context(), c.args)
+		err := app.Run(c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@ -932,7 +937,9 @@ func TestUpdateLdapBindDn(t *testing.T) {

 func TestUpdateLdapSimpleAuth(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+	osExiter := cli.OsExiter
+	defer func() { cli.OsExiter = osExiter }()
+	cli.OsExiter = func(code int) {}

 	// Test cases
 	cases := []struct {
@ -1281,7 +1288,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				return nil
 			},
 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
+				assert.FailNow(t, "case %d: should not call createAuthSource", n)
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
@ -1303,12 +1310,12 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 		}

 		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthUpdateLdapSimpleAuth().Flags
+		app := cli.NewApp()
+		app.Flags = microcmdAuthUpdateLdapSimpleAuth.Flags
 		app.Action = service.updateLdapSimpleAuth

 		// Run it
-		err := app.Run(t.Context(), c.args)
+		err := app.Run(c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
--- a/cmd/admin_auth_oauth.go
+++ b/cmd/admin_auth_oauth.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"net/url"
@ -12,11 +11,11 @@ import (
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/services/auth/source/oauth2"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func oauthCLIFlags() []cli.Flag {
-	return []cli.Flag{
+var (
+	oauthCLIFlags = []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Value: "",
@ -86,11 +85,6 @@ func oauthCLIFlags() []cli.Flag {
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
-		&cli.StringFlag{
-			Name:  "attribute-ssh-public-key",
-			Value: "",
-			Usage: "Claim name providing SSH public keys for this source",
-		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@ -125,32 +119,24 @@ func oauthCLIFlags() []cli.Flag {
 			Name:  "group-team-map-removal",
 			Usage: "Activate automatic team membership removal depending on groups",
 		},
-		&cli.BoolFlag{
-			Name:  "allow-username-change",
-			Usage: "Allow users to change their username",
-		},
 	}
-}

-func microcmdAuthAddOauth() *cli.Command {
-	return &cli.Command{
+	microcmdAuthAddOauth = &cli.Command{
 		Name:   "add-oauth",
 		Usage:  "Add new Oauth authentication source",
-		Action: newAuthService().addOauth,
-		Flags:  oauthCLIFlags(),
+		Action: runAddOauth,
+		Flags:  oauthCLIFlags,
 	}
-}

-func microcmdAuthUpdateOauth() *cli.Command {
-	return &cli.Command{
+	microcmdAuthUpdateOauth = &cli.Command{
 		Name:   "update-oauth",
 		Usage:  "Update existing Oauth authentication source",
-		Action: newAuthService().updateOauth,
-		Flags:  append(oauthCLIFlags()[:1], append([]cli.Flag{idFlag()}, oauthCLIFlags()[1:]...)...),
+		Action: runUpdateOauth,
+		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),
 	}
-}
+)

-func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
+func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 	var customURLMapping *oauth2.CustomURLMapping
 	if c.IsSet("use-custom-urls") {
 		customURLMapping = &oauth2.CustomURLMapping{
@ -172,7 +158,6 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		IconURL:                       c.String("icon-url"),
 		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
 		Scopes:                        c.StringSlice("scopes"),
-		AttributeSSHPublicKey:         c.String("attribute-ssh-public-key"),
 		RequiredClaimName:             c.String("required-claim-name"),
 		RequiredClaimValue:            c.String("required-claim-value"),
 		GroupClaimName:                c.String("group-claim-name"),
@ -180,19 +165,18 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
-		AllowUsernameChange:           c.Bool("allow-username-change"),
 	}
 }

-func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runAddOauth(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	if err := a.initDB(ctx); err != nil {
+	if err := initDB(ctx); err != nil {
 		return err
 	}

-	config := parseOAuth2Config(ctx, c)
+	config := parseOAuth2Config(c)
 	if config.Provider == "openidConnect" {
 		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
 		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
@ -200,7 +184,7 @@ func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
 		}
 	}

-	return a.createAuthSource(ctx, &auth_model.Source{
+	return auth_model.CreateSource(ctx, &auth_model.Source{
 		Type:     auth_model.OAuth2,
 		Name:     c.String("name"),
 		IsActive: true,
@ -208,19 +192,19 @@ func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
 	})
 }

-func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
+func runUpdateOauth(c *cli.Context) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

-	if err := a.initDB(ctx); err != nil {
+	if err := initDB(ctx); err != nil {
 		return err
 	}

-	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
+	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return err
 	}
@ -255,10 +239,6 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 		oAuth2Config.Scopes = c.StringSlice("scopes")
 	}

-	if c.IsSet("attribute-ssh-public-key") {
-		oAuth2Config.AttributeSSHPublicKey = c.String("attribute-ssh-public-key")
-	}
-
 	if c.IsSet("required-claim-name") {
 		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
 	}
@ -282,10 +262,6 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}

-	if c.IsSet("allow-username-change") {
-		oAuth2Config.AllowUsernameChange = c.Bool("allow-username-change")
-	}
-
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}

@ -319,5 +295,5 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config

-	return a.updateAuthSource(ctx, source)
+	return auth_model.UpdateSource(ctx, source)
 }
--- a/cmd/admin_auth_oauth_test.go
+++ b/cmd/admin_auth_oauth_test.go
@ -1,706 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"forgejo.org/models/auth"
-	"forgejo.org/modules/test"
-	"forgejo.org/services/auth/source/oauth2"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
-)
-
-func TestAddOauth(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args   []string
-		source *auth.Source
-		errMsg string
-	}{
-		// case 0
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source full",
-				"--provider", "openidConnect",
-				"--key", "client id",
-				"--secret", "client secret",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--icon-url", "https://example.com/icon.svg",
-				"--skip-local-2fa",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-				"--attribute-ssh-public-key", "ssh_public_key",
-				"--required-claim-name", "can_access",
-				"--required-claim-value", "yes",
-				"--group-claim-name", "groups",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				"--group-team-map-removal",
-				"--allow-username-change",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source full",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					ClientID:                      "client id",
-					ClientSecret:                  "client secret",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-					IconURL:               "https://example.com/icon.svg",
-					Scopes:                []string{"address", "email", "phone", "profile"},
-					AttributeSSHPublicKey: "ssh_public_key",
-					RequiredClaimName:     "can_access",
-					RequiredClaimValue:    "yes",
-					GroupClaimName:        "groups",
-					AdminGroup:            "admin",
-					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-					GroupTeamMapRemoval:   true,
-					RestrictedGroup:       "restricted",
-					SkipLocalTwoFA:        true,
-					AllowUsernameChange:   true,
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source min",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source min",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-				},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Scopes: []string{},
-				},
-			},
-		},
-		// case 3
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 4
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--scopes", "address,email,phone,profile",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 5
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source",
-				"--provider", "openidConnect",
-			},
-			errMsg: "invalid Auto Discovery URL:  (this must be a valid URL starting with http:// or https://)",
-		},
-		// case 6
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "example.com",
-			},
-			errMsg: "invalid Auto Discovery URL: example.com (this must be a valid URL starting with http:// or https://)",
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var createdAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				createdAuthSource = authSource
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
-				return nil, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthAddOauth().Flags
-		app.Action = service.addOauth
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}
-
-func TestUpdateOauth(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args               []string
-		id                 int64
-		existingAuthSource *auth.Source
-		authSource         *auth.Source
-		errMsg             string
-	}{
-		// case 0
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "23",
-				"--name", "oauth2 (via openidConnect) source full",
-				"--provider", "openidConnect",
-				"--key", "client id",
-				"--secret", "client secret",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--icon-url", "https://example.com/icon.svg",
-				"--skip-local-2fa",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-				"--attribute-ssh-public-key", "ssh_public_key",
-				"--required-claim-name", "can_access",
-				"--required-claim-value", "yes",
-				"--group-claim-name", "groups",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				"--group-team-map-removal",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg:  &oauth2.Source{},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source full",
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					ClientID:                      "client id",
-					ClientSecret:                  "client secret",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-					IconURL:               "https://example.com/icon.svg",
-					Scopes:                []string{"address", "email", "phone", "profile"},
-					AttributeSSHPublicKey: "ssh_public_key",
-					RequiredClaimName:     "can_access",
-					RequiredClaimValue:    "yes",
-					GroupClaimName:        "groups",
-					AdminGroup:            "admin",
-					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-					GroupTeamMapRemoval:   true,
-					RestrictedGroup:       "restricted",
-					// `--skip-local-2fa` is currently ignored.
-					// SkipLocalTwoFA:        true,
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source full",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source full",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 3
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--provider", "openidConnect",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					Provider:         "openidConnect",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 4
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--key", "client id",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					ClientID:         "client id",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 5
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--secret", "client secret",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					ClientSecret:     "client secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 6
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping:              &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 7
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-				},
-			},
-		},
-		// case 8
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 9
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--icon-url", "https://example.com/icon.svg",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					IconURL:          "https://example.com/icon.svg",
-				},
-			},
-		},
-		// case 10
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
-				"--skip-local-2fa",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					// `--skip-local-2fa` is currently ignored.
-					// SkipLocalTwoFA: true,
-				},
-			},
-		},
-		// case 11
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					Scopes:           []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 12
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				"--scopes", "address,email,phone,profile",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					Scopes:           []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 13
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--attribute-ssh-public-key", "ssh_public_key",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:      &oauth2.CustomURLMapping{},
-					AttributeSSHPublicKey: "ssh_public_key",
-				},
-			},
-		},
-		// case 14
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--required-claim-name", "can_access",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:  &oauth2.CustomURLMapping{},
-					RequiredClaimName: "can_access",
-				},
-			},
-		},
-		// case 15
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--required-claim-value", "yes",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:   &oauth2.CustomURLMapping{},
-					RequiredClaimValue: "yes",
-				},
-			},
-		},
-		// case 16
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-claim-name", "groups",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					GroupClaimName:   "groups",
-				},
-			},
-		},
-		// case 17
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--admin-group", "admin",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					AdminGroup:       "admin",
-				},
-			},
-		},
-		// case 18
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--restricted-group", "restricted",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					RestrictedGroup:  "restricted",
-				},
-			},
-		},
-		// case 19
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					GroupTeamMap:     `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				},
-			},
-		},
-		// case 20
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-team-map-removal",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					GroupTeamMapRemoval: true,
-				},
-			},
-		},
-		// case 21
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "23",
-				"--group-team-map-removal=false",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					GroupTeamMapRemoval: true,
-				},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					GroupTeamMapRemoval: false,
-				},
-			},
-		},
-		// case 22
-		{
-			args: []string{
-				"oauth-test",
-			},
-			errMsg: "--id flag is missing",
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var updatedAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				updatedAuthSource = authSource
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				if c.id != 0 {
-					assert.Equal(t, c.id, id, "case %d: wrong id", n)
-				}
-				if c.existingAuthSource != nil {
-					return c.existingAuthSource, nil
-				}
-				return &auth.Source{
-					Type: auth.OAuth2,
-					Cfg:  &oauth2.Source{},
-				}, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthUpdateOauth().Flags
-		app.Action = service.updateOauth
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}
--- a/cmd/admin_auth_stmp.go
+++ b/cmd/admin_auth_stmp.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"strings"

@ -12,11 +11,11 @@ import (
 	"forgejo.org/modules/util"
 	"forgejo.org/services/auth/source/smtp"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func smtpCLIFlags() []cli.Flag {
-	return []cli.Flag{
+var (
+	smtpCLIFlags = []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Value: "",
@ -72,27 +71,23 @@ func smtpCLIFlags() []cli.Flag {
 			Value: true,
 		},
 	}
-}

-func microcmdAuthAddSMTP() *cli.Command {
-	return &cli.Command{
+	microcmdAuthAddSMTP = &cli.Command{
 		Name:   "add-smtp",
 		Usage:  "Add new SMTP authentication source",
 		Action: runAddSMTP,
-		Flags:  smtpCLIFlags(),
+		Flags:  smtpCLIFlags,
 	}
-}

-func microcmdAuthUpdateSMTP() *cli.Command {
-	return &cli.Command{
+	microcmdAuthUpdateSMTP = &cli.Command{
 		Name:   "update-smtp",
 		Usage:  "Update existing SMTP authentication source",
 		Action: runUpdateSMTP,
-		Flags:  append(smtpCLIFlags()[:1], append([]cli.Flag{idFlag()}, smtpCLIFlags()[1:]...)...),
+		Flags:  append(smtpCLIFlags[:1], append([]cli.Flag{idFlag}, smtpCLIFlags[1:]...)...),
 	}
-}
+)

-func parseSMTPConfig(c *cli.Command, conf *smtp.Source) error {
+func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
 	if c.IsSet("auth-type") {
 		conf.Auth = c.String("auth-type")
 		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
@ -128,8 +123,8 @@ func parseSMTPConfig(c *cli.Command, conf *smtp.Source) error {
 	return nil
 }

-func runAddSMTP(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runAddSMTP(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -168,12 +163,12 @@ func runAddSMTP(ctx context.Context, c *cli.Command) error {
 	})
 }

-func runUpdateSMTP(ctx context.Context, c *cli.Command) error {
+func runUpdateSMTP(c *cli.Context) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_regenerate.go
+++ b/cmd/admin_regenerate.go
@ -4,13 +4,11 @@
 package cmd

 import (
-	"context"
-
 	asymkey_model "forgejo.org/models/asymkey"
 	"forgejo.org/modules/graceful"
 	repo_service "forgejo.org/services/repository"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 var (
@ -27,8 +25,8 @@ var (
 	}
 )

-func runRegenerateHooks(ctx context.Context, _ *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRegenerateHooks(_ *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -37,8 +35,8 @@ func runRegenerateHooks(ctx context.Context, _ *cli.Command) error {
 	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }

-func runRegenerateKeys(ctx context.Context, _ *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRegenerateKeys(_ *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_user.go
+++ b/cmd/admin_user.go
@ -4,21 +4,18 @@
 package cmd

 import (
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func subcmdUser() *cli.Command {
-	return &cli.Command{
-		Name:  "user",
-		Usage: "Modify users",
-		Commands: []*cli.Command{
-			microcmdUserCreate(),
-			microcmdUserList(),
-			microcmdUserChangePassword(),
-			microcmdUserDelete(),
-			microcmdUserGenerateAccessToken(),
-			microcmdUserMustChangePassword(),
-			microcmdUserResetMFA(),
-		},
-	}
+var subcmdUser = &cli.Command{
+	Name:  "user",
+	Usage: "Modify users",
+	Subcommands: []*cli.Command{
+		microcmdUserCreate,
+		microcmdUserList,
+		microcmdUserChangePassword,
+		microcmdUserDelete,
+		microcmdUserGenerateAccessToken,
+		microcmdUserMustChangePassword,
+	},
 }
--- a/cmd/admin_user_change_password.go
+++ b/cmd/admin_user_change_password.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"

@ -14,42 +13,40 @@ import (
 	"forgejo.org/modules/setting"
 	user_service "forgejo.org/services/user"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserChangePassword() *cli.Command {
-	return &cli.Command{
-		Name:   "change-password",
-		Usage:  "Change a user's password",
-		Action: runChangePassword,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "username",
-				Aliases: []string{"u"},
-				Value:   "",
-				Usage:   "The user to change password for",
-			},
-			&cli.StringFlag{
-				Name:    "password",
-				Aliases: []string{"p"},
-				Value:   "",
-				Usage:   "New password to set for user",
-			},
-			&cli.BoolFlag{
-				Name:  "must-change-password",
-				Usage: "User must change password",
-				Value: true,
-			},
+var microcmdUserChangePassword = &cli.Command{
+	Name:   "change-password",
+	Usage:  "Change a user's password",
+	Action: runChangePassword,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "username",
+			Aliases: []string{"u"},
+			Value:   "",
+			Usage:   "The user to change password for",
 		},
-	}
+		&cli.StringFlag{
+			Name:    "password",
+			Aliases: []string{"p"},
+			Value:   "",
+			Usage:   "New password to set for user",
+		},
+		&cli.BoolFlag{
+			Name:  "must-change-password",
+			Usage: "User must change password",
+			Value: true,
+		},
+	},
 }

-func runChangePassword(ctx context.Context, c *cli.Command) error {
+func runChangePassword(c *cli.Context) error {
 	if err := argsSet(c, "username", "password"); err != nil {
 		return err
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -4,10 +4,8 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
-	"strings"

 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
@ -16,76 +14,61 @@ import (
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserCreate() *cli.Command {
-	return &cli.Command{
-		Name:   "create",
-		Usage:  "Create a new user in database",
-		Action: runCreateUser,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "name",
-				Usage: "Username. DEPRECATED: use username instead",
-			},
-			&cli.StringFlag{
-				Name:  "username",
-				Usage: "Username",
-			},
-			&cli.StringFlag{
-				Name:  "password",
-				Usage: "User password",
-			},
-			&cli.StringFlag{
-				Name:  "email",
-				Usage: "User email address",
-			},
-			&cli.BoolFlag{
-				Name:  "admin",
-				Usage: "User is an admin",
-			},
-			&cli.BoolFlag{
-				Name:  "random-password",
-				Usage: "Generate a random password for the user",
-			},
-			&cli.BoolFlag{
-				Name:  "must-change-password",
-				Usage: "Set this option to false to prevent forcing the user to change their password after initial login",
-				Value: true,
-			},
-			&cli.IntFlag{
-				Name:  "random-password-length",
-				Usage: "Length of the random password to be generated",
-				Value: 12,
-			},
-			&cli.BoolFlag{
-				Name:  "access-token",
-				Usage: "Generate access token for the user",
-			},
-			&cli.StringFlag{
-				Name:  "access-token-name",
-				Usage: `Name of the generated access token`,
-				Value: "gitea-admin",
-			},
-			&cli.StringFlag{
-				Name:  "access-token-scopes",
-				Usage: `Scopes of the generated access token, comma separated. Examples: "all", "public-only,read:issue", "write:repository,write:user"`,
-				Value: "all",
-			},
-			&cli.BoolFlag{
-				Name:  "restricted",
-				Usage: "Make a restricted user account",
-			},
-			&cli.StringFlag{
-				Name:  "fullname",
-				Usage: `The full, human-readable name of the user`,
-			},
+var microcmdUserCreate = &cli.Command{
+	Name:   "create",
+	Usage:  "Create a new user in database",
+	Action: runCreateUser,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:  "name",
+			Usage: "Username. DEPRECATED: use username instead",
 		},
-	}
+		&cli.StringFlag{
+			Name:  "username",
+			Usage: "Username",
+		},
+		&cli.StringFlag{
+			Name:  "password",
+			Usage: "User password",
+		},
+		&cli.StringFlag{
+			Name:  "email",
+			Usage: "User email address",
+		},
+		&cli.BoolFlag{
+			Name:  "admin",
+			Usage: "User is an admin",
+		},
+		&cli.BoolFlag{
+			Name:  "random-password",
+			Usage: "Generate a random password for the user",
+		},
+		&cli.BoolFlag{
+			Name:               "must-change-password",
+			Usage:              "Set this option to false to prevent forcing the user to change their password after initial login",
+			Value:              true,
+			DisableDefaultText: true,
+		},
+		&cli.IntFlag{
+			Name:  "random-password-length",
+			Usage: "Length of the random password to be generated",
+			Value: 12,
+		},
+		&cli.BoolFlag{
+			Name:  "access-token",
+			Usage: "Generate access token for the user",
+		},
+		&cli.BoolFlag{
+			Name:  "restricted",
+			Usage: "Make a restricted user account",
+		},
+	},
 }

-func runCreateUser(ctx context.Context, c *cli.Command) error {
+func runCreateUser(c *cli.Context) error {
 	// this command highly depends on the many setting options (create org, visibility, etc.), so it must have a full setting load first
 	// duplicate setting loading should be safe at the moment, but it should be refactored & improved in the future.
 	setting.LoadSettings()
@ -110,10 +93,10 @@ func runCreateUser(ctx context.Context, c *cli.Command) error {
 		username = c.String("username")
 	} else {
 		username = c.String("name")
-		_, _ = fmt.Fprint(c.Root().ErrWriter, "--name flag is deprecated. Use --username instead.\n")
+		_, _ = fmt.Fprintf(c.App.ErrWriter, "--name flag is deprecated. Use --username instead.\n")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -167,7 +150,6 @@ func runCreateUser(ctx context.Context, c *cli.Command) error {
 		IsAdmin:            isAdmin,
 		MustChangePassword: mustChangePassword,
 		Visibility:         visibility,
-		FullName:           c.String("fullname"),
 	}

 	overwriteDefault := &user_model.CreateUserOverwriteOptions{
@ -175,40 +157,23 @@ func runCreateUser(ctx context.Context, c *cli.Command) error {
 		IsRestricted: restricted,
 	}

-	var accessTokenName string
-	var accessTokenScope auth_model.AccessTokenScope
-	if c.IsSet("access-token") {
-		accessTokenName = strings.TrimSpace(c.String("access-token-name"))
-		if accessTokenName == "" {
-			return errors.New("access-token-name cannot be empty")
-		}
-		var err error
-		accessTokenScope, err = auth_model.AccessTokenScope(c.String("access-token-scopes")).Normalize()
-		if err != nil {
-			return fmt.Errorf("invalid access token scope provided: %w", err)
-		}
-		if !accessTokenScope.HasPermissionScope() {
-			return errors.New("access token does not have any permission")
-		}
-	} else if c.IsSet("access-token-name") || c.IsSet("access-token-scopes") {
-		return errors.New("access-token-name and access-token-scopes flags are only valid when access-token flag is set")
-	}
-
-	// arguments should be prepared before creating the user & access token, in case there is anything wrong
-
-	// create the user
 	if err := user_model.CreateUser(ctx, u, overwriteDefault); err != nil {
 		return fmt.Errorf("CreateUser: %w", err)
 	}
-	fmt.Printf("New user '%s' has been successfully created!\n", username)

-	// create the access token
-	if accessTokenScope != "" {
-		t := &auth_model.AccessToken{Name: accessTokenName, UID: u.ID, Scope: accessTokenScope}
+	if c.Bool("access-token") {
+		t := &auth_model.AccessToken{
+			Name: "gitea-admin",
+			UID:  u.ID,
+		}
+
 		if err := auth_model.NewAccessToken(ctx, t); err != nil {
 			return err
 		}
+
 		fmt.Printf("Access token was successfully created... %s\n", t.Token)
 	}
+
+	fmt.Printf("New user '%s' has been successfully created!\n", username)
 	return nil
 }
--- a/cmd/admin_user_delete.go
+++ b/cmd/admin_user_delete.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"
@ -13,43 +12,41 @@ import (
 	"forgejo.org/modules/storage"
 	user_service "forgejo.org/services/user"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserDelete() *cli.Command {
-	return &cli.Command{
-		Name:  "delete",
-		Usage: "Delete specific user by id, name or email",
-		Flags: []cli.Flag{
-			&cli.Int64Flag{
-				Name:  "id",
-				Usage: "ID of user of the user to delete",
-			},
-			&cli.StringFlag{
-				Name:    "username",
-				Aliases: []string{"u"},
-				Usage:   "Username of the user to delete",
-			},
-			&cli.StringFlag{
-				Name:    "email",
-				Aliases: []string{"e"},
-				Usage:   "Email of the user to delete",
-			},
-			&cli.BoolFlag{
-				Name:  "purge",
-				Usage: "Purge user, all their repositories, organizations and comments",
-			},
+var microcmdUserDelete = &cli.Command{
+	Name:  "delete",
+	Usage: "Delete specific user by id, name or email",
+	Flags: []cli.Flag{
+		&cli.Int64Flag{
+			Name:  "id",
+			Usage: "ID of user of the user to delete",
 		},
-		Action: runDeleteUser,
-	}
+		&cli.StringFlag{
+			Name:    "username",
+			Aliases: []string{"u"},
+			Usage:   "Username of the user to delete",
+		},
+		&cli.StringFlag{
+			Name:    "email",
+			Aliases: []string{"e"},
+			Usage:   "Email of the user to delete",
+		},
+		&cli.BoolFlag{
+			Name:  "purge",
+			Usage: "Purge user, all their repositories, organizations and comments",
+		},
+	},
+	Action: runDeleteUser,
 }

-func runDeleteUser(ctx context.Context, c *cli.Command) error {
+func runDeleteUser(c *cli.Context) error {
 	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
 		return errors.New("You must provide the id, username or email of a user to delete")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
--- a/cmd/admin_user_generate_access_token.go
+++ b/cmd/admin_user_generate_access_token.go
@ -4,52 +4,49 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"

 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserGenerateAccessToken() *cli.Command {
-	return &cli.Command{
-		Name:  "generate-access-token",
-		Usage: "Generate an access token for a specific user",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "username",
-				Aliases: []string{"u"},
-				Usage:   "Username",
-			},
-			&cli.StringFlag{
-				Name:    "token-name",
-				Aliases: []string{"t"},
-				Usage:   "Token name",
-				Value:   "gitea-admin",
-			},
-			&cli.BoolFlag{
-				Name:  "raw",
-				Usage: "Display only the token value",
-			},
-			&cli.StringFlag{
-				Name:  "scopes",
-				Value: "all",
-				Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
-			},
+var microcmdUserGenerateAccessToken = &cli.Command{
+	Name:  "generate-access-token",
+	Usage: "Generate an access token for a specific user",
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "username",
+			Aliases: []string{"u"},
+			Usage:   "Username",
 		},
-		Action: runGenerateAccessToken,
-	}
+		&cli.StringFlag{
+			Name:    "token-name",
+			Aliases: []string{"t"},
+			Usage:   "Token name",
+			Value:   "gitea-admin",
+		},
+		&cli.BoolFlag{
+			Name:  "raw",
+			Usage: "Display only the token value",
+		},
+		&cli.StringFlag{
+			Name:  "scopes",
+			Value: "",
+			Usage: "Comma separated list of scopes to apply to access token",
+		},
+	},
+	Action: runGenerateAccessToken,
 }

-func runGenerateAccessToken(ctx context.Context, c *cli.Command) error {
+func runGenerateAccessToken(c *cli.Context) error {
 	if !c.IsSet("username") {
-		return errors.New("you must provide a username to generate a token for")
+		return errors.New("You must provide a username to generate a token for")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -80,9 +77,6 @@ func runGenerateAccessToken(ctx context.Context, c *cli.Command) error {
 	if err != nil {
 		return fmt.Errorf("invalid access token scope provided: %w", err)
 	}
-	if !accessTokenScope.HasPermissionScope() {
-		return errors.New("access token does not have any permission")
-	}
 	t.Scope = accessTokenScope

 	// create the token
--- a/cmd/admin_user_list.go
+++ b/cmd/admin_user_list.go
@ -4,32 +4,29 @@
 package cmd

 import (
-	"context"
 	"fmt"
 	"os"
 	"text/tabwriter"

 	user_model "forgejo.org/models/user"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserList() *cli.Command {
-	return &cli.Command{
-		Name:   "list",
-		Usage:  "List users",
-		Action: runListUsers,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:  "admin",
-				Usage: "List only admin users",
-			},
+var microcmdUserList = &cli.Command{
+	Name:   "list",
+	Usage:  "List users",
+	Action: runListUsers,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "admin",
+			Usage: "List only admin users",
 		},
-	}
+	},
 }

-func runListUsers(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runListUsers(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(ctx); err != nil {
@ -44,7 +41,7 @@ func runListUsers(ctx context.Context, c *cli.Command) error {
 	w := tabwriter.NewWriter(os.Stdout, 5, 0, 1, ' ', 0)

 	if c.IsSet("admin") {
-		fmt.Fprint(w, "ID\tUsername\tEmail\tIsActive\n")
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\n")
 		for _, u := range users {
 			if u.IsAdmin {
 				fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", u.ID, u.Name, u.Email, u.IsActive)
@ -52,7 +49,7 @@ func runListUsers(ctx context.Context, c *cli.Command) error {
 		}
 	} else {
 		twofa := user_model.UserList(users).GetTwoFaStatus(ctx)
-		fmt.Fprint(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
 		for _, u := range users {
 			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin, twofa[u.ID])
 		}
--- a/cmd/admin_user_must_change_password.go
+++ b/cmd/admin_user_must_change_password.go
@ -4,41 +4,38 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"

 	user_model "forgejo.org/models/user"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func microcmdUserMustChangePassword() *cli.Command {
-	return &cli.Command{
-		Name:   "must-change-password",
-		Usage:  "Set the must change password flag for the provided users or all users",
-		Action: runMustChangePassword,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:    "all",
-				Aliases: []string{"A"},
-				Usage:   "All users must change password, except those explicitly excluded with --exclude",
-			},
-			&cli.StringSliceFlag{
-				Name:    "exclude",
-				Aliases: []string{"e"},
-				Usage:   "Do not change the must-change-password flag for these users",
-			},
-			&cli.BoolFlag{
-				Name:  "unset",
-				Usage: "Instead of setting the must-change-password flag, unset it",
-			},
+var microcmdUserMustChangePassword = &cli.Command{
+	Name:   "must-change-password",
+	Usage:  "Set the must change password flag for the provided users or all users",
+	Action: runMustChangePassword,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:    "all",
+			Aliases: []string{"A"},
+			Usage:   "All users must change password, except those explicitly excluded with --exclude",
 		},
-	}
+		&cli.StringSliceFlag{
+			Name:    "exclude",
+			Aliases: []string{"e"},
+			Usage:   "Do not change the must-change-password flag for these users",
+		},
+		&cli.BoolFlag{
+			Name:  "unset",
+			Usage: "Instead of setting the must-change-password flag, unset it",
+		},
+	},
 }

-func runMustChangePassword(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runMustChangePassword(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	if c.NArg() == 0 && !c.IsSet("all") {
--- a/cmd/admin_user_reset_mfa.go
+++ b/cmd/admin_user_reset_mfa.go
@ -1,73 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"fmt"
-
-	auth_model "forgejo.org/models/auth"
-	user_model "forgejo.org/models/user"
-
-	"github.com/urfave/cli/v3"
-)
-
-func microcmdUserResetMFA() *cli.Command {
-	return &cli.Command{
-		Name:   "reset-mfa",
-		Usage:  "Remove all two-factor authentication configurations for a user",
-		Action: runResetMFA,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "username",
-				Aliases: []string{"u"},
-				Value:   "",
-				Usage:   "The user to update",
-			},
-		},
-	}
-}
-
-func runResetMFA(ctx context.Context, c *cli.Command) error {
-	if err := argsSet(c, "username"); err != nil {
-		return err
-	}
-
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	user, err := user_model.GetUserByName(ctx, c.String("username"))
-	if err != nil {
-		return err
-	}
-
-	webAuthnList, err := auth_model.GetWebAuthnCredentialsByUID(ctx, user.ID)
-	if err != nil {
-		return err
-	}
-
-	for _, credential := range webAuthnList {
-		if _, err := auth_model.DeleteCredential(ctx, credential.ID, user.ID); err != nil {
-			return err
-		}
-	}
-
-	tfaModes, err := auth_model.GetTwoFactorByUID(ctx, user.ID)
-	if err == nil && tfaModes != nil {
-		if err := auth_model.DeleteTwoFactorByID(ctx, tfaModes.ID, user.ID); err != nil {
-			return err
-		}
-	} else {
-		if _, is := err.(auth_model.ErrTwoFactorNotEnrolled); !is {
-			return err
-		}
-	}
-
-	fmt.Printf("%s's two-factor authentication settings have been removed!\n", user.Name)
-	return nil
-}
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -6,7 +6,6 @@
 package cmd

 import (
-	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@ -21,49 +20,47 @@ import (
 	"strings"
 	"time"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdCert represents the available cert sub-command.
-func cmdCert() *cli.Command {
-	return &cli.Command{
-		Name:  "cert",
-		Usage: "Generate self-signed certificate",
-		Description: `Generate a self-signed X.509 certificate for a TLS server.
+var CmdCert = &cli.Command{
+	Name:  "cert",
+	Usage: "Generate self-signed certificate",
+	Description: `Generate a self-signed X.509 certificate for a TLS server.
 Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
-		Action: runCert,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "host",
-				Value: "",
-				Usage: "Comma-separated hostnames and IPs to generate a certificate for",
-			},
-			&cli.StringFlag{
-				Name:  "ecdsa-curve",
-				Value: "",
-				Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",
-			},
-			&cli.IntFlag{
-				Name:  "rsa-bits",
-				Value: 3072,
-				Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
-			},
-			&cli.StringFlag{
-				Name:  "start-date",
-				Value: "",
-				Usage: "Creation date formatted as Jan 1 15:04:05 2011",
-			},
-			&cli.DurationFlag{
-				Name:  "duration",
-				Value: 365 * 24 * time.Hour,
-				Usage: "Duration that certificate is valid for",
-			},
-			&cli.BoolFlag{
-				Name:  "ca",
-				Usage: "whether this cert should be its own Certificate Authority",
-			},
+	Action: runCert,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:  "host",
+			Value: "",
+			Usage: "Comma-separated hostnames and IPs to generate a certificate for",
 		},
-	}
+		&cli.StringFlag{
+			Name:  "ecdsa-curve",
+			Value: "",
+			Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",
+		},
+		&cli.IntFlag{
+			Name:  "rsa-bits",
+			Value: 3072,
+			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
+		},
+		&cli.StringFlag{
+			Name:  "start-date",
+			Value: "",
+			Usage: "Creation date formatted as Jan 1 15:04:05 2011",
+		},
+		&cli.DurationFlag{
+			Name:  "duration",
+			Value: 365 * 24 * time.Hour,
+			Usage: "Duration that certificate is valid for",
+		},
+		&cli.BoolFlag{
+			Name:  "ca",
+			Usage: "whether this cert should be its own Certificate Authority",
+		},
+	},
 }

 func publicKey(priv any) any {
@ -92,7 +89,7 @@ func pemBlockForKey(priv any) *pem.Block {
 	}
 }

-func runCert(ctx context.Context, c *cli.Command) error {
+func runCert(c *cli.Context) error {
 	if err := argsSet(c, "host"); err != nil {
 		return err
 	}
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -20,21 +20,19 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // argsSet checks that all the required arguments are set. args is a list of
 // arguments that must be set in the passed Context.
-func argsSet(c *cli.Command, args ...string) error {
+func argsSet(c *cli.Context, args ...string) error {
 	for _, a := range args {
 		if !c.IsSet(a) {
 			return errors.New(a + " is not set")
 		}

-		if s, ok := c.Value(a).(string); ok {
-			if util.IsEmptyString(s) {
-				return errors.New(a + " is required")
-			}
+		if util.IsEmptyString(c.String(a)) {
+			return errors.New(a + " is required")
 		}
 	}
 	return nil
@ -75,8 +73,8 @@ If this is the intended configuration file complete the [database] section.`, se
 	return nil
 }

-func installSignals(ctx context.Context) (context.Context, context.CancelFunc) {
-	ctx, cancel := context.WithCancel(ctx)
+func installSignals() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
 		// install notify
 		signalChannel := make(chan os.Signal, 1)
@ -111,7 +109,7 @@ func setupConsoleLogger(level log.Level, colorize bool, out io.Writer) {
 	log.GetManager().GetLogger(log.DEFAULT).ReplaceAllWriters(writer)
 }

-func globalBool(c *cli.Command, name string) bool {
+func globalBool(c *cli.Context, name string) bool {
 	for _, ctx := range c.Lineage() {
 		if ctx.Bool(name) {
 			return true
@ -122,16 +120,16 @@ func globalBool(c *cli.Command, name string) bool {

 // PrepareConsoleLoggerLevel by default, use INFO level for console logger, but some sub-commands (for git/ssh protocol) shouldn't output any log to stdout.
 // Any log appears in git stdout pipe will break the git protocol, eg: client can't push and hangs forever.
-func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(ctx context.Context, cli *cli.Command) (context.Context, error) {
-	return func(ctx context.Context, cli *cli.Command) (context.Context, error) {
+func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(*cli.Context) error {
+	return func(c *cli.Context) error {
 		level := defaultLevel
-		if globalBool(cli, "quiet") {
+		if globalBool(c, "quiet") {
 			level = log.FATAL
 		}
-		if globalBool(cli, "debug") || globalBool(cli, "verbose") {
+		if globalBool(c, "debug") || globalBool(c, "verbose") {
 			level = log.TRACE
 		}
 		log.SetConsoleLogger(log.DEFAULT, "console-default", level)
-		return ctx, nil
+		return nil
 	}
 }
--- a/cmd/docs.go
+++ b/cmd/docs.go
@ -0,0 +1,65 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/urfave/cli/v2"
+)
+
+// CmdDocs represents the available docs sub-command.
+var CmdDocs = &cli.Command{
+	Name:        "docs",
+	Usage:       "Output CLI documentation",
+	Description: "A command to output Forgejo's CLI documentation, optionally to a file.",
+	Action:      runDocs,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "man",
+			Usage: "Output man pages instead",
+		},
+		&cli.StringFlag{
+			Name:    "output",
+			Aliases: []string{"o"},
+			Usage:   "Path to output to instead of stdout (will overwrite if exists)",
+		},
+	},
+}
+
+func runDocs(ctx *cli.Context) error {
+	docs, err := ctx.App.ToMarkdown()
+	if ctx.Bool("man") {
+		docs, err = ctx.App.ToMan()
+	}
+	if err != nil {
+		return err
+	}
+
+	if !ctx.Bool("man") {
+		// Clean up markdown. The following bug was fixed in v2, but is present in v1.
+		// It affects markdown output (even though the issue is referring to man pages)
+		// https://github.com/urfave/cli/issues/1040
+		firstHashtagIndex := strings.Index(docs, "#")
+
+		if firstHashtagIndex > 0 {
+			docs = docs[firstHashtagIndex:]
+		}
+	}
+
+	out := os.Stdout
+	if ctx.String("output") != "" {
+		fi, err := os.Create(ctx.String("output"))
+		if err != nil {
+			return err
+		}
+		defer fi.Close()
+		out = fi
+	}
+
+	_, err = fmt.Fprintln(out, docs)
+	return err
+}
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"fmt"
 	golog "log"
 	"os"
@ -20,86 +19,81 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/services/doctor"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
+	"xorm.io/xorm"
 )

 // CmdDoctor represents the available doctor sub-command.
-func cmdDoctor() *cli.Command {
-	return &cli.Command{
-		Name:        "doctor",
-		Usage:       "Diagnose and optionally fix problems, convert or re-create database tables",
-		Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
+var CmdDoctor = &cli.Command{
+	Name:        "doctor",
+	Usage:       "Diagnose and optionally fix problems, convert or re-create database tables",
+	Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",

-		Commands: []*cli.Command{
-			cmdDoctorCheck(),
-			cmdRecreateTable(),
-			cmdDoctorConvert(),
-		},
-	}
+	Subcommands: []*cli.Command{
+		cmdDoctorCheck,
+		cmdRecreateTable,
+		cmdDoctorConvert,
+	},
 }

-func cmdDoctorCheck() *cli.Command {
-	return &cli.Command{
-		Name:        "check",
-		Usage:       "Diagnose and optionally fix problems",
-		Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-		Action:      runDoctorCheck,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:  "list",
-				Usage: "List the available checks",
-			},
-			&cli.BoolFlag{
-				Name:  "default",
-				Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
-			},
-			&cli.StringSliceFlag{
-				Name:  "run",
-				Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
-			},
-			&cli.BoolFlag{
-				Name:  "all",
-				Usage: "Run all the available checks",
-			},
-			&cli.BoolFlag{
-				Name:  "fix",
-				Usage: "Automatically fix what we can",
-			},
-			&cli.StringFlag{
-				Name:  "log-file",
-				Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
-			},
-			&cli.BoolFlag{
-				Name:    "color",
-				Aliases: []string{"H"},
-				Usage:   "Use color for outputted information",
-			},
+var cmdDoctorCheck = &cli.Command{
+	Name:        "check",
+	Usage:       "Diagnose and optionally fix problems",
+	Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
+	Action:      runDoctorCheck,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "list",
+			Usage: "List the available checks",
 		},
-	}
+		&cli.BoolFlag{
+			Name:  "default",
+			Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
+		},
+		&cli.StringSliceFlag{
+			Name:  "run",
+			Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
+		},
+		&cli.BoolFlag{
+			Name:  "all",
+			Usage: "Run all the available checks",
+		},
+		&cli.BoolFlag{
+			Name:  "fix",
+			Usage: "Automatically fix what we can",
+		},
+		&cli.StringFlag{
+			Name:  "log-file",
+			Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
+		},
+		&cli.BoolFlag{
+			Name:    "color",
+			Aliases: []string{"H"},
+			Usage:   "Use color for outputted information",
+		},
+	},
 }

-func cmdRecreateTable() *cli.Command {
-	return &cli.Command{
-		Name:      "recreate-table",
-		Usage:     "Recreate tables from XORM definitions and copy the data.",
-		ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:  "debug",
-				Usage: "Print SQL commands sent",
-			},
+var cmdRecreateTable = &cli.Command{
+	Name:      "recreate-table",
+	Usage:     "Recreate tables from XORM definitions and copy the data.",
+	ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "debug",
+			Usage: "Print SQL commands sent",
 		},
-		Description: `The database definitions Forgejo uses change across versions, sometimes changing default values and leaving old unused columns.
+	},
+	Description: `The database definitions Forgejo uses change across versions, sometimes changing default values and leaving old unused columns.

 This command will cause Xorm to recreate tables, copying over the data and deleting the old table.

 You should back-up your database before doing this and ensure that your database is up-to-date first.`,
-		Action: runRecreateTable,
-	}
+	Action: runRecreateTable,
 }

-func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {
-	stdCtx, cancel := installSignals(stdCtx)
+func runRecreateTable(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	// Redirect the default golog to here
@ -126,7 +120,7 @@ func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {

 	args := ctx.Args()
 	names := make([]string, 0, ctx.NArg())
-	for i := range ctx.NArg() {
+	for i := 0; i < ctx.NArg(); i++ {
 		names = append(names, args.Get(i))
 	}

@ -136,31 +130,24 @@ func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {
 	}
 	recreateTables := migrate_base.RecreateTables(beans...)

-	return db.InitEngineWithMigration(stdCtx, func(x db.Engine) error {
-		engine, err := db.GetMasterEngine(x)
-		if err != nil {
+	return db.InitEngineWithMigration(stdCtx, func(x *xorm.Engine) error {
+		if err := migrations.EnsureUpToDate(x); err != nil {
 			return err
 		}
-
-		if err := migrations.EnsureUpToDate(engine); err != nil {
-			return err
-		}
-
-		return recreateTables(engine)
+		return recreateTables(x)
 	})
 }

-func setupDoctorDefaultLogger(ctx *cli.Command, colorize bool) {
+func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
 	// Silence the default loggers
 	setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)

 	logFile := ctx.String("log-file")
-	switch logFile {
-	case "":
+	if logFile == "" {
 		return // if no doctor log-file is set, do not show any log from default logger
-	case "-":
+	} else if logFile == "-" {
 		setupConsoleLogger(log.TRACE, colorize, os.Stdout)
-	default:
+	} else {
 		logFile, _ = filepath.Abs(logFile)
 		writeMode := log.WriterMode{Level: log.TRACE, WriterOption: log.WriterFileOption{FileName: logFile}}
 		writer, err := log.NewEventWriter("console-to-file", "file", writeMode)
@ -172,8 +159,8 @@ func setupDoctorDefaultLogger(ctx *cli.Command, colorize bool) {
 	}
 }

-func runDoctorCheck(stdCtx context.Context, ctx *cli.Command) error {
-	stdCtx, cancel := installSignals(stdCtx)
+func runDoctorCheck(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	colorize := log.CanColorStdout
--- a/cmd/doctor_convert.go
+++ b/cmd/doctor_convert.go
@ -4,28 +4,25 @@
 package cmd

 import (
-	"context"
 	"fmt"

 	"forgejo.org/models/db"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // cmdDoctorConvert represents the available convert sub-command.
-func cmdDoctorConvert() *cli.Command {
-	return &cli.Command{
-		Name:        "convert",
-		Usage:       "Convert the database",
-		Description: "A command to convert an existing MySQL database from utf8 to utf8mb4",
-		Action:      runDoctorConvert,
-	}
+var cmdDoctorConvert = &cli.Command{
+	Name:        "convert",
+	Usage:       "Convert the database",
+	Description: "A command to convert an existing MySQL database from utf8 to utf8mb4",
+	Action:      runDoctorConvert,
 }

-func runDoctorConvert(stdCtx context.Context, ctx *cli.Command) error {
-	stdCtx, cancel := installSignals(stdCtx)
+func runDoctorConvert(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(stdCtx); err != nil {
--- a/cmd/doctor_test.go
+++ b/cmd/doctor_test.go
@ -11,7 +11,7 @@ import (
 	"forgejo.org/services/doctor"

 	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func TestDoctorRun(t *testing.T) {
@ -22,12 +22,12 @@ func TestDoctorRun(t *testing.T) {

 		SkipDatabaseInitialization: true,
 	})
-	app := cli.Command{}
-	app.Commands = []*cli.Command{cmdDoctorCheck()}
-	err := app.Run(t.Context(), []string{"./gitea", "check", "--run", "test-check"})
+	app := cli.NewApp()
+	app.Commands = []*cli.Command{cmdDoctorCheck}
+	err := app.Run([]string{"./gitea", "check", "--run", "test-check"})
 	require.NoError(t, err)
-	err = app.Run(t.Context(), []string{"./gitea", "check", "--run", "no-such"})
+	err = app.Run([]string{"./gitea", "check", "--run", "no-such"})
 	require.ErrorContains(t, err, `unknown checks: "no-such"`)
-	err = app.Run(t.Context(), []string{"./gitea", "check", "--run", "test-check,no-such"})
+	err = app.Run([]string{"./gitea", "check", "--run", "test-check,no-such"})
 	require.ErrorContains(t, err, `unknown checks: "no-such"`)
 }
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -5,15 +5,12 @@
 package cmd

 import (
-	"context"
-	"errors"
 	"fmt"
-	"io/fs"
+	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
-	"sync"
 	"time"

 	"forgejo.org/models/db"
@ -24,43 +21,36 @@ import (
 	"forgejo.org/modules/util"

 	"code.forgejo.org/go-chi/session"
-	"github.com/mholt/archives"
-	"github.com/urfave/cli/v3"
+	"github.com/mholt/archiver/v3"
+	"github.com/urfave/cli/v2"
 )

-func addObject(archiveJobs chan archives.ArchiveAsyncJob, object fs.File, customName string, verbose bool) error {
+func addReader(w archiver.Writer, r io.ReadCloser, info os.FileInfo, customName string, verbose bool) error {
 	if verbose {
 		log.Info("Adding file %s", customName)
 	}

-	info, err := object.Stat()
-	if err != nil {
-		return err
-	}
-
-	ch := make(chan error)
-
-	archiveJobs <- archives.ArchiveAsyncJob{
-		File: archives.FileInfo{
-			FileInfo:      info,
-			NameInArchive: customName,
-			Open: func() (fs.File, error) {
-				return object, nil
-			},
+	return w.Write(archiver.File{
+		FileInfo: archiver.FileInfo{
+			FileInfo:   info,
+			CustomName: customName,
 		},
-		Result: ch,
-	}
-
-	return <-ch
+		ReadCloser: r,
+	})
 }

-func addFile(archiveJobs chan archives.ArchiveAsyncJob, filePath, absPath string, verbose bool) error {
-	file, err := os.Open(absPath) // Closed by archiver
+func addFile(w archiver.Writer, filePath, absPath string, verbose bool) error {
+	file, err := os.Open(absPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	fileInfo, err := file.Stat()
 	if err != nil {
 		return err
 	}

-	return addObject(archiveJobs, file, filePath, verbose)
+	return addReader(w, file, fileInfo, filePath, verbose)
 }

 func isSubdir(upper, lower string) (bool, error) {
@ -93,10 +83,6 @@ func (o *outputType) Set(value string) error {
 	return fmt.Errorf("allowed values are %s", o.Join())
 }

-func (o *outputType) Get() any {
-	return o.String()
-}
-
 func (o outputType) String() string {
 	if o.selected == "" {
 		return o.Default
@ -109,130 +95,81 @@ var outputTypeEnum = &outputType{
 	Default: "zip",
 }

-func getArchiverByType(outType string) (archives.ArchiverAsync, error) {
-	var archiver archives.ArchiverAsync
-	switch outType {
-	case "zip":
-		archiver = archives.Zip{}
-	case "tar":
-		archiver = archives.Tar{}
-	case "tar.sz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Sz{},
-		}
-	case "tar.gz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Gz{},
-		}
-	case "tar.xz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Xz{},
-		}
-	case "tar.bz2":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Bz2{},
-		}
-	case "tar.br":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Brotli{},
-		}
-	case "tar.lz4":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Lz4{},
-		}
-	case "tar.zst":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Zstd{},
-		}
-	default:
-		return nil, fmt.Errorf("unsupported output type: %s", outType)
-	}
-	return archiver, nil
-}
-
 // CmdDump represents the available dump sub-command.
-func cmdDump() *cli.Command {
-	return &cli.Command{
-		Name:  "dump",
-		Usage: "Dump Forgejo files and database",
-		Description: `Dump compresses all related files and database into zip file.
+var CmdDump = &cli.Command{
+	Name:  "dump",
+	Usage: "Dump Forgejo files and database",
+	Description: `Dump compresses all related files and database into zip file.
 It can be used for backup and capture Forgejo server image to send to maintainer`,
-		Action: runDump,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "file",
-				Aliases: []string{"f"},
-				Value:   fmt.Sprintf("forgejo-dump-%d.zip", time.Now().Unix()),
-				Usage:   "Name of the dump file which will be created. Supply '-' for stdout. See type for available types.",
-			},
-			&cli.BoolFlag{
-				Name:    "verbose",
-				Aliases: []string{"V"},
-				Usage:   "Show process details",
-			},
-			&cli.BoolFlag{
-				Name:    "quiet",
-				Aliases: []string{"q"},
-				Usage:   "Only display warnings and errors",
-			},
-			&cli.StringFlag{
-				Name:    "tempdir",
-				Aliases: []string{"t"},
-				Usage:   "Temporary dir path",
-			},
-			&cli.StringFlag{
-				Name:    "database",
-				Aliases: []string{"d"},
-				Usage:   "Specify the database SQL syntax: sqlite3, mysql, postgres",
-			},
-			&cli.BoolFlag{
-				Name:    "skip-repository",
-				Aliases: []string{"R"},
-				Usage:   "Skip repositories",
-			},
-			&cli.BoolFlag{
-				Name:    "skip-log",
-				Aliases: []string{"L"},
-				Usage:   "Skip logs",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-custom-dir",
-				Usage: "Skip custom directory",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-lfs-data",
-				Usage: "Skip LFS data",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-attachment-data",
-				Usage: "Skip attachment data",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-package-data",
-				Usage: "Skip package data",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-index",
-				Usage: "Skip bleve index data",
-			},
-			&cli.BoolFlag{
-				Name:  "skip-repo-archives",
-				Usage: "Skip repository archives",
-			},
-			&cli.GenericFlag{
-				Name:  "type",
-				Value: outputTypeEnum,
-				Usage: fmt.Sprintf("Dump output format: %s", outputTypeEnum.Join()),
-			},
+	Action: runDump,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "file",
+			Aliases: []string{"f"},
+			Value:   fmt.Sprintf("forgejo-dump-%d.zip", time.Now().Unix()),
+			Usage:   "Name of the dump file which will be created. Supply '-' for stdout. See type for available types.",
 		},
-	}
+		&cli.BoolFlag{
+			Name:    "verbose",
+			Aliases: []string{"V"},
+			Usage:   "Show process details",
+		},
+		&cli.BoolFlag{
+			Name:    "quiet",
+			Aliases: []string{"q"},
+			Usage:   "Only display warnings and errors",
+		},
+		&cli.StringFlag{
+			Name:    "tempdir",
+			Aliases: []string{"t"},
+			Value:   os.TempDir(),
+			Usage:   "Temporary dir path",
+		},
+		&cli.StringFlag{
+			Name:    "database",
+			Aliases: []string{"d"},
+			Usage:   "Specify the database SQL syntax: sqlite3, mysql, postgres",
+		},
+		&cli.BoolFlag{
+			Name:    "skip-repository",
+			Aliases: []string{"R"},
+			Usage:   "Skip repositories",
+		},
+		&cli.BoolFlag{
+			Name:    "skip-log",
+			Aliases: []string{"L"},
+			Usage:   "Skip logs",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-custom-dir",
+			Usage: "Skip custom directory",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-lfs-data",
+			Usage: "Skip LFS data",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-attachment-data",
+			Usage: "Skip attachment data",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-package-data",
+			Usage: "Skip package data",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-index",
+			Usage: "Skip bleve index data",
+		},
+		&cli.BoolFlag{
+			Name:  "skip-repo-archives",
+			Usage: "Skip repository archives",
+		},
+		&cli.GenericFlag{
+			Name:  "type",
+			Value: outputTypeEnum,
+			Usage: fmt.Sprintf("Dump output format: %s", outputTypeEnum.Join()),
+		},
+	},
 }

 func fatal(format string, args ...any) {
@ -240,7 +177,7 @@ func fatal(format string, args ...any) {
 	log.Fatal(format, args...)
 }

-func runDump(stdCtx context.Context, ctx *cli.Command) error {
+func runDump(ctx *cli.Context) error {
 	var file *os.File
 	fileName := ctx.String("file")
 	outType := ctx.String("type")
@ -276,16 +213,16 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {

 	if !setting.InstallLock {
 		log.Error("Is '%s' really the right config path?\n", setting.CustomConf)
-		return errors.New("forgejo is not initialized")
+		return fmt.Errorf("forgejo is not initialized")
 	}
 	setting.LoadSettings() // cannot access session settings otherwise

 	verbose := ctx.Bool("verbose")
 	if verbose && ctx.Bool("quiet") {
-		return errors.New("--quiet and --verbose cannot both be set")
+		return fmt.Errorf("--quiet and --verbose cannot both be set")
 	}

-	stdCtx, cancel := installSignals(stdCtx)
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	err := db.InitEngine(stdCtx)
@ -310,211 +247,59 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		return err
 	}

-	archiveJobs := make(chan archives.ArchiveAsyncJob)
-	wg := sync.WaitGroup{}
-	archiver, err := getArchiverByType(outType)
+	var iface any
+	if fileName == "-" {
+		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))
+	} else {
+		iface, err = archiver.ByExtension(fileName)
+	}
 	if err != nil {
 		fatal("Failed to get archiver for extension: %v", err)
 	}

+	w, _ := iface.(archiver.Writer)
+	if err := w.Create(file); err != nil {
+		fatal("Creating archiver.Writer failed: %v", err)
+	}
+	defer w.Close()
+
 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
 		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
-		wg.Add(1)
-		go dumpRepos(ctx, archiveJobs, &wg, absFileName, verbose)
-	}
+		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
+			fatal("Failed to include repositories: %v", err)
+		}

-	wg.Add(1)
-	go dumpDatabase(ctx, archiveJobs, &wg, verbose)
-
-	if len(setting.CustomConf) > 0 {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			log.Info("Adding custom configuration file from %s", setting.CustomConf)
-			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
-				fatal("Failed to include specified app.ini: %v", err)
+		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
+			log.Info("Skipping LFS data")
+		} else if !setting.LFS.StartServer {
+			log.Info("LFS not enabled - skipping")
+		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
+			info, err := object.Stat()
+			if err != nil {
+				return err
 			}
-		}()
-	}

-	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
-		log.Info("Skipping custom directory")
-	} else {
-		wg.Add(1)
-		go dumpCustom(archiveJobs, &wg, absFileName, verbose)
-	}
-
-	isExist, err := util.IsExist(setting.AppDataPath)
-	if err != nil {
-		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
-	}
-	if isExist {
-		log.Info("Packing data directory...%s", setting.AppDataPath)
-
-		wg.Add(1)
-		go dumpData(ctx, archiveJobs, &wg, absFileName, verbose)
-	}
-
-	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skipping attachment data")
-	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
-				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
-			}); err != nil {
-				fatal("Failed to dump attachments: %v", err)
-			}
-		}()
-	}
-
-	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skipping package data")
-	} else if !setting.Packages.Enabled {
-		log.Info("Package registry not enabled - skipping")
-	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
-				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
-			}); err != nil {
-				fatal("Failed to dump packages: %v", err)
-			}
-		}()
-	}
-
-	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
-	// ensuring that it's clear the dump is skipped whether the directory's initialized
-	// yet or not.
-	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skipping log files")
-	} else {
-		isExist, err := util.IsExist(setting.Log.RootPath)
-		if err != nil {
-			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
-		}
-		if isExist {
-			wg.Add(1)
-			go func() {
-				defer wg.Done()
-				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
-					fatal("Failed to include log: %v", err)
-				}
-			}()
+			return addReader(w, object, info, path.Join("data", "lfs", objPath), verbose)
+		}); err != nil {
+			fatal("Failed to dump LFS objects: %v", err)
 		}
 	}

-	// Wait for all jobs to finish before closing the channel
-	// ArchiveAsync will only return after the channel is closed
-	go func() {
-		wg.Wait()
-		close(archiveJobs)
-	}()
-
-	if err := archiver.ArchiveAsync(stdCtx, file, archiveJobs); err != nil {
-		_ = util.Remove(fileName)
-
-		fatal("Archiving failed: %v", err)
-	}
-
-	if fileName != "-" {
-		if err := os.Chmod(fileName, 0o600); err != nil {
-			log.Info("Can't change file access permissions mask to 0600: %v", err)
-		}
-
-		log.Info("Finished dumping in file %s", fileName)
-	} else {
-		log.Info("Finished dumping to stdout")
-	}
-
-	return nil
-}
-
-func dumpData(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	var excludes []string
-	if setting.SessionConfig.OriginalProvider == "file" {
-		var opts session.Options
-		if err := json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
-			fatal("Failed to parse session config: %v", err)
-		}
-		excludes = append(excludes, opts.ProviderConfig)
-	}
-
-	if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
-		log.Info("Skipping bleve index data")
-		excludes = append(excludes, setting.Indexer.RepoPath)
-		excludes = append(excludes, setting.Indexer.IssuePath)
-	}
-
-	if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
-		log.Info("Skipping repository archives data")
-		excludes = append(excludes, setting.RepoArchive.Storage.Path)
-	}
-
-	excludes = append(excludes, setting.RepoRootPath)
-	excludes = append(excludes, setting.LFS.Storage.Path)
-	excludes = append(excludes, setting.Attachment.Storage.Path)
-	excludes = append(excludes, setting.Packages.Storage.Path)
-	excludes = append(excludes, setting.Log.RootPath)
-	excludes = append(excludes, absFileName)
-	if err := addRecursiveExclude(archiveJobs, "data", setting.AppDataPath, excludes, verbose); err != nil {
-		fatal("Failed to include data directory: %v", err)
-	}
-}
-
-func dumpCustom(archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	customDir, err := os.Stat(setting.CustomPath)
-	if err == nil && customDir.IsDir() {
-		if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
-			if err := addRecursiveExclude(archiveJobs, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
-				fatal("Failed to include custom: %v", err)
-			}
-		} else {
-			log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
-		}
-	} else {
-		log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
-	}
-}
-
-func dumpDatabase(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, verbose bool) {
-	defer wg.Done()
-
-	var err error
 	tmpDir := ctx.String("tempdir")
-	if tmpDir == "" {
-		tmpDir, err = os.MkdirTemp("", "forgejo-dump-*")
-		if err != nil {
-			fatal("Failed to create temporary directory: %v", err)
-		}
-
-		defer func() {
-			if err := util.Remove(tmpDir); err != nil {
-				log.Warn("Failed to remove temporary directory: %s: Error: %v", tmpDir, err)
-			}
-		}()
-	}
-
 	if _, err := os.Stat(tmpDir); os.IsNotExist(err) {
 		fatal("Path does not exist: %s", tmpDir)
 	}

 	dbDump, err := os.CreateTemp(tmpDir, "forgejo-db.sql")
 	if err != nil {
-		fatal("Failed to create temporary file: %v", err)
+		fatal("Failed to create tmp file: %v", err)
 	}
 	defer func() {
 		_ = dbDump.Close()
 		if err := util.Remove(dbDump.Name()); err != nil {
-			log.Warn("Failed to remove temporary database file: %s: Error: %v", dbDump.Name(), err)
+			log.Warn("Failed to remove temporary file: %s: Error: %v", dbDump.Name(), err)
 		}
 	}()

@ -529,32 +314,139 @@ func dumpDatabase(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, w
 		fatal("Failed to dump database: %v", err)
 	}

-	if err := addFile(archiveJobs, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
+	if err := addFile(w, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
 		fatal("Failed to include forgejo-db.sql: %v", err)
 	}
-}

-func dumpRepos(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	if err := addRecursiveExclude(archiveJobs, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
-		fatal("Failed to include repositories: %v", err)
+	if len(setting.CustomConf) > 0 {
+		log.Info("Adding custom configuration file from %s", setting.CustomConf)
+		if err := addFile(w, "app.ini", setting.CustomConf, verbose); err != nil {
+			fatal("Failed to include specified app.ini: %v", err)
+		}
 	}

-	if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-		log.Info("Skipping LFS data")
-	} else if !setting.LFS.StartServer {
-		log.Info("LFS not enabled - skipping")
-	} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
-		return addObject(archiveJobs, object, path.Join("data", "lfs", objPath), verbose)
+	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
+		log.Info("Skipping custom directory")
+	} else {
+		customDir, err := os.Stat(setting.CustomPath)
+		if err == nil && customDir.IsDir() {
+			if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
+				if err := addRecursiveExclude(w, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
+					fatal("Failed to include custom: %v", err)
+				}
+			} else {
+				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
+			}
+		} else {
+			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
+		}
+	}
+
+	isExist, err := util.IsExist(setting.AppDataPath)
+	if err != nil {
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
+	}
+	if isExist {
+		log.Info("Packing data directory...%s", setting.AppDataPath)
+
+		var excludes []string
+		if setting.SessionConfig.OriginalProvider == "file" {
+			var opts session.Options
+			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
+				return err
+			}
+			excludes = append(excludes, opts.ProviderConfig)
+		}
+
+		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			log.Info("Skipping bleve index data")
+			excludes = append(excludes, setting.Indexer.RepoPath)
+			excludes = append(excludes, setting.Indexer.IssuePath)
+		}
+
+		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
+			log.Info("Skipping repository archives data")
+			excludes = append(excludes, setting.RepoArchive.Storage.Path)
+		}
+
+		excludes = append(excludes, setting.RepoRootPath)
+		excludes = append(excludes, setting.LFS.Storage.Path)
+		excludes = append(excludes, setting.Attachment.Storage.Path)
+		excludes = append(excludes, setting.Packages.Storage.Path)
+		excludes = append(excludes, setting.Log.RootPath)
+		excludes = append(excludes, absFileName)
+		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
+			fatal("Failed to include data directory: %v", err)
+		}
+	}
+
+	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
+		log.Info("Skipping attachment data")
+	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
+		info, err := object.Stat()
+		if err != nil {
+			return err
+		}
+
+		return addReader(w, object, info, path.Join("data", "attachments", objPath), verbose)
 	}); err != nil {
-		fatal("Failed to dump LFS objects: %v", err)
+		fatal("Failed to dump attachments: %v", err)
 	}
+
+	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
+		log.Info("Skipping package data")
+	} else if !setting.Packages.Enabled {
+		log.Info("Package registry not enabled - skipping")
+	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
+		info, err := object.Stat()
+		if err != nil {
+			return err
+		}
+
+		return addReader(w, object, info, path.Join("data", "packages", objPath), verbose)
+	}); err != nil {
+		fatal("Failed to dump packages: %v", err)
+	}
+
+	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
+	// ensuring that it's clear the dump is skipped whether the directory's initialized
+	// yet or not.
+	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
+		log.Info("Skipping log files")
+	} else {
+		isExist, err := util.IsExist(setting.Log.RootPath)
+		if err != nil {
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
+		}
+		if isExist {
+			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
+				fatal("Failed to include log: %v", err)
+			}
+		}
+	}
+
+	if fileName != "-" {
+		if err = w.Close(); err != nil {
+			_ = util.Remove(fileName)
+			fatal("Failed to save %s: %v", fileName, err)
+		}
+
+		if err := os.Chmod(fileName, 0o600); err != nil {
+			log.Info("Can't change file access permissions mask to 0600: %v", err)
+		}
+	}
+
+	if fileName != "-" {
+		log.Info("Finish dumping in file %s", fileName)
+	} else {
+		log.Info("Finish dumping to stdout")
+	}
+
+	return nil
 }

 // addRecursiveExclude zips absPath to specified insidePath inside writer excluding excludeAbsPath
-// archives.FilesFromDisk doesn't support excluding files, so we have to do it manually
-func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
+func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
 	absPath, err := filepath.Abs(absPath)
 	if err != nil {
 		return err
@ -579,11 +471,10 @@ func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath,
 		}

 		if file.IsDir() {
-			if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, false); err != nil {
+			if err := addFile(w, currentInsidePath, currentAbsPath, false); err != nil {
 				return err
 			}
-
-			if err := addRecursiveExclude(archiveJobs, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
+			if err = addRecursiveExclude(w, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
 				return err
 			}
 		} else {
@ -601,7 +492,7 @@ func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath,
 				shouldAdd = targetStat.Mode().IsRegular()
 			}
 			if shouldAdd {
-				if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, verbose); err != nil {
+				if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
 					return err
 				}
 			}
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -19,75 +19,68 @@ import (
 	"forgejo.org/services/convert"
 	"forgejo.org/services/migrations"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdDumpRepository represents the available dump repository sub-command.
-func cmdDumpRepository() *cli.Command {
-	return &cli.Command{
-		Name:        "dump-repo",
-		Usage:       "Dump the repository from git/github/gitea/gitlab",
-		Description: "This is a command for dumping the repository data.",
-		Action:      runDumpRepository,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "git_service",
-				Value: "",
-				Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
-			},
-			&cli.StringFlag{
-				Name:    "repo_dir",
-				Aliases: []string{"r"},
-				Value:   "./data",
-				Usage:   "Repository dir path to store the data",
-			},
-			&cli.StringFlag{
-				Name:  "clone_addr",
-				Value: "",
-				Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
-			},
-			&cli.StringFlag{
-				Name:  "auth_username",
-				Value: "",
-				Usage: "The username to visit the clone_addr",
-			},
-			&cli.StringFlag{
-				Name:  "auth_password",
-				Value: "",
-				Usage: "The password to visit the clone_addr",
-			},
-			&cli.StringFlag{
-				Name:  "auth_token",
-				Value: "",
-				Usage: "The personal token to visit the clone_addr",
-			},
-			&cli.StringFlag{
-				Name:  "owner_name",
-				Value: "",
-				Usage: "The data will be stored on a directory with owner name if not empty",
-			},
-			&cli.StringFlag{
-				Name:  "repo_name",
-				Value: "",
-				Usage: "The data will be stored on a directory with repository name if not empty",
-			},
-			&cli.StringFlag{
-				Name:  "units",
-				Value: "",
-				Usage: `Which items will be migrated, one or more units should be separated as comma.
-wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
-			},
+var CmdDumpRepository = &cli.Command{
+	Name:        "dump-repo",
+	Usage:       "Dump the repository from git/github/gitea/gitlab",
+	Description: "This is a command for dumping the repository data.",
+	Action:      runDumpRepository,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:  "git_service",
+			Value: "",
+			Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
 		},
-	}
+		&cli.StringFlag{
+			Name:    "repo_dir",
+			Aliases: []string{"r"},
+			Value:   "./data",
+			Usage:   "Repository dir path to store the data",
+		},
+		&cli.StringFlag{
+			Name:  "clone_addr",
+			Value: "",
+			Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
+		},
+		&cli.StringFlag{
+			Name:  "auth_username",
+			Value: "",
+			Usage: "The username to visit the clone_addr",
+		},
+		&cli.StringFlag{
+			Name:  "auth_password",
+			Value: "",
+			Usage: "The password to visit the clone_addr",
+		},
+		&cli.StringFlag{
+			Name:  "auth_token",
+			Value: "",
+			Usage: "The personal token to visit the clone_addr",
+		},
+		&cli.StringFlag{
+			Name:  "owner_name",
+			Value: "",
+			Usage: "The data will be stored on a directory with owner name if not empty",
+		},
+		&cli.StringFlag{
+			Name:  "repo_name",
+			Value: "",
+			Usage: "The data will be stored on a directory with repository name if not empty",
+		},
+		&cli.StringFlag{
+			Name:  "units",
+			Value: "",
+			Usage: `Which items will be migrated, one or more units should be separated as comma.
+wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
+		},
+	},
 }

-func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
-	setupConsoleLogger(log.INFO, log.CanColorStderr, os.Stderr)
-
-	// setting.DisableLoggerInit()
-	setting.LoadSettings() // cannot access skip_tls_verify settings otherwise
-
-	stdCtx, cancel := installSignals(stdCtx)
+func runDumpRepository(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(stdCtx); err != nil {
--- a/cmd/dump_test.go
+++ b/cmd/dump_test.go
@ -4,32 +4,40 @@
 package cmd

 import (
+	"io"
 	"os"
 	"testing"

-	"github.com/mholt/archives"
+	"github.com/mholt/archiver/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-func mockArchiverAsync(ch chan archives.ArchiveAsyncJob, files *[]string) {
-	for job := range ch {
-		*files = append(*files, job.File.NameInArchive)
-		job.Result <- nil
-	}
+type mockArchiver struct {
+	addedFiles []string
+}
+
+func (mockArchiver) Create(out io.Writer) error {
+	return nil
+}
+
+func (m *mockArchiver) Write(f archiver.File) error {
+	m.addedFiles = append(m.addedFiles, f.Name())
+	return nil
+}
+
+func (mockArchiver) Close() error {
+	return nil
 }

 func TestAddRecursiveExclude(t *testing.T) {
 	t.Run("Empty", func(t *testing.T) {
-		ch := make(chan archives.ArchiveAsyncJob)
-		var files []string
-		go mockArchiverAsync(ch, &files)
-
 		dir := t.TempDir()
+		archiver := &mockArchiver{}

-		err := addRecursiveExclude(ch, "", dir, []string{}, false)
+		err := addRecursiveExclude(archiver, "", dir, []string{}, false)
 		require.NoError(t, err)
-		assert.Empty(t, files)
+		assert.Empty(t, archiver.addedFiles)
 	})

 	t.Run("Single file", func(t *testing.T) {
@ -38,25 +46,20 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)

 		t.Run("No exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, nil, false)
+			err = addRecursiveExclude(archiver, "", dir, nil, false)
 			require.NoError(t, err)
-
-			assert.Len(t, files, 1)
-			assert.Contains(t, files, "example")
+			assert.Len(t, archiver.addedFiles, 1)
+			assert.Contains(t, archiver.addedFiles, "example")
 		})

 		t.Run("With exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/example"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/example"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, files)
+			assert.Empty(t, archiver.addedFiles)
 		})
 	})

@ -70,57 +73,46 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)

 		t.Run("No exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, nil, false)
+			err = addRecursiveExclude(archiver, "", dir, nil, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 5)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
-			assert.Contains(t, files, "deep/nested/folder")
-			assert.Contains(t, files, "deep/nested/folder/example")
-			assert.Contains(t, files, "deep/nested/folder/another-file")
+			assert.Len(t, archiver.addedFiles, 5)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/example")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})

 		t.Run("Exclude first directory", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, files)
+			assert.Empty(t, archiver.addedFiles)
 		})

 		t.Run("Exclude nested directory", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder"}, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 2)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
+			assert.Len(t, archiver.addedFiles, 2)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
 		})

 		t.Run("Exclude file", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}

-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 4)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
-			assert.Contains(t, files, "deep/nested/folder")
-			assert.Contains(t, files, "deep/nested/folder/another-file")
+			assert.Len(t, archiver.addedFiles, 4)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})
 	})
 }
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"os"
@ -20,25 +19,23 @@ import (
 	"forgejo.org/modules/util"

 	"github.com/gobwas/glob"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdEmbedded represents the available extract sub-command.
-func cmdEmbedded() *cli.Command {
-	return &cli.Command{
+var (
+	CmdEmbedded = &cli.Command{
 		Name:        "embedded",
 		Usage:       "Extract embedded resources",
 		Description: "A command for extracting embedded resources, like templates and images",
-		Commands: []*cli.Command{
-			subcmdList(),
-			subcmdView(),
-			subcmdExtract(),
+		Subcommands: []*cli.Command{
+			subcmdList,
+			subcmdView,
+			subcmdExtract,
 		},
 	}
-}

-func subcmdList() *cli.Command {
-	return &cli.Command{
+	subcmdList = &cli.Command{
 		Name:   "list",
 		Usage:  "List files matching the given pattern",
 		Action: runList,
@ -50,10 +47,8 @@ func subcmdList() *cli.Command {
 			},
 		},
 	}
-}

-func subcmdView() *cli.Command {
-	return &cli.Command{
+	subcmdView = &cli.Command{
 		Name:   "view",
 		Usage:  "View a file matching the given pattern",
 		Action: runView,
@ -65,10 +60,8 @@ func subcmdView() *cli.Command {
 			},
 		},
 	}
-}

-func subcmdExtract() *cli.Command {
-	return &cli.Command{
+	subcmdExtract = &cli.Command{
 		Name:   "extract",
 		Usage:  "Extract resources",
 		Action: runExtract,
@ -97,9 +90,9 @@ func subcmdExtract() *cli.Command {
 			},
 		},
 	}
-}

-var matchedAssetFiles []assetFile
+	matchedAssetFiles []assetFile
+)

 type assetFile struct {
 	fs   *assetfs.LayeredFS
@ -107,7 +100,7 @@ type assetFile struct {
 	path string
 }

-func initEmbeddedExtractor(_ context.Context, c *cli.Command) error {
+func initEmbeddedExtractor(c *cli.Context) error {
 	setupConsoleLogger(log.ERROR, log.CanColorStderr, os.Stderr)

 	patterns, err := compileCollectPatterns(c.Args().Slice())
@ -122,32 +115,32 @@ func initEmbeddedExtractor(_ context.Context, c *cli.Command) error {
 	return nil
 }

-func runList(ctx context.Context, c *cli.Command) error {
-	if err := runListDo(ctx, c); err != nil {
+func runList(c *cli.Context) error {
+	if err := runListDo(c); err != nil {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }

-func runView(ctx context.Context, c *cli.Command) error {
-	if err := runViewDo(ctx, c); err != nil {
+func runView(c *cli.Context) error {
+	if err := runViewDo(c); err != nil {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }

-func runExtract(ctx context.Context, c *cli.Command) error {
-	if err := runExtractDo(ctx, c); err != nil {
+func runExtract(c *cli.Context) error {
+	if err := runExtractDo(c); err != nil {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }

-func runListDo(ctx context.Context, c *cli.Command) error {
-	if err := initEmbeddedExtractor(ctx, c); err != nil {
+func runListDo(c *cli.Context) error {
+	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}

@ -158,8 +151,8 @@ func runListDo(ctx context.Context, c *cli.Command) error {
 	return nil
 }

-func runViewDo(ctx context.Context, c *cli.Command) error {
-	if err := initEmbeddedExtractor(ctx, c); err != nil {
+func runViewDo(c *cli.Context) error {
+	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}

@ -181,8 +174,8 @@ func runViewDo(ctx context.Context, c *cli.Command) error {
 	return nil
 }

-func runExtractDo(ctx context.Context, c *cli.Command) error {
-	if err := initEmbeddedExtractor(ctx, c); err != nil {
+func runExtractDo(c *cli.Context) error {
+	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}

@ -278,7 +271,7 @@ func extractAsset(d string, a assetFile, overwrite, rename bool) error {
 	return nil
 }

-func collectAssetFilesByPattern(c *cli.Command, globs []glob.Glob, path string, layer *assetfs.Layer) {
+func collectAssetFilesByPattern(c *cli.Context, globs []glob.Glob, path string, layer *assetfs.Layer) {
 	fs := assetfs.Layered(layer)
 	files, err := fs.ListAllFiles(".", true)
 	if err != nil {
--- a/cmd/forgejo/actions.go
+++ b/cmd/forgejo/actions.go
@ -6,7 +6,6 @@ package forgejo
 import (
 	"context"
 	"encoding/hex"
-	"errors"
 	"fmt"
 	"io"
 	"os"
@ -17,14 +16,14 @@ import (
 	"forgejo.org/modules/setting"
 	private_routers "forgejo.org/routers/private"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func CmdActions(ctx context.Context) *cli.Command {
 	return &cli.Command{
 		Name:  "actions",
 		Usage: "Commands for managing Forgejo Actions",
-		Commands: []*cli.Command{
+		Subcommands: []*cli.Command{
 			SubcmdActionsGenerateRunnerToken(ctx),
 			SubcmdActionsGenerateRunnerSecret(ctx),
 			SubcmdActionsRegister(ctx),
@ -37,7 +36,7 @@ func SubcmdActionsGenerateRunnerToken(ctx context.Context) *cli.Command {
 		Name:   "generate-runner-token",
 		Usage:  "Generate a new token for a runner to use to register with the server",
 		Before: prepareWorkPathAndCustomConf(ctx),
-		Action: RunGenerateActionsRunnerToken,
+		Action: func(cliCtx *cli.Context) error { return RunGenerateActionsRunnerToken(ctx, cliCtx) },
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "scope",
@ -53,7 +52,7 @@ func SubcmdActionsGenerateRunnerSecret(ctx context.Context) *cli.Command {
 	return &cli.Command{
 		Name:   "generate-secret",
 		Usage:  "Generate a secret suitable for input to the register subcommand",
-		Action: RunGenerateSecret,
+		Action: func(cliCtx *cli.Context) error { return RunGenerateSecret(ctx, cliCtx) },
 	}
 }

@ -62,7 +61,7 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 		Name:   "register",
 		Usage:  "Idempotent registration of a runner using a shared secret",
 		Before: prepareWorkPathAndCustomConf(ctx),
-		Action: RunRegister,
+		Action: func(cliCtx *cli.Context) error { return RunRegister(ctx, cliCtx) },
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:  "secret",
@ -106,26 +105,26 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 	}
 }

-func readSecret(ctx context.Context, cli *cli.Command) (string, error) {
-	if cli.IsSet("secret") {
-		return cli.String("secret"), nil
+func readSecret(ctx context.Context, cliCtx *cli.Context) (string, error) {
+	if cliCtx.IsSet("secret") {
+		return cliCtx.String("secret"), nil
 	}
-	if cli.IsSet("secret-stdin") {
+	if cliCtx.IsSet("secret-stdin") {
 		buf, err := io.ReadAll(ContextGetStdin(ctx))
 		if err != nil {
 			return "", err
 		}
 		return string(buf), nil
 	}
-	if cli.IsSet("secret-file") {
-		path := cli.String("secret-file")
+	if cliCtx.IsSet("secret-file") {
+		path := cliCtx.String("secret-file")
 		buf, err := os.ReadFile(path)
 		if err != nil {
 			return "", err
 		}
 		return string(buf), nil
 	}
-	return "", errors.New("at least one of the --secret, --secret-stdin, --secret-file options is required")
+	return "", fmt.Errorf("at least one of the --secret, --secret-stdin, --secret-file options is required")
 }

 func validateSecret(secret string) error {
@ -139,18 +138,18 @@ func validateSecret(secret string) error {
 	return nil
 }

-func getLabels(cli *cli.Command) (*[]string, error) {
-	if !cli.Bool("keep-labels") {
-		lblValue := strings.Split(cli.String("labels"), ",")
+func getLabels(cliCtx *cli.Context) (*[]string, error) {
+	if !cliCtx.Bool("keep-labels") {
+		lblValue := strings.Split(cliCtx.String("labels"), ",")
 		return &lblValue, nil
 	}
-	if cli.String("labels") != "" {
-		return nil, errors.New("--labels and --keep-labels should not be used together")
+	if cliCtx.String("labels") != "" {
+		return nil, fmt.Errorf("--labels and --keep-labels should not be used together")
 	}
 	return nil, nil
 }

-func RunRegister(ctx context.Context, cli *cli.Command) error {
+func RunRegister(ctx context.Context, cliCtx *cli.Context) error {
 	var cancel context.CancelFunc
 	if !ContextGetNoInit(ctx) {
 		ctx, cancel = installSignals(ctx)
@ -162,17 +161,17 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 	}
 	setting.MustInstalled()

-	secret, err := readSecret(ctx, cli)
+	secret, err := readSecret(ctx, cliCtx)
 	if err != nil {
 		return err
 	}
 	if err := validateSecret(secret); err != nil {
 		return err
 	}
-	scope := cli.String("scope")
-	name := cli.String("name")
-	version := cli.String("version")
-	labels, err := getLabels(cli)
+	scope := cliCtx.String("scope")
+	name := cliCtx.String("name")
+	version := cliCtx.String("version")
+	labels, err := getLabels(cliCtx)
 	if err != nil {
 		return err
 	}
@ -210,7 +209,7 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 	return nil
 }

-func RunGenerateSecret(ctx context.Context, cli *cli.Command) error {
+func RunGenerateSecret(ctx context.Context, cliCtx *cli.Context) error {
 	runner := actions_model.ActionRunner{}
 	if err := runner.GenerateToken(); err != nil {
 		return err
@ -221,7 +220,7 @@ func RunGenerateSecret(ctx context.Context, cli *cli.Command) error {
 	return nil
 }

-func RunGenerateActionsRunnerToken(ctx context.Context, cli *cli.Command) error {
+func RunGenerateActionsRunnerToken(ctx context.Context, cliCtx *cli.Context) error {
 	if !ContextGetNoInit(ctx) {
 		var cancel context.CancelFunc
 		ctx, cancel = installSignals(ctx)
@ -230,7 +229,7 @@ func RunGenerateActionsRunnerToken(ctx context.Context, cli *cli.Command) error

 	setting.MustInstalled()

-	scope := cli.String("scope")
+	scope := cliCtx.String("scope")

 	respText, extra := private.GenerateActionsRunnerToken(ctx, scope)
 	if extra.HasError() {
--- a/cmd/forgejo/actions_test.go
+++ b/cmd/forgejo/actions_test.go
@ -4,13 +4,14 @@
 package forgejo

 import (
-	"context"
 	"fmt"
 	"testing"

+	"forgejo.org/services/context"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func TestActions_getLabels(t *testing.T) {
@ -53,21 +54,21 @@ func TestActions_getLabels(t *testing.T) {
 		},
 	}

-	flags := SubcmdActionsRegister(t.Context()).Flags
+	flags := SubcmdActionsRegister(context.Context{}).Flags
 	for _, c := range cases {
 		t.Run(fmt.Sprintf("args: %v", c.args), func(t *testing.T) {
 			// Create a copy of command to test
 			var result *resultType
-			app := cli.Command{}
+			app := cli.NewApp()
 			app.Flags = flags
-			app.Action = func(_ context.Context, ctx *cli.Command) error {
+			app.Action = func(ctx *cli.Context) error {
 				labels, err := getLabels(ctx)
 				result = &resultType{labels, err}
 				return nil
 			}

 			// Run it
-			_ = app.Run(t.Context(), c.args)
+			_ = app.Run(c.args)

 			// Test the results
 			require.NotNil(t, result)
--- a/cmd/forgejo/f3.go
+++ b/cmd/forgejo/f3.go
@ -20,7 +20,7 @@ import (
 	f3_cmd "code.forgejo.org/f3/gof3/v3/cmd"
 	f3_logger "code.forgejo.org/f3/gof3/v3/logger"
 	f3_util "code.forgejo.org/f3/gof3/v3/util"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func CmdF3(ctx context.Context) *cli.Command {
@ -28,21 +28,21 @@ func CmdF3(ctx context.Context) *cli.Command {
 	return &cli.Command{
 		Name:  "f3",
 		Usage: "F3",
-		Commands: []*cli.Command{
+		Subcommands: []*cli.Command{
 			SubcmdF3Mirror(ctx),
 		},
 	}
 }

 func SubcmdF3Mirror(ctx context.Context) *cli.Command {
-	mirrorCmd := f3_cmd.CreateCmdMirror()
+	mirrorCmd := f3_cmd.CreateCmdMirror(ctx)
 	mirrorCmd.Before = prepareWorkPathAndCustomConf(ctx)
 	f3Action := mirrorCmd.Action
-	mirrorCmd.Action = func(ctx context.Context, cli *cli.Command) error { return runMirror(ctx, cli, f3Action) }
+	mirrorCmd.Action = func(c *cli.Context) error { return runMirror(ctx, c, f3Action) }
 	return mirrorCmd
 }

-func runMirror(ctx context.Context, c *cli.Command, action cli.ActionFunc) error {
+func runMirror(ctx context.Context, c *cli.Context, action cli.ActionFunc) error {
 	setting.LoadF3Setting()
 	if !setting.F3.Enabled {
 		return errors.New("F3 is disabled, it is not ready to be used and is only present for development purposes")
@ -69,7 +69,7 @@ func runMirror(ctx context.Context, c *cli.Command, action cli.ActionFunc) error
 		}
 	}

-	err := action(ctx, c)
+	err := action(c)
 	if panicError, ok := err.(f3_util.PanicError); ok {
 		log.Debug("F3 Stack trace\n%s", panicError.Stack())
 	}
--- a/cmd/forgejo/forgejo.go
+++ b/cmd/forgejo/forgejo.go
@ -16,7 +16,7 @@ import (
 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 type key int
@ -34,7 +34,7 @@ func CmdForgejo(ctx context.Context) *cli.Command {
 		Name:  "forgejo-cli",
 		Usage: "Forgejo CLI",
 		Flags: []cli.Flag{},
-		Commands: []*cli.Command{
+		Subcommands: []*cli.Command{
 			CmdActions(ctx),
 			CmdF3(ctx),
 		},
@ -147,12 +147,12 @@ func handleCliResponseExtra(ctx context.Context, extra private.ResponseExtra) er
 	return cli.Exit(extra.Error, 1)
 }

-func prepareWorkPathAndCustomConf(ctx context.Context) func(ctx context.Context, cli *cli.Command) (context.Context, error) {
-	return func(ctx context.Context, cli *cli.Command) (context.Context, error) {
+func prepareWorkPathAndCustomConf(ctx context.Context) func(c *cli.Context) error {
+	return func(c *cli.Context) error {
 		if !ContextGetNoInit(ctx) {
 			var args setting.ArgWorkPathAndCustomConf
 			// from children to parent, check the global flags
-			for _, curCtx := range cli.Lineage() {
+			for _, curCtx := range c.Lineage() {
 				if curCtx.IsSet("work-path") && args.WorkPath == "" {
 					args.WorkPath = curCtx.String("work-path")
 				}
@ -165,6 +165,6 @@ func prepareWorkPathAndCustomConf(ctx context.Context) func(ctx context.Context,
 			}
 			setting.InitWorkPathAndCommonConfig(os.Getenv, args)
 		}
-		return ctx, nil
+		return nil
 	}
 }
--- a/cmd/generate.go
+++ b/cmd/generate.go
@ -5,65 +5,56 @@
 package cmd

 import (
-	"context"
 	"fmt"
 	"os"

 	"forgejo.org/modules/generate"

 	"github.com/mattn/go-isatty"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-// CmdGenerate represents the available generate sub-command.
-func cmdGenerate() *cli.Command {
-	return &cli.Command{
+var (
+	// CmdGenerate represents the available generate sub-command.
+	CmdGenerate = &cli.Command{
 		Name:  "generate",
 		Usage: "Generate Gitea's secrets/keys/tokens",
-		Commands: []*cli.Command{
-			subcmdSecret(),
+		Subcommands: []*cli.Command{
+			subcmdSecret,
 		},
 	}
-}

-func subcmdSecret() *cli.Command {
-	return &cli.Command{
+	subcmdSecret = &cli.Command{
 		Name:  "secret",
 		Usage: "Generate a secret token",
-		Commands: []*cli.Command{
-			microcmdGenerateInternalToken(),
-			microcmdGenerateLfsJwtSecret(),
-			microcmdGenerateSecretKey(),
+		Subcommands: []*cli.Command{
+			microcmdGenerateInternalToken,
+			microcmdGenerateLfsJwtSecret,
+			microcmdGenerateSecretKey,
 		},
 	}
-}

-func microcmdGenerateInternalToken() *cli.Command {
-	return &cli.Command{
+	microcmdGenerateInternalToken = &cli.Command{
 		Name:   "INTERNAL_TOKEN",
 		Usage:  "Generate a new INTERNAL_TOKEN",
 		Action: runGenerateInternalToken,
 	}
-}

-func microcmdGenerateLfsJwtSecret() *cli.Command {
-	return &cli.Command{
+	microcmdGenerateLfsJwtSecret = &cli.Command{
 		Name:    "JWT_SECRET",
 		Aliases: []string{"LFS_JWT_SECRET"},
 		Usage:   "Generate a new JWT_SECRET",
 		Action:  runGenerateLfsJwtSecret,
 	}
-}

-func microcmdGenerateSecretKey() *cli.Command {
-	return &cli.Command{
+	microcmdGenerateSecretKey = &cli.Command{
 		Name:   "SECRET_KEY",
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
 	}
-}
+)

-func runGenerateInternalToken(ctx context.Context, c *cli.Command) error {
+func runGenerateInternalToken(c *cli.Context) error {
 	internalToken, err := generate.NewInternalToken()
 	if err != nil {
 		return err
@ -72,25 +63,28 @@ func runGenerateInternalToken(ctx context.Context, c *cli.Command) error {
 	fmt.Printf("%s", internalToken)

 	if isatty.IsTerminal(os.Stdout.Fd()) {
-		fmt.Println()
+		fmt.Printf("\n")
 	}

 	return nil
 }

-func runGenerateLfsJwtSecret(ctx context.Context, c *cli.Command) error {
-	_, jwtSecretBase64 := generate.NewJwtSecret()
+func runGenerateLfsJwtSecret(c *cli.Context) error {
+	_, jwtSecretBase64, err := generate.NewJwtSecret()
+	if err != nil {
+		return err
+	}

 	fmt.Printf("%s", jwtSecretBase64)

 	if isatty.IsTerminal(os.Stdout.Fd()) {
-		fmt.Print("\n")
+		fmt.Printf("\n")
 	}

 	return nil
 }

-func runGenerateSecretKey(ctx context.Context, c *cli.Command) error {
+func runGenerateSecretKey(c *cli.Context) error {
 	secretKey, err := generate.NewSecretKey()
 	if err != nil {
 		return err
@ -99,7 +93,7 @@ func runGenerateSecretKey(ctx context.Context, c *cli.Command) error {
 	fmt.Printf("%s", secretKey)

 	if isatty.IsTerminal(os.Stdout.Fd()) {
-		fmt.Print("\n")
+		fmt.Printf("\n")
 	}

 	return nil
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -21,31 +21,29 @@ import (
 	repo_module "forgejo.org/modules/repository"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 const (
 	hookBatchSize = 30
 )

-// CmdHook represents the available hooks sub-command.
-func cmdHook() *cli.Command {
-	return &cli.Command{
+var (
+	// CmdHook represents the available hooks sub-command.
+	CmdHook = &cli.Command{
 		Name:        "hook",
 		Usage:       "(internal) Should only be called by Git",
 		Description: "Delegate commands to corresponding Git hooks",
 		Before:      PrepareConsoleLoggerLevel(log.FATAL),
-		Commands: []*cli.Command{
-			subcmdHookPreReceive(),
-			subcmdHookUpdate(),
-			subcmdHookPostReceive(),
-			subcmdHookProcReceive(),
+		Subcommands: []*cli.Command{
+			subcmdHookPreReceive,
+			subcmdHookUpdate,
+			subcmdHookPostReceive,
+			subcmdHookProcReceive,
 		},
 	}
-}

-func subcmdHookPreReceive() *cli.Command {
-	return &cli.Command{
+	subcmdHookPreReceive = &cli.Command{
 		Name:        "pre-receive",
 		Usage:       "Delegate pre-receive Git hook",
 		Description: "This command should only be called by Git",
@ -56,10 +54,7 @@ func subcmdHookPreReceive() *cli.Command {
 			},
 		},
 	}
-}
-
-func subcmdHookUpdate() *cli.Command {
-	return &cli.Command{
+	subcmdHookUpdate = &cli.Command{
 		Name:        "update",
 		Usage:       "Delegate update Git hook",
 		Description: "This command should only be called by Git",
@ -70,10 +65,7 @@ func subcmdHookUpdate() *cli.Command {
 			},
 		},
 	}
-}
-
-func subcmdHookPostReceive() *cli.Command {
-	return &cli.Command{
+	subcmdHookPostReceive = &cli.Command{
 		Name:        "post-receive",
 		Usage:       "Delegate post-receive Git hook",
 		Description: "This command should only be called by Git",
@ -84,11 +76,8 @@ func subcmdHookPostReceive() *cli.Command {
 			},
 		},
 	}
-}
-
-// Note: new hook since git 2.29
-func subcmdHookProcReceive() *cli.Command {
-	return &cli.Command{
+	// Note: new hook since git 2.29
+	subcmdHookProcReceive = &cli.Command{
 		Name:        "proc-receive",
 		Usage:       "Delegate proc-receive Git hook",
 		Description: "This command should only be called by Git",
@ -99,7 +88,7 @@ func subcmdHookProcReceive() *cli.Command {
 			},
 		},
 	}
-}
+)

 type delayWriter struct {
 	internal io.Writer
@ -172,14 +161,14 @@ func (n *nilWriter) WriteString(s string) (int, error) {
 	return len(s), nil
 }

-func runHookPreReceive(ctx context.Context, c *cli.Command) error {
+func runHookPreReceive(c *cli.Context) error {
 	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
 		return nil
 	}
-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), true)
+	setup(ctx, c.Bool("debug"))

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
@ -231,6 +220,11 @@ Forgejo or set your environment appropriately.`, "")
 		}
 	}

+	supportProcReceive := false
+	if git.CheckGitVersionAtLeast("2.29") == nil {
+		supportProcReceive = true
+	}
+
 	for scanner.Scan() {
 		// TODO: support news feeds for wiki
 		if isWiki {
@ -248,28 +242,34 @@ Forgejo or set your environment appropriately.`, "")
 		total++
 		lastline++

-		// All references should be checked because permission check was delayed.
-		oldCommitIDs[count] = oldCommitID
-		newCommitIDs[count] = newCommitID
-		refFullNames[count] = refFullName
-		count++
-		fmt.Fprint(out, "*")
+		// If the ref is a branch or tag, check if it's protected
+		// if supportProcReceive all ref should be checked because
+		// permission check was delayed
+		if supportProcReceive || refFullName.IsBranch() || refFullName.IsTag() {
+			oldCommitIDs[count] = oldCommitID
+			newCommitIDs[count] = newCommitID
+			refFullNames[count] = refFullName
+			count++
+			fmt.Fprintf(out, "*")

-		if count >= hookBatchSize {
-			fmt.Fprintf(out, " Checking %d references\n", count)
+			if count >= hookBatchSize {
+				fmt.Fprintf(out, " Checking %d references\n", count)

-			hookOptions.OldCommitIDs = oldCommitIDs
-			hookOptions.NewCommitIDs = newCommitIDs
-			hookOptions.RefFullNames = refFullNames
-			extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
-			if extra.HasError() {
-				return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
+				hookOptions.OldCommitIDs = oldCommitIDs
+				hookOptions.NewCommitIDs = newCommitIDs
+				hookOptions.RefFullNames = refFullNames
+				extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
+				if extra.HasError() {
+					return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
+				}
+				count = 0
+				lastline = 0
 			}
-			count = 0
-			lastline = 0
+		} else {
+			fmt.Fprintf(out, ".")
 		}
 		if lastline >= hookBatchSize {
-			fmt.Fprint(out, "\n")
+			fmt.Fprintf(out, "\n")
 			lastline = 0
 		}
 	}
@ -286,7 +286,7 @@ Forgejo or set your environment appropriately.`, "")
 			return fail(ctx, extra.UserMsg, "HookPreReceive(last) failed: %v", extra.Error)
 		}
 	} else if lastline > 0 {
-		fmt.Fprint(out, "\n")
+		fmt.Fprintf(out, "\n")
 	}

 	fmt.Fprintf(out, "Checked %d references in total\n", total)
@ -294,13 +294,13 @@ Forgejo or set your environment appropriately.`, "")
 }

 // runHookUpdate process the update hook: https://git-scm.com/docs/githooks#update
-func runHookUpdate(ctx context.Context, c *cli.Command) error {
+func runHookUpdate(c *cli.Context) error {
 	// Now if we're an internal don't do anything else
 	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
 		return nil
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	if c.NArg() != 3 {
@ -326,11 +326,11 @@ func runHookUpdate(ctx context.Context, c *cli.Command) error {
 	return fail(ctx, fmt.Sprintf("The modification of %s is skipped as it's an internal reference.", refFullName), "")
 }

-func runHookPostReceive(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runHookPostReceive(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), true)
+	setup(ctx, c.Bool("debug"))

 	// First of all run update-server-info no matter what
 	if _, _, err := git.NewCommand(ctx, "update-server-info").RunStdString(nil); err != nil {
@ -402,7 +402,7 @@ Forgejo or set your environment appropriately.`, "")
 			continue
 		}

-		fmt.Fprint(out, ".")
+		fmt.Fprintf(out, ".")
 		oldCommitIDs[count] = string(fields[0])
 		newCommitIDs[count] = string(fields[1])
 		refFullNames[count] = git.RefName(fields[2])
@ -490,11 +490,11 @@ func hookPrintResults(results []private.HookPostReceiveBranchResult) {
 	}
 }

-func runHookProcReceive(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runHookProcReceive(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), true)
+	setup(ctx, c.Bool("debug"))

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
@ -505,6 +505,10 @@ Forgejo or set your environment appropriately.`, "")
 		return nil
 	}

+	if git.CheckGitVersionAtLeast("2.29") != nil {
+		return fail(ctx, "No proc-receive support", "current git version doesn't support proc-receive.")
+	}
+
 	reader := bufio.NewReader(os.Stdin)
 	repoUser := os.Getenv(repo_module.EnvRepoUsername)
 	repoName := os.Getenv(repo_module.EnvRepoName)
--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@ -19,7 +19,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // Capture what's being written into a standard file descriptor.
@ -134,14 +134,14 @@ func TestDelayWriter(t *testing.T) {
 	defer ts.Close()
 	defer test.MockVariableValue(&setting.LocalURL, ts.URL+"/")()

-	app := cli.Command{}
-	app.Commands = []*cli.Command{subcmdHookPreReceive()}
+	app := cli.NewApp()
+	app.Commands = []*cli.Command{subcmdHookPreReceive}

 	t.Run("Should delay", func(t *testing.T) {
 		defer test.MockVariableValue(&setting.Git.VerbosePushDelay, time.Millisecond*500)()
 		finish := captureOutput(t, os.Stdout)

-		err = app.Run(t.Context(), []string{"./forgejo", "pre-receive"})
+		err = app.Run([]string{"./forgejo", "pre-receive"})
 		require.NoError(t, err)
 		out := finish()

@ -153,7 +153,7 @@ func TestDelayWriter(t *testing.T) {
 		defer test.MockVariableValue(&setting.Git.VerbosePushDelay, time.Second*5)()
 		finish := captureOutput(t, os.Stdout)

-		err = app.Run(t.Context(), []string{"./forgejo", "pre-receive"})
+		err = app.Run([]string{"./forgejo", "pre-receive"})
 		require.NoError(t, err)
 		out := finish()

@ -163,15 +163,15 @@ func TestDelayWriter(t *testing.T) {
 }

 func TestRunHookUpdate(t *testing.T) {
-	app := cli.Command{}
-	app.Commands = []*cli.Command{subcmdHookUpdate()}
+	app := cli.NewApp()
+	app.Commands = []*cli.Command{subcmdHookUpdate}

 	t.Run("Removal of internal reference", func(t *testing.T) {
 		defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 		defer test.MockVariableValue(&setting.IsProd, false)()
 		finish := captureOutput(t, os.Stderr)

-		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
+		err := app.Run([]string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
 		out := finish()
 		require.Error(t, err)

@ -183,7 +183,7 @@ func TestRunHookUpdate(t *testing.T) {
 		defer test.MockVariableValue(&setting.IsProd, false)()
 		finish := captureOutput(t, os.Stderr)

-		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000001"})
+		err := app.Run([]string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000001"})
 		out := finish()
 		require.Error(t, err)

@ -191,12 +191,12 @@ func TestRunHookUpdate(t *testing.T) {
 	})

 	t.Run("Removal of branch", func(t *testing.T) {
-		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/head/main", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
+		err := app.Run([]string{"./forgejo", "update", "refs/head/main", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
 		require.NoError(t, err)
 	})

 	t.Run("Not enough arguments", func(t *testing.T) {
-		err := app.Run(t.Context(), []string{"./forgejo", "update"})
+		err := app.Run([]string{"./forgejo", "update"})
 		require.NoError(t, err)
 	})
 }
--- a/cmd/keys.go
+++ b/cmd/keys.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"
@ -12,47 +11,45 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/private"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdKeys represents the available keys sub-command
-func cmdKeys() *cli.Command {
-	return &cli.Command{
-		Name:        "keys",
-		Usage:       "(internal) Should only be called by SSH server",
-		Description: "Queries the Forgejo database to get the authorized command for a given ssh key fingerprint",
-		Before:      PrepareConsoleLoggerLevel(log.FATAL),
-		Action:      runKeys,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "expected",
-				Aliases: []string{"e"},
-				Value:   "git",
-				Usage:   "Expected user for whom provide key commands",
-			},
-			&cli.StringFlag{
-				Name:    "username",
-				Aliases: []string{"u"},
-				Value:   "",
-				Usage:   "Username trying to log in by SSH",
-			},
-			&cli.StringFlag{
-				Name:    "type",
-				Aliases: []string{"t"},
-				Value:   "",
-				Usage:   "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
-			},
-			&cli.StringFlag{
-				Name:    "content",
-				Aliases: []string{"k"},
-				Value:   "",
-				Usage:   "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
-			},
+var CmdKeys = &cli.Command{
+	Name:        "keys",
+	Usage:       "(internal) Should only be called by SSH server",
+	Description: "Queries the Forgejo database to get the authorized command for a given ssh key fingerprint",
+	Before:      PrepareConsoleLoggerLevel(log.FATAL),
+	Action:      runKeys,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "expected",
+			Aliases: []string{"e"},
+			Value:   "git",
+			Usage:   "Expected user for whom provide key commands",
 		},
-	}
+		&cli.StringFlag{
+			Name:    "username",
+			Aliases: []string{"u"},
+			Value:   "",
+			Usage:   "Username trying to log in by SSH",
+		},
+		&cli.StringFlag{
+			Name:    "type",
+			Aliases: []string{"t"},
+			Value:   "",
+			Usage:   "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
+		},
+		&cli.StringFlag{
+			Name:    "content",
+			Aliases: []string{"k"},
+			Value:   "",
+			Usage:   "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
+		},
+	},
 }

-func runKeys(ctx context.Context, c *cli.Command) error {
+func runKeys(c *cli.Context) error {
 	if !c.IsSet("username") {
 		return errors.New("No username provided")
 	}
@ -71,16 +68,16 @@ func runKeys(ctx context.Context, c *cli.Command) error {
 		return errors.New("No key type and content provided")
 	}

-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), true)
+	setup(ctx, c.Bool("debug"))

 	authorizedString, extra := private.AuthorizedPublicKeyByContent(ctx, content)
 	// do not use handleCliResponseExtra or cli.NewExitError, if it exists immediately, it breaks some tests like Test_CmdKeys
 	if extra.Error != nil {
 		return extra.Error
 	}
-	_, _ = fmt.Fprintln(c.Root().Writer, strings.TrimSpace(authorizedString.Text))
+	_, _ = fmt.Fprintln(c.App.Writer, strings.TrimSpace(authorizedString.Text))
 	return nil
 }
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@ -4,17 +4,16 @@
 package cmd

 import (
-	"context"
 	"fmt"

 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func runSendMail(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runSendMail(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	setting.MustInstalled()
--- a/cmd/main.go
+++ b/cmd/main.go
@ -14,7 +14,7 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // cmdHelp is our own help subcommand with more information
@ -25,18 +25,18 @@ func cmdHelp() *cli.Command {
 		Aliases:   []string{"h"},
 		Usage:     "Shows a list of commands or help for one command",
 		ArgsUsage: "[command]",
-		Action: func(ctx context.Context, c *cli.Command) (err error) {
-			lineage := c.Lineage() // The order is from child to parent: help, doctor, Forgejo
+		Action: func(c *cli.Context) (err error) {
+			lineage := c.Lineage() // The order is from child to parent: help, doctor, Gitea, {Command:nil}
 			targetCmdIdx := 0
-			if c.Name == "help" {
+			if c.Command.Name == "help" {
 				targetCmdIdx = 1
 			}
-			if targetCmdIdx+1 < len(lineage) {
-				err = cli.ShowCommandHelp(ctx, lineage[targetCmdIdx+1], lineage[targetCmdIdx].Name)
+			if lineage[targetCmdIdx+1].Command != nil {
+				err = cli.ShowCommandHelp(lineage[targetCmdIdx+1], lineage[targetCmdIdx].Command.Name)
 			} else {
 				err = cli.ShowAppHelp(c)
 			}
-			_, _ = fmt.Fprintf(c.Root().Writer, `
+			_, _ = fmt.Fprintf(c.App.Writer, `
 DEFAULT CONFIGURATION:
   AppPath:    %s
   WorkPath:   %s
@ -77,25 +77,25 @@ func appGlobalFlags() []cli.Flag {
 	}
 }

-func prepareSubcommandWithConfig(command *cli.Command, globalFlags func() []cli.Flag) {
-	command.Flags = append(globalFlags(), command.Flags...)
+func prepareSubcommandWithConfig(command *cli.Command, globalFlags []cli.Flag) {
+	command.Flags = append(append([]cli.Flag{}, globalFlags...), command.Flags...)
 	command.Action = prepareWorkPathAndCustomConf(command.Action)
 	command.HideHelp = true
 	if command.Name != "help" {
-		command.Commands = append(command.Commands, cmdHelp())
+		command.Subcommands = append(command.Subcommands, cmdHelp())
 	}
-	for i := range command.Commands {
-		prepareSubcommandWithConfig(command.Commands[i], globalFlags)
+	for i := range command.Subcommands {
+		prepareSubcommandWithConfig(command.Subcommands[i], globalFlags)
 	}
 }

 // prepareWorkPathAndCustomConf wraps the Action to prepare the work path and custom config
 // It can't use "Before", because each level's sub-command's Before will be called one by one, so the "init" would be done multiple times
-func prepareWorkPathAndCustomConf(action cli.ActionFunc) func(_ context.Context, _ *cli.Command) error {
-	return func(ctx context.Context, cli *cli.Command) error {
+func prepareWorkPathAndCustomConf(action cli.ActionFunc) func(ctx *cli.Context) error {
+	return func(ctx *cli.Context) error {
 		var args setting.ArgWorkPathAndCustomConf
 		// from children to parent, check the global flags
-		for _, curCtx := range cli.Lineage() {
+		for _, curCtx := range ctx.Lineage() {
 			if curCtx.IsSet("work-path") && args.WorkPath == "" {
 				args.WorkPath = curCtx.String("work-path")
 			}
@ -107,24 +107,24 @@ func prepareWorkPathAndCustomConf(action cli.ActionFunc) func(_ context.Context,
 			}
 		}
 		setting.InitWorkPathAndCommonConfig(os.Getenv, args)
-		if cli.Bool("help") || action == nil {
+		if ctx.Bool("help") || action == nil {
 			// the default behavior of "urfave/cli": "nil action" means "show help"
-			return cmdHelp().Action(ctx, cli)
+			return cmdHelp().Action(ctx)
 		}
-		return action(ctx, cli)
+		return action(ctx)
 	}
 }

-func NewMainApp(version, versionExtra string) *cli.Command {
+func NewMainApp(version, versionExtra string) *cli.App {
 	path, err := os.Executable()
 	if err != nil {
 		panic(err)
 	}
 	executable := filepath.Base(path)

-	subCmdsStandalone := make([]*cli.Command, 0, 10)
-	subCmdWithConfig := make([]*cli.Command, 0, 10)
-	globalFlags := func() []cli.Flag { return []cli.Flag{} }
+	var subCmdsStandalone []*cli.Command = make([]*cli.Command, 0, 10)
+	var subCmdWithConfig []*cli.Command = make([]*cli.Command, 0, 10)
+	var globalFlags []cli.Flag = make([]cli.Flag, 0, 10)

 	//
 	// If the executable is forgejo-cli, provide a Forgejo specific CLI
@ -133,16 +133,14 @@ func NewMainApp(version, versionExtra string) *cli.Command {
 	if executable == "forgejo-cli" {
 		subCmdsStandalone = append(subCmdsStandalone, forgejo.CmdActions(context.Background()))
 		subCmdWithConfig = append(subCmdWithConfig, forgejo.CmdF3(context.Background()))
-		globalFlags = func() []cli.Flag {
-			return []cli.Flag{
-				&cli.BoolFlag{
-					Name: "quiet",
-				},
-				&cli.BoolFlag{
-					Name: "verbose",
-				},
-			}
-		}
+		globalFlags = append(globalFlags, []cli.Flag{
+			&cli.BoolFlag{
+				Name: "quiet",
+			},
+			&cli.BoolFlag{
+				Name: "verbose",
+			},
+		}...)
 	} else {
 		//
 		// Otherwise provide a Gitea compatible CLI which includes Forgejo
@ -151,54 +149,55 @@ func NewMainApp(version, versionExtra string) *cli.Command {
 		// binary and rename it to forgejo if they want.
 		//
 		subCmdsStandalone = append(subCmdsStandalone, forgejo.CmdForgejo(context.Background()))
-		subCmdWithConfig = append(subCmdWithConfig, cmdActions())
+		subCmdWithConfig = append(subCmdWithConfig, CmdActions)
 	}

 	return innerNewMainApp(version, versionExtra, subCmdsStandalone, subCmdWithConfig, globalFlags)
 }

-func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmdWithConfigArgs []*cli.Command, globalFlagsArgs func() []cli.Flag) *cli.Command {
-	app := &cli.Command{}
-	app.Name = "forgejo"
+func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmdWithConfigArgs []*cli.Command, globalFlagsArgs []cli.Flag) *cli.App {
+	app := cli.NewApp()
+	app.HelpName = "forgejo"
+	app.Name = "Forgejo"
 	app.Usage = "Beyond coding. We forge."
 	app.Description = `By default, forgejo will start serving using the web-server with no argument, which can alternatively be run by running the subcommand "web".`
 	app.Version = version + versionExtra
-	app.EnableShellCompletion = true
+	app.EnableBashCompletion = true

 	// these sub-commands need to use config file
 	subCmdWithConfig := []*cli.Command{
 		cmdHelp(), // the "help" sub-command was used to show the more information for "work path" and "custom config"
-		cmdWeb(),
-		cmdServ(),
-		cmdHook(),
-		cmdKeys(),
-		cmdDump(),
-		cmdAdmin(),
-		cmdMigrate(),
-		cmdDoctor(),
-		cmdManager(),
-		cmdEmbedded(),
-		cmdMigrateStorage(),
-		cmdDumpRepository(),
-		cmdRestoreRepository(),
+		CmdWeb,
+		CmdServ,
+		CmdHook,
+		CmdKeys,
+		CmdDump,
+		CmdAdmin,
+		CmdMigrate,
+		CmdDoctor,
+		CmdManager,
+		CmdEmbedded,
+		CmdMigrateStorage,
+		CmdDumpRepository,
+		CmdRestoreRepository,
 	}

 	subCmdWithConfig = append(subCmdWithConfig, subCmdWithConfigArgs...)

 	// these sub-commands do not need the config file, and they do not depend on any path or environment variable.
 	subCmdStandalone := []*cli.Command{
-		cmdCert(),
-		cmdGenerate(),
+		CmdCert,
+		CmdGenerate,
+		CmdDocs,
 	}
 	subCmdStandalone = append(subCmdStandalone, subCmdsStandaloneArgs...)

-	app.DefaultCommand = cmdWeb().Name
+	app.DefaultCommand = CmdWeb.Name

-	globalFlags := func() []cli.Flag {
-		return append(appGlobalFlags(), globalFlagsArgs()...)
-	}
+	globalFlags := appGlobalFlags()
+	globalFlags = append(globalFlags, globalFlagsArgs...)
 	app.Flags = append(app.Flags, cli.VersionFlag)
-	app.Flags = append(app.Flags, globalFlags()...)
+	app.Flags = append(app.Flags, globalFlags...)
 	app.HideHelp = true // use our own help action to show helps (with more information like default config)
 	app.Before = PrepareConsoleLoggerLevel(log.INFO)
 	for i := range subCmdWithConfig {
@ -211,8 +210,8 @@ func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmd
 	return app
 }

-func RunMainApp(app *cli.Command, args ...string) error {
-	err := app.Run(context.Background(), args)
+func RunMainApp(app *cli.App, args ...string) error {
+	err := app.Run(args)
 	if err == nil {
 		return nil
 	}
@ -221,7 +220,7 @@ func RunMainApp(app *cli.Command, args ...string) error {
 		cli.OsExiter(1)
 		return err
 	}
-	_, _ = fmt.Fprintf(app.Root().ErrWriter, "Command error: %v\n", err)
+	_, _ = fmt.Fprintf(app.ErrWriter, "Command error: %v\n", err)
 	cli.OsExiter(1)
 	return err
 }
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -4,8 +4,6 @@
 package cmd

 import (
-	"context"
-	"errors"
 	"fmt"
 	"io"
 	"path/filepath"
@ -18,7 +16,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func TestMain(m *testing.M) {
@ -29,10 +27,10 @@ func makePathOutput(workPath, customPath, customConf string) string {
 	return fmt.Sprintf("WorkPath=%s\nCustomPath=%s\nCustomConf=%s", workPath, customPath, customConf)
 }

-func newTestApp(testCmdAction func(_ context.Context, ctx *cli.Command) error) *cli.Command {
+func newTestApp(testCmdAction func(ctx *cli.Context) error) *cli.App {
 	app := NewMainApp("version", "version-extra")
 	testCmd := &cli.Command{Name: "test-cmd", Action: testCmdAction}
-	prepareSubcommandWithConfig(testCmd, appGlobalFlags)
+	prepareSubcommandWithConfig(testCmd, appGlobalFlags())
 	app.Commands = append(app.Commands, testCmd)
 	app.DefaultCommand = testCmd.Name
 	return app
@ -44,7 +42,7 @@ type runResult struct {
 	ExitCode int
 }

-func runTestApp(app *cli.Command, args ...string) (runResult, error) {
+func runTestApp(app *cli.App, args ...string) (runResult, error) {
 	outBuf := new(strings.Builder)
 	errBuf := new(strings.Builder)
 	app.Writer = outBuf
@ -67,6 +65,7 @@ func TestCliCmd(t *testing.T) {
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")

 	cli.CommandHelpTemplate = "(command help template)"
+	cli.AppHelpTemplate = "(app help template)"
 	cli.SubcommandHelpTemplate = "(subcommand help template)"

 	cases := []struct {
@ -110,17 +109,12 @@ func TestCliCmd(t *testing.T) {
 		},
 	}

+	app := newTestApp(func(ctx *cli.Context) error {
+		_, _ = fmt.Fprint(ctx.App.Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
+		return nil
+	})
 	for _, c := range cases {
 		t.Run(c.cmd, func(t *testing.T) {
-			defer test.MockProtect(&setting.AppWorkPath)()
-			defer test.MockProtect(&setting.CustomPath)()
-			defer test.MockProtect(&setting.CustomConf)()
-
-			app := newTestApp(func(_ context.Context, ctx *cli.Command) error {
-				_, _ = fmt.Fprint(ctx.Root().Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
-				return nil
-			})
-
 			for k, v := range c.env {
 				t.Setenv(k, v)
 			}
@ -128,37 +122,37 @@ func TestCliCmd(t *testing.T) {
 			r, err := runTestApp(app, args...)
 			require.NoError(t, err, c.cmd)
 			assert.NotEmpty(t, c.exp, c.cmd)
-			assert.Contains(t, r.Stdout, c.exp, c.cmd+"\n"+r.Stdout)
+			assert.Contains(t, r.Stdout, c.exp, c.cmd)
 		})
 	}
 }

 func TestCliCmdError(t *testing.T) {
-	app := newTestApp(func(_ context.Context, ctx *cli.Command) error { return errors.New("normal error") })
+	app := newTestApp(func(ctx *cli.Context) error { return fmt.Errorf("normal error") })
 	r, err := runTestApp(app, "./gitea", "test-cmd")
 	require.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
-	assert.Empty(t, r.Stdout)
+	assert.Equal(t, "", r.Stdout)
 	assert.Equal(t, "Command error: normal error\n", r.Stderr)

-	app = newTestApp(func(_ context.Context, ctx *cli.Command) error { return cli.Exit("exit error", 2) })
+	app = newTestApp(func(ctx *cli.Context) error { return cli.Exit("exit error", 2) })
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	require.Error(t, err)
 	assert.Equal(t, 2, r.ExitCode)
-	assert.Empty(t, r.Stdout)
+	assert.Equal(t, "", r.Stdout)
 	assert.Equal(t, "exit error\n", r.Stderr)

-	app = newTestApp(func(_ context.Context, ctx *cli.Command) error { return nil })
+	app = newTestApp(func(ctx *cli.Context) error { return nil })
 	r, err = runTestApp(app, "./gitea", "test-cmd", "--no-such")
 	require.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
-	assert.Equal(t, "Incorrect Usage: flag provided but not defined: -no-such\n\n", r.Stderr)
-	assert.Empty(t, r.Stdout)
+	assert.Equal(t, "Incorrect Usage: flag provided but not defined: -no-such\n\n", r.Stdout)
+	assert.Equal(t, "", r.Stderr) // the cli package's strange behavior, the error message is not in stderr ....

-	app = newTestApp(func(_ context.Context, ctx *cli.Command) error { return nil })
+	app = newTestApp(func(ctx *cli.Context) error { return nil })
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	require.NoError(t, err)
 	assert.Equal(t, -1, r.ExitCode) // the cli.OsExiter is not called
-	assert.Empty(t, r.Stdout)
-	assert.Empty(t, r.Stderr)
+	assert.Equal(t, "", r.Stdout)
+	assert.Equal(t, "", r.Stderr)
 }
--- a/cmd/manager.go
+++ b/cmd/manager.go
@ -4,34 +4,30 @@
 package cmd

 import (
-	"context"
 	"os"
 	"time"

 	"forgejo.org/modules/private"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-// CmdManager represents the manager command
-func cmdManager() *cli.Command {
-	return &cli.Command{
+var (
+	// CmdManager represents the manager command
+	CmdManager = &cli.Command{
 		Name:        "manager",
 		Usage:       "Manage the running forgejo process",
 		Description: "This is a command for managing the running forgejo process",
-		Commands: []*cli.Command{
-			subcmdShutdown(),
-			subcmdRestart(),
-			subcmdReloadTemplates(),
-			subcmdFlushQueues(),
-			subcmdLogging(),
-			subCmdProcesses(),
+		Subcommands: []*cli.Command{
+			subcmdShutdown,
+			subcmdRestart,
+			subcmdReloadTemplates,
+			subcmdFlushQueues,
+			subcmdLogging,
+			subCmdProcesses,
 		},
 	}
-}
-
-func subcmdShutdown() *cli.Command {
-	return &cli.Command{
+	subcmdShutdown = &cli.Command{
 		Name:  "shutdown",
 		Usage: "Gracefully shutdown the running process",
 		Flags: []cli.Flag{
@ -41,10 +37,7 @@ func subcmdShutdown() *cli.Command {
 		},
 		Action: runShutdown,
 	}
-}
-
-func subcmdRestart() *cli.Command {
-	return &cli.Command{
+	subcmdRestart = &cli.Command{
 		Name:  "restart",
 		Usage: "Gracefully restart the running process - (not implemented for windows servers)",
 		Flags: []cli.Flag{
@ -54,10 +47,7 @@ func subcmdRestart() *cli.Command {
 		},
 		Action: runRestart,
 	}
-}
-
-func subcmdReloadTemplates() *cli.Command {
-	return &cli.Command{
+	subcmdReloadTemplates = &cli.Command{
 		Name:  "reload-templates",
 		Usage: "Reload template files in the running process",
 		Flags: []cli.Flag{
@ -67,10 +57,7 @@ func subcmdReloadTemplates() *cli.Command {
 		},
 		Action: runReloadTemplates,
 	}
-}
-
-func subcmdFlushQueues() *cli.Command {
-	return &cli.Command{
+	subcmdFlushQueues = &cli.Command{
 		Name:   "flush-queues",
 		Usage:  "Flush queues in the running process",
 		Action: runFlushQueues,
@ -89,10 +76,7 @@ func subcmdFlushQueues() *cli.Command {
 			},
 		},
 	}
-}
-
-func subCmdProcesses() *cli.Command {
-	return &cli.Command{
+	subCmdProcesses = &cli.Command{
 		Name:   "processes",
 		Usage:  "Display running processes within the current process",
 		Action: runProcesses,
@ -122,49 +106,49 @@ func subCmdProcesses() *cli.Command {
 			},
 		},
 	}
-}
+)

-func runShutdown(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runShutdown(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	extra := private.Shutdown(ctx)
 	return handleCliResponseExtra(extra)
 }

-func runRestart(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRestart(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	extra := private.Restart(ctx)
 	return handleCliResponseExtra(extra)
 }

-func runReloadTemplates(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runReloadTemplates(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	extra := private.ReloadTemplates(ctx)
 	return handleCliResponseExtra(extra)
 }

-func runFlushQueues(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runFlushQueues(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	extra := private.FlushQueues(ctx, c.Duration("timeout"), c.Bool("non-blocking"))
 	return handleCliResponseExtra(extra)
 }

-func runProcesses(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runProcesses(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	extra := private.Processes(ctx, os.Stdout, c.Bool("flat"), c.Bool("no-system"), c.Bool("stacktraces"), c.Bool("json"), c.String("cancel"))
 	return handleCliResponseExtra(extra)
 }
--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
 	"os"
@ -12,11 +11,11 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/private"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

-func defaultLoggingFlags() []cli.Flag {
-	return []cli.Flag{
+var (
+	defaultLoggingFlags = []cli.Flag{
 		&cli.StringFlag{
 			Name:  "logger",
 			Usage: `Logger name - will default to "default"`,
@ -44,11 +43,6 @@ func defaultLoggingFlags() []cli.Flag {
 			Aliases: []string{"e"},
 			Usage:   "Matching expression for the logger",
 		},
-		&cli.StringFlag{
-			Name:    "exclusion",
-			Aliases: []string{"x"},
-			Usage:   "Exclusion for the logger",
-		},
 		&cli.StringFlag{
 			Name:    "prefix",
 			Aliases: []string{"p"},
@ -62,13 +56,11 @@ func defaultLoggingFlags() []cli.Flag {
 			Name: "debug",
 		},
 	}
-}

-func subcmdLogging() *cli.Command {
-	return &cli.Command{
+	subcmdLogging = &cli.Command{
 		Name:  "logging",
 		Usage: "Adjust logging commands",
-		Commands: []*cli.Command{
+		Subcommands: []*cli.Command{
 			{
 				Name:  "pause",
 				Usage: "Pause logging (Forgejo will buffer logs up to a certain point and will drop them after that point)",
@ -112,11 +104,11 @@ func subcmdLogging() *cli.Command {
 			}, {
 				Name:  "add",
 				Usage: "Add a logger",
-				Commands: []*cli.Command{
+				Subcommands: []*cli.Command{
 					{
 						Name:  "file",
 						Usage: "Add a file logger",
-						Flags: append(defaultLoggingFlags(), []cli.Flag{
+						Flags: append(defaultLoggingFlags, []cli.Flag{
 							&cli.StringFlag{
 								Name:    "filename",
 								Aliases: []string{"f"},
@ -160,7 +152,7 @@ func subcmdLogging() *cli.Command {
 					}, {
 						Name:  "conn",
 						Usage: "Add a net conn logger",
-						Flags: append(defaultLoggingFlags(), []cli.Flag{
+						Flags: append(defaultLoggingFlags, []cli.Flag{
 							&cli.BoolFlag{
 								Name:    "reconnect-on-message",
 								Aliases: []string{"R"},
@ -201,13 +193,13 @@ func subcmdLogging() *cli.Command {
 			},
 		},
 	}
-}
+)

-func runRemoveLogger(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRemoveLogger(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	logger := c.String("logger")
 	if len(logger) == 0 {
 		logger = log.DEFAULT
@ -218,11 +210,11 @@ func runRemoveLogger(ctx context.Context, c *cli.Command) error {
 	return handleCliResponseExtra(extra)
 }

-func runAddConnLogger(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runAddConnLogger(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	vals := map[string]any{}
 	mode := "conn"
 	vals["net"] = "tcp"
@ -245,14 +237,14 @@ func runAddConnLogger(ctx context.Context, c *cli.Command) error {
 	if c.IsSet("reconnect-on-message") {
 		vals["reconnectOnMsg"] = c.Bool("reconnect-on-message")
 	}
-	return commonAddLogger(ctx, c, mode, vals)
+	return commonAddLogger(c, mode, vals)
 }

-func runAddFileLogger(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runAddFileLogger(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	vals := map[string]any{}
 	mode := "file"
 	if c.IsSet("filename") {
@ -278,10 +270,10 @@ func runAddFileLogger(ctx context.Context, c *cli.Command) error {
 	if c.IsSet("compression-level") {
 		vals["compressionLevel"] = c.Int("compression-level")
 	}
-	return commonAddLogger(ctx, c, mode, vals)
+	return commonAddLogger(c, mode, vals)
 }

-func commonAddLogger(ctx context.Context, c *cli.Command, mode string, vals map[string]any) error {
+func commonAddLogger(c *cli.Context, mode string, vals map[string]any) error {
 	if len(c.String("level")) > 0 {
 		vals["level"] = log.LevelFromString(c.String("level")).String()
 	}
@ -291,9 +283,6 @@ func commonAddLogger(ctx context.Context, c *cli.Command, mode string, vals map[
 	if len(c.String("expression")) > 0 {
 		vals["expression"] = c.String("expression")
 	}
-	if len(c.String("exclusion")) > 0 {
-		vals["exclusion"] = c.String("exclusion")
-	}
 	if len(c.String("prefix")) > 0 {
 		vals["prefix"] = c.String("prefix")
 	}
@ -311,47 +300,47 @@ func commonAddLogger(ctx context.Context, c *cli.Command, mode string, vals map[
 	if c.IsSet("writer") {
 		writer = c.String("writer")
 	}
-	ctx, cancel := installSignals(ctx)
+	ctx, cancel := installSignals()
 	defer cancel()

 	extra := private.AddLogger(ctx, logger, writer, mode, vals)
 	return handleCliResponseExtra(extra)
 }

-func runPauseLogging(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runPauseLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	userMsg := private.PauseLogging(ctx)
 	_, _ = fmt.Fprintln(os.Stdout, userMsg)
 	return nil
 }

-func runResumeLogging(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runResumeLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	userMsg := private.ResumeLogging(ctx)
 	_, _ = fmt.Fprintln(os.Stdout, userMsg)
 	return nil
 }

-func runReleaseReopenLogging(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runReleaseReopenLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))
 	userMsg := private.ReleaseReopenLogging(ctx)
 	_, _ = fmt.Fprintln(os.Stdout, userMsg)
 	return nil
 }

-func runSetLogSQL(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runSetLogSQL(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()
-	setup(ctx, c.Bool("debug"), false)
+	setup(ctx, c.Bool("debug"))

 	extra := private.SetLogSQL(ctx, !c.Bool("off"))
 	return handleCliResponseExtra(extra)
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -11,21 +11,19 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdMigrate represents the available migrate sub-command.
-func cmdMigrate() *cli.Command {
-	return &cli.Command{
-		Name:        "migrate",
-		Usage:       "Migrate the database",
-		Description: "This is a command for migrating the database, so that you can run 'forgejo admin user create' before starting the server.",
-		Action:      runMigrate,
-	}
+var CmdMigrate = &cli.Command{
+	Name:        "migrate",
+	Usage:       "Migrate the database",
+	Description: "This is a command for migrating the database, so that you can run 'forgejo admin user create' before starting the server.",
+	Action:      runMigrate,
 }

-func runMigrate(stdCtx context.Context, ctx *cli.Command) error {
-	stdCtx, cancel := installSignals(stdCtx)
+func runMigrate(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(stdCtx); err != nil {
@ -38,13 +36,7 @@ func runMigrate(stdCtx context.Context, ctx *cli.Command) error {
 	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

-	if err := db.InitEngineWithMigration(context.Background(), func(dbEngine db.Engine) error {
-		masterEngine, err := db.GetMasterEngine(dbEngine)
-		if err != nil {
-			return err
-		}
-		return migrations.Migrate(masterEngine)
-	}); err != nil {
+	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
 		log.Fatal("Failed to initialize ORM engine: %v", err)
 		return err
 	}
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@ -22,81 +22,78 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"

-	"github.com/urfave/cli/v3"
-	"xorm.io/xorm"
+	"github.com/urfave/cli/v2"
 )

 // CmdMigrateStorage represents the available migrate storage sub-command.
-func cmdMigrateStorage() *cli.Command {
-	return &cli.Command{
-		Name:        "migrate-storage",
-		Usage:       "Migrate the storage",
-		Description: "Copies stored files from storage configured in app.ini to parameter-configured storage",
-		Action:      runMigrateStorage,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "type",
-				Aliases: []string{"t"},
-				Value:   "",
-				Usage:   "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log', 'actions-artifacts'",
-			},
-			&cli.StringFlag{
-				Name:    "storage",
-				Aliases: []string{"s"},
-				Value:   "",
-				Usage:   "New storage type: local (default) or minio",
-			},
-			&cli.StringFlag{
-				Name:    "path",
-				Aliases: []string{"p"},
-				Value:   "",
-				Usage:   "New storage placement if store is local (leave blank for default)",
-			},
-			&cli.StringFlag{
-				Name:  "minio-endpoint",
-				Value: "",
-				Usage: "Minio storage endpoint",
-			},
-			&cli.StringFlag{
-				Name:  "minio-access-key-id",
-				Value: "",
-				Usage: "Minio storage accessKeyID",
-			},
-			&cli.StringFlag{
-				Name:  "minio-secret-access-key",
-				Value: "",
-				Usage: "Minio storage secretAccessKey",
-			},
-			&cli.StringFlag{
-				Name:  "minio-bucket",
-				Value: "",
-				Usage: "Minio storage bucket",
-			},
-			&cli.StringFlag{
-				Name:  "minio-location",
-				Value: "",
-				Usage: "Minio storage location to create bucket",
-			},
-			&cli.StringFlag{
-				Name:  "minio-base-path",
-				Value: "",
-				Usage: "Minio storage base path on the bucket",
-			},
-			&cli.BoolFlag{
-				Name:  "minio-use-ssl",
-				Usage: "Enable SSL for minio",
-			},
-			&cli.BoolFlag{
-				Name:  "minio-insecure-skip-verify",
-				Usage: "Skip SSL verification",
-			},
-			&cli.StringFlag{
-				Name:  "minio-checksum-algorithm",
-				Value: "",
-				Usage: "Minio checksum algorithm (default/md5)",
-			},
+var CmdMigrateStorage = &cli.Command{
+	Name:        "migrate-storage",
+	Usage:       "Migrate the storage",
+	Description: "Copies stored files from storage configured in app.ini to parameter-configured storage",
+	Action:      runMigrateStorage,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "type",
+			Aliases: []string{"t"},
+			Value:   "",
+			Usage:   "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log', 'actions-artifacts'",
 		},
-	}
+		&cli.StringFlag{
+			Name:    "storage",
+			Aliases: []string{"s"},
+			Value:   "",
+			Usage:   "New storage type: local (default) or minio",
+		},
+		&cli.StringFlag{
+			Name:    "path",
+			Aliases: []string{"p"},
+			Value:   "",
+			Usage:   "New storage placement if store is local (leave blank for default)",
+		},
+		&cli.StringFlag{
+			Name:  "minio-endpoint",
+			Value: "",
+			Usage: "Minio storage endpoint",
+		},
+		&cli.StringFlag{
+			Name:  "minio-access-key-id",
+			Value: "",
+			Usage: "Minio storage accessKeyID",
+		},
+		&cli.StringFlag{
+			Name:  "minio-secret-access-key",
+			Value: "",
+			Usage: "Minio storage secretAccessKey",
+		},
+		&cli.StringFlag{
+			Name:  "minio-bucket",
+			Value: "",
+			Usage: "Minio storage bucket",
+		},
+		&cli.StringFlag{
+			Name:  "minio-location",
+			Value: "",
+			Usage: "Minio storage location to create bucket",
+		},
+		&cli.StringFlag{
+			Name:  "minio-base-path",
+			Value: "",
+			Usage: "Minio storage base path on the bucket",
+		},
+		&cli.BoolFlag{
+			Name:  "minio-use-ssl",
+			Usage: "Enable SSL for minio",
+		},
+		&cli.BoolFlag{
+			Name:  "minio-insecure-skip-verify",
+			Usage: "Skip SSL verification",
+		},
+		&cli.StringFlag{
+			Name:  "minio-checksum-algorithm",
+			Value: "",
+			Usage: "Minio checksum algorithm (default/md5)",
+		},
+	},
 }

 func migrateAttachments(ctx context.Context, dstStorage storage.ObjectStorage) error {
@ -184,8 +181,8 @@ func migrateActionsArtifacts(ctx context.Context, dstStorage storage.ObjectStora
 	})
 }

-func runMigrateStorage(stdCtx context.Context, ctx *cli.Command) error {
-	stdCtx, cancel := installSignals(stdCtx)
+func runMigrateStorage(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
 	defer cancel()

 	if err := initDB(stdCtx); err != nil {
@ -198,9 +195,7 @@ func runMigrateStorage(stdCtx context.Context, ctx *cli.Command) error {
 	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

-	if err := db.InitEngineWithMigration(context.Background(), func(e db.Engine) error {
-		return migrations.Migrate(e.(*xorm.Engine))
-	}); err != nil {
+	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
 		log.Fatal("Failed to initialize ORM engine: %v", err)
 		return err
 	}
--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -81,8 +81,8 @@ func TestMigratePackages(t *testing.T) {
 	entries, err := os.ReadDir(p)
 	require.NoError(t, err)
 	assert.Len(t, entries, 2)
-	assert.Equal(t, "01", entries[0].Name())
-	assert.Equal(t, "tmp", entries[1].Name())
+	assert.EqualValues(t, "01", entries[0].Name())
+	assert.EqualValues(t, "tmp", entries[1].Name())
 }

 func TestMigrateActionsArtifacts(t *testing.T) {
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@ -4,55 +4,52 @@
 package cmd

 import (
-	"context"
 	"strings"

 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // CmdRestoreRepository represents the available restore a repository sub-command.
-func cmdRestoreRepository() *cli.Command {
-	return &cli.Command{
-		Name:        "restore-repo",
-		Usage:       "Restore the repository from disk",
-		Description: "This is a command for restoring the repository data.",
-		Action:      runRestoreRepository,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "repo_dir",
-				Aliases: []string{"r"},
-				Value:   "./data",
-				Usage:   "Repository dir path to restore from",
-			},
-			&cli.StringFlag{
-				Name:  "owner_name",
-				Value: "",
-				Usage: "Restore destination owner name",
-			},
-			&cli.StringFlag{
-				Name:  "repo_name",
-				Value: "",
-				Usage: "Restore destination repository name",
-			},
-			&cli.StringFlag{
-				Name:  "units",
-				Value: "",
-				Usage: `Which items will be restored, one or more units should be separated as comma.
-wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
-			},
-			&cli.BoolFlag{
-				Name:  "validation",
-				Usage: "Sanity check the content of the files before trying to load them",
-			},
+var CmdRestoreRepository = &cli.Command{
+	Name:        "restore-repo",
+	Usage:       "Restore the repository from disk",
+	Description: "This is a command for restoring the repository data.",
+	Action:      runRestoreRepository,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "repo_dir",
+			Aliases: []string{"r"},
+			Value:   "./data",
+			Usage:   "Repository dir path to restore from",
 		},
-	}
+		&cli.StringFlag{
+			Name:  "owner_name",
+			Value: "",
+			Usage: "Restore destination owner name",
+		},
+		&cli.StringFlag{
+			Name:  "repo_name",
+			Value: "",
+			Usage: "Restore destination repository name",
+		},
+		&cli.StringFlag{
+			Name:  "units",
+			Value: "",
+			Usage: `Which items will be restored, one or more units should be separated as comma.
+wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
+		},
+		&cli.BoolFlag{
+			Name:  "validation",
+			Usage: "Sanity check the content of the files before trying to load them",
+		},
+	},
 }

-func runRestoreRepository(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runRestoreRepository(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	setting.MustInstalled()
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -33,7 +33,7 @@ import (

 	"github.com/golang-jwt/jwt/v5"
 	"github.com/kballard/go-shellquote"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 const (
@ -41,40 +41,35 @@ const (
 )

 // CmdServ represents the available serv sub-command.
-func cmdServ() *cli.Command {
-	return &cli.Command{
-		Name:        "serv",
-		Usage:       "(internal) Should only be called by SSH shell",
-		Description: "Serv provides access auth for repositories",
-		Before:      PrepareConsoleLoggerLevel(log.FATAL),
-		Action:      runServ,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name: "enable-pprof",
-			},
-			&cli.BoolFlag{
-				Name: "debug",
-			},
+var CmdServ = &cli.Command{
+	Name:        "serv",
+	Usage:       "(internal) Should only be called by SSH shell",
+	Description: "Serv provides access auth for repositories",
+	Before:      PrepareConsoleLoggerLevel(log.FATAL),
+	Action:      runServ,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name: "enable-pprof",
 		},
-	}
+		&cli.BoolFlag{
+			Name: "debug",
+		},
+	},
 }

-func setup(ctx context.Context, debug, gitNeeded bool) {
+func setup(ctx context.Context, debug bool) {
 	if debug {
 		setupConsoleLogger(log.TRACE, false, os.Stderr)
 	} else {
 		setupConsoleLogger(log.FATAL, false, os.Stderr)
 	}
 	setting.MustInstalled()
-	// Sanity check to ensure path is not relative, see: https://github.com/go-gitea/gitea/pull/19317
 	if _, err := os.Stat(setting.RepoRootPath); err != nil {
 		_ = fail(ctx, "Unable to access repository path", "Unable to access repository path %q, err: %v", setting.RepoRootPath, err)
 		return
 	}
-	if gitNeeded {
-		if err := git.InitSimple(context.Background()); err != nil {
-			_ = fail(ctx, "Failed to init git", "Failed to init git, err: %v", err)
-		}
+	if err := git.InitSimple(context.Background()); err != nil {
+		_ = fail(ctx, "Failed to init git", "Failed to init git, err: %v", err)
 	}
 }

@ -88,14 +83,6 @@ var (
 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
 )

-func sshLog(ctx context.Context, level log.Level, message string) error {
-	if testing.Testing() || setting.InternalToken == "" {
-		return nil
-	}
-
-	return private.SSHLog(ctx, level, message)
-}
-
 // fail prints message to stdout, it's mainly used for git serv and git hook commands.
 // The output will be passed to git client and shown to user.
 func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error {
@ -120,7 +107,10 @@ func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error
 				logMsg = userMessage + ". " + logMsg
 			}
 		}
-		_ = sshLog(ctx, log.ERROR, logMsg)
+		// Don't send an log if this is done in a test and no InternalToken is set.
+		if !testing.Testing() || setting.InternalToken != "" {
+			_ = private.SSHLog(ctx, true, logMsg)
+		}
 	}
 	return cli.Exit("", 1)
 }
@ -138,12 +128,12 @@ func handleCliResponseExtra(extra private.ResponseExtra) error {
 	return nil
 }

-func runServ(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
+func runServ(c *cli.Context) error {
+	ctx, cancel := installSignals()
 	defer cancel()

 	// FIXME: This needs to internationalised
-	setup(ctx, c.Bool("debug"), true)
+	setup(ctx, c.Bool("debug"))

 	if setting.SSH.Disabled {
 		fmt.Println("Forgejo: SSH has been disabled")
@ -198,10 +188,12 @@ func runServ(ctx context.Context, c *cli.Command) error {
 	}

 	if len(words) < 2 {
-		// for AGit Flow
-		if cmd == "ssh_info" {
-			fmt.Print(`{"type":"agit","version":1}`)
-			return nil
+		if git.CheckGitVersionAtLeast("2.29") == nil {
+			// for AGit Flow
+			if cmd == "ssh_info" {
+				fmt.Print(`{"type":"gitea","version":1}`)
+				return nil
+			}
 		}
 		return fail(ctx, "Too few arguments", "Too few arguments in cmd: %s", cmd)
 	}
@ -261,12 +253,11 @@ func runServ(ctx context.Context, c *cli.Command) error {
 	}

 	if verb == lfsAuthenticateVerb {
-		switch lfsVerb {
-		case "upload":
+		if lfsVerb == "upload" {
 			requestedMode = perm.AccessModeWrite
-		case "download":
+		} else if lfsVerb == "download" {
 			requestedMode = perm.AccessModeRead
-		default:
+		} else {
 			return fail(ctx, "Unknown LFS verb", "Unknown lfs verb %s", lfsVerb)
 		}
 	}
--- a/cmd/web.go
+++ b/cmd/web.go
@ -26,50 +26,48 @@ import (
 	"forgejo.org/routers/install"

 	"github.com/felixge/fgprof"
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 // PIDFile could be set from build tag
 var PIDFile = "/run/gitea.pid"

 // CmdWeb represents the available web sub-command.
-func cmdWeb() *cli.Command {
-	return &cli.Command{
-		Name:  "web",
-		Usage: "Start the Forgejo web server",
-		Description: `The Forgejo web server is the only thing you need to run,
+var CmdWeb = &cli.Command{
+	Name:  "web",
+	Usage: "Start the Forgejo web server",
+	Description: `The Forgejo web server is the only thing you need to run,
 and it takes care of all the other things for you`,
-		Before: PrepareConsoleLoggerLevel(log.INFO),
-		Action: runWeb,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "port",
-				Aliases: []string{"p"},
-				Value:   "3000",
-				Usage:   "Temporary port number to prevent conflict",
-			},
-			&cli.StringFlag{
-				Name:  "install-port",
-				Value: "3000",
-				Usage: "Temporary port number to run the install page on to prevent conflict",
-			},
-			&cli.StringFlag{
-				Name:    "pid",
-				Aliases: []string{"P"},
-				Value:   PIDFile,
-				Usage:   "Custom pid file path",
-			},
-			&cli.BoolFlag{
-				Name:    "quiet",
-				Aliases: []string{"q"},
-				Usage:   "Only display Fatal logging errors until logging is set-up",
-			},
-			&cli.BoolFlag{
-				Name:  "verbose",
-				Usage: "Set initial logging to TRACE level until logging is properly set-up",
-			},
+	Before: PrepareConsoleLoggerLevel(log.INFO),
+	Action: runWeb,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "port",
+			Aliases: []string{"p"},
+			Value:   "3000",
+			Usage:   "Temporary port number to prevent conflict",
 		},
-	}
+		&cli.StringFlag{
+			Name:  "install-port",
+			Value: "3000",
+			Usage: "Temporary port number to run the install page on to prevent conflict",
+		},
+		&cli.StringFlag{
+			Name:    "pid",
+			Aliases: []string{"P"},
+			Value:   PIDFile,
+			Usage:   "Custom pid file path",
+		},
+		&cli.BoolFlag{
+			Name:    "quiet",
+			Aliases: []string{"q"},
+			Usage:   "Only display Fatal logging errors until logging is set-up",
+		},
+		&cli.BoolFlag{
+			Name:  "verbose",
+			Usage: "Set initial logging to TRACE level until logging is properly set-up",
+		},
+	},
 }

 func runHTTPRedirector() {
@ -130,7 +128,7 @@ func showWebStartupMessage(msg string) {
 	}
 }

-func serveInstall(_ context.Context, ctx *cli.Command) error {
+func serveInstall(ctx *cli.Context) error {
 	showWebStartupMessage("Prepare to run install page")

 	routers.InitWebInstallPage(graceful.GetManager().HammerContext())
@ -163,7 +161,7 @@ func serveInstall(_ context.Context, ctx *cli.Command) error {
 	return nil
 }

-func serveInstalled(_ context.Context, ctx *cli.Command) error {
+func serveInstalled(ctx *cli.Context) error {
 	setting.InitCfgProvider(setting.CustomConf)
 	setting.LoadCommonSettings()
 	setting.MustInstalled()
@ -200,6 +198,9 @@ func serveInstalled(_ context.Context, ctx *cli.Command) error {
 	for fn := range publicFilesSet.Seq() {
 		log.Error("Found legacy public asset %q in CustomPath. Please move it to %s/public/assets/%s", fn, setting.CustomPath, fn)
 	}
+	if _, err := os.Stat(filepath.Join(setting.CustomPath, "robots.txt")); err == nil {
+		log.Error(`Found legacy public asset "robots.txt" in CustomPath. Please move it to %s/public/robots.txt`, setting.CustomPath)
+	}

 	routers.InitWebInstalled(graceful.GetManager().HammerContext())

@ -235,7 +236,7 @@ func servePprof() {
 	finished()
 }

-func runWeb(ctx context.Context, cli *cli.Command) error {
+func runWeb(ctx *cli.Context) error {
 	defer func() {
 		if panicked := recover(); panicked != nil {
 			log.Fatal("PANIC: %v\n%s", panicked, log.Stack(2))
@ -253,12 +254,12 @@ func runWeb(ctx context.Context, cli *cli.Command) error {
 	}

 	// Set pid file setting
-	if cli.IsSet("pid") {
-		createPIDFile(cli.String("pid"))
+	if ctx.IsSet("pid") {
+		createPIDFile(ctx.String("pid"))
 	}

 	if !setting.InstallLock {
-		if err := serveInstall(ctx, cli); err != nil {
+		if err := serveInstall(ctx); err != nil {
 			return err
 		}
 	} else {
@ -269,7 +270,7 @@ func runWeb(ctx context.Context, cli *cli.Command) error {
 		go servePprof()
 	}

-	return serveInstalled(ctx, cli)
+	return serveInstalled(ctx)
 }

 func setPort(port string) error {
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@ -15,7 +15,6 @@ import (
 	"forgejo.org/modules/graceful"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/process"
-	"forgejo.org/modules/proxy"
 	"forgejo.org/modules/setting"

 	"github.com/caddyserver/certmagic"
@ -55,8 +54,8 @@ func runACME(listenAddr string, m http.Handler) error {
 		altTLSALPNPort = p
 	}

-	certmagic.Default.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
-
+	magic := certmagic.NewDefault()
+	magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
 	// Try to use private CA root if provided, otherwise defaults to system's trust
 	var certPool *x509.CertPool
 	if setting.AcmeCARoot != "" {
@ -66,8 +65,7 @@ func runACME(listenAddr string, m http.Handler) error {
 			log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
 		}
 	}
-
-	certmagic.DefaultACME = certmagic.ACMEIssuer{
+	myACME := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
 		CA:                      setting.AcmeURL,
 		TrustedRoots:            certPool,
 		Email:                   setting.AcmeEmail,
@ -77,17 +75,7 @@ func runACME(listenAddr string, m http.Handler) error {
 		ListenHost:              setting.HTTPAddr,
 		AltTLSALPNPort:          altTLSALPNPort,
 		AltHTTPPort:             altHTTPPort,
-		HTTPProxy:               proxy.Proxy(),
-	}
-
-	// Preserve behavior to use Let's encrypt test CA when Let's encrypt is CA.
-	if certmagic.DefaultACME.CA == certmagic.LetsEncryptProductionCA {
-		certmagic.DefaultACME.TestCA = certmagic.LetsEncryptStagingCA
-	}
-
-	magic := certmagic.NewDefault()
-
-	myACME := certmagic.NewACMEIssuer(magic, certmagic.DefaultACME)
+	})

 	magic.Issuers = []certmagic.Issuer{myACME}

--- a/contrib/autocompletion/bash_autocomplete
+++ b/contrib/autocompletion/bash_autocomplete
@ -1,3 +1,4 @@
+#! /bin/bash
 # Heavily inspired by https://github.com/urfave/cli

 _cli_bash_autocomplete() {
@ -6,9 +7,9 @@ _cli_bash_autocomplete() {
    COMPREPLY=()
    cur="${COMP_WORDS[COMP_CWORD]}"
    if [[ "$cur" == "-"* ]]; then
-      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} ${cur} --generate-shell-completion )
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} ${cur} --generate-bash-completion )
    else
-      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-shell-completion )
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
    fi
    COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
    return 0
--- a/contrib/autocompletion/zsh_autocomplete
+++ b/contrib/autocompletion/zsh_autocomplete
@ -9,9 +9,9 @@ _cli_zsh_autocomplete() {
  local cur
  cur=${words[-1]}
  if [[ "$cur" == "-"* ]]; then
-    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-shell-completion)}")
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}")
  else
-    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-shell-completion)}")
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}")
  fi

  if [[ "${opts[1]}" != "" ]]; then
--- a/contrib/backport/README
+++ b/contrib/backport/README
@ -0,0 +1,41 @@
+`backport`
+==========
+
+`backport` is a command to help create backports of PRs. It backports a
+provided PR from main on to a released version.
+
+It will create a backport branch, cherry-pick the PR's merge commit, adjust
+the commit message and then push this back up to your fork's remote.
+
+The default version will read from `docs/config.yml`. You can override this
+using the option `--version`.
+
+The upstream branches will be fetched, using the remote `origin`. This can
+be overridden using `--upstream`, and fetching can be avoided using
+`--no-fetch`.
+
+By default the branch created will be called `backport-$PR-$VERSION`. You
+can override this using the option `--backport-branch`. This branch will
+be created from `--release-branch` which is `release/$(VERSION)`
+by default and will be pulled from `$(UPSTREAM)`.
+
+The merge-commit as determined by the github API will be used as the SHA to
+cherry-pick. You can override this using `--cherry-pick`.
+
+The commit message will be amended to add the `Backport` header.
+`--no-amend-message` can be set to stop this from happening.
+
+If cherry-pick is successful the backported branch will be pushed up to your
+fork using your remote. These will be determined using `git remote -v`. You
+can set your fork name using `--fork-user` and your remote name using
+`--remote`. You can avoid pushing using `--no-push`.
+
+If the push is successful, `xdg-open` will be called to open a backport url.
+You can stop this using `--no-xdg-open`.
+
+Installation
+============
+
+```bash
+go install contrib/backport/backport.go
+```
--- a/contrib/backport/backport.go
+++ b/contrib/backport/backport.go
@ -0,0 +1,474 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//nolint:forbidigo
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/google/go-github/v64/github"
+	"github.com/urfave/cli/v2"
+	"gopkg.in/yaml.v3"
+)
+
+const defaultVersion = "v1.18" // to backport to
+
+func main() {
+	app := cli.NewApp()
+	app.Name = "backport"
+	app.Usage = "Backport provided PR-number on to the current or previous released version"
+	app.Description = `Backport will look-up the PR in Gitea's git log and attempt to cherry-pick it on the current version`
+	app.ArgsUsage = "<PR-to-backport>"
+
+	app.Flags = []cli.Flag{
+		&cli.StringFlag{
+			Name:  "version",
+			Usage: "Version branch to backport on to",
+		},
+		&cli.StringFlag{
+			Name:  "upstream",
+			Value: "origin",
+			Usage: "Upstream remote for the Gitea upstream",
+		},
+		&cli.StringFlag{
+			Name:  "release-branch",
+			Value: "",
+			Usage: "Release branch to backport on. Will default to release/<version>",
+		},
+		&cli.StringFlag{
+			Name:  "cherry-pick",
+			Usage: "SHA to cherry-pick as backport",
+		},
+		&cli.StringFlag{
+			Name:  "backport-branch",
+			Usage: "Backport branch to backport on to (default: backport-<pr>-<version>",
+		},
+		&cli.StringFlag{
+			Name:  "remote",
+			Value: "",
+			Usage: "Remote for your fork of the Gitea upstream",
+		},
+		&cli.StringFlag{
+			Name:  "fork-user",
+			Value: "",
+			Usage: "Forked user name on Github",
+		},
+		&cli.BoolFlag{
+			Name:  "no-fetch",
+			Usage: "Set this flag to prevent fetch of remote branches",
+		},
+		&cli.BoolFlag{
+			Name:  "no-amend-message",
+			Usage: "Set this flag to prevent automatic amendment of the commit message",
+		},
+		&cli.BoolFlag{
+			Name:  "no-push",
+			Usage: "Set this flag to prevent pushing the backport up to your fork",
+		},
+		&cli.BoolFlag{
+			Name:  "no-xdg-open",
+			Usage: "Set this flag to not use xdg-open to open the PR URL",
+		},
+		&cli.BoolFlag{
+			Name:  "continue",
+			Usage: "Set this flag to continue from a git cherry-pick that has broken",
+		},
+	}
+	cli.AppHelpTemplate = `NAME:
+	{{.Name}} - {{.Usage}}
+USAGE:
+	{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}
+	{{if len .Authors}}
+AUTHOR:
+	{{range .Authors}}{{ . }}{{end}}
+	{{end}}{{if .Commands}}
+OPTIONS:
+	{{range .VisibleFlags}}{{.}}
+	{{end}}{{end}}
+`
+
+	app.Action = runBackport
+
+	if err := app.Run(os.Args); err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to backport: %v\n", err)
+	}
+}
+
+func runBackport(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	continuing := c.Bool("continue")
+
+	var pr string
+
+	version := c.String("version")
+	if version == "" && continuing {
+		// determine version from current branch name
+		var err error
+		pr, version, err = readCurrentBranch(ctx)
+		if err != nil {
+			return err
+		}
+	}
+	if version == "" {
+		version = readVersion()
+	}
+	if version == "" {
+		version = defaultVersion
+	}
+
+	upstream := c.String("upstream")
+	if upstream == "" {
+		upstream = "origin"
+	}
+
+	forkUser := c.String("fork-user")
+	remote := c.String("remote")
+	if remote == "" && !c.Bool("--no-push") {
+		var err error
+		remote, forkUser, err = determineRemote(ctx, forkUser)
+		if err != nil {
+			return err
+		}
+	}
+
+	upstreamReleaseBranch := c.String("release-branch")
+	if upstreamReleaseBranch == "" {
+		upstreamReleaseBranch = path.Join("release", version)
+	}
+
+	localReleaseBranch := path.Join(upstream, upstreamReleaseBranch)
+
+	args := c.Args().Slice()
+	if len(args) == 0 && pr == "" {
+		return fmt.Errorf("no PR number provided\nProvide a PR number to backport")
+	} else if len(args) != 1 && pr == "" {
+		return fmt.Errorf("multiple PRs provided %v\nOnly a single PR can be backported at a time", args)
+	}
+	if pr == "" {
+		pr = args[0]
+	}
+
+	backportBranch := c.String("backport-branch")
+	if backportBranch == "" {
+		backportBranch = "backport-" + pr + "-" + version
+	}
+
+	fmt.Printf("* Backporting %s to %s as %s\n", pr, localReleaseBranch, backportBranch)
+
+	sha := c.String("cherry-pick")
+	if sha == "" {
+		var err error
+		sha, err = determineSHAforPR(ctx, pr)
+		if err != nil {
+			return err
+		}
+	}
+	if sha == "" {
+		return fmt.Errorf("unable to determine sha for cherry-pick of %s", pr)
+	}
+
+	if !c.Bool("no-fetch") {
+		if err := fetchRemoteAndMain(ctx, upstream, upstreamReleaseBranch); err != nil {
+			return err
+		}
+	}
+
+	if !continuing {
+		if err := checkoutBackportBranch(ctx, backportBranch, localReleaseBranch); err != nil {
+			return err
+		}
+	}
+
+	if err := cherrypick(ctx, sha); err != nil {
+		return err
+	}
+
+	if !c.Bool("no-amend-message") {
+		if err := amendCommit(ctx, pr); err != nil {
+			return err
+		}
+	}
+
+	if !c.Bool("no-push") {
+		url := "https://github.com/go-gitea/gitea/compare/" + upstreamReleaseBranch + "..." + forkUser + ":" + backportBranch
+
+		if err := gitPushUp(ctx, remote, backportBranch); err != nil {
+			return err
+		}
+
+		if !c.Bool("no-xdg-open") {
+			if err := xdgOpen(ctx, url); err != nil {
+				return err
+			}
+		} else {
+			fmt.Printf("* Navigate to %s to open PR\n", url)
+		}
+	}
+	return nil
+}
+
+func xdgOpen(ctx context.Context, url string) error {
+	fmt.Printf("* `xdg-open %s`\n", url)
+	out, err := exec.CommandContext(ctx, "xdg-open", url).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to xdg-open to %s: %w", url, err)
+	}
+	return nil
+}
+
+func gitPushUp(ctx context.Context, remote, backportBranch string) error {
+	fmt.Printf("* `git push -u %s %s`\n", remote, backportBranch)
+	out, err := exec.CommandContext(ctx, "git", "push", "-u", remote, backportBranch).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to push up to %s: %w", remote, err)
+	}
+	return nil
+}
+
+func amendCommit(ctx context.Context, pr string) error {
+	fmt.Printf("* Amending commit to prepend `Backport #%s` to body\n", pr)
+	out, err := exec.CommandContext(ctx, "git", "log", "-1", "--pretty=format:%B").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to get last log message: %w", err)
+	}
+
+	parts := strings.SplitN(string(out), "\n", 2)
+
+	if len(parts) != 2 {
+		return fmt.Errorf("unable to interpret log message:\n%s", string(out))
+	}
+	subject, body := parts[0], parts[1]
+	if !strings.HasSuffix(subject, " (#"+pr+")") {
+		subject = subject + " (#" + pr + ")"
+	}
+
+	out, err = exec.CommandContext(ctx, "git", "commit", "--amend", "-m", subject+"\n\nBackport #"+pr+"\n"+body).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to amend last log message: %w", err)
+	}
+	return nil
+}
+
+func cherrypick(ctx context.Context, sha string) error {
+	// Check if a CHERRY_PICK_HEAD exists
+	if _, err := os.Stat(".git/CHERRY_PICK_HEAD"); err == nil {
+		// Assume that we are in the middle of cherry-pick - continue it
+		fmt.Println("* Attempting git cherry-pick --continue")
+		out, err := exec.CommandContext(ctx, "git", "cherry-pick", "--continue").Output()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "git cherry-pick --continue failed:\n%s\n", string(out))
+			return fmt.Errorf("unable to continue cherry-pick: %w", err)
+		}
+		return nil
+	}
+
+	fmt.Printf("* Attempting git cherry-pick %s\n", sha)
+	out, err := exec.CommandContext(ctx, "git", "cherry-pick", sha).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "git cherry-pick %s failed:\n%s\n", sha, string(out))
+		return fmt.Errorf("git cherry-pick %s failed: %w", sha, err)
+	}
+	return nil
+}
+
+func checkoutBackportBranch(ctx context.Context, backportBranch, releaseBranch string) error {
+	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
+	if err != nil {
+		return fmt.Errorf("unable to check current branch %w", err)
+	}
+
+	currentBranch := strings.TrimSpace(string(out))
+	fmt.Printf("* Current branch is %s\n", currentBranch)
+	if currentBranch == backportBranch {
+		fmt.Printf("* Current branch is %s - not checking out\n", currentBranch)
+		return nil
+	}
+
+	if _, err := exec.CommandContext(ctx, "git", "rev-list", "-1", backportBranch).Output(); err == nil {
+		fmt.Printf("* Branch %s already exists. Checking it out...\n", backportBranch)
+		return exec.CommandContext(ctx, "git", "checkout", "-f", backportBranch).Run()
+	}
+
+	fmt.Printf("* `git checkout -b %s %s`\n", backportBranch, releaseBranch)
+	return exec.CommandContext(ctx, "git", "checkout", "-b", backportBranch, releaseBranch).Run()
+}
+
+func fetchRemoteAndMain(ctx context.Context, remote, releaseBranch string) error {
+	fmt.Printf("* `git fetch %s main`\n", remote)
+	out, err := exec.CommandContext(ctx, "git", "fetch", remote, "main").Output()
+	if err != nil {
+		fmt.Println(string(out))
+		return fmt.Errorf("unable to fetch %s from %s: %w", "main", remote, err)
+	}
+	fmt.Println(string(out))
+
+	fmt.Printf("* `git fetch %s %s`\n", remote, releaseBranch)
+	out, err = exec.CommandContext(ctx, "git", "fetch", remote, releaseBranch).Output()
+	if err != nil {
+		fmt.Println(string(out))
+		return fmt.Errorf("unable to fetch %s from %s: %w", releaseBranch, remote, err)
+	}
+	fmt.Println(string(out))
+
+	return nil
+}
+
+func determineRemote(ctx context.Context, forkUser string) (string, string, error) {
+	out, err := exec.CommandContext(ctx, "git", "remote", "-v").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to list git remotes:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to determine forked remote: %w", err)
+	}
+	lines := strings.Split(string(out), "\n")
+	for _, line := range lines {
+		fields := strings.Split(line, "\t")
+		name, remote := fields[0], fields[1]
+		// only look at pushers
+		if !strings.HasSuffix(remote, " (push)") {
+			continue
+		}
+		// only look at github.com pushes
+		if !strings.Contains(remote, "github.com") {
+			continue
+		}
+		// ignore go-gitea/gitea
+		if strings.Contains(remote, "go-gitea/gitea") {
+			continue
+		}
+		if !strings.Contains(remote, forkUser) {
+			continue
+		}
+		if strings.HasPrefix(remote, "git@github.com:") {
+			forkUser = strings.TrimPrefix(remote, "git@github.com:")
+		} else if strings.HasPrefix(remote, "https://github.com/") {
+			forkUser = strings.TrimPrefix(remote, "https://github.com/")
+		} else if strings.HasPrefix(remote, "https://www.github.com/") {
+			forkUser = strings.TrimPrefix(remote, "https://www.github.com/")
+		} else if forkUser == "" {
+			return "", "", fmt.Errorf("unable to extract forkUser from remote %s: %s", name, remote)
+		}
+		idx := strings.Index(forkUser, "/")
+		if idx >= 0 {
+			forkUser = forkUser[:idx]
+		}
+		return name, forkUser, nil
+	}
+	return "", "", fmt.Errorf("unable to find appropriate remote in:\n%s", string(out))
+}
+
+func readCurrentBranch(ctx context.Context) (pr, version string, err error) {
+	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to read current git branch:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to read current git branch: %w", err)
+	}
+	parts := strings.Split(strings.TrimSpace(string(out)), "-")
+
+	if len(parts) != 3 || parts[0] != "backport" {
+		fmt.Fprintf(os.Stderr, "Unable to continue from git branch:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to continue from git branch:\n%s", string(out))
+	}
+
+	return parts[1], parts[2], nil
+}
+
+func readVersion() string {
+	bs, err := os.ReadFile("docs/config.yaml")
+	if err != nil {
+		if err == os.ErrNotExist {
+			log.Println("`docs/config.yaml` not present")
+			return ""
+		}
+		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
+		return ""
+	}
+
+	type params struct {
+		Version string
+	}
+	type docConfig struct {
+		Params params
+	}
+	dc := &docConfig{}
+	if err := yaml.Unmarshal(bs, dc); err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
+		return ""
+	}
+
+	if dc.Params.Version == "" {
+		fmt.Fprintf(os.Stderr, "No version in `docs/config.yaml`")
+		return ""
+	}
+
+	version := dc.Params.Version
+	if version[0] != 'v' {
+		version = "v" + version
+	}
+
+	split := strings.SplitN(version, ".", 3)
+
+	return strings.Join(split[:2], ".")
+}
+
+func determineSHAforPR(ctx context.Context, prStr string) (string, error) {
+	prNum, err := strconv.Atoi(prStr)
+	if err != nil {
+		return "", err
+	}
+
+	client := github.NewClient(http.DefaultClient)
+
+	pr, _, err := client.PullRequests.Get(ctx, "go-gitea", "gitea", prNum)
+	if err != nil {
+		return "", err
+	}
+
+	if pr.Merged == nil || !*pr.Merged {
+		return "", fmt.Errorf("PR #%d is not yet merged - cannot determine sha to backport", prNum)
+	}
+
+	if pr.MergeCommitSHA != nil {
+		return *pr.MergeCommitSHA, nil
+	}
+
+	return "", nil
+}
+
+func installSignals() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
+}
--- a/contrib/coverage-helper.sh
+++ b/contrib/coverage-helper.sh
@ -1,50 +0,0 @@
-#!/bin/bash
-
-set -e
-#set -x
-PS4='${BASH_SOURCE[0]}:$LINENO: ${FUNCNAME[0]}:  '
-
-#
-# Those must be explicitly required and are excluded from the full list of packages because they
-# would interfere with the testing fixtures.
-#
-excluded+='forgejo.org/models/migrations|'                # must be run before database specific tests
-excluded+='forgejo.org/models/forgejo_migrations|'        # must be run before database specific tests
-excluded+='forgejo.org/tests/integration/migration-test|' # must be run before database specific tests
-excluded+='forgejo.org/tests|'                            # only tests, no coverage to get there
-excluded+='forgejo.org/tests/e2e|'                        # JavaScript is not in scope here and if it adds coverage it should not be counted
-excluded+='FAKETERMINATOR'                                # do not modify
-
-: ${COVERAGEDIR:=$(pwd)/coverage/data}
-: ${GO:=$(go env GOROOT)/bin/go}
-
-DEFAULT_TEST_PACKAGES=$($GO list ./... | grep -E -v "$excluded")
-
-COVERED_PACKAGES=$($GO list ./...)
-COVERED_PACKAGES=$(echo $COVERED_PACKAGES | sed -e 's/ /,/g')
-
-function run_test() {
-  local package="$1"
-  if echo "$package" | grep --quiet --fixed-string ".."; then
-    echo "$package contains a suspicious .."
-    return 1
-  fi
-
-  local coverage="$COVERAGEDIR/$COVERAGE_TEST_DATABASE/$package"
-  rm -fr $coverage
-  mkdir -p $coverage
-
-  #
-  # -race cannot be used because it requires -covermode atomic which is
-  # different from the end-to-end tests and would cause issues wen merging
-  #
-  $GO test -timeout=20m -tags='sqlite sqlite_unlock_notify' -cover $package -coverpkg $COVERED_PACKAGES $COVERAGE_TEST_ARGS -args -test.gocoverdir=$coverage |& grep -v 'warning: no packages being tested depend on matches for pattern'
-}
-
-function test_packages() {
-  for package in ${@:-$DEFAULT_TEST_PACKAGES}; do
-    run_test $package
-  done
-}
-
-"$@"
--- a/contrib/environment-to-ini/README
+++ b/contrib/environment-to-ini/README
@ -1,46 +1,45 @@
 Environment To Ini
 ==================

-This tool allows defining Forgejo's entire configuration via environment
-variables, mostly geared towards usage in Docker.
+Multiple docker users have requested that the Gitea docker is changed
+to permit arbitrary configuration via environment variables.

-Forgejo needs to use an INI file for configuration because the running
-environment that starts the container may not be the same as the one used
-by the hooks. An INI file also gives a good default and means that
-users do not have to provide the entire set of environment variables.
+Gitea needs to use an ini file for configuration because the running
+environment that starts the docker may not be the same as that used
+by the hooks. An ini file also gives a good default and means that
+users do not have to completely provide a full environment.

 With those caveats above, this command provides a generic way of
 converting suitably structured environment variables into any ini
 value.

-When run, `environment-to-ini` will write the config files based on the
-environment variables provided.
-Check with the `-h` flag for several options to alter this behaviour.
+To use the command is very simple just run it and the default gitea
+app.ini will be rewritten to take account of the variables provided,
+however there are various options to give slightly different
+behavior and these can be interrogated with the `-h` option.

-Environment variables of the form "FORGEJO__SECTION_NAME__KEY_NAME"
-will be mapped to the ini section "[section_name]" and the key
-"KEY_NAME" with the value as provided.
+The environment variables should be of the form:

-Environment variables of the form "FORGEJO__SECTION_NAME__KEY_NAME__FILE"
-will be mapped to the ini section "[section_name]" and the key
-"KEY_NAME" with the value loaded from the specified file.
+	GITEA__SECTION_NAME__KEY_NAME
+
+Note, SECTION_NAME in the notation above is case-insensitive.

 Environment variables are usually restricted to a reduced character
 set "0-9A-Z_" - in order to allow the setting of sections with
 characters outside of that set, they should be escaped as following:
-"_0X2E_" for ".". The entire section and key names can be escaped as
-a UTF8 byte string if necessary. E.g. to configure:
+"_0X2E_" for "." and "_0X2D_" for "-". The entire section and key names 
+can be escaped as a UTF8 byte string if necessary. E.g. to configure:

-  """
-  ...
-  [log.console]
-  COLORIZE=false
-  STDERR=true
-  ...
-  """
+	"""
+	...
+	[log.console]
+	COLORIZE=false
+	STDERR=true
+	...
+	"""

-You would set the environment variables: "FORGEJO__LOG_0x2E_CONSOLE__COLORIZE=false"
-and "FORGEJO__LOG_0x2E_CONSOLE__STDERR=false". Other examples can be found
+You would set the environment variables: "GITEA__LOG_0x2E_CONSOLE__COLORIZE=false"
+and "GITEA__LOG_0x2E_CONSOLE__STDERR=false". Other examples can be found
 on the configuration cheat sheet.

 To build locally, run:
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@ -4,17 +4,16 @@
 package main

 import (
-	"context"
 	"os"

 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"

-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli/v2"
 )

 func main() {
-	app := cli.Command{}
+	app := cli.NewApp()
 	app.Name = "environment-to-ini"
 	app.Usage = "Use provided environment to update configuration ini"
 	app.Description = `As a helper to allow docker users to update the forgejo configuration
@ -73,13 +72,13 @@ func main() {
 		},
 	}
 	app.Action = runEnvironmentToIni
-	err := app.Run(context.Background(), os.Args)
+	err := app.Run(os.Args)
 	if err != nil {
 		log.Fatal("Failed to run app with %s: %v", os.Args, err)
 	}
 }

-func runEnvironmentToIni(ctx context.Context, c *cli.Command) error {
+func runEnvironmentToIni(c *cli.Context) error {
 	// the config system may change the environment variables, so get a copy first, to be used later
 	env := append([]string{}, os.Environ()...)
 	setting.InitWorkPathAndCfgProvider(os.Getenv, setting.ArgWorkPathAndCustomConf{
--- a/contrib/gitea-monitoring-mixin/dashboards/overview.libsonnet
+++ b/contrib/gitea-monitoring-mixin/dashboards/overview.libsonnet
@ -408,7 +408,7 @@ local addIssueLabelsOverrides(labels) =
          regex: '',
          type: 'query',
          multi: true,
-          allValue: '.+',
+          allValue: '.+'
        },
      )
      .addTemplate(
@ -423,7 +423,7 @@ local addIssueLabelsOverrides(labels) =
          regex: '',
          type: 'query',
          multi: true,
-          allValue: '.+',
+          allValue: '.+'
        },
      )
      .addTemplate(
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -183,7 +183,7 @@ RUN_USER = ; git
 ;;
 ;; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections,
 ;; for system SSH this setting has no effect
-;SSH_SERVER_KEY_EXCHANGES = mlkem768x25519-sha256, curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+;SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 ;;
 ;; For the built-in SSH server, choose the MACs to support for SSH connections,
 ;; for system SSH this setting has no effect
@ -449,9 +449,6 @@ INTERNAL_TOKEN =
 ;; How long to remember that a user is logged in before requiring relogin (in days)
 ;LOGIN_REMEMBER_DAYS = 31
 ;;
-;; Require 2FA globally for none|all|admin.
-;GLOBAL_TWO_FACTOR_REQUIREMENT = none
-;;
 ;; Name of cookie used to store authentication information.
 ;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
@ -595,10 +592,13 @@ LEVEL = Info
 ;BUFFER_LEN = 10000
 ;;
 ;; Sub logger modes, a single comma means use default MODE above, empty means disable it
-;LOGGER_ACCESS_MODE=
-;LOGGER_ROUTER_MODE=,
-;LOGGER_XORM_MODE=,
-;LOGGER_SSH_MODE= ;; SSH logs from ssh git request
+;logger.access.MODE=
+;logger.router.MODE=,
+;logger.xorm.MODE=,
+;;
+;; Collect SSH logs (Creates log from ssh git request)
+;;
+;ENABLE_SSH_LOG = false
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -631,7 +631,6 @@ LEVEL = Info
 ;LEVEL=
 ;FLAGS = stdflags or journald
 ;EXPRESSION =
-;EXCLUSION =
 ;PREFIX =
 ;COLORIZE = false
 ;;
@ -1026,10 +1025,6 @@ LEVEL = Info
 ;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
 ;DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls
 ;;
-;; Comma separated list of default mirror repo units.
-;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
-;DEFAULT_MIRROR_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.wiki,repo.projects,repo.packages
-;;
 ;; Prefix archive files by placing them in a directory named after the repository
 ;PREFIX_ARCHIVE_FILES = true
 ;;
@ -1136,6 +1131,9 @@ LEVEL = Info
 ;; Add co-authored-by and co-committed-by trailers if committer does not match author
 ;ADD_CO_COMMITTER_TRAILERS = true
 ;;
+;; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply
+;TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false
+;;
 ;; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo.
 ;RETARGET_CHILDREN_ON_MERGE = true

@ -1165,13 +1163,9 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; Signing format that Forgejo should use, openpgp uses GPG and ssh uses OpenSSH.
-;FORMAT = openpgp
-;;
 ;; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
 ;; run in the context of the RUN_USER
-;; Switch to none to stop signing completely.
-;; If `FORMAT` is set to **ssh** this should be set to an absolute path to an public OpenSSH key.
+;; Switch to none to stop signing completely
 ;SIGNING_KEY = default
 ;;
 ;; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer.
@ -1577,20 +1571,6 @@ LEVEL = Info
 ;; - manage_gpg_keys: a user cannot configure gpg keys
 ;;EXTERNAL_USER_DISABLE_FEATURES =

-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[moderation]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; When true enables moderation capabilities; default is false.
-;; If enabled it will be possible for users to report abusive content (new actions are added in the UI and /report_abuse route will be enabled) and a new Moderation section will be added to Admin settings where the reports can be reviewed.
-;ENABLED = false
-
-;; How long to keep resolved abuse reports for.
-;; Applies to reports that have been marked as ignored or handled
-;; Can be 1 hour, 7 days etc
-;KEEP_RESOLVED_REPORTS_FOR = 0
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[openid]
@ -1773,9 +1753,6 @@ LEVEL = Info
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;;
-;; Alternative location to specify mailer password. You cannot specify both this and PASSWD, and must pick one
-;PASSWD_URI = file:/etc/forgejo/mailer_passwd
-;;
 ;; Send mails only in plain text, without HTML alternative
 ;SEND_AS_PLAIN_TEXT = false
 ;;
@ -1828,9 +1805,6 @@ LEVEL = Info
 ;; Password of the receiving account
 ;PASSWORD =
 ;;
-;; Alternative location to specify password of the receiving account. You cannot specify both this and PASSWORD, and must pick one
-;PASSWORD_URI = file:/etc/forgejo/email_incoming_password
-;;
 ;; Whether the IMAP server uses TLS.
 ;USE_TLS = false
 ;;
@ -2466,7 +2440,7 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Set the maximum number of characters in a mermaid source. (Set to -1 to disable limits)
-;MERMAID_MAX_SOURCE_CHARACTERS = 50000
+;MERMAID_MAX_SOURCE_CHARACTERS = 5000
 ;; Set the maximum number of lines allowed for a filepreview. (Set to -1 to disable limits; set to 0 to disable the feature)
 ;FILEPREVIEW_MAX_LINES = 50

--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@ -31,21 +31,6 @@ if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
 fi

-# In case someone wants to sign the `{keyname}.pub` key by `ssh-keygen -s ca -I identity ...` to
-# make use of the ssh-key certificate authority feature (see ssh-keygen CERTIFICATES section),
-# the generated key file name is `{keyname}-cert.pub`
-if [ -e /data/ssh/ssh_host_ed25519_key-cert.pub ]; then
-  SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_key-cert.pub"}
-fi
-
-if [ -e /data/ssh/ssh_host_rsa_key-cert.pub ]; then
-  SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_key-cert.pub"}
-fi
-
-if [ -e /data/ssh/ssh_host_ecdsa_key-cert.pub ]; then
-  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_key-cert.pub"}
-fi
-
 if [ -d /etc/ssh ]; then
    SSH_PORT=${SSH_PORT:-"22"} \
    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -1,5 +1,5 @@
 import eslintCommunityEslintPluginEslintComments from '@eslint-community/eslint-plugin-eslint-comments';
-import stylisticEslintPlugin from '@stylistic/eslint-plugin';
+import stylisticEslintPluginJs from '@stylistic/eslint-plugin-js';
 import vitest from '@vitest/eslint-plugin';
 import arrayFunc from 'eslint-plugin-array-func';
 import eslintPluginImportX from 'eslint-plugin-import-x';
@ -26,7 +26,7 @@ export default tseslint.config(
  {
    plugins: {
      '@eslint-community/eslint-comments': eslintCommunityEslintPluginEslintComments,
-      '@stylistic': stylisticEslintPlugin,
+      '@stylistic/js': stylisticEslintPluginJs,
      '@vitest': vitest,
      'array-func': arrayFunc,
      'no-jquery': noJquery,
@ -69,62 +69,62 @@ export default tseslint.config(
      '@eslint-community/eslint-comments/no-unused-enable': [2],
      '@eslint-community/eslint-comments/no-use': [0],
      '@eslint-community/eslint-comments/require-description': [0],
-      '@stylistic/array-bracket-newline': [0],
-      '@stylistic/array-bracket-spacing': [2, 'never'],
-      '@stylistic/array-element-newline': [0],
-      '@stylistic/arrow-parens': [2, 'always'],
+      '@stylistic/js/array-bracket-newline': [0],
+      '@stylistic/js/array-bracket-spacing': [2, 'never'],
+      '@stylistic/js/array-element-newline': [0],
+      '@stylistic/js/arrow-parens': [2, 'always'],

-      '@stylistic/arrow-spacing': [2, {
+      '@stylistic/js/arrow-spacing': [2, {
        before: true,
        after: true,
      }],

-      '@stylistic/block-spacing': [0],
+      '@stylistic/js/block-spacing': [0],

-      '@stylistic/brace-style': [2, '1tbs', {
+      '@stylistic/js/brace-style': [2, '1tbs', {
        allowSingleLine: true,
      }],

-      '@stylistic/comma-dangle': [2, 'always-multiline'],
+      '@stylistic/js/comma-dangle': [2, 'always-multiline'],

-      '@stylistic/comma-spacing': [2, {
+      '@stylistic/js/comma-spacing': [2, {
        before: false,
        after: true,
      }],

-      '@stylistic/comma-style': [2, 'last'],
-      '@stylistic/computed-property-spacing': [2, 'never'],
-      '@stylistic/dot-location': [2, 'property'],
-      '@stylistic/eol-last': [2],
-      '@stylistic/function-call-spacing': [2, 'never'],
-      '@stylistic/function-call-argument-newline': [0],
-      '@stylistic/function-paren-newline': [0],
-      '@stylistic/generator-star-spacing': [0],
-      '@stylistic/implicit-arrow-linebreak': [0],
+      '@stylistic/js/comma-style': [2, 'last'],
+      '@stylistic/js/computed-property-spacing': [2, 'never'],
+      '@stylistic/js/dot-location': [2, 'property'],
+      '@stylistic/js/eol-last': [2],
+      '@stylistic/js/function-call-spacing': [2, 'never'],
+      '@stylistic/js/function-call-argument-newline': [0],
+      '@stylistic/js/function-paren-newline': [0],
+      '@stylistic/js/generator-star-spacing': [0],
+      '@stylistic/js/implicit-arrow-linebreak': [0],

-      '@stylistic/indent': [2, 2, {
+      '@stylistic/js/indent': [2, 2, {
        ignoreComments: true,
        SwitchCase: 1,
      }],

-      '@stylistic/key-spacing': [2],
-      '@stylistic/keyword-spacing': [2],
-      '@stylistic/linebreak-style': [2, 'unix'],
-      '@stylistic/lines-around-comment': [0],
-      '@stylistic/lines-between-class-members': [0],
-      '@stylistic/max-len': [0],
-      '@stylistic/max-statements-per-line': [0],
-      '@stylistic/multiline-ternary': [0],
-      '@stylistic/new-parens': [2],
-      '@stylistic/newline-per-chained-call': [0],
-      '@stylistic/no-confusing-arrow': [0],
-      '@stylistic/no-extra-parens': [0],
-      '@stylistic/no-extra-semi': [2],
-      '@stylistic/no-floating-decimal': [0],
-      '@stylistic/no-mixed-operators': [0],
-      '@stylistic/no-mixed-spaces-and-tabs': [2],
+      '@stylistic/js/key-spacing': [2],
+      '@stylistic/js/keyword-spacing': [2],
+      '@stylistic/js/linebreak-style': [2, 'unix'],
+      '@stylistic/js/lines-around-comment': [0],
+      '@stylistic/js/lines-between-class-members': [0],
+      '@stylistic/js/max-len': [0],
+      '@stylistic/js/max-statements-per-line': [0],
+      '@stylistic/js/multiline-ternary': [0],
+      '@stylistic/js/new-parens': [2],
+      '@stylistic/js/newline-per-chained-call': [0],
+      '@stylistic/js/no-confusing-arrow': [0],
+      '@stylistic/js/no-extra-parens': [0],
+      '@stylistic/js/no-extra-semi': [2],
+      '@stylistic/js/no-floating-decimal': [0],
+      '@stylistic/js/no-mixed-operators': [0],
+      '@stylistic/js/no-mixed-spaces-and-tabs': [2],

-      '@stylistic/no-multi-spaces': [2, {
+      '@stylistic/js/no-multi-spaces': [2, {
        ignoreEOLComments: true,

        exceptions: {
@ -132,60 +132,60 @@ export default tseslint.config(
        },
      }],

-      '@stylistic/no-multiple-empty-lines': [2, {
+      '@stylistic/js/no-multiple-empty-lines': [2, {
        max: 1,
        maxEOF: 0,
        maxBOF: 0,
      }],

-      '@stylistic/no-tabs': [2],
-      '@stylistic/no-trailing-spaces': [2],
-      '@stylistic/no-whitespace-before-property': [2],
-      '@stylistic/nonblock-statement-body-position': [2],
-      '@stylistic/object-curly-newline': [0],
-      '@stylistic/object-curly-spacing': [2, 'never'],
-      '@stylistic/object-property-newline': [0],
-      '@stylistic/one-var-declaration-per-line': [0],
-      '@stylistic/operator-linebreak': [2, 'after'],
-      '@stylistic/padded-blocks': [2, 'never'],
-      '@stylistic/padding-line-between-statements': [0],
-      '@stylistic/quote-props': [0],
+      '@stylistic/js/no-tabs': [2],
+      '@stylistic/js/no-trailing-spaces': [2],
+      '@stylistic/js/no-whitespace-before-property': [2],
+      '@stylistic/js/nonblock-statement-body-position': [2],
+      '@stylistic/js/object-curly-newline': [0],
+      '@stylistic/js/object-curly-spacing': [2, 'never'],
+      '@stylistic/js/object-property-newline': [0],
+      '@stylistic/js/one-var-declaration-per-line': [0],
+      '@stylistic/js/operator-linebreak': [2, 'after'],
+      '@stylistic/js/padded-blocks': [2, 'never'],
+      '@stylistic/js/padding-line-between-statements': [0],
+      '@stylistic/js/quote-props': [0],

-      '@stylistic/quotes': [2, 'single', {
+      '@stylistic/js/quotes': [2, 'single', {
        avoidEscape: true,
-        allowTemplateLiterals: 'always',
+        allowTemplateLiterals: true,
      }],

-      '@stylistic/rest-spread-spacing': [2, 'never'],
+      '@stylistic/js/rest-spread-spacing': [2, 'never'],

-      '@stylistic/semi': [2, 'always', {
+      '@stylistic/js/semi': [2, 'always', {
        omitLastInOneLineBlock: true,
      }],

-      '@stylistic/semi-spacing': [2, {
+      '@stylistic/js/semi-spacing': [2, {
        before: false,
        after: true,
      }],

-      '@stylistic/semi-style': [2, 'last'],
-      '@stylistic/space-before-blocks': [2, 'always'],
+      '@stylistic/js/semi-style': [2, 'last'],
+      '@stylistic/js/space-before-blocks': [2, 'always'],

-      '@stylistic/space-before-function-paren': [2, {
+      '@stylistic/js/space-before-function-paren': [2, {
        anonymous: 'ignore',
        named: 'never',
        asyncArrow: 'always',
      }],

-      '@stylistic/space-in-parens': [2, 'never'],
-      '@stylistic/space-infix-ops': [2],
-      '@stylistic/space-unary-ops': [2],
-      '@stylistic/spaced-comment': [2, 'always'],
-      '@stylistic/switch-colon-spacing': [2],
-      '@stylistic/template-curly-spacing': [2, 'never'],
-      '@stylistic/template-tag-spacing': [2, 'never'],
-      '@stylistic/wrap-iife': [2, 'inside'],
-      '@stylistic/wrap-regex': [0],
-      '@stylistic/yield-star-spacing': [2, 'after'],
+      '@stylistic/js/space-in-parens': [2, 'never'],
+      '@stylistic/js/space-infix-ops': [2],
+      '@stylistic/js/space-unary-ops': [2],
+      '@stylistic/js/spaced-comment': [2, 'always'],
+      '@stylistic/js/switch-colon-spacing': [2],
+      '@stylistic/js/template-curly-spacing': [2, 'never'],
+      '@stylistic/js/template-tag-spacing': [2, 'never'],
+      '@stylistic/js/wrap-iife': [2, 'inside'],
+      '@stylistic/js/wrap-regex': [0],
+      '@stylistic/js/yield-star-spacing': [2, 'after'],
      'accessor-pairs': [2],

      'array-callback-return': [2, {
@ -318,9 +318,8 @@ export default tseslint.config(
      'no-jquery/no-data': [0],
      'no-jquery/no-deferred': [2],
      'no-jquery/no-delegate': [2],
-      'no-jquery/no-done-fail': [2],
      'no-jquery/no-each-collection': [0],
-      'no-jquery/no-each-util': [2],
+      'no-jquery/no-each-util': [0],
      'no-jquery/no-each': [0],
      'no-jquery/no-error-shorthand': [2],
      'no-jquery/no-error': [2],
@ -332,7 +331,6 @@ export default tseslint.config(
      'no-jquery/no-find-collection': [0],
      'no-jquery/no-find-util': [2],
      'no-jquery/no-find': [0],
-      'no-jquery/no-fx': [2],
      'no-jquery/no-fx-interval': [2],
      'no-jquery/no-global-eval': [2],
      'no-jquery/no-global-selector': [0],
@ -352,7 +350,7 @@ export default tseslint.config(
      'no-jquery/no-live': [2],
      'no-jquery/no-load-shorthand': [2],
      'no-jquery/no-load': [2],
-      'no-jquery/no-map-collection': [2],
+      'no-jquery/no-map-collection': [0],
      'no-jquery/no-map-util': [2],
      'no-jquery/no-map': [2],
      'no-jquery/no-merge': [2],
@ -376,12 +374,12 @@ export default tseslint.config(
      'no-jquery/no-selector-prop': [2],
      'no-jquery/no-serialize': [2],
      'no-jquery/no-size': [2],
-      'no-jquery/no-sizzle': [2],
+      'no-jquery/no-sizzle': [0],
      'no-jquery/no-slide': [2],
      'no-jquery/no-sub': [2],
      'no-jquery/no-support': [2],
      'no-jquery/no-text': [0],
-      'no-jquery/no-trigger': [2],
+      'no-jquery/no-trigger': [0],
      'no-jquery/no-trim': [2],
      'no-jquery/no-type': [2],
      'no-jquery/no-unique': [2],
@ -746,6 +744,7 @@ export default tseslint.config(
      'unicorn/no-array-callback-reference': [0],
      'unicorn/no-array-for-each': [2],
      'unicorn/no-array-method-this-argument': [2],
+      'unicorn/no-array-push-push': [2],
      'unicorn/no-array-reduce': [2],
      'unicorn/no-await-expression-member': [0],
      'unicorn/no-await-in-promise-methods': [2],
@ -758,6 +757,7 @@ export default tseslint.config(
      'unicorn/no-invalid-fetch-options': [2],
      'unicorn/no-invalid-remove-event-listener': [2],
      'unicorn/no-keyword-prefix': [0],
+      'unicorn/no-length-as-slice-end': [2],
      'unicorn/no-lonely-if': [2],
      'unicorn/no-magic-array-flat-depth': [0],
      'unicorn/no-named-default': [2],
@ -774,11 +774,8 @@ export default tseslint.config(
      'unicorn/no-thenable': [2],
      'unicorn/no-this-assignment': [2],
      'unicorn/no-typeof-undefined': [2],
-      'unicorn/no-unnecessary-array-flat-depth': [2],
-      'unicorn/no-unnecessary-array-splice-count': [2],
      'unicorn/no-unnecessary-await': [2],
      'unicorn/no-unnecessary-polyfills': [2],
-      'unicorn/no-unnecessary-slice-end': [2],
      'unicorn/no-unreadable-array-destructuring': [0],
      'unicorn/no-unreadable-iife': [2],
      'unicorn/no-unused-properties': [2],
@ -799,7 +796,6 @@ export default tseslint.config(
      'unicorn/prefer-array-some': [2],
      'unicorn/prefer-at': [0],
      'unicorn/prefer-blob-reading-methods': [2],
-      'unicorn/prefer-classlist-toggle': [2],
      'unicorn/prefer-code-point': [0],
      'unicorn/prefer-date-now': [2],
      'unicorn/prefer-default-parameters': [0],
@ -810,7 +806,6 @@ export default tseslint.config(
      'unicorn/prefer-event-target': [2],
      'unicorn/prefer-export-from': [0],
      'unicorn/prefer-global-this': [0],
-      'unicorn/prefer-import-meta-properties': [2],
      'unicorn/prefer-includes': [2],
      'unicorn/prefer-json-parse-buffer': [0],
      'unicorn/prefer-keyboard-event-key': [2],
@ -833,7 +828,6 @@ export default tseslint.config(
      'unicorn/prefer-regexp-test': [2],
      'unicorn/prefer-set-has': [0],
      'unicorn/prefer-set-size': [2],
-      'unicorn/prefer-single-call': [2],
      'unicorn/prefer-spread': [0],
      'unicorn/prefer-string-raw': [0],
      'unicorn/prefer-string-replace-all': [0],
--- a/flake.lock
+++ b/flake.lock
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1749285348,
-        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+        "lastModified": 1733392399,
+        "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+        "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661",
        "type": "github"
      },
      "original": {
--- a/Show more
+++ b/Show more