fix: loading action logs on a task that isn't fetched yet, fails when the job is fetched (#9293 )

Discovered a regression caused by #9017. Steps to reproduce: - Disable the forgejo-runner that will pick up a workflow - Trigger any workflow to run - Through the Actions list, click on the new workflow that is pending a runner to fetch it - You'll be redirected to /user/repo/actions/runs/73/jobs/0/attempt/0 (attempt = 0) - The UI will appear normal with the job "Waiting"... - Startup the forgejo-runner to pick up the workflow - The UI will begin to have errors: - JavaScript promise rejection: JSON.parse: unexpected keyword at line 1 column 1 of the JSON data. Open browser console to see more details. (5) The cause is that the redirect to `/attempt/0` occurs for a job that hasn't been started, but once the job is started attempt 0 is not a valid attempt and errors will occur when polling for data. This fix corrects the problem by redirecting to the attempt that will be present (attempt 1) when the job is fetched. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9293 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
feat: Add converting mirror repos to normal to the API (#8932 )
2025-09-14 14:57:21 +00:00 · 2025-09-14 14:30:02 +02:00 · 2025-09-14 14:25:05 +02:00 · 2025-09-14 13:22:15 +02:00 · 2025-09-14 08:55:41 +02:00 · 2025-09-14 06:06:25 +02:00
1420 changed files with 40333 additions and 17201 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -13,13 +13,6 @@ forgejo.org/models
 	IsErrSHANotFound
 	IsErrMergeDivergingFastForwardOnly

-forgejo.org/models/activities
-	GetActivityByID
-	NewFederatedUserActivity
-	CreateUserActivity
-	GetFollowingFeeds
-	FederatedUserActivity.loadActor
-
 forgejo.org/models/auth
 	WebAuthnCredentials

@ -27,15 +20,13 @@ forgejo.org/models/db
 	TruncateBeans
 	InTransaction
 	DumpTables
+	GetTableNames

 forgejo.org/models/dbfs
 	file.renameTo
 	Create
 	Rename

-forgejo.org/models/forgefed
-	GetFederationHost
-
 forgejo.org/models/forgejo/semver
 	GetVersion
 	SetVersionString
@ -61,17 +52,10 @@ forgejo.org/models/user
 	IsErrExternalLoginUserAlreadyExist
 	IsErrExternalLoginUserNotExist
 	NewFederatedUser
-	NewFederatedUserFollower
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
 	GetFederatedUser
-	GetFederatedUserByUserID
-	UpdateFederatedUser
-	GetFollowersForUser
-	AddFollower
-	RemoveFollower
-	IsFollowingAp

 forgejo.org/modules/activitypub
 	NewContext
@ -102,24 +86,14 @@ forgejo.org/modules/eventsource
 	Event.String

 forgejo.org/modules/forgefed
-	NewForgeFollowFromAp
 	NewForgeFollow
-	ForgeFollow.MarshalJSON
-	ForgeFollow.UnmarshalJSON
-	ForgeFollow.Validate
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
-	NewForgeUserActivityFromAp
-	NewForgeUserActivity
-	ForgeUserActivity.Validate
 	NewPersonIDFromModel
 	GetItemByType
 	JSONUnmarshalerFn
 	NotEmpty
-	NewForgeUserActivityNoteFromAp
-	newNote
-	ForgeUserActivityNote.Validate
 	ToRepository
 	OnRepository

@ -231,7 +205,6 @@ forgejo.org/modules/util/filebuffer

 forgejo.org/modules/validation
 	IsErrNotValid
-	ValidateIDExists

 forgejo.org/modules/web
 	RouteMock
@ -248,6 +221,9 @@ forgejo.org/routers/web/org
 forgejo.org/services/context
 	GetPrivateContext

+forgejo.org/services/federation
+	FollowRemoteActor
+
 forgejo.org/services/repository
 	IsErrForkAlreadyExist

--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -6,7 +6,7 @@
    "ghcr.io/devcontainers/features/node:1": {
      "version": "22"
    },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.4": {},
+    "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
    "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
  },
  "customizations": {
--- a/.forgejo/issue_template/bug-report-ui.yaml
+++ b/.forgejo/issue_template/bug-report-ui.yaml
@ -23,8 +23,9 @@ body:
      It is running the latest development branch and will confirm the problem is not already fixed.
      If you can reproduce it, provide a URL in the description.
    options:
-    - "Yes"
-    - "No"
+    - "Yes, I've linked the repository below"
+    - "No, I've tried it and the problem is not present there"
+    - "No, I can't try it on the test instance for some reason"
  validations:
    required: true
 - type: textarea
--- a/.forgejo/issue_template/bug-report.yaml
+++ b/.forgejo/issue_template/bug-report.yaml
@ -23,8 +23,9 @@ body:
      It is running the latest development branch and will confirm the problem is not already fixed.
      If you can reproduce it, provide a URL in the description.
    options:
-    - "Yes"
-    - "No"
+    - "Yes, I've linked the repository below"
+    - "No, I've tried it and the problem is not present there"
+    - "No, I can't try it on the test instance for some reason"
  validations:
    required: true
 - type: textarea
--- a/.forgejo/workflows-composite/install-minimum-git-version/action.yaml
+++ b/.forgejo/workflows-composite/install-minimum-git-version/action.yaml
@ -0,0 +1,22 @@
+#
+# Install the minimal version of Git supported by Forgejo
+#
+runs:
+  using: "composite"
+  steps:
+    - name: install git and git-lfs
+      run: |
+        set -x
+
+        export DEBIAN_FRONTEND=noninteractive
+
+        apt-get update -qq
+        apt-get -q install -y -qq curl ca-certificates
+
+        curl -sS -o /tmp/git-man.deb http://archive.ubuntu.com/ubuntu/pool/main/g/git/git-man_2.34.1-1ubuntu1_all.deb
+        curl -sS -o /tmp/git.deb https://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.34.1-1ubuntu1_amd64.deb
+        curl -sS -o /tmp/git-lfs.deb https://archive.ubuntu.com/ubuntu/pool/universe/g/git-lfs/git-lfs_3.0.2-1_amd64.deb
+
+        apt-get -q install --allow-downgrades -y -qq /tmp/git-man.deb
+        apt-get -q install --allow-downgrades -y -qq /tmp/git.deb
+        apt-get -q install --allow-downgrades -y -qq /tmp/git-lfs.deb
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -28,7 +28,7 @@ jobs:
      - uses: https://data.forgejo.org/actions/checkout@v4

      - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v2.0.4
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.3
        with:
          user: root
          password: admin1234
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -164,7 +164,7 @@ jobs:

      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.5
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -183,7 +183,7 @@ jobs:

      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.5
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -201,7 +201,7 @@ jobs:

      - name: end-to-end tests
        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
@ -212,6 +212,7 @@ jobs:
          destination-repo: forgejo/end-to-end
          destination-branch: main
          destination-token: ${{ secrets.CASCADE_DESTINATION_TOKEN }}
+          close: true
          update: .forgejo/cascading-release-end-to-end

      - name: copy to experimental
--- a/.forgejo/workflows/cascade-setup-end-to-end.yml
+++ b/.forgejo/workflows/cascade-setup-end-to-end.yml
@ -41,7 +41,7 @@ jobs:
        with:
          fetch-depth: '0'
          show-progress: 'false'
-      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
@ -53,5 +53,5 @@ jobs:
          destination-repo: forgejo/end-to-end
          destination-branch: main
          destination-token: ${{ secrets.END_TO_END_CASCADING_PR_DESTINATION }}
-          close-merge: true
+          close: true
          update: .forgejo/cascading-pr-end-to-end
--- a/.forgejo/workflows/coverage.yml
+++ b/.forgejo/workflows/coverage.yml
@ -0,0 +1,89 @@
+name: coverage
+
+on:
+  workflow_dispatch:
+    inputs:
+      repository:
+        description: 'repository'
+        type: string
+      ref:
+        description: 'ref'
+        type: string
+      unit-tests-env:
+        description: 'COVERAGE_TEST_PACKAGES=forgejo.org/modules/actions'
+        type: string
+      integration-tests-env:
+        description: 'COVERAGE_TEST_ARGS=-run=TestAPIListRepoComments'
+        type: string
+
+jobs:
+  all:
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/ci:1'
+      options: --tmpfs /tmp:exec,noatime
+    services:
+      elasticsearch:
+        image: data.forgejo.org/oci/bitnami/elasticsearch:7
+        options: --tmpfs /bitnami/elasticsearch/data
+        env:
+          discovery.type: single-node
+          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
+      minio:
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
+        options: >-
+          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
+        env:
+          MINIO_DOMAIN: minio
+          MINIO_ROOT_USER: 123456
+          MINIO_ROOT_PASSWORD: 12345678
+      mysql:
+        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
+        env:
+          ALLOW_EMPTY_PASSWORD: yes
+          MYSQL_DATABASE: testgitea
+          #
+          # See also https://codeberg.org/forgejo/forgejo/issues/976
+          #
+          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
+        options: --tmpfs /bitnami/mysql/data:noatime
+      ldap:
+        image: data.forgejo.org/oci/test-openldap:latest
+      pgsql:
+        image: data.forgejo.org/oci/bitnami/postgresql:16
+        env:
+          POSTGRESQL_DATABASE: test
+          POSTGRESQL_PASSWORD: postgres
+          POSTGRESQL_FSYNC: off
+          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
+        options: --tmpfs /bitnami/postgresql
+      cacher:
+        image: registry.redict.io/redict:7.3.5-scratch
+        options: --tmpfs /data:noatime
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - name: install git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
+      - uses: ./.forgejo/workflows-composite/build-backend
+      - run: |
+          su forgejo -c '${{ inputs.unit-tests-env }} make coverage-run'
+          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-pgsql'
+          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-mysql'
+          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-sqlite'
+          su forgejo -c 'make coverage-merge'
+        timeout-minutes: 180
+        env:
+          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
+          TEST_MINIO_ENDPOINT: minio:9000
+          TEST_LDAP: 1
+          TEST_REDIS_SERVER: cacher:6379
+      - uses: https://code.forgejo.org/forgejo/upload-artifact@v4
+        with:
+          name: coverage
+          path: ${{ forge.workspace }}/coverage/merged
--- a/.forgejo/workflows/merge-requirements.yml
+++ b/.forgejo/workflows/merge-requirements.yml
@ -1,4 +1,4 @@
-# Copyright 2024 The Forgejo Authors
+# Copyright 2025 The Forgejo Authors
 # SPDX-License-Identifier: MIT

 name: requirements
@ -13,7 +13,8 @@ on:

 jobs:
  merge-conditions:
-    if: vars.ROLE == 'forgejo-coding'
+    if: >
+      vars.ROLE == 'forgejo-coding' && forge.event.pull_request.head.repo.full_name != 'forgejo-cascading-pr/forgejo'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:22-bookworm'
@ -26,9 +27,9 @@ jobs:
      - name: Missing test label
        if: >
          !(
-            contains(toJSON(github.event.pull_request.labels), 'test/present')
-            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
-            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
+            contains(toJSON(forge.event.pull_request.labels), 'test/present')
+            || contains(toJSON(forge.event.pull_request.labels), 'test/not-needed')
+            || contains(toJSON(forge.event.pull_request.labels), 'test/manual')
          )
        run: |
          echo "A team member must set the label to either 'present', 'not-needed' or 'manual'."
@ -36,8 +37,8 @@ jobs:
      - name: Missing manual test instructions
        if: >
          (
-            contains(toJSON(github.event.pull_request.labels), 'test/manual')
-            && !contains(toJSON(github.event.pull_request.body), '# Test')
+            contains(toJSON(forge.event.pull_request.labels), 'test/manual')
+            && !contains(toJSON(forge.event.pull_request.body), '# Test')
          )
        run: |
          echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -44,7 +44,7 @@ jobs:
      - uses: https://data.forgejo.org/actions/checkout@v4

      - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.3.5
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.4.1
        with:
          from-forgejo: ${{ vars.FORGEJO }}
          to-forgejo: ${{ vars.FORGEJO }}
@ -80,7 +80,7 @@ jobs:
          label: trigger

      - name: upgrade v*.next.forgejo.org
-        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.2.2
        with:
          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@invisible.forgejo.org/infrastructure/next-digest
          ref_name: '${{ github.ref_name }}'
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@ -5,32 +5,34 @@ on:
    - cron: '@daily'

 env:
-  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_WORKDIR: /srv/rna
+  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org

 jobs:
  release-notes:
    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
-      image: 'data.forgejo.org/oci/node:22-bookworm'
+      image: 'data.forgejo.org/oci/ci:1'
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v4

-      - uses: https://data.forgejo.org/actions/setup-go@v5
+      - uses: https://data.forgejo.org/actions/cache@v4
        with:
-          go-version-file: "go.mod"
-          cache: false
+          key: rna-${{ env.RNA_VERSION }}
+          path: ${{ env.RNA_WORKDIR }}

-      - name: apt install jq
+      - name: install release-notes-assistant
        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          apt-get update -qq
-          apt-get -q install -y -qq jq
+          set -x
+          wget -O /usr/local/bin/rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/${{ env.RNA_VERSION}}/release-notes-assistant
+          chmod +x /usr/local/bin/rna

      - name: update open milestones
        run: |
          set -x
-          curl -sS $GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
+          mkdir -p ${{ env.RNA_WORKDIR }}
+          curl -sS $FORGEJO_SERVER_URL/api/v1/repos/$FORGEJO_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
            milestone="$forgejo $version"
-            go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone"  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
+            rna --workdir ${{ env.RNA_WORKDIR }} --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone" --forgejo-url $FORGEJO_SERVER_URL --repository $FORGEJO_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
          done
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@ -8,7 +8,7 @@ on:
      - labeled

 env:
-  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.4.1 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org

 jobs:
  release-notes:
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -28,7 +28,7 @@ jobs:

    runs-on: docker
    container:
-      image: data.forgejo.org/renovate/renovate:41.1.4
+      image: data.forgejo.org/renovate/renovate:41.76.0

    steps:
      - name: Load renovate repo cache
@ -49,7 +49,7 @@ jobs:
          LOG_LEVEL: debug
          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
          RENOVATE_ENDPOINT: ${{ github.server_url }}
-          RENOVATE_PLATFORM: gitea
+          RENOVATE_PLATFORM: forgejo
          RENOVATE_REPOSITORY_CACHE: 'enabled'
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_GIT_AUTHOR: 'Renovate Bot <forgejo-renovate-action@forgejo.org>'
@ -63,6 +63,10 @@ jobs:

          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv

+          # use direct connection for these domains for renovate go datasource instead of the go proxy
+          # allows faster lookups
+          GONOPROXY: code.forgejo.org
+
      - name: Save renovate repo cache
        if: always() && env.RENOVATE_DRY_RUN != 'full'
        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
--- a/.forgejo/workflows/testing-integration.yml
+++ b/.forgejo/workflows/testing-integration.yml
@ -1,7 +1,8 @@
 #
 # Additional integration tests designed to run once a day when
 # `mirror.yml` pushes to https://codeberg.org/forgejo-integration/forgejo
-# and send a notification via email should they fail.
+# and send a notification via email to the contact email of the
+# organization should they fail.
 #
 # For debug purposes:
 #
@ -22,6 +23,8 @@ on:
      - 'forgejo'
      - 'v*/forgejo'

+enable-email-notifications: true
+
 jobs:
  test-unit:
 #    if: vars.ROLE == 'forgejo-coding'
@ -33,11 +36,8 @@ jobs:
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v4
      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.30
-        uses: ./.forgejo/workflows-composite/apt-install-from
-        with:
-          packages: git/bullseye git-lfs/bullseye
-          release: bullseye
+      - name: install git 2.34.1 and git-lfs 3.0.2
+        uses: ./.forgejo/workflows-composite/install-minimum-git-version
      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-backend test-check'
@ -55,11 +55,8 @@ jobs:
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v4
      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.30
-        uses: ./.forgejo/workflows-composite/apt-install-from
-        with:
-          packages: git/bullseye git-lfs/bullseye
-          release: bullseye
+      - name: install git 2.34.1 and git-lfs 3.0.2
+        uses: ./.forgejo/workflows-composite/install-minimum-git-version
      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-sqlite-migration test-sqlite'
@ -69,3 +66,34 @@ jobs:
          RACE_ENABLED: true
          TEST_TAGS: sqlite sqlite_unlock_notify
          USE_REPO_TEST_DIR: 1
+  test-mariadb:
+#    if: vars.ROLE == 'forgejo-coding'
+    if: vars.ROLE == 'forgejo-integration'
+    runs-on: docker
+    name: ${{ format('test-mariadb (v{0})', matrix.version) }}
+    strategy:
+      matrix:
+        version: ['10.6', '11.8']
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
+    services:
+      mysql:
+        image: ${{ format('data.forgejo.org/oci/mariadb:{0}', matrix.version) }}
+        env:
+          MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes
+          MARIADB_DATABASE: testgitea
+        options: --tmpfs /var/lib/mysql:noatime
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - name: install dependencies & git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
+      - run: |
+          su forgejo -c 'make test-mysql-migration test-mysql'
+        timeout-minutes: 120
+        env:
+          USE_REPO_TEST_DIR: 1
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -37,7 +37,11 @@ jobs:
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
-      - run: make test-frontend-coverage
+      - run: |
+          # Usage of `dayjs` can be impacted by local system timezone and can be sensitive to DST differences; since
+          # frontend tests are very short they're run twice with varying DST rules to reduce regression risk.
+          TZ=Europe/Berlin make test-frontend-coverage
+          TZ=America/Edmonton make test-frontend-coverage
      - run: make frontend
      - name: Install zstd for cache saving
        # works around https://github.com/actions/cache/issues/1169, because the
--- a/.gitignore
+++ b/.gitignore
@ -37,6 +37,8 @@ _testmain.go

 *coverage.out
 coverage.all
+coverage.html
+coverage.html.gz
 coverage/
 cpu.out

@ -53,6 +55,8 @@ cpu.out
 *.log
 *.log.*.gz

+/build/lint-locale/lint-locale
+/build/lint-locale-usage/lint-locale-usage
 /gitea
 /gitea-vet
 /debug
@ -129,3 +133,4 @@ prime/

 # Manpage
 /man
+tests/integration/api_activitypub_person_inbox_useractivity_test.go
--- a/.golangci.yml
+++ b/.golangci.yml
@ -42,6 +42,10 @@ linters:
              desc: do not use the ini package, use gitea's config system instead
            - pkg: github.com/minio/sha256-simd
              desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
+            - pkg: github.com/go-git/go-git
+              desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
+            - pkg: gopkg.in/yaml.v3
+              desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
    gocritic:
      disabled-checks:
        - ifElseChain
@ -79,6 +83,10 @@ linters:
        - name: unreachable-code
        - name: var-declaration
        - name: var-naming
+          arguments:
+            - []
+            - []
+            - - skip-package-name-checks: true
        - name: redefines-builtin-id
          disabled: true
    staticcheck:
--- a/1
+++ b/1
@ -39,4 +39,5 @@ options/locale/.* @0ko
 options/locale_next/.* @0ko

 # Personal interest
+build/lint-locale-usage/.* @fogti
 .*/webhook.* @oliverpool
--- a/108
+++ b/108
@ -39,15 +39,15 @@ XGO_VERSION := go-1.21.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.3.0 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.8.0 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 # renovate: datasource=go
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.3.1 # renovate: datasource=go
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.34.0 # renovate: datasource=go
-GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.5.2 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@41.1.4 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.36.0 # renovate: datasource=go
+GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@41.76.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate

 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
@ -115,9 +115,6 @@ LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeV

 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64

-ifeq ($(HAS_GO), yes)
-	GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...))
-endif
 REMOTE_CACHER_MODULES ?= cache nosql session queue
 GO_TEST_REMOTE_CACHER_PACKAGES ?= $(addprefix forgejo.org/modules/,$(REMOTE_CACHER_MODULES))

@ -159,9 +156,6 @@ GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/optio
 GO_SOURCES += $(GENERATED_GO_DEST)
 GO_SOURCES_NO_BINDATA := $(GO_SOURCES)

-ifeq ($(HAS_GO), yes)
-	MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...)
-endif

 ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
 	GO_SOURCES += $(BINDATA_DEST)
@ -238,6 +232,9 @@ help:
 	@echo " - test-frontend-coverage           test frontend files and display code coverage"
 	@echo " - test-backend                     test backend files"
 	@echo " - test-remote-cacher               test backend files that use a remote cache"
+	@echo " - coverage-run*                    test and collect coverages in the coverage/data directory"
+	@echo " - coverage-show-html               display coverage-run results in an HTML page"
+	@echo " - coverage-show-percent            display coverage-run per package coverage percentage"
 	@echo " - test-e2e-sqlite[\#name.test.e2e] test end to end using playwright and sqlite"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
@ -282,6 +279,24 @@ show-version-minor: verify-version
 show-version-api: verify-version
 	@echo ${FORGEJO_VERSION_API}

+###
+# Package computation targets
+###
+
+# Target to compute GO_TEST_PACKAGES - only runs when needed
+.PHONY: compute-go-test-packages
+compute-go-test-packages:
+ifeq ($(HAS_GO), yes)
+	$(eval GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...)))
+endif
+
+# Target to compute MIGRATION_PACKAGES - only runs when needed
+.PHONY: compute-migration-packages
+compute-migration-packages:
+ifeq ($(HAS_GO), yes)
+	$(eval MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...))
+endif
+
 ###
 # Check system and environment requirements
 ###
@ -460,7 +475,7 @@ lint-locale:

 .PHONY: lint-locale-usage
 lint-locale-usage:
-	$(GO) run build/lint-locale-usage/lint-locale-usage.go
+	$(GO) run ./build/lint-locale-usage --allow-masked-usages-from=build/lint-locale-usage/allowed-masked-usage.txt

 .PHONY: lint-md
 lint-md: node_modules
@ -522,9 +537,9 @@ watch-backend: go-check
 test: test-frontend test-backend

 .PHONY: test-backend
-test-backend:
+test-backend: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)

 .PHONY: test-remote-cacher
 test-remote-cacher:
@ -552,20 +567,39 @@ test-check:
 	fi

 .PHONY: test\#%
-test\#%:
+test\#%: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)

-.PHONY: coverage
-coverage:
-	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' coverage.out > coverage-bodged.out
-	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' integration.coverage.out > integration.coverage-bodged.out
-	$(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all
+coverage-merge:
+	rm -fr coverage/merged ; mkdir -p coverage/merged
+	$(GO) tool covdata merge -i `find coverage/data -name 'covmeta.*' | sed -e 's|/covmeta.*|,|' | tr -d '\n' | sed -e 's/,$$//'` -o coverage/merged

-.PHONY: unit-test-coverage
-unit-test-coverage:
-	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+coverage-convert: coverage-merge
+	$(GO) tool covdata textfmt -i=coverage/merged -o=coverage/textfmt.out
+
+coverage-show-html: coverage-convert
+	( cd coverage ; $(GO) tool cover -html=textfmt.out -o coverage.html )
+	xdg-open coverage/coverage.html
+
+coverage-show-percentage: coverage-convert
+	go tool cover -func=coverage/textfmt.out
+
+coverage-run: | compute-go-test-packages
+	contrib/coverage-helper.sh test_packages $(COVERAGE_TEST_PACKAGES)
+
+coverage-run-%: generate-ini-% | compute-migration-packages
+  #
+  # Migration tests go first
+  #
+	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration/migration-test coverage-run
+	for pkg in $(MIGRATION_PACKAGES); do \
+		$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=$$pkg coverage-run ; \
+	done
+  #
+  # All other integration tests follow
+  #
+	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration coverage-run

 .PHONY: tidy
 tidy:
@ -638,6 +672,7 @@ generate-ini-pgsql:
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
+		-e 's|{{TEST_S3_HOST}}|$(or $(TEST_S3_HOST),minio:9000)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini

 .PHONY: test-pgsql
@ -684,7 +719,7 @@ test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-pgsql
-test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
+GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.initest-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e

 .PHONY: test-e2e-pgsql\#%
@ -707,14 +742,6 @@ bench-mysql: integrations.mysql.test generate-ini-mysql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

-.PHONY: integration-test-coverage
-integration-test-coverage: integrations.cover.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
-
-.PHONY: integration-test-coverage-sqlite
-integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
-
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.mysql.test

@ -724,12 +751,6 @@ integrations.pgsql.test: git-check $(GO_SOURCES)
 integrations.sqlite.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'

-integrations.cover.test: git-check $(GO_SOURCES)
-	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
-
-integrations.cover.sqlite.test: git-check $(GO_SOURCES)
-	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
-
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.mysql.test
@ -746,7 +767,7 @@ migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: migrations.individual.mysql.test
-migrations.individual.mysql.test: $(GO_SOURCES)
+migrations.individual.mysql.test: $(GO_SOURCES) | compute-migration-packages
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
@ -756,7 +777,7 @@ migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*

 .PHONY: migrations.individual.pgsql.test
-migrations.individual.pgsql.test: $(GO_SOURCES)
+migrations.individual.pgsql.test: $(GO_SOURCES) | compute-migration-packages
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done
@ -766,7 +787,7 @@ migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*

 .PHONY: migrations.individual.sqlite.test
-migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
+migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite | compute-migration-packages
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
@ -940,6 +961,7 @@ fomantic:
 	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
 	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
 	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
+	rm -rf $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/themes/default/modules/dropdown.overrides
 	$(SED_INPLACE) -e 's/  overrideBrowserslist\r/  overrideBrowserslist: ["defaults"]\r/g' $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/tasks/config/tasks.js
 	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build
 	# fomantic uses "touchstart" as click event for some browsers, it's not ideal, so we force fomantic to always use "click" as click event
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@
 Hi there! Tired of big platforms playing monopoly?
 Providing Git hosting for your project, friends, company or community?
 **Forgejo** (/for'd&#865;ʒe.jo/ inspired by forĝejo – the Esperanto word for *forge*) has you covered with its intuitive interface,
-light and easy hosting and a lot of builtin functionality.
+light and easy hosting and a lot of built-in functionality.

 Forgejo was [created in 2022](https://forgejo.org/2022-12-15-hello-forgejo/)
 because we think that the project should be owned by an independent community.
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -4,7 +4,7 @@ A minor or major Forgejo release is published every [three months](https://forge

 A [patch or minor release](https://semver.org/spec/v2.0.0.html) (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But [major releases](https://semver.org/spec/v2.0.0.html#spec-item-8) where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.

-The release notes of each release [are available in the release-notes-published directory of this repository](release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
+The release notes of each release [are available in the release-notes-published directory of this repository](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).

 ## 9.0.2

--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build/lint-locale-usage/allowed-masked-usage.txt
+++ b/build/lint-locale-usage/allowed-masked-usage.txt
@ -0,0 +1,54 @@
+# translation tooling test keys
+meta.last_line
+translation_meta.test
+
+# models/admin/task.go: instances of $TranslatableMessage.Format
+# this also gets instantiated as a Messenger once
+repo.migrate.migrating_failed.error
+
+# models/asymkey/gpg_key_object_verification.go: $ObjectVerification.Reason
+# unfortunately, it is non-trivial to parse all the occurences
+gpg.error.extract_sign
+gpg.error.failed_retrieval_gpg_keys
+gpg.error.generate_hash
+gpg.error.no_committer_account
+
+# models/system/notice.go: func (n *Notice) TrStr() string
+admin.notices.type_1
+admin.notices.type_2
+
+# modules/setting/ui.go
+themes.names.
+
+# services/context/context.go
+relativetime.
+
+# templates/mail/issue/default.tmpl: $.locale.Tr
+mail.issue.in_tree_path
+
+# templates/package/metadata/arch.tmpl: $.locale.Tr
+packages.details.license
+
+# templates/repo/issue/view_content.tmpl: indirection via $closeTranslationKey
+repo.issues.close
+repo.pulls.close
+
+# templates/repo/issue/view_content/comments.tmpl: indirection via $refTr
+repo.issues.ref_closing_from
+repo.issues.ref_issue_from
+repo.issues.ref_pull_from
+repo.issues.ref_reopening_from
+
+# templates/repo/issue/view_content/comments.tmpl: ctx.Locale.Tr (printf "projects.type-%d.display_name" .OldProject.Type)
+projects.
+projects.type-1.display_name
+projects.type-2.display_name
+projects.type-3.display_name
+
+# templates/repo/settings/webhook/link_menu.tmpl, templates/webhook/new.tmpl: repo.settings.web_hook_name_
+# tests/integration/repo_archive_text_test.go
+repo.settings.
+
+# services/migrations/migrate.go: messenger calls
+# ToDo: give them a unique prefix
+repo.migrate.
--- a/build/lint-locale-usage/handle-go.go
+++ b/build/lint-locale-usage/handle-go.go
@ -0,0 +1,217 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"fmt"
+	"go/ast"
+	goParser "go/parser"
+	"go/token"
+	"strconv"
+	"strings"
+)
+
+func (handler Handler) handleGoTrBasicLit(fset *token.FileSet, argLit *ast.BasicLit, prefix string) {
+	if argLit.Kind == token.STRING {
+		// extract string content
+		arg, err := strconv.Unquote(argLit.Value)
+		if err != nil {
+			return
+		}
+		// found interesting strings
+		arg = prefix + arg
+		if strings.HasSuffix(arg, ".") || strings.HasSuffix(arg, "_") {
+			prep, trunc := PrepareMsgidPrefix(arg)
+			if trunc {
+				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
+			}
+			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
+		} else {
+			handler.OnMsgid(fset, argLit.ValuePos, arg)
+		}
+	}
+}
+
+func (handler Handler) handleGoTrArgument(fset *token.FileSet, n ast.Expr, prefix string) {
+	if argLit, ok := n.(*ast.BasicLit); ok {
+		handler.handleGoTrBasicLit(fset, argLit, prefix)
+	} else if argBinExpr, ok := n.(*ast.BinaryExpr); ok {
+		if argBinExpr.Op != token.ADD {
+			// pass
+		} else if argLit, ok := argBinExpr.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
+			// extract string content
+			arg, err := strconv.Unquote(argLit.Value)
+			if err != nil {
+				return
+			}
+			// found interesting strings
+			arg = prefix + arg
+			prep, trunc := PrepareMsgidPrefix(arg)
+			if trunc {
+				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
+			}
+			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
+		}
+	}
+}
+
+func (handler Handler) handleGoCommentGroup(fset *token.FileSet, cg *ast.CommentGroup, commentPrefix string) *string {
+	if cg == nil {
+		return nil
+	}
+	var matches []token.Pos
+	matchInsPrefix := ""
+	commentPrefix = "//" + commentPrefix
+	for _, comment := range cg.List {
+		ctxt := strings.TrimSpace(comment.Text)
+		if ctxt == commentPrefix {
+			matches = append(matches, comment.Slash)
+		} else if after, found := strings.CutPrefix(ctxt, commentPrefix+"Suffix "); found {
+			matches = append(matches, comment.Slash)
+			matchInsPrefix = strings.TrimSpace(after)
+		}
+	}
+	switch len(matches) {
+	case 0:
+		return nil
+	case 1:
+		return &matchInsPrefix
+	default:
+		handler.OnWarning(
+			fset,
+			matches[0],
+			fmt.Sprintf("encountered multiple %s... directives, ignoring", strings.TrimSpace(commentPrefix)),
+		)
+		return &matchInsPrefix
+	}
+}
+
+// the `Handle*File` functions follow the following calling convention:
+// * `fname` is the name of the input file
+// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
+//   or the contents of the file as {`[]byte`, or a `string`}
+
+func (handler Handler) HandleGoFile(fname string, src any) error {
+	fset := token.NewFileSet()
+	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution|goParser.ParseComments)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Go parser",
+			Err:      err,
+		}
+	}
+
+	ast.Inspect(node, func(n ast.Node) bool {
+		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
+
+		switch n2 := n.(type) {
+		case *ast.CallExpr:
+			if len(n2.Args) == 0 {
+				return true
+			}
+			funSel, ok := n2.Fun.(*ast.SelectorExpr)
+			if !ok {
+				return true
+			}
+
+			ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
+			if !ok {
+				return true
+			}
+
+			var gotUnexpectedInvoke *int
+
+			for _, argNum := range ltf {
+				if len(n2.Args) <= int(argNum) {
+					argc := len(n2.Args)
+					gotUnexpectedInvoke = &argc
+				} else {
+					handler.handleGoTrArgument(fset, n2.Args[int(argNum)], "")
+				}
+			}
+
+			if gotUnexpectedInvoke != nil {
+				handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
+			}
+		case *ast.CompositeLit:
+			ident, ok := n2.Type.(*ast.Ident)
+			if !ok {
+				return true
+			}
+
+			// special case: models/unit/unit.go
+			if strings.HasSuffix(fname, "unit.go") && ident.Name == "Unit" {
+				if len(n2.Elts) != 6 {
+					handler.OnWarning(fset, n2.Pos(), "unexpected initialization of 'Unit' (unexpected number of arguments)")
+				}
+				// NameKey has index 2
+				//   invoked like '{{ctx.Locale.Tr $unit.NameKey}}'
+				nameKey, ok := n2.Elts[2].(*ast.BasicLit)
+				if !ok || nameKey.Kind != token.STRING {
+					handler.OnWarning(fset, n2.Elts[2].Pos(), "unexpected initialization of 'Unit' (expected string literal as NameKey)")
+					return true
+				}
+
+				// extract string content
+				arg, err := strconv.Unquote(nameKey.Value)
+				if err == nil {
+					// found interesting strings
+					handler.OnMsgid(fset, nameKey.ValuePos, arg)
+				}
+			}
+		case *ast.FuncDecl:
+			matchInsPrefix := handler.handleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey")
+			if matchInsPrefix == nil {
+				return true
+			}
+			results := n2.Type.Results.List
+			if len(results) != 1 {
+				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
+				return true
+			}
+
+			ast.Inspect(n2.Body, func(n ast.Node) bool {
+				// search for return stmts
+				// TODO: what about nested functions?
+				if ret, ok := n.(*ast.ReturnStmt); ok {
+					for _, res := range ret.Results {
+						ast.Inspect(res, func(n ast.Node) bool {
+							if expr, ok := n.(ast.Expr); ok {
+								handler.handleGoTrArgument(fset, expr, *matchInsPrefix)
+							}
+							return true
+						})
+					}
+					return false
+				}
+				return true
+			})
+			return true
+		case *ast.GenDecl:
+			if !(n2.Tok == token.CONST || n2.Tok == token.VAR) {
+				return true
+			}
+			matchInsPrefix := handler.handleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
+			if matchInsPrefix == nil {
+				return true
+			}
+			for _, spec := range n2.Specs {
+				// interpret all contained strings as message IDs
+				ast.Inspect(spec, func(n ast.Node) bool {
+					if argLit, ok := n.(*ast.BasicLit); ok {
+						handler.handleGoTrBasicLit(fset, argLit, *matchInsPrefix)
+						return false
+					}
+					return true
+				})
+			}
+		}
+
+		return true
+	})
+
+	return nil
+}
--- a/build/lint-locale-usage/handle-tmpl.go
+++ b/build/lint-locale-usage/handle-tmpl.go
@ -0,0 +1,233 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"fmt"
+	"go/token"
+	"os"
+	"strings"
+	"text/template"
+	tmplParser "text/template/parse"
+
+	fjTemplates "forgejo.org/modules/templates"
+	"forgejo.org/modules/util"
+)
+
+// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
+func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
+	switch node.Type() {
+	case tmplParser.NodeAction:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
+	case tmplParser.NodeList:
+		nodeList := node.(*tmplParser.ListNode)
+		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
+	case tmplParser.NodePipe:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
+	case tmplParser.NodeTemplate:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
+	case tmplParser.NodeIf:
+		nodeIf := node.(*tmplParser.IfNode)
+		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
+	case tmplParser.NodeRange:
+		nodeRange := node.(*tmplParser.RangeNode)
+		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
+	case tmplParser.NodeWith:
+		nodeWith := node.(*tmplParser.WithNode)
+		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
+
+	case tmplParser.NodeCommand:
+		nodeCommand := node.(*tmplParser.CommandNode)
+
+		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
+
+		if len(nodeCommand.Args) < 2 {
+			return
+		}
+
+		funcname := ""
+		if nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode); ok {
+			if nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode); ok {
+				if nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
+					return
+				}
+				funcname = nodeChain.Field[1]
+			}
+		} else if nodeField, ok := nodeCommand.Args[0].(*tmplParser.FieldNode); ok {
+			if len(nodeField.Ident) != 2 || !(nodeField.Ident[0] == "locale" || nodeField.Ident[0] == "Locale") {
+				return
+			}
+			funcname = nodeField.Ident[1]
+		}
+
+		var gotUnexpectedInvoke *int
+		ltf, ok := handler.LocaleTrFunctions[funcname]
+		if !ok {
+			return
+		}
+
+		for _, argNum := range ltf {
+			if len(nodeCommand.Args) >= int(argNum+2) {
+				handler.handleTemplateMsgid(fset, nodeCommand.Args[int(argNum+1)])
+			} else {
+				argc := len(nodeCommand.Args) - 1
+				gotUnexpectedInvoke = &argc
+			}
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, token.Pos(nodeCommand.Pos), funcname, *gotUnexpectedInvoke)
+		}
+
+	default:
+	}
+}
+
+func (handler Handler) handleTemplateMsgid(fset *token.FileSet, node tmplParser.Node) {
+	// the column numbers are a bit "off", but much better than nothing
+	pos := token.Pos(node.Position())
+
+	switch node.Type() {
+	case tmplParser.NodeString:
+		nodeString := node.(*tmplParser.StringNode)
+		// found interesting strings
+		handler.OnMsgid(fset, pos, nodeString.Text)
+
+	case tmplParser.NodePipe:
+		nodePipe := node.(*tmplParser.PipeNode)
+		handler.handleTemplatePipeNode(fset, nodePipe)
+
+		if len(nodePipe.Cmds) == 0 {
+			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (no commands): %s", node.String()))
+		} else if len(nodePipe.Cmds) != 1 {
+			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (too many commands): %s", node.String()))
+			return
+		}
+		nodeCommand := nodePipe.Cmds[0]
+		if len(nodeCommand.Args) < 2 {
+			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (not enough arguments): %s", node.String()))
+			return
+		}
+
+		nodeIdent, ok := nodeCommand.Args[0].(*tmplParser.IdentifierNode)
+		if !ok || (nodeIdent.Ident != "print" && nodeIdent.Ident != "printf") {
+			// handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (bad command): %s", node.String()))
+			return
+		}
+
+		nodeString, ok := nodeCommand.Args[1].(*tmplParser.StringNode)
+		if !ok {
+			//handler.OnWarning(
+			//	fset,
+			//	pos,
+			//	fmt.Sprintf("unsupported invocation of locate function (string should be first argument to %s): %s", nodeIdent.Ident, node.String()),
+			//)
+			return
+		}
+
+		msgidPrefix := nodeString.Text
+		stringPos := token.Pos(nodeString.Pos)
+
+		if len(nodeCommand.Args) == 2 {
+			// found interesting strings
+			handler.OnMsgid(fset, stringPos, msgidPrefix)
+		} else {
+			if nodeIdent.Ident == "printf" {
+				parts := strings.SplitN(msgidPrefix, "%", 2)
+				if len(parts) != 2 {
+					handler.OnWarning(
+						fset,
+						stringPos,
+						fmt.Sprintf("unsupported invocation of locate function (format string doesn't match \"prefix%%smth\" pattern): %s", nodeString.String()),
+					)
+					return
+				}
+				msgidPrefix = parts[0]
+			}
+
+			msgidPrefixFin, truncated := PrepareMsgidPrefix(msgidPrefix)
+			if truncated {
+				handler.OnWarning(fset, stringPos, fmt.Sprintf("needed to truncate message id prefix: %s", msgidPrefix))
+			}
+
+			// found interesting strings
+			handler.OnMsgidPrefix(fset, stringPos, msgidPrefixFin, truncated)
+		}
+
+	default:
+		// handler.OnWarning(fset, pos, fmt.Sprintf("unknown invocation of locate function: %s", node.String()))
+	}
+}
+
+func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
+	if pipeNode == nil {
+		return
+	}
+
+	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
+	for _, node := range pipeNode.Cmds {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
+	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
+	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
+	if branchNode.ElseList != nil {
+		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
+	}
+}
+
+func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
+	for _, node := range nodes {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+// the `Handle*File` functions follow the following calling convention:
+// * `fname` is the name of the input file
+// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
+//   or the contents of the file as {`[]byte`, or a `string`}
+
+func (handler Handler) HandleTemplateFile(fname string, src any) error {
+	var tmplContent []byte
+	switch src2 := src.(type) {
+	case nil:
+		var err error
+		tmplContent, err = os.ReadFile(fname)
+		if err != nil {
+			return LocatedError{
+				Location: fname,
+				Kind:     "ReadFile",
+				Err:      err,
+			}
+		}
+	case []byte:
+		tmplContent = src2
+	case string:
+		// SAFETY: we do not modify tmplContent below
+		tmplContent = util.UnsafeStringToBytes(src2)
+	default:
+		panic("invalid type for 'src'")
+	}
+
+	fset := token.NewFileSet()
+	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
+	// SAFETY: we do not modify tmplContent2 below
+	tmplContent2 := util.UnsafeBytesToString(tmplContent)
+
+	tmpl := template.New(fname)
+	tmpl.Funcs(fjTemplates.NewFuncMap())
+	tmplParsed, err := tmpl.Parse(tmplContent2)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Template parser",
+			Err:      err,
+		}
+	}
+	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
+	return nil
+}
--- a/build/lint-locale-usage/lint-locale-usage.go
+++ b/build/lint-locale-usage/lint-locale-usage.go
@ -5,22 +5,19 @@
 package main

 import (
+	"bufio"
+	"errors"
+	"flag"
 	"fmt"
-	"go/ast"
-	goParser "go/parser"
 	"go/token"
 	"io/fs"
 	"os"
 	"path/filepath"
-	"strconv"
+	"sort"
 	"strings"
-	"text/template"
-	tmplParser "text/template/parse"

 	"forgejo.org/modules/container"
-	fjTemplates "forgejo.org/modules/templates"
 	"forgejo.org/modules/translation/localeiter"
-	"forgejo.org/modules/util"
 )

 // this works by first gathering all valid source string IDs from `en-US` reference files
@ -63,241 +60,180 @@ func InitLocaleTrFunctions() map[string][]uint {

 type Handler struct {
 	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string)
+	OnMsgidPrefix      func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool)
 	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
+	OnWarning          func(fset *token.FileSet, pos token.Pos, msg string)
 	LocaleTrFunctions  map[string][]uint
 }

-// the `Handle*File` functions follow the following calling convention:
-// * `fname` is the name of the input file
-// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
-//   or the contents of the file as {`[]byte`, or a `string`}
+type StringTrie interface {
+	Matches(key []string) bool
+}

-func (handler Handler) HandleGoFile(fname string, src any) error {
-	fset := token.NewFileSet()
-	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution)
-	if err != nil {
-		return LocatedError{
-			Location: fname,
-			Kind:     "Go parser",
-			Err:      err,
-		}
-	}
-
-	ast.Inspect(node, func(n ast.Node) bool {
-		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
-
-		call, ok := n.(*ast.CallExpr)
-		if !ok || len(call.Args) < 1 {
-			return true
-		}
-
-		funSel, ok := call.Fun.(*ast.SelectorExpr)
-		if !ok {
-			return true
-		}
-
-		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
-		if !ok {
-			return true
-		}
-
-		var gotUnexpectedInvoke *int
-
-		for _, argNum := range ltf {
-			if len(call.Args) >= int(argNum+1) {
-				argLit, ok := call.Args[int(argNum)].(*ast.BasicLit)
-				if !ok || argLit.Kind != token.STRING {
-					continue
-				}
-
-				// extract string content
-				arg, err := strconv.Unquote(argLit.Value)
-				if err == nil {
-					// found interesting strings
-					handler.OnMsgid(fset, argLit.ValuePos, arg)
-				}
-			} else {
-				argc := len(call.Args)
-				gotUnexpectedInvoke = &argc
-			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
-		}
+type StringTrieMap map[string]StringTrie

+func (m StringTrieMap) Matches(key []string) bool {
+	if len(key) == 0 || m == nil {
 		return true
-	})
-
-	return nil
-}
-
-// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
-func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
-	switch node.Type() {
-	case tmplParser.NodeAction:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
-	case tmplParser.NodeList:
-		nodeList := node.(*tmplParser.ListNode)
-		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
-	case tmplParser.NodePipe:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
-	case tmplParser.NodeTemplate:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
-	case tmplParser.NodeIf:
-		nodeIf := node.(*tmplParser.IfNode)
-		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
-	case tmplParser.NodeRange:
-		nodeRange := node.(*tmplParser.RangeNode)
-		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
-	case tmplParser.NodeWith:
-		nodeWith := node.(*tmplParser.WithNode)
-		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
-
-	case tmplParser.NodeCommand:
-		nodeCommand := node.(*tmplParser.CommandNode)
-
-		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
-
-		if len(nodeCommand.Args) < 2 {
-			return
-		}
-
-		nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode)
-		if !ok {
-			return
-		}
-
-		nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode)
-		if !ok || nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
-			return
-		}
-
-		ltf, ok := handler.LocaleTrFunctions[nodeChain.Field[1]]
-		if !ok {
-			return
-		}
-
-		var gotUnexpectedInvoke *int
-
-		for _, argNum := range ltf {
-			if len(nodeCommand.Args) >= int(argNum+2) {
-				nodeString, ok := nodeCommand.Args[int(argNum+1)].(*tmplParser.StringNode)
-				if ok {
-					// found interesting strings
-					// the column numbers are a bit "off", but much better than nothing
-					handler.OnMsgid(fset, token.Pos(nodeString.Pos), nodeString.Text)
-				}
-			} else {
-				argc := len(nodeCommand.Args) - 1
-				gotUnexpectedInvoke = &argc
-			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, token.Pos(nodeChain.Pos), nodeChain.Field[1], *gotUnexpectedInvoke)
-		}
-
-	default:
 	}
+	value, ok := m[key[0]]
+	if !ok {
+		return false
+	}
+	if value == nil {
+		return true
+	}
+	return value.Matches(key[1:])
 }

-func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
-	if pipeNode == nil {
+func (m StringTrieMap) Insert(key []string) {
+	if m == nil {
 		return
 	}

-	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
-	for _, node := range pipeNode.Cmds {
-		handler.handleTemplateNode(fset, node)
-	}
-}
+	switch len(key) {
+	case 0:
+		return

-func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
-	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
-	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
-	if branchNode.ElseList != nil {
-		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
-	}
-}
+	case 1:
+		m[key[0]] = nil

-func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
-	for _, node := range nodes {
-		handler.handleTemplateNode(fset, node)
-	}
-}
-
-func (handler Handler) HandleTemplateFile(fname string, src any) error {
-	var tmplContent []byte
-	switch src2 := src.(type) {
-	case nil:
-		var err error
-		tmplContent, err = os.ReadFile(fname)
-		if err != nil {
-			return LocatedError{
-				Location: fname,
-				Kind:     "ReadFile",
-				Err:      err,
-			}
-		}
-	case []byte:
-		tmplContent = src2
-	case string:
-		// SAFETY: we do not modify tmplContent below
-		tmplContent = util.UnsafeStringToBytes(src2)
 	default:
-		panic("invalid type for 'src'")
+		if value, ok := m[key[0]]; ok {
+			if value == nil {
+				return
+			}
+		} else {
+			m[key[0]] = make(StringTrieMap)
+		}
+		m[key[0]].(StringTrieMap).Insert(key[1:])
 	}
+}

-	fset := token.NewFileSet()
-	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
-	// SAFETY: we do not modify tmplContent2 below
-	tmplContent2 := util.UnsafeBytesToString(tmplContent)
-
-	tmpl := template.New(fname)
-	tmpl.Funcs(fjTemplates.NewFuncMap())
-	tmplParsed, err := tmpl.Parse(tmplContent2)
+func ParseAllowedMaskedUsages(fname string, usedMsgids container.Set[string], allowedMaskedPrefixes StringTrieMap, chkMsgid func(msgid string) bool) error {
+	file, err := os.Open(fname)
 	if err != nil {
 		return LocatedError{
 			Location: fname,
-			Kind:     "Template parser",
+			Kind:     "Open",
+			Err:      err,
+		}
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	lno := 0
+	for scanner.Scan() {
+		lno++
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		if linePrefix, found := strings.CutSuffix(line, "."); found {
+			allowedMaskedPrefixes.Insert(strings.Split(linePrefix, "."))
+		} else {
+			if !chkMsgid(line) {
+				return LocatedError{
+					Location: fmt.Sprintf("%s: line %d", fname, lno),
+					Kind:     "undefined msgid",
+					Err:      errors.New(line),
+				}
+			}
+			usedMsgids.Add(line)
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Scanner",
 			Err:      err,
 		}
 	}
-	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
 	return nil
 }

-// This command assumes that we get started from the project root directory
-//
-// Possible command line flags:
-//
-//	--allow-missing-msgids        don't return an error code if missing message IDs are found
-//
-// EXIT CODES:
-//
-//	0  success, no issues found
-//	1  unable to walk directory tree
-//	2  unable to parse locale ini/json files
-//	3  unable to parse go or text/template files
-//	4  found missing message IDs
-//
+// Truncating a message id prefix to the last dot
+func PrepareMsgidPrefix(s string) (string, bool) {
+	index := strings.LastIndexByte(s, 0x2e)
+	if index == -1 {
+		return "", true
+	}
+	return s[:index], index != len(s)-1
+}
+
+func Usage() {
+	outp := flag.CommandLine.Output()
+	fmt.Fprintf(outp, "Usage of %s:\n", os.Args[0])
+	flag.PrintDefaults()
+
+	fmt.Fprintf(outp, "\nThis command assumes that it gets started from the project root directory.\n")
+
+	fmt.Fprintf(outp, "\nExit codes:\n")
+	for _, i := range []string{
+		"0\tsuccess, no issues found",
+		"1\tunable to walk directory tree",
+		"2\tunable to parse locale ini/json files",
+		"3\tunable to parse go or text/template files",
+		"4\tfound missing message IDs",
+		"5\tfound unused message IDs",
+	} {
+		fmt.Fprintf(outp, "\t%s\n", i)
+	}
+
+	fmt.Fprintf(outp, "\nSpecial Go doc comments:\n")
+	for _, i := range []string{
+		"//llu:returnsTrKey",
+		"\tcan be used in front of functions to indicate",
+		"\tthat the function returns message IDs",
+		"\tWARNING: this currently doesn't support nested functions properly",
+		"",
+		"//llu:returnsTrKeySuffix prefix.",
+		"\tsimilar to llu:returnsTrKey, but the given prefix is prepended",
+		"\tto the found strings before interpreting them as msgids",
+		"",
+		"// llu:TrKeys",
+		"\tcan be used in front of 'const' and 'var' blocks",
+		"\tin order to mark all contained strings as message IDs",
+		"",
+		"// llu:TrKeysSuffix prefix.",
+		"\tlike llu:returnsTrKeySuffix, but for 'const' and 'var' blocks",
+	} {
+		if i == "" {
+			fmt.Fprintf(outp, "\n")
+		} else {
+			fmt.Fprintf(outp, "\t%s\n", i)
+		}
+	}
+}
+
 //nolint:forbidigo
 func main() {
 	allowMissingMsgids := false
-	for _, arg := range os.Args[1:] {
-		if arg == "--allow-missing-msgids" {
-			allowMissingMsgids = true
-		}
-	}
+	allowUnusedMsgids := false
+	usedMsgids := make(container.Set[string])
+	allowedMaskedPrefixes := make(StringTrieMap)

-	onError := func(err error) {
-		if err == nil {
-			return
-		}
-		fmt.Println(err.Error())
-		os.Exit(3)
+	// It's possible for execl to hand us an empty os.Args.
+	if len(os.Args) == 0 {
+		flag.CommandLine = flag.NewFlagSet("lint-locale-usage", flag.ExitOnError)
+	} else {
+		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 	}
+	flag.CommandLine.Usage = Usage
+	flag.Usage = Usage
+
+	flag.BoolVar(
+		&allowMissingMsgids,
+		"allow-missing-msgids",
+		false,
+		"don't return an error code if missing message IDs are found",
+	)
+	flag.BoolVar(
+		&allowUnusedMsgids,
+		"allow-unused-msgids",
+		false,
+		"don't return an error code if unused message IDs are found",
+	)

 	msgids := make(container.Set[string])

@ -334,17 +270,50 @@ func main() {

 	gotAnyMsgidError := false

+	flag.Func(
+		"allow-masked-usages-from",
+		"supply a file containing a newline-separated list of allowed masked usages",
+		func(argval string) error {
+			return ParseAllowedMaskedUsages(argval, usedMsgids, allowedMaskedPrefixes, func(msgid string) bool {
+				return msgids.Contains(msgid)
+			})
+		},
+	)
+	flag.Parse()
+
+	onError := func(err error) {
+		if err == nil {
+			return
+		}
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+
 	handler := Handler{
+		OnMsgidPrefix: func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool) {
+			msgidPrefixSplit := strings.Split(msgidPrefix, ".")
+			if !truncated {
+				allowedMaskedPrefixes.Insert(msgidPrefixSplit)
+			} else if !allowedMaskedPrefixes.Matches(msgidPrefixSplit) {
+				gotAnyMsgidError = true
+				fmt.Printf("%s:\tmissing msgid prefix: %s\n", fset.Position(pos).String(), msgidPrefix)
+			}
+		},
 		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
 			if !msgids.Contains(msgid) {
 				gotAnyMsgidError = true
 				fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
+			} else {
+				usedMsgids.Add(msgid)
 			}
 		},
 		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {
 			gotAnyMsgidError = true
 			fmt.Printf("%s:\tunexpected invocation of %s with %d arguments\n", fset.Position(pos).String(), funcname, argc)
 		},
+		OnWarning: func(fset *token.FileSet, pos token.Pos, msg string) {
+			fmt.Printf("%s:\tWARNING: %s\n", fset.Position(pos).String(), msg)
+		},
 		LocaleTrFunctions: InitLocaleTrFunctions(),
 	}

@ -377,7 +346,27 @@ func main() {
 		os.Exit(1)
 	}

+	unusedMsgids := []string{}
+
+	for msgid := range msgids {
+		if !usedMsgids.Contains(msgid) && !allowedMaskedPrefixes.Matches(strings.Split(msgid, ".")) {
+			unusedMsgids = append(unusedMsgids, msgid)
+		}
+	}
+
+	sort.Strings(unusedMsgids)
+
+	if len(unusedMsgids) != 0 {
+		fmt.Printf("=== unused msgids (%d): ===\n", len(unusedMsgids))
+		for _, msgid := range unusedMsgids {
+			fmt.Printf("- %s\n", msgid)
+		}
+	}
+
 	if !allowMissingMsgids && gotAnyMsgidError {
 		os.Exit(4)
 	}
+	if !allowUnusedMsgids && len(unusedMsgids) != 0 {
+		os.Exit(5)
+	}
 }
--- a/cmd/admin_auth.go
+++ b/cmd/admin_auth.go
@ -17,6 +17,15 @@ import (
 	"github.com/urfave/cli/v3"
 )

+type (
+	authService struct {
+		initDB            func(ctx context.Context) error
+		createAuthSource  func(context.Context, *auth_model.Source) error
+		updateAuthSource  func(context.Context, *auth_model.Source) error
+		getAuthSourceByID func(ctx context.Context, id int64) (*auth_model.Source, error)
+	}
+)
+
 func microcmdAuthDelete() *cli.Command {
 	return &cli.Command{
 		Name:   "delete",
@ -60,6 +69,16 @@ func microcmdAuthList() *cli.Command {
 	}
 }

+// newAuthService creates a service with default functions.
+func newAuthService() *authService {
+	return &authService{
+		initDB:            initDB,
+		createAuthSource:  auth_model.CreateSource,
+		updateAuthSource:  auth_model.UpdateSource,
+		getAuthSourceByID: auth_model.GetSourceByID,
+	}
+}
+
 func runListAuth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -14,15 +14,6 @@ import (
 	"github.com/urfave/cli/v3"
 )

-type (
-	authService struct {
-		initDB            func(ctx context.Context) error
-		createAuthSource  func(context.Context, *auth.Source) error
-		updateAuthSource  func(context.Context, *auth.Source) error
-		getAuthSourceByID func(ctx context.Context, id int64) (*auth.Source, error)
-	}
-)
-
 func commonLdapCLIFlags() []cli.Flag {
 	return []cli.Flag{
 		&cli.StringFlag{
@ -184,16 +175,6 @@ func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
 	}
 }

-// newAuthService creates a service with default functions.
-func newAuthService() *authService {
-	return &authService{
-		initDB:            initDB,
-		createAuthSource:  auth.CreateSource,
-		updateAuthSource:  auth.UpdateSource,
-		getAuthSourceByID: auth.GetSourceByID,
-	}
-}
-
 // parseAuthSource assigns values on authSource according to command line flags.
 func parseAuthSource(c *cli.Command, authSource *auth.Source) {
 	if c.IsSet("name") {
--- a/cmd/admin_auth_oauth.go
+++ b/cmd/admin_auth_oauth.go
@ -86,6 +86,11 @@ func oauthCLIFlags() []cli.Flag {
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
+		&cli.StringFlag{
+			Name:  "attribute-ssh-public-key",
+			Value: "",
+			Usage: "Claim name providing SSH public keys for this source",
+		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@ -120,6 +125,10 @@ func oauthCLIFlags() []cli.Flag {
 			Name:  "group-team-map-removal",
 			Usage: "Activate automatic team membership removal depending on groups",
 		},
+		&cli.BoolFlag{
+			Name:  "allow-username-change",
+			Usage: "Allow users to change their username",
+		},
 	}
 }

@ -127,7 +136,7 @@ func microcmdAuthAddOauth() *cli.Command {
 	return &cli.Command{
 		Name:   "add-oauth",
 		Usage:  "Add new Oauth authentication source",
-		Action: runAddOauth,
+		Action: newAuthService().addOauth,
 		Flags:  oauthCLIFlags(),
 	}
 }
@ -136,7 +145,7 @@ func microcmdAuthUpdateOauth() *cli.Command {
 	return &cli.Command{
 		Name:   "update-oauth",
 		Usage:  "Update existing Oauth authentication source",
-		Action: runUpdateOauth,
+		Action: newAuthService().updateOauth,
 		Flags:  append(oauthCLIFlags()[:1], append([]cli.Flag{idFlag()}, oauthCLIFlags()[1:]...)...),
 	}
 }
@ -163,6 +172,7 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		IconURL:                       c.String("icon-url"),
 		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
 		Scopes:                        c.StringSlice("scopes"),
+		AttributeSSHPublicKey:         c.String("attribute-ssh-public-key"),
 		RequiredClaimName:             c.String("required-claim-name"),
 		RequiredClaimValue:            c.String("required-claim-value"),
 		GroupClaimName:                c.String("group-claim-name"),
@ -170,14 +180,15 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
+		AllowUsernameChange:           c.Bool("allow-username-change"),
 	}
 }

-func runAddOauth(ctx context.Context, c *cli.Command) error {
+func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()

-	if err := initDB(ctx); err != nil {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}

@ -189,7 +200,7 @@ func runAddOauth(ctx context.Context, c *cli.Command) error {
 		}
 	}

-	return auth_model.CreateSource(ctx, &auth_model.Source{
+	return a.createAuthSource(ctx, &auth_model.Source{
 		Type:     auth_model.OAuth2,
 		Name:     c.String("name"),
 		IsActive: true,
@ -197,7 +208,7 @@ func runAddOauth(ctx context.Context, c *cli.Command) error {
 	})
 }

-func runUpdateOauth(ctx context.Context, c *cli.Command) error {
+func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}
@ -205,11 +216,11 @@ func runUpdateOauth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()

-	if err := initDB(ctx); err != nil {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}

-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
+	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return err
 	}
@ -244,6 +255,10 @@ func runUpdateOauth(ctx context.Context, c *cli.Command) error {
 		oAuth2Config.Scopes = c.StringSlice("scopes")
 	}

+	if c.IsSet("attribute-ssh-public-key") {
+		oAuth2Config.AttributeSSHPublicKey = c.String("attribute-ssh-public-key")
+	}
+
 	if c.IsSet("required-claim-name") {
 		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
 	}
@ -267,6 +282,10 @@ func runUpdateOauth(ctx context.Context, c *cli.Command) error {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}

+	if c.IsSet("allow-username-change") {
+		oAuth2Config.AllowUsernameChange = c.Bool("allow-username-change")
+	}
+
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}

@ -300,5 +319,5 @@ func runUpdateOauth(ctx context.Context, c *cli.Command) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config

-	return auth_model.UpdateSource(ctx, source)
+	return a.updateAuthSource(ctx, source)
 }
--- a/cmd/admin_auth_oauth_test.go
+++ b/cmd/admin_auth_oauth_test.go
@ -0,0 +1,706 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	"forgejo.org/models/auth"
+	"forgejo.org/modules/test"
+	"forgejo.org/services/auth/source/oauth2"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v3"
+)
+
+func TestAddOauth(t *testing.T) {
+	// Mock cli functions to do not exit on error
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+
+	// Test cases
+	cases := []struct {
+		args   []string
+		source *auth.Source
+		errMsg string
+	}{
+		// case 0
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source full",
+				"--provider", "openidConnect",
+				"--key", "client id",
+				"--secret", "client secret",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+				"--use-custom-urls", "",
+				"--custom-tenant-id", "tenant id",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+				"--icon-url", "https://example.com/icon.svg",
+				"--skip-local-2fa",
+				"--scopes", "address",
+				"--scopes", "email",
+				"--scopes", "phone",
+				"--scopes", "profile",
+				"--attribute-ssh-public-key", "ssh_public_key",
+				"--required-claim-name", "can_access",
+				"--required-claim-value", "yes",
+				"--group-claim-name", "groups",
+				"--admin-group", "admin",
+				"--restricted-group", "restricted",
+				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+				"--group-team-map-removal",
+				"--allow-username-change",
+			},
+			source: &auth.Source{
+				Type:     auth.OAuth2,
+				Name:     "oauth2 (via openidConnect) source full",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:                      "openidConnect",
+					ClientID:                      "client id",
+					ClientSecret:                  "client secret",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						AuthURL:    "https://example.com/auth",
+						TokenURL:   "https://example.com/token",
+						ProfileURL: "https://example.com/profile",
+						EmailURL:   "https://example.com/email",
+						Tenant:     "tenant id",
+					},
+					IconURL:               "https://example.com/icon.svg",
+					Scopes:                []string{"address", "email", "phone", "profile"},
+					AttributeSSHPublicKey: "ssh_public_key",
+					RequiredClaimName:     "can_access",
+					RequiredClaimValue:    "yes",
+					GroupClaimName:        "groups",
+					AdminGroup:            "admin",
+					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+					GroupTeamMapRemoval:   true,
+					RestrictedGroup:       "restricted",
+					SkipLocalTwoFA:        true,
+					AllowUsernameChange:   true,
+				},
+			},
+		},
+		// case 1
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source min",
+				"--provider", "openidConnect",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+			},
+			source: &auth.Source{
+				Type:     auth.OAuth2,
+				Name:     "oauth2 (via openidConnect) source min",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:                      "openidConnect",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					Scopes:                        []string{},
+				},
+			},
+		},
+		// case 2
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
+				"--custom-tenant-id", "tenant id",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+			},
+			source: &auth.Source{
+				Type:     auth.OAuth2,
+				Name:     "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Scopes: []string{},
+				},
+			},
+		},
+		// case 3
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
+				"--provider", "openidConnect",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+				"--scopes", "address",
+				"--scopes", "email",
+				"--scopes", "phone",
+				"--scopes", "profile",
+			},
+			source: &auth.Source{
+				Type:     auth.OAuth2,
+				Name:     "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:                      "openidConnect",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					Scopes:                        []string{"address", "email", "phone", "profile"},
+				},
+			},
+		},
+		// case 4
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
+				"--provider", "openidConnect",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+				"--scopes", "address,email,phone,profile",
+			},
+			source: &auth.Source{
+				Type:     auth.OAuth2,
+				Name:     "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:                      "openidConnect",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					Scopes:                        []string{"address", "email", "phone", "profile"},
+				},
+			},
+		},
+		// case 5
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source",
+				"--provider", "openidConnect",
+			},
+			errMsg: "invalid Auto Discovery URL:  (this must be a valid URL starting with http:// or https://)",
+		},
+		// case 6
+		{
+			args: []string{
+				"oauth-test",
+				"--name", "oauth2 (via openidConnect) source",
+				"--provider", "openidConnect",
+				"--auto-discover-url", "example.com",
+			},
+			errMsg: "invalid Auto Discovery URL: example.com (this must be a valid URL starting with http:// or https://)",
+		},
+	}
+
+	for n, c := range cases {
+		// Mock functions.
+		var createdAuthSource *auth.Source
+		service := &authService{
+			initDB: func(context.Context) error {
+				return nil
+			},
+			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+				createdAuthSource = authSource
+				return nil
+			},
+			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
+				return nil
+			},
+			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
+				return nil, nil
+			},
+		}
+
+		// Create a copy of command to test
+		app := cli.Command{}
+		app.Flags = microcmdAuthAddOauth().Flags
+		app.Action = service.addOauth
+
+		// Run it
+		err := app.Run(t.Context(), c.args)
+		if c.errMsg != "" {
+			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
+		} else {
+			require.NoError(t, err, "case %d: should have no errors", n)
+			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
+		}
+	}
+}
+
+func TestUpdateOauth(t *testing.T) {
+	// Mock cli functions to do not exit on error
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+
+	// Test cases
+	cases := []struct {
+		args               []string
+		id                 int64
+		existingAuthSource *auth.Source
+		authSource         *auth.Source
+		errMsg             string
+	}{
+		// case 0
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "23",
+				"--name", "oauth2 (via openidConnect) source full",
+				"--provider", "openidConnect",
+				"--key", "client id",
+				"--secret", "client secret",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+				"--use-custom-urls", "",
+				"--custom-tenant-id", "tenant id",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+				"--icon-url", "https://example.com/icon.svg",
+				"--skip-local-2fa",
+				"--scopes", "address",
+				"--scopes", "email",
+				"--scopes", "phone",
+				"--scopes", "profile",
+				"--attribute-ssh-public-key", "ssh_public_key",
+				"--required-claim-name", "can_access",
+				"--required-claim-value", "yes",
+				"--group-claim-name", "groups",
+				"--admin-group", "admin",
+				"--restricted-group", "restricted",
+				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+				"--group-team-map-removal",
+			},
+			id: 23,
+			existingAuthSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg:  &oauth2.Source{},
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source full",
+				Cfg: &oauth2.Source{
+					Provider:                      "openidConnect",
+					ClientID:                      "client id",
+					ClientSecret:                  "client secret",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						AuthURL:    "https://example.com/auth",
+						TokenURL:   "https://example.com/token",
+						ProfileURL: "https://example.com/profile",
+						EmailURL:   "https://example.com/email",
+						Tenant:     "tenant id",
+					},
+					IconURL:               "https://example.com/icon.svg",
+					Scopes:                []string{"address", "email", "phone", "profile"},
+					AttributeSSHPublicKey: "ssh_public_key",
+					RequiredClaimName:     "can_access",
+					RequiredClaimValue:    "yes",
+					GroupClaimName:        "groups",
+					AdminGroup:            "admin",
+					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+					GroupTeamMapRemoval:   true,
+					RestrictedGroup:       "restricted",
+					// `--skip-local-2fa` is currently ignored.
+					// SkipLocalTwoFA:        true,
+				},
+			},
+		},
+		// case 1
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 2
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--name", "oauth2 (via openidConnect) source full",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source full",
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 3
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--provider", "openidConnect",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					Provider:         "openidConnect",
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 4
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--key", "client id",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					ClientID:         "client id",
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 5
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--secret", "client secret",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					ClientSecret:     "client secret",
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 6
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
+					CustomURLMapping:              &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 7
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--use-custom-urls", "",
+				"--custom-tenant-id", "tenant id",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						AuthURL:    "https://example.com/auth",
+						TokenURL:   "https://example.com/token",
+						ProfileURL: "https://example.com/profile",
+						EmailURL:   "https://example.com/email",
+						Tenant:     "tenant id",
+					},
+				},
+			},
+		},
+		// case 8
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
+				"--custom-tenant-id", "tenant id",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+			},
+		},
+		// case 9
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--icon-url", "https://example.com/icon.svg",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					IconURL:          "https://example.com/icon.svg",
+				},
+			},
+		},
+		// case 10
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--name", "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
+				"--skip-local-2fa",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					// `--skip-local-2fa` is currently ignored.
+					// SkipLocalTwoFA: true,
+				},
+			},
+		},
+		// case 11
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
+				"--scopes", "address",
+				"--scopes", "email",
+				"--scopes", "phone",
+				"--scopes", "profile",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					Scopes:           []string{"address", "email", "phone", "profile"},
+				},
+			},
+		},
+		// case 12
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
+				"--scopes", "address,email,phone,profile",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Name: "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					Scopes:           []string{"address", "email", "phone", "profile"},
+				},
+			},
+		},
+		// case 13
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--attribute-ssh-public-key", "ssh_public_key",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping:      &oauth2.CustomURLMapping{},
+					AttributeSSHPublicKey: "ssh_public_key",
+				},
+			},
+		},
+		// case 14
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--required-claim-name", "can_access",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping:  &oauth2.CustomURLMapping{},
+					RequiredClaimName: "can_access",
+				},
+			},
+		},
+		// case 15
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--required-claim-value", "yes",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping:   &oauth2.CustomURLMapping{},
+					RequiredClaimValue: "yes",
+				},
+			},
+		},
+		// case 16
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--group-claim-name", "groups",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					GroupClaimName:   "groups",
+				},
+			},
+		},
+		// case 17
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--admin-group", "admin",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					AdminGroup:       "admin",
+				},
+			},
+		},
+		// case 18
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--restricted-group", "restricted",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					RestrictedGroup:  "restricted",
+				},
+			},
+		},
+		// case 19
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+					GroupTeamMap:     `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
+				},
+			},
+		},
+		// case 20
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "1",
+				"--group-team-map-removal",
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping:    &oauth2.CustomURLMapping{},
+					GroupTeamMapRemoval: true,
+				},
+			},
+		},
+		// case 21
+		{
+			args: []string{
+				"oauth-test",
+				"--id", "23",
+				"--group-team-map-removal=false",
+			},
+			id: 23,
+			existingAuthSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					GroupTeamMapRemoval: true,
+				},
+			},
+			authSource: &auth.Source{
+				Type: auth.OAuth2,
+				Cfg: &oauth2.Source{
+					CustomURLMapping:    &oauth2.CustomURLMapping{},
+					GroupTeamMapRemoval: false,
+				},
+			},
+		},
+		// case 22
+		{
+			args: []string{
+				"oauth-test",
+			},
+			errMsg: "--id flag is missing",
+		},
+	}
+
+	for n, c := range cases {
+		// Mock functions.
+		var updatedAuthSource *auth.Source
+		service := &authService{
+			initDB: func(context.Context) error {
+				return nil
+			},
+			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
+				return nil
+			},
+			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+				updatedAuthSource = authSource
+				return nil
+			},
+			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+				if c.id != 0 {
+					assert.Equal(t, c.id, id, "case %d: wrong id", n)
+				}
+				if c.existingAuthSource != nil {
+					return c.existingAuthSource, nil
+				}
+				return &auth.Source{
+					Type: auth.OAuth2,
+					Cfg:  &oauth2.Source{},
+				}, nil
+			},
+		}
+
+		// Create a copy of command to test
+		app := cli.Command{}
+		app.Flags = microcmdAuthUpdateOauth().Flags
+		app.Action = service.updateOauth
+
+		// Run it
+		err := app.Run(t.Context(), c.args)
+		if c.errMsg != "" {
+			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
+		} else {
+			require.NoError(t, err, "case %d: should have no errors", n)
+			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
+		}
+	}
+}
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -8,11 +8,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"

 	"forgejo.org/models/db"
@ -23,36 +24,43 @@ import (
 	"forgejo.org/modules/util"

 	"code.forgejo.org/go-chi/session"
-	"github.com/mholt/archiver/v3"
+	"github.com/mholt/archives"
 	"github.com/urfave/cli/v3"
 )

-func addReader(w archiver.Writer, r io.ReadCloser, info os.FileInfo, customName string, verbose bool) error {
+func addObject(archiveJobs chan archives.ArchiveAsyncJob, object fs.File, customName string, verbose bool) error {
 	if verbose {
 		log.Info("Adding file %s", customName)
 	}

-	return w.Write(archiver.File{
-		FileInfo: archiver.FileInfo{
-			FileInfo:   info,
-			CustomName: customName,
+	info, err := object.Stat()
+	if err != nil {
+		return err
+	}
+
+	ch := make(chan error)
+
+	archiveJobs <- archives.ArchiveAsyncJob{
+		File: archives.FileInfo{
+			FileInfo:      info,
+			NameInArchive: customName,
+			Open: func() (fs.File, error) {
+				return object, nil
+			},
 		},
-		ReadCloser: r,
-	})
+		Result: ch,
+	}
+
+	return <-ch
 }

-func addFile(w archiver.Writer, filePath, absPath string, verbose bool) error {
-	file, err := os.Open(absPath)
-	if err != nil {
-		return err
-	}
-	defer file.Close()
-	fileInfo, err := file.Stat()
+func addFile(archiveJobs chan archives.ArchiveAsyncJob, filePath, absPath string, verbose bool) error {
+	file, err := os.Open(absPath) // Closed by archiver
 	if err != nil {
 		return err
 	}

-	return addReader(w, file, fileInfo, filePath, verbose)
+	return addObject(archiveJobs, file, filePath, verbose)
 }

 func isSubdir(upper, lower string) (bool, error) {
@ -101,6 +109,54 @@ var outputTypeEnum = &outputType{
 	Default: "zip",
 }

+func getArchiverByType(outType string) (archives.ArchiverAsync, error) {
+	var archiver archives.ArchiverAsync
+	switch outType {
+	case "zip":
+		archiver = archives.Zip{}
+	case "tar":
+		archiver = archives.Tar{}
+	case "tar.sz":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Sz{},
+		}
+	case "tar.gz":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Gz{},
+		}
+	case "tar.xz":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Xz{},
+		}
+	case "tar.bz2":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Bz2{},
+		}
+	case "tar.br":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Brotli{},
+		}
+	case "tar.lz4":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Lz4{},
+		}
+	case "tar.zst":
+		archiver = archives.CompressedArchive{
+			Archival:    archives.Tar{},
+			Compression: archives.Zstd{},
+		}
+	default:
+		return nil, fmt.Errorf("unsupported output type: %s", outType)
+	}
+	return archiver, nil
+}
+
 // CmdDump represents the available dump sub-command.
 func cmdDump() *cli.Command {
 	return &cli.Command{
@ -254,46 +310,185 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		return err
 	}

-	var iface any
-	if fileName == "-" {
-		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))
-	} else {
-		iface, err = archiver.ByExtension(fileName)
-	}
+	archiveJobs := make(chan archives.ArchiveAsyncJob)
+	wg := sync.WaitGroup{}
+	archiver, err := getArchiverByType(outType)
 	if err != nil {
 		fatal("Failed to get archiver for extension: %v", err)
 	}

-	w, _ := iface.(archiver.Writer)
-	if err := w.Create(file); err != nil {
-		fatal("Creating archiver.Writer failed: %v", err)
-	}
-	defer w.Close()
-
 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
 		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
-		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
-			fatal("Failed to include repositories: %v", err)
-		}
+		wg.Add(1)
+		go dumpRepos(ctx, archiveJobs, &wg, absFileName, verbose)
+	}

-		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-			log.Info("Skipping LFS data")
-		} else if !setting.LFS.StartServer {
-			log.Info("LFS not enabled - skipping")
-		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
-			info, err := object.Stat()
-			if err != nil {
-				return err
+	wg.Add(1)
+	go dumpDatabase(ctx, archiveJobs, &wg, verbose)
+
+	if len(setting.CustomConf) > 0 {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			log.Info("Adding custom configuration file from %s", setting.CustomConf)
+			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
+				fatal("Failed to include specified app.ini: %v", err)
 			}
+		}()
+	}

-			return addReader(w, object, info, path.Join("data", "lfs", objPath), verbose)
-		}); err != nil {
-			fatal("Failed to dump LFS objects: %v", err)
+	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
+		log.Info("Skipping custom directory")
+	} else {
+		wg.Add(1)
+		go dumpCustom(archiveJobs, &wg, absFileName, verbose)
+	}
+
+	isExist, err := util.IsExist(setting.AppDataPath)
+	if err != nil {
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
+	}
+	if isExist {
+		log.Info("Packing data directory...%s", setting.AppDataPath)
+
+		wg.Add(1)
+		go dumpData(ctx, archiveJobs, &wg, absFileName, verbose)
+	}
+
+	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
+		log.Info("Skipping attachment data")
+	} else {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
+				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
+			}); err != nil {
+				fatal("Failed to dump attachments: %v", err)
+			}
+		}()
+	}
+
+	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
+		log.Info("Skipping package data")
+	} else if !setting.Packages.Enabled {
+		log.Info("Package registry not enabled - skipping")
+	} else {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
+				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
+			}); err != nil {
+				fatal("Failed to dump packages: %v", err)
+			}
+		}()
+	}
+
+	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
+	// ensuring that it's clear the dump is skipped whether the directory's initialized
+	// yet or not.
+	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
+		log.Info("Skipping log files")
+	} else {
+		isExist, err := util.IsExist(setting.Log.RootPath)
+		if err != nil {
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
+		}
+		if isExist {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
+					fatal("Failed to include log: %v", err)
+				}
+			}()
 		}
 	}

+	// Wait for all jobs to finish before closing the channel
+	// ArchiveAsync will only return after the channel is closed
+	go func() {
+		wg.Wait()
+		close(archiveJobs)
+	}()
+
+	if err := archiver.ArchiveAsync(stdCtx, file, archiveJobs); err != nil {
+		_ = util.Remove(fileName)
+
+		fatal("Archiving failed: %v", err)
+	}
+
+	if fileName != "-" {
+		if err := os.Chmod(fileName, 0o600); err != nil {
+			log.Info("Can't change file access permissions mask to 0600: %v", err)
+		}
+
+		log.Info("Finished dumping in file %s", fileName)
+	} else {
+		log.Info("Finished dumping to stdout")
+	}
+
+	return nil
+}
+
+func dumpData(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
+	defer wg.Done()
+
+	var excludes []string
+	if setting.SessionConfig.OriginalProvider == "file" {
+		var opts session.Options
+		if err := json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
+			fatal("Failed to parse session config: %v", err)
+		}
+		excludes = append(excludes, opts.ProviderConfig)
+	}
+
+	if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+		log.Info("Skipping bleve index data")
+		excludes = append(excludes, setting.Indexer.RepoPath)
+		excludes = append(excludes, setting.Indexer.IssuePath)
+	}
+
+	if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
+		log.Info("Skipping repository archives data")
+		excludes = append(excludes, setting.RepoArchive.Storage.Path)
+	}
+
+	excludes = append(excludes, setting.RepoRootPath)
+	excludes = append(excludes, setting.LFS.Storage.Path)
+	excludes = append(excludes, setting.Attachment.Storage.Path)
+	excludes = append(excludes, setting.Packages.Storage.Path)
+	excludes = append(excludes, setting.Log.RootPath)
+	excludes = append(excludes, absFileName)
+	if err := addRecursiveExclude(archiveJobs, "data", setting.AppDataPath, excludes, verbose); err != nil {
+		fatal("Failed to include data directory: %v", err)
+	}
+}
+
+func dumpCustom(archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
+	defer wg.Done()
+
+	customDir, err := os.Stat(setting.CustomPath)
+	if err == nil && customDir.IsDir() {
+		if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
+			if err := addRecursiveExclude(archiveJobs, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
+				fatal("Failed to include custom: %v", err)
+			}
+		} else {
+			log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
+		}
+	} else {
+		log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
+	}
+}
+
+func dumpDatabase(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, verbose bool) {
+	defer wg.Done()
+
+	var err error
 	tmpDir := ctx.String("tempdir")
 	if tmpDir == "" {
 		tmpDir, err = os.MkdirTemp("", "forgejo-dump-*")
@ -334,139 +529,32 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		fatal("Failed to dump database: %v", err)
 	}

-	if err := addFile(w, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
+	if err := addFile(archiveJobs, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
 		fatal("Failed to include forgejo-db.sql: %v", err)
 	}
+}

-	if len(setting.CustomConf) > 0 {
-		log.Info("Adding custom configuration file from %s", setting.CustomConf)
-		if err := addFile(w, "app.ini", setting.CustomConf, verbose); err != nil {
-			fatal("Failed to include specified app.ini: %v", err)
-		}
+func dumpRepos(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
+	defer wg.Done()
+
+	if err := addRecursiveExclude(archiveJobs, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
+		fatal("Failed to include repositories: %v", err)
 	}

-	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
-		log.Info("Skipping custom directory")
-	} else {
-		customDir, err := os.Stat(setting.CustomPath)
-		if err == nil && customDir.IsDir() {
-			if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
-				if err := addRecursiveExclude(w, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
-					fatal("Failed to include custom: %v", err)
-				}
-			} else {
-				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
-			}
-		} else {
-			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
-		}
-	}
-
-	isExist, err := util.IsExist(setting.AppDataPath)
-	if err != nil {
-		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
-	}
-	if isExist {
-		log.Info("Packing data directory...%s", setting.AppDataPath)
-
-		var excludes []string
-		if setting.SessionConfig.OriginalProvider == "file" {
-			var opts session.Options
-			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
-				return err
-			}
-			excludes = append(excludes, opts.ProviderConfig)
-		}
-
-		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
-			log.Info("Skipping bleve index data")
-			excludes = append(excludes, setting.Indexer.RepoPath)
-			excludes = append(excludes, setting.Indexer.IssuePath)
-		}
-
-		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
-			log.Info("Skipping repository archives data")
-			excludes = append(excludes, setting.RepoArchive.Storage.Path)
-		}
-
-		excludes = append(excludes, setting.RepoRootPath)
-		excludes = append(excludes, setting.LFS.Storage.Path)
-		excludes = append(excludes, setting.Attachment.Storage.Path)
-		excludes = append(excludes, setting.Packages.Storage.Path)
-		excludes = append(excludes, setting.Log.RootPath)
-		excludes = append(excludes, absFileName)
-		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
-			fatal("Failed to include data directory: %v", err)
-		}
-	}
-
-	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skipping attachment data")
-	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
-		info, err := object.Stat()
-		if err != nil {
-			return err
-		}
-
-		return addReader(w, object, info, path.Join("data", "attachments", objPath), verbose)
+	if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
+		log.Info("Skipping LFS data")
+	} else if !setting.LFS.StartServer {
+		log.Info("LFS not enabled - skipping")
+	} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
+		return addObject(archiveJobs, object, path.Join("data", "lfs", objPath), verbose)
 	}); err != nil {
-		fatal("Failed to dump attachments: %v", err)
+		fatal("Failed to dump LFS objects: %v", err)
 	}
-
-	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skipping package data")
-	} else if !setting.Packages.Enabled {
-		log.Info("Package registry not enabled - skipping")
-	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
-		info, err := object.Stat()
-		if err != nil {
-			return err
-		}
-
-		return addReader(w, object, info, path.Join("data", "packages", objPath), verbose)
-	}); err != nil {
-		fatal("Failed to dump packages: %v", err)
-	}
-
-	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
-	// ensuring that it's clear the dump is skipped whether the directory's initialized
-	// yet or not.
-	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skipping log files")
-	} else {
-		isExist, err := util.IsExist(setting.Log.RootPath)
-		if err != nil {
-			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
-		}
-		if isExist {
-			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
-				fatal("Failed to include log: %v", err)
-			}
-		}
-	}
-
-	if fileName != "-" {
-		if err = w.Close(); err != nil {
-			_ = util.Remove(fileName)
-			fatal("Failed to save %s: %v", fileName, err)
-		}
-
-		if err := os.Chmod(fileName, 0o600); err != nil {
-			log.Info("Can't change file access permissions mask to 0600: %v", err)
-		}
-	}
-
-	if fileName != "-" {
-		log.Info("Finish dumping in file %s", fileName)
-	} else {
-		log.Info("Finish dumping to stdout")
-	}
-
-	return nil
 }

 // addRecursiveExclude zips absPath to specified insidePath inside writer excluding excludeAbsPath
-func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
+// archives.FilesFromDisk doesn't support excluding files, so we have to do it manually
+func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
 	absPath, err := filepath.Abs(absPath)
 	if err != nil {
 		return err
@ -491,10 +579,11 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		}

 		if file.IsDir() {
-			if err := addFile(w, currentInsidePath, currentAbsPath, false); err != nil {
+			if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, false); err != nil {
 				return err
 			}
-			if err = addRecursiveExclude(w, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
+
+			if err := addRecursiveExclude(archiveJobs, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
 				return err
 			}
 		} else {
@ -512,7 +601,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 				shouldAdd = targetStat.Mode().IsRegular()
 			}
 			if shouldAdd {
-				if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
+				if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, verbose); err != nil {
 					return err
 				}
 			}
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -82,6 +82,11 @@ wiki, issues, labels, releases, release_assets, milestones, pull_requests, comme
 }

 func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
+	setupConsoleLogger(log.INFO, log.CanColorStderr, os.Stderr)
+
+	// setting.DisableLoggerInit()
+	setting.LoadSettings() // cannot access skip_tls_verify settings otherwise
+
 	stdCtx, cancel := installSignals(stdCtx)
 	defer cancel()

--- a/cmd/dump_test.go
+++ b/cmd/dump_test.go
@ -4,40 +4,32 @@
 package cmd

 import (
-	"io"
 	"os"
 	"testing"

-	"github.com/mholt/archiver/v3"
+	"github.com/mholt/archives"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-type mockArchiver struct {
-	addedFiles []string
-}
-
-func (mockArchiver) Create(out io.Writer) error {
-	return nil
-}
-
-func (m *mockArchiver) Write(f archiver.File) error {
-	m.addedFiles = append(m.addedFiles, f.Name())
-	return nil
-}
-
-func (mockArchiver) Close() error {
-	return nil
+func mockArchiverAsync(ch chan archives.ArchiveAsyncJob, files *[]string) {
+	for job := range ch {
+		*files = append(*files, job.File.NameInArchive)
+		job.Result <- nil
+	}
 }

 func TestAddRecursiveExclude(t *testing.T) {
 	t.Run("Empty", func(t *testing.T) {
-		dir := t.TempDir()
-		archiver := &mockArchiver{}
+		ch := make(chan archives.ArchiveAsyncJob)
+		var files []string
+		go mockArchiverAsync(ch, &files)

-		err := addRecursiveExclude(archiver, "", dir, []string{}, false)
+		dir := t.TempDir()
+
+		err := addRecursiveExclude(ch, "", dir, []string{}, false)
 		require.NoError(t, err)
-		assert.Empty(t, archiver.addedFiles)
+		assert.Empty(t, files)
 	})

 	t.Run("Single file", func(t *testing.T) {
@ -46,20 +38,25 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)

 		t.Run("No exclude", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, nil, false)
+			err := addRecursiveExclude(ch, "", dir, nil, false)
 			require.NoError(t, err)
-			assert.Len(t, archiver.addedFiles, 1)
-			assert.Contains(t, archiver.addedFiles, "example")
+
+			assert.Len(t, files, 1)
+			assert.Contains(t, files, "example")
 		})

 		t.Run("With exclude", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/example"}, false)
+			err := addRecursiveExclude(ch, "", dir, []string{dir + "/example"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, archiver.addedFiles)
+			assert.Empty(t, files)
 		})
 	})

@ -73,46 +70,57 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)

 		t.Run("No exclude", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, nil, false)
+			err := addRecursiveExclude(ch, "", dir, nil, false)
 			require.NoError(t, err)
-			assert.Len(t, archiver.addedFiles, 5)
-			assert.Contains(t, archiver.addedFiles, "deep")
-			assert.Contains(t, archiver.addedFiles, "deep/nested")
-			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
-			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/example")
-			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
+			assert.Len(t, files, 5)
+
+			assert.Contains(t, files, "deep")
+			assert.Contains(t, files, "deep/nested")
+			assert.Contains(t, files, "deep/nested/folder")
+			assert.Contains(t, files, "deep/nested/folder/example")
+			assert.Contains(t, files, "deep/nested/folder/another-file")
 		})

 		t.Run("Exclude first directory", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep"}, false)
+			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, archiver.addedFiles)
+			assert.Empty(t, files)
 		})

 		t.Run("Exclude nested directory", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder"}, false)
+			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder"}, false)
 			require.NoError(t, err)
-			assert.Len(t, archiver.addedFiles, 2)
-			assert.Contains(t, archiver.addedFiles, "deep")
-			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Len(t, files, 2)
+
+			assert.Contains(t, files, "deep")
+			assert.Contains(t, files, "deep/nested")
 		})

 		t.Run("Exclude file", func(t *testing.T) {
-			archiver := &mockArchiver{}
+			ch := make(chan archives.ArchiveAsyncJob)
+			var files []string
+			go mockArchiverAsync(ch, &files)

-			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
+			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
 			require.NoError(t, err)
-			assert.Len(t, archiver.addedFiles, 4)
-			assert.Contains(t, archiver.addedFiles, "deep")
-			assert.Contains(t, archiver.addedFiles, "deep/nested")
-			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
-			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
+			assert.Len(t, files, 4)
+
+			assert.Contains(t, files, "deep")
+			assert.Contains(t, files, "deep/nested")
+			assert.Contains(t, files, "deep/nested/folder")
+			assert.Contains(t, files, "deep/nested/folder/another-file")
 		})
 	})
 }
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -231,8 +231,6 @@ Forgejo or set your environment appropriately.`, "")
 		}
 	}

-	supportProcReceive := git.CheckGitVersionAtLeast("2.29") == nil
-
 	for scanner.Scan() {
 		// TODO: support news feeds for wiki
 		if isWiki {
@ -250,31 +248,25 @@ Forgejo or set your environment appropriately.`, "")
 		total++
 		lastline++

-		// If the ref is a branch or tag, check if it's protected
-		// if supportProcReceive all ref should be checked because
-		// permission check was delayed
-		if supportProcReceive || refFullName.IsBranch() || refFullName.IsTag() {
-			oldCommitIDs[count] = oldCommitID
-			newCommitIDs[count] = newCommitID
-			refFullNames[count] = refFullName
-			count++
-			fmt.Fprint(out, "*")
+		// All references should be checked because permission check was delayed.
+		oldCommitIDs[count] = oldCommitID
+		newCommitIDs[count] = newCommitID
+		refFullNames[count] = refFullName
+		count++
+		fmt.Fprint(out, "*")

-			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d references\n", count)
+		if count >= hookBatchSize {
+			fmt.Fprintf(out, " Checking %d references\n", count)

-				hookOptions.OldCommitIDs = oldCommitIDs
-				hookOptions.NewCommitIDs = newCommitIDs
-				hookOptions.RefFullNames = refFullNames
-				extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
-				if extra.HasError() {
-					return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
-				}
-				count = 0
-				lastline = 0
+			hookOptions.OldCommitIDs = oldCommitIDs
+			hookOptions.NewCommitIDs = newCommitIDs
+			hookOptions.RefFullNames = refFullNames
+			extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
+			if extra.HasError() {
+				return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
 			}
-		} else {
-			fmt.Fprint(out, ".")
+			count = 0
+			lastline = 0
 		}
 		if lastline >= hookBatchSize {
 			fmt.Fprint(out, "\n")
@ -513,10 +505,6 @@ Forgejo or set your environment appropriately.`, "")
 		return nil
 	}

-	if git.CheckGitVersionAtLeast("2.29") != nil {
-		return fail(ctx, "No proc-receive support", "current git version doesn't support proc-receive.")
-	}
-
 	reader := bufio.NewReader(os.Stdin)
 	repoUser := os.Getenv(repo_module.EnvRepoUsername)
 	repoName := os.Getenv(repo_module.EnvRepoName)
--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@ -44,6 +44,11 @@ func defaultLoggingFlags() []cli.Flag {
 			Aliases: []string{"e"},
 			Usage:   "Matching expression for the logger",
 		},
+		&cli.StringFlag{
+			Name:    "exclusion",
+			Aliases: []string{"x"},
+			Usage:   "Exclusion for the logger",
+		},
 		&cli.StringFlag{
 			Name:    "prefix",
 			Aliases: []string{"p"},
@ -286,6 +291,9 @@ func commonAddLogger(ctx context.Context, c *cli.Command, mode string, vals map[
 	if len(c.String("expression")) > 0 {
 		vals["expression"] = c.String("expression")
 	}
+	if len(c.String("exclusion")) > 0 {
+		vals["exclusion"] = c.String("exclusion")
+	}
 	if len(c.String("prefix")) > 0 {
 		vals["prefix"] = c.String("prefix")
 	}
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -88,6 +88,14 @@ var (
 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
 )

+func sshLog(ctx context.Context, level log.Level, message string) error {
+	if testing.Testing() || setting.InternalToken == "" {
+		return nil
+	}
+
+	return private.SSHLog(ctx, level, message)
+}
+
 // fail prints message to stdout, it's mainly used for git serv and git hook commands.
 // The output will be passed to git client and shown to user.
 func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error {
@ -112,10 +120,7 @@ func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error
 				logMsg = userMessage + ". " + logMsg
 			}
 		}
-		// Don't send an log if this is done in a test and no InternalToken is set.
-		if !testing.Testing() || setting.InternalToken != "" {
-			_ = private.SSHLog(ctx, true, logMsg)
-		}
+		_ = sshLog(ctx, log.ERROR, logMsg)
 	}
 	return cli.Exit("", 1)
 }
@ -193,12 +198,10 @@ func runServ(ctx context.Context, c *cli.Command) error {
 	}

 	if len(words) < 2 {
-		if git.CheckGitVersionAtLeast("2.29") == nil {
-			// for AGit Flow
-			if cmd == "ssh_info" {
-				fmt.Print(`{"type":"agit","version":1}`)
-				return nil
-			}
+		// for AGit Flow
+		if cmd == "ssh_info" {
+			fmt.Print(`{"type":"agit","version":1}`)
+			return nil
 		}
 		return fail(ctx, "Too few arguments", "Too few arguments in cmd: %s", cmd)
 	}
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@ -15,6 +15,7 @@ import (
 	"forgejo.org/modules/graceful"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/process"
+	"forgejo.org/modules/proxy"
 	"forgejo.org/modules/setting"

 	"github.com/caddyserver/certmagic"
@ -76,6 +77,12 @@ func runACME(listenAddr string, m http.Handler) error {
 		ListenHost:              setting.HTTPAddr,
 		AltTLSALPNPort:          altTLSALPNPort,
 		AltHTTPPort:             altHTTPPort,
+		HTTPProxy:               proxy.Proxy(),
+	}
+
+	// Preserve behavior to use Let's encrypt test CA when Let's encrypt is CA.
+	if certmagic.DefaultACME.CA == certmagic.LetsEncryptProductionCA {
+		certmagic.DefaultACME.TestCA = certmagic.LetsEncryptStagingCA
 	}

 	magic := certmagic.NewDefault()
--- a/contrib/coverage-helper.sh
+++ b/contrib/coverage-helper.sh
@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+#set -x
+PS4='${BASH_SOURCE[0]}:$LINENO: ${FUNCNAME[0]}:  '
+
+#
+# Those must be explicitly required and are excluded from the full list of packages because they
+# would interfere with the testing fixtures.
+#
+excluded+='forgejo.org/models/migrations|'                # must be run before database specific tests
+excluded+='forgejo.org/models/forgejo_migrations|'        # must be run before database specific tests
+excluded+='forgejo.org/tests/integration/migration-test|' # must be run before database specific tests
+excluded+='forgejo.org/tests|'                            # only tests, no coverage to get there
+excluded+='forgejo.org/tests/e2e|'                        # JavaScript is not in scope here and if it adds coverage it should not be counted
+excluded+='FAKETERMINATOR'                                # do not modify
+
+: ${COVERAGEDIR:=$(pwd)/coverage/data}
+: ${GO:=$(go env GOROOT)/bin/go}
+
+DEFAULT_TEST_PACKAGES=$($GO list ./... | grep -E -v "$excluded")
+
+COVERED_PACKAGES=$($GO list ./...)
+COVERED_PACKAGES=$(echo $COVERED_PACKAGES | sed -e 's/ /,/g')
+
+function run_test() {
+  local package="$1"
+  if echo "$package" | grep --quiet --fixed-string ".."; then
+    echo "$package contains a suspicious .."
+    return 1
+  fi
+
+  local coverage="$COVERAGEDIR/$COVERAGE_TEST_DATABASE/$package"
+  rm -fr $coverage
+  mkdir -p $coverage
+
+  #
+  # -race cannot be used because it requires -covermode atomic which is
+  # different from the end-to-end tests and would cause issues wen merging
+  #
+  $GO test -timeout=20m -tags='sqlite sqlite_unlock_notify' -cover $package -coverpkg $COVERED_PACKAGES $COVERAGE_TEST_ARGS -args -test.gocoverdir=$coverage |& grep -v 'warning: no packages being tested depend on matches for pattern'
+}
+
+function test_packages() {
+  for package in ${@:-$DEFAULT_TEST_PACKAGES}; do
+    run_test $package
+  done
+}
+
+"$@"
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -449,6 +449,9 @@ INTERNAL_TOKEN =
 ;; How long to remember that a user is logged in before requiring relogin (in days)
 ;LOGIN_REMEMBER_DAYS = 31
 ;;
+;; Require 2FA globally for none|all|admin.
+;GLOBAL_TWO_FACTOR_REQUIREMENT = none
+;;
 ;; Name of cookie used to store authentication information.
 ;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
@ -592,13 +595,10 @@ LEVEL = Info
 ;BUFFER_LEN = 10000
 ;;
 ;; Sub logger modes, a single comma means use default MODE above, empty means disable it
-;logger.access.MODE=
-;logger.router.MODE=,
-;logger.xorm.MODE=,
-;;
-;; Collect SSH logs (Creates log from ssh git request)
-;;
-;ENABLE_SSH_LOG = false
+;LOGGER_ACCESS_MODE=
+;LOGGER_ROUTER_MODE=,
+;LOGGER_XORM_MODE=,
+;LOGGER_SSH_MODE= ;; SSH logs from ssh git request
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -631,6 +631,7 @@ LEVEL = Info
 ;LEVEL=
 ;FLAGS = stdflags or journald
 ;EXPRESSION =
+;EXCLUSION =
 ;PREFIX =
 ;COLORIZE = false
 ;;
@ -1585,6 +1586,11 @@ LEVEL = Info
 ;; If enabled it will be possible for users to report abusive content (new actions are added in the UI and /report_abuse route will be enabled) and a new Moderation section will be added to Admin settings where the reports can be reviewed.
 ;ENABLED = false

+;; How long to keep resolved abuse reports for.
+;; Applies to reports that have been marked as ignored or handled
+;; Can be 1 hour, 7 days etc
+;KEEP_RESOLVED_REPORTS_FOR = 0
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[openid]
@ -1767,6 +1773,9 @@ LEVEL = Info
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;;
+;; Alternative location to specify mailer password. You cannot specify both this and PASSWD, and must pick one
+;PASSWD_URI = file:/etc/forgejo/mailer_passwd
+;;
 ;; Send mails only in plain text, without HTML alternative
 ;SEND_AS_PLAIN_TEXT = false
 ;;
@ -1819,6 +1828,9 @@ LEVEL = Info
 ;; Password of the receiving account
 ;PASSWORD =
 ;;
+;; Alternative location to specify password of the receiving account. You cannot specify both this and PASSWORD, and must pick one
+;PASSWORD_URI = file:/etc/forgejo/email_incoming_password
+;;
 ;; Whether the IMAP server uses TLS.
 ;USE_TLS = false
 ;;
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -153,7 +153,7 @@ export default tseslint.config(

      '@stylistic/quotes': [2, 'single', {
        avoidEscape: true,
-        allowTemplateLiterals: true,
+        allowTemplateLiterals: 'always',
      }],

      '@stylistic/rest-spread-spacing': [2, 'never'],
@ -799,6 +799,7 @@ export default tseslint.config(
      'unicorn/prefer-array-some': [2],
      'unicorn/prefer-at': [0],
      'unicorn/prefer-blob-reading-methods': [2],
+      'unicorn/prefer-classlist-toggle': [2],
      'unicorn/prefer-code-point': [0],
      'unicorn/prefer-date-now': [2],
      'unicorn/prefer-default-parameters': [0],
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,8 @@
 module forgejo.org

-go 1.24
+go 1.24.0

-toolchain go1.24.4
+toolchain go1.24.7

 require (
 	code.forgejo.org/f3/gof3/v3 v3.11.0
@ -10,6 +10,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
+	code.forgejo.org/forgejo/runner/v11 v11.0.0
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
@ -24,11 +25,11 @@ require (
 	github.com/ProtonMail/go-crypto v1.3.0
 	github.com/PuerkitoBio/goquery v1.10.3
 	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2
-	github.com/alecthomas/chroma/v2 v2.18.0
+	github.com/alecthomas/chroma/v2 v2.20.0
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/blevesearch/bleve/v2 v2.5.2
 	github.com/buildkite/terminal-to-html/v3 v3.16.8
-	github.com/caddyserver/certmagic v0.23.0
+	github.com/caddyserver/certmagic v0.24.0
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
@ -40,46 +41,44 @@ require (
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
-	github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73
-	github.com/go-chi/chi/v5 v5.2.2
-	github.com/go-chi/cors v1.2.1
+	github.com/go-ap/jsonld v0.0.0-20250905102310-8480b0fe24d9
+	github.com/go-chi/chi/v5 v5.2.3
+	github.com/go-chi/cors v1.2.2
 	github.com/go-co-op/gocron v1.37.0
 	github.com/go-enry/go-enry/v2 v2.9.2
-	github.com/go-git/go-git/v5 v5.13.2
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-openapi/spec v0.21.0
 	github.com/go-sql-driver/mysql v1.9.3
-	github.com/go-webauthn/webauthn v0.13.0
+	github.com/go-webauthn/webauthn v0.13.4
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v64 v64.0.0
-	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e
+	github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
 	github.com/gorilla/sessions v1.4.0
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
-	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056
-	github.com/jhillyerd/enmime/v2 v2.1.0
+	github.com/inbucket/html2text v0.9.0
+	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.18.0
-	github.com/klauspost/cpuid/v2 v2.2.10
+	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/lib/pq v1.10.9
 	github.com/markbates/goth v1.80.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.28
-	github.com/meilisearch/meilisearch-go v0.31.0
-	github.com/mholt/archiver/v3 v3.5.1
+	github.com/mattn/go-sqlite3 v1.14.32
+	github.com/meilisearch/meilisearch-go v0.34.0
+	github.com/mholt/archives v0.1.3
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/minio/minio-go/v7 v7.0.94
+	github.com/minio/minio-go/v7 v7.0.95
 	github.com/msteinert/pam/v2 v2.1.0
-	github.com/nektos/act v0.2.52
-	github.com/niklasfasching/go-org v1.8.0
+	github.com/niklasfasching/go-org v1.9.1
 	github.com/olivere/elastic/v7 v7.0.32
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
@ -89,27 +88,27 @@ require (
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sergi/go-diff v1.4.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/syndtr/goleveldb v1.0.0
-	github.com/ulikunitz/xz v0.5.12
-	github.com/urfave/cli/v3 v3.3.3
+	github.com/ulikunitz/xz v0.5.15
+	github.com/urfave/cli/v3 v3.4.1
 	github.com/valyala/fastjson v1.6.4
 	github.com/yohcop/openid-go v1.0.1
-	github.com/yuin/goldmark v1.7.12
+	github.com/yuin/goldmark v1.7.13
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.130.1
-	go.uber.org/mock v0.5.2
-	golang.org/x/crypto v0.39.0
-	golang.org/x/image v0.27.0
-	golang.org/x/net v0.41.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.15.0
-	golang.org/x/sys v0.33.0
-	golang.org/x/text v0.26.0
-	google.golang.org/protobuf v1.36.4
+	go.uber.org/mock v0.6.0
+	go.yaml.in/yaml/v3 v3.0.4
+	golang.org/x/crypto v0.42.0
+	golang.org/x/image v0.31.0
+	golang.org/x/net v0.44.0
+	golang.org/x/oauth2 v0.31.0
+	golang.org/x/sync v0.17.0
+	golang.org/x/sys v0.36.0
+	golang.org/x/text v0.29.0
+	google.golang.org/protobuf v1.36.9
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
-	gopkg.in/yaml.v3 v3.0.1
 	mvdan.cc/xurls/v2 v2.5.0
 	xorm.io/builder v0.3.13
 	xorm.io/xorm v1.3.9
@ -117,12 +116,13 @@ require (

 require (
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/RoaringBitmap/roaring/v2 v2.4.5 // indirect
-	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/STARRY-S/zip v0.2.1 // indirect
+	github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
@ -145,35 +145,40 @@ require (
 	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
 	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
 	github.com/blevesearch/zapx/v16 v16.2.4 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.8.0 // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.0 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20250403215159-8d39553ac7cf // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fatih/color v1.16.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.2 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/go-webauthn/x v0.1.21 // indirect
+	github.com/go-webauthn/x v0.1.23 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
@ -183,31 +188,38 @@ require (
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/libdns/libdns v1.0.0-beta.1 // indirect
+	github.com/libdns/libdns v1.0.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/mholt/acmez/v3 v3.1.2 // indirect
 	github.com/miekg/dns v1.1.63 // indirect
-	github.com/minio/crc64nvme v1.0.1 // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/crc64nvme v1.0.2 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
+	github.com/minio/minlz v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nwaples/rardecode v1.1.3 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/nwaples/rardecode/v2 v2.1.0 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.0.9 // indirect
+	github.com/olekukonko/tablewriter v1.0.7 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@ -215,35 +227,34 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rhysd/actionlint v1.6.27 // indirect
+	github.com/rhysd/actionlint v1.7.7 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/sorairolake/lzip-go v0.3.5 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
-	go.etcd.io/bbolt v1.4.0 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/time v0.13.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1

-replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.28.0
-
 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1

 replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616
--- a/go.sum
+++ b/go.sum
@ -1,13 +1,25 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 code.forgejo.org/f3/gof3/v3 v3.11.0 h1:f/xToKwqTgxG6PYxvewywjDQyCcyHEEJ6sZqUitFsAE=
 code.forgejo.org/f3/gof3/v3 v3.11.0/go.mod h1:4FaRUNSQGBiD1M0DuB0yNv+Z2wMtlOeckgygHSSq4KQ=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251 h1:HTZl3CBk3ABNYtFI6TPLvJgGKFIhKT5CBk0sbOtkDKU=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:PphB88CPbx601QrWPMZATeorACeVmQlyv3u+uUMbSaM=
-code.forgejo.org/forgejo/act v1.28.0 h1:96njNC7C1YNyjWq5OWvLZMF/nw0PMthzIA8Nwbnn7jo=
-code.forgejo.org/forgejo/act v1.28.0/go.mod h1:dFuiwAmD5vyrzecysHB2kL/GM3wRpoVPl+WdbCTC8Bs=
-code.forgejo.org/forgejo/archiver/v3 v3.5.1 h1:UmmbA7D5550uf71SQjarmrn6yKwOGxtEjb3jaYYtmSE=
-code.forgejo.org/forgejo/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
 code.forgejo.org/forgejo/go-rpmutils v1.0.0 h1:RZGGeKt70p/WaIEL97pyT6uiiEIoN8/aLmS5Z6WmX0M=
 code.forgejo.org/forgejo/go-rpmutils v1.0.0/go.mod h1:cg+VbgLXfrDPza9T+kBsMb3TVmmzPN4XseT6gDGLSUk=
 code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:RArF5AsF9LH4nEoJxqRxcP5r8hhRfWcId84G82YbqzA=
@ -16,6 +28,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
+code.forgejo.org/forgejo/runner/v11 v11.0.0 h1:PDChRbwPzoflwP05QHn8YyvRDvnU5yVq/X3sdZojXr8=
+code.forgejo.org/forgejo/runner/v11 v11.0.0/go.mod h1:ZJokNf9nZItjsfSjC/9zHbUvf5LXYUi+On+1Bg/pO3g=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=
@ -34,8 +48,9 @@ codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570 h1:TXbikPqa7YRtf
 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570/go.mod h1:IIAjsijsd8q1isWX8MACefDEgTQslQ4stk2AeeTt3kM=
 connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
 connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
@ -48,6 +63,8 @@ github.com/6543/go-version v1.3.1 h1:HvOp+Telns7HWJ2Xo/05YXQSB2bE0WmVgbHqwMPZT4U
 github.com/6543/go-version v1.3.1/go.mod h1:oqFAHCwtLVUTLdhQmVZWYvaHXTdsbB4SY85at64SQEo=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@ -57,21 +74,22 @@ github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiU
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
 github.com/RoaringBitmap/roaring/v2 v2.4.5 h1:uGrrMreGjvAtTBobc0g5IrW1D5ldxDQYe2JW2gggRdg=
 github.com/RoaringBitmap/roaring/v2 v2.4.5/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
+github.com/STARRY-S/zip v0.2.1 h1:pWBd4tuSGm3wtpoqRZZ2EAwOmcHK6XFf7bU9qcJXyFg=
+github.com/STARRY-S/zip v0.2.1/go.mod h1:xNvshLODWtC4EJ702g7cTYn13G53o1+X9BWnPFpcWV4=
 github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2 h1:cSXom2MoKJ9KPPw29RoZtHvUETY4F4n/kXl8m9btnQ0=
 github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2/go.mod h1:JitQWJ8JuV4Y87l8VsHiiwhb3cgdyn68mX40s7NT6PA=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.18.0 h1:6h53Q4hW83SuF+jcsp7CVhLsMozzvQvO8HBbKQW+gn4=
-github.com/alecthomas/chroma/v2 v2.18.0/go.mod h1:RVX6AvYm4VfYe/zsk7mjHueLDZor3aWCNE14TFlepBk=
+github.com/alecthomas/chroma/v2 v2.20.0 h1:sfIHpxPyR07/Oylvmcai3X/exDlE8+FA820NTz+9sGw=
+github.com/alecthomas/chroma/v2 v2.20.0/go.mod h1:e7tViK0xh/Nf4BYHl00ycY6rV7b8iXBksI9E359yNmA=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
-github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
-github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/alecthomas/repr v0.5.1 h1:E3G4t2QbHTSNpPKBgMTln5KLkZHLOcU7r37J4pXBuIg=
+github.com/alecthomas/repr v0.5.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
-github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=
-github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
+github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 h1:8PmGpDEZl9yDpcdEr6Odf23feCxK3LNUNMxjXg41pZQ=
+github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@ -123,6 +141,14 @@ github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFx
 github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
 github.com/blevesearch/zapx/v16 v16.2.4 h1:tGgfvleXTAkwsD5mEzgM3zCS/7pgocTCnO1oyAUjlww=
 github.com/blevesearch/zapx/v16 v16.2.4/go.mod h1:Rti/REtuuMmzwsI8/C/qIzRaEoSK/wiFYw5e5ctUKKs=
+github.com/bmatcuk/doublestar/v4 v4.8.0 h1:DSXtrypQddoug1459viM9X9D3dp1Z7993fw36I2kNcQ=
+github.com/bmatcuk/doublestar/v4 v4.8.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
+github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs=
+github.com/bodgit/sevenzip v1.6.0 h1:a4R0Wu6/P1o1pP/3VV++aEOcyeBxeO/xE2Y9NSTrr6A=
+github.com/bodgit/sevenzip v1.6.0/go.mod h1:zOBh9nJUof7tcrlqJFv1koWRrhz3LbDbUNngkuZxLMc=
+github.com/bodgit/windows v1.0.1 h1:tF7K6KOluPYygXa3Z2594zxlkbKPAOvqr97etrGNIz4=
+github.com/bodgit/windows v1.0.1/go.mod h1:a6JLwrB4KrTR5hBpp8FI9/9W9jJfeQ2h4XDXU74ZCdM=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@ -134,10 +160,11 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/buildkite/terminal-to-html/v3 v3.16.8 h1:QN/daUob6cmK8GcdKnwn9+YTlPr1vNj+oeAIiJK6fPc=
 github.com/buildkite/terminal-to-html/v3 v3.16.8/go.mod h1:+k1KVKROZocrTLsEQ9PEf9A+8+X8uaVV5iO1ZIOwKYM=
-github.com/caddyserver/certmagic v0.23.0 h1:CfpZ/50jMfG4+1J/u2LV6piJq4HOfO6ppOnOf7DkFEU=
-github.com/caddyserver/certmagic v0.23.0/go.mod h1:9mEZIWqqWoI+Gf+4Trh04MOVPD0tGSxtqsxg87hAIH4=
+github.com/caddyserver/certmagic v0.24.0 h1:EfXTWpxHAUKgDfOj6MHImJN8Jm4AMFfMT6ITuKhrDF0=
+github.com/caddyserver/certmagic v0.24.0/go.mod h1:xPT7dC1DuHHnS2yuEQCEyks+b89sUkMENh8dJF+InLE=
 github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/ztvmWKFcI7UGb5/HQT7B+i3a2myKgI=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@ -147,14 +174,18 @@ github.com/chi-middleware/proxy v1.1.1/go.mod h1:jQwMEJct2tz9VmtCELxvnXoMfa+SOdi
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
-github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@ -173,7 +204,6 @@ github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55k
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
@ -181,8 +211,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/editorconfig/editorconfig-core-go/v2 v2.6.3 h1:XVUp6qW3BIkmM3/1EkrHpa6bL56APOynfXcZEmIgOhs=
 github.com/editorconfig/editorconfig-core-go/v2 v2.6.3/go.mod h1:ThHVc+hqbUsmE1wmK/MASpQEhCleWu1JDJDNhUOMy0c=
-github.com/elazarl/goproxy v1.4.0 h1:4GyuSbFa+s26+3rmYNSuUVsx+HgPrV1bk1jXI0l9wjM=
-github.com/elazarl/goproxy v1.4.0/go.mod h1:X/5W/t+gzDyLfHW4DrMdpjqYjpXsURlBt9lpBDxZZZQ=
+github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
+github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emersion/go-imap v1.2.1 h1:+s9ZjMEjOB8NzZMVTM3cCenz2JrQIGGo5j1df19WjTA=
 github.com/emersion/go-imap v1.2.1/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY=
 github.com/emersion/go-message v0.15.0/go.mod h1:wQUEfE+38+7EW8p8aZ96ptg6bAb1iwdgej19uXASlE4=
@ -192,8 +222,10 @@ github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43/go.mod h1:iL2twTe
 github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594/go.mod h1:aqO8z8wPrjkscevZJFVE1wXJrLpC5LtJG7fqLOsPb2U=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY=
 github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
@ -202,21 +234,22 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
-github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9 h1:j2TrkUG/NATGi/EQS+MvEoF79CxiRUmT16ErFroNcKI=
 github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9/go.mod h1:cJ9Ye0ZNSMN7RzZDBRY3E+8M3Bpf/R1JX22Ir9yX6WI=
 github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 h1:I2nuhyVI/48VXoRCCZR2hYBgnSXa+EuDJf/VyX06TC0=
 github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7/go.mod h1:5x8a6P/dhmMGFxWLcyYlyOuJ2lRNaHGhRv+yu8BaTSI=
-github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73 h1:GMKIYXyXPGIp+hYiWOhfqK4A023HdgisDT4YGgf99mw=
 github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73/go.mod h1:jyveZeGw5LaADntW+UEsMjl3IlIwk+DxlYNsbofQkGA=
+github.com/go-ap/jsonld v0.0.0-20250905102310-8480b0fe24d9 h1:gaBrU/E+usPHIafDIC2EwvZbehvgAEuu78Jk0zjxw5w=
+github.com/go-ap/jsonld v0.0.0-20250905102310-8480b0fe24d9/go.mod h1:4h93IBxgfnE/DEleMLgJ/XCeu/RtQ+MUh3ucANseeXA=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-chi/chi/v5 v5.0.1/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
-github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
-github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
+github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-co-op/gocron v1.37.0 h1:ZYDJGtQ4OMhTLKOKMIch+/CY70Brbb1dGdooLEhh7b0=
 github.com/go-co-op/gocron v1.37.0/go.mod h1:3L/n6BkO7ABj+TrfSVXLRzsP26zmikL4ISkLQ0O8iNY=
 github.com/go-enry/go-enry/v2 v2.9.2 h1:giOQAtCgBX08kosrX818DCQJTCNtKwoPBGu0qb6nKTY=
@ -231,8 +264,10 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.13.2 h1:7O7xvsK7K+rZPKW6AQR1YyNhfywkv7B8/FsP3ki6Zv0=
-github.com/go-git/go-git/v5 v5.13.2/go.mod h1:hWdW5P4YZRjmpGHwRH2v3zkWcNl6HeXaXQEMGb3NJ9A=
+github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
@ -250,10 +285,10 @@ github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI6
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-webauthn/webauthn v0.13.0 h1:cJIL1/1l+22UekVhipziAaSgESJxokYkowUqAIsWs0Y=
-github.com/go-webauthn/webauthn v0.13.0/go.mod h1:Oy9o2o79dbLKRPZWWgRIOdtBGAhKnDIaBp2PFkICRHs=
-github.com/go-webauthn/x v0.1.21 h1:nFbckQxudvHEJn2uy1VEi713MeSpApoAv9eRqsb9AdQ=
-github.com/go-webauthn/x v0.1.21/go.mod h1:sEYohtg1zL4An1TXIUIQ5csdmoO+WO0R4R2pGKaHYKA=
+github.com/go-webauthn/webauthn v0.13.4 h1:q68qusWPcqHbg9STSxBLBHnsKaLxNO0RnVKaAqMuAuQ=
+github.com/go-webauthn/webauthn v0.13.4/go.mod h1:MglN6OH9ECxvhDqoq1wMoF6P6JRYDiQpC9nc5OomQmI=
+github.com/go-webauthn/x v0.1.23 h1:9lEO0s+g8iTyz5Vszlg/rXTGrx3CjcD0RZQ1GPZCaxI=
+github.com/go-webauthn/x v0.1.23/go.mod h1:AJd3hI7NfEp/4fI6T4CHD753u91l510lglU7/NMN6+E=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
@ -265,16 +300,26 @@ github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7w
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JPCjlxoJd6K8ALZqSDDhk2ymieAZOVaDg0=
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@ -284,11 +329,13 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@ -306,13 +353,20 @@ github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
-github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 h1:xhMrHhTJ6zxu3gA4enFM9MLn9AY7613teCdFnlUVbSQ=
+github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
@ -327,12 +381,19 @@ github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kX
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
 github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@ -340,30 +401,32 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
-github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 h1:iCHtR9CQyktQ5+f3dMVZfwD2KWJUgm7M0gdL9NGr8KA=
-github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
+github.com/inbucket/html2text v0.9.0 h1:ULJmVcBEMAcmLE+/rN815KG1Fx6+a4HhbUxiDiN+qks=
+github.com/inbucket/html2text v0.9.0/go.mod h1:QDaumzl+/OzlSVbNohhmg+yAy5pKjUjzCKW2BMvztKE=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jhillyerd/enmime/v2 v2.1.0 h1:c8Qwi5Xq5EdtMN6byQWoZ/8I2RMTo6OJ7Xay+s1oPO0=
-github.com/jhillyerd/enmime/v2 v2.1.0/go.mod h1:EJ74dcRbBcqHSP2TBu08XRoy6y3Yx0cevwb1YkGMEmQ=
+github.com/jhillyerd/enmime/v2 v2.2.0 h1:Pe35MB96eZK5Q0XjlvPftOgWypQpd1gcbfJKAt7rsB8=
+github.com/jhillyerd/enmime/v2 v2.2.0/go.mod h1:SOBXlCemjhiV2DvHhAKnJiWrtJGS/Ffuw4Iy7NjBTaI=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
+github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=
+github.com/klauspost/cpuid/v2 v2.2.11/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -380,8 +443,8 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libdns/libdns v1.0.0-beta.1 h1:KIf4wLfsrEpXpZ3vmc/poM8zCATXT2klbdPe6hyOBjQ=
-github.com/libdns/libdns v1.0.0-beta.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
+github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA=
+github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
@ -389,30 +452,36 @@ github.com/markbates/going v1.0.3 h1:mY45T5TvW+Xz5A6jY7lf4+NLg9D8+iuStIHyR7M8qsE
 github.com/markbates/going v1.0.3/go.mod h1:fQiT6v6yQar9UD6bd/D4Z5Afbk9J6BBVBtLiyY4gp2o=
 github.com/markbates/goth v1.80.0 h1:NnvatczZDzOs1hn9Ug+dVYf2Viwwkp/ZDX5K+GLjan8=
 github.com/markbates/goth v1.80.0/go.mod h1:4/GYHo+W6NWisrMPZnq0Yr2Q70UntNLn7KXEFhrIdAY=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-sqlite3 v1.14.28 h1:ThEiQrnbtumT+QMknw63Befp/ce/nUPgBPMlRFEum7A=
-github.com/mattn/go-sqlite3 v1.14.28/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/meilisearch/meilisearch-go v0.31.0 h1:yZRhY1qJqdH8h6GFZALGtkDLyj8f9v5aJpsNMyrUmnY=
-github.com/meilisearch/meilisearch-go v0.31.0/go.mod h1:aNtyuwurDg/ggxQIcKqWH6G9g2ptc8GyY7PLY4zMn/g=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/meilisearch/meilisearch-go v0.34.0 h1:P+Ohdx4/PCxXaoI5wNi0LMwPkuiNrF/kGIzBrKYS4tw=
+github.com/meilisearch/meilisearch-go v0.34.0/go.mod h1:cUVJZ2zMqTvvwIMEEAdsWH+zrHsrLpAw6gm8Lt1MXK0=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
 github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/mholt/archives v0.1.3 h1:aEAaOtNra78G+TvV5ohmXrJOAzf++dIlYeDW3N9q458=
+github.com/mholt/archives v0.1.3/go.mod h1:LUCGp++/IbV/I0Xq4SzcIR6uwgeh2yjnQWamjRQfLTU=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
 github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
-github.com/minio/crc64nvme v1.0.1 h1:DHQPrYPdqK7jQG/Ls5CTBZWeex/2FMS3G5XGkycuFrY=
-github.com/minio/crc64nvme v1.0.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
+github.com/mikelolasagasti/xz v1.0.1 h1:Q2F2jX0RYJUG3+WsM+FJknv+6eVjsjXNDV0KJXZzkD0=
+github.com/mikelolasagasti/xz v1.0.1/go.mod h1:muAirjiOUxPRXwm9HdDtB3uoRPrGnL85XHtokL9Hcgc=
+github.com/minio/crc64nvme v1.0.2 h1:6uO1UxGAD+kwqWWp7mBFsi5gAse66C4NXO8cmcVculg=
+github.com/minio/crc64nvme v1.0.2/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.94 h1:1ZoksIKPyaSt64AVOyaQvhDOgVC3MfZsWM6mZXRUGtM=
-github.com/minio/minio-go/v7 v7.0.94/go.mod h1:71t2CqDt3ThzESgZUlU1rBN54mksGGlkLcFgguDnnAc=
+github.com/minio/minio-go/v7 v7.0.95 h1:ywOUPg+PebTMTzn9VDsoFJy32ZuARN9zhB+K3IYEvYU=
+github.com/minio/minio-go/v7 v7.0.95/go.mod h1:wOOX3uxS334vImCNRVyIDdXX9OsXDm89ToynKgqUKlo=
+github.com/minio/minlz v1.0.0 h1:Kj7aJZ1//LlTP1DM8Jm7lNKvvJS2m74gyyXXn3+uJWQ=
+github.com/minio/minlz v1.0.0/go.mod h1:qT0aEB35q79LLornSzeDH75LBf3aH1MV+jB5w9Wasec=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -428,16 +497,19 @@ github.com/msteinert/pam/v2 v2.1.0 h1:er5F9TKV5nGFuTt12ubtqPHEUdeBwReP7vd3wovidG
 github.com/msteinert/pam/v2 v2.1.0/go.mod h1:KT28NNIcDFf3PcBmNI2mIGO4zZJ+9RSs/At2PB3IDVc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/niklasfasching/go-org v1.8.0 h1:WyGLaajLLp8JbQzkmapZ1y0MOzKuKV47HkZRloi+HGY=
-github.com/niklasfasching/go-org v1.8.0/go.mod h1:e2A9zJs7cdONrEGs3gvxCcaAEpwwPNPG7csDpXckMNg=
-github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
-github.com/nwaples/rardecode v1.1.3 h1:cWCaZwfM5H7nAD6PyEdcVnczzV8i/JtotnyW/dD9lEc=
-github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
+github.com/niklasfasching/go-org v1.9.1 h1:/3s4uTPOF06pImGa2Yvlp24yKXZoTYM+nsIlMzfpg/0=
+github.com/niklasfasching/go-org v1.9.1/go.mod h1:ZAGFFkWvUQcpazmi/8nHqwvARpr1xpb+Es67oUGX/48=
+github.com/nwaples/rardecode/v2 v2.1.0 h1:JQl9ZoBPDy+nIZGb1mx8+anfHp/LV3NE2MjMiv0ct/U=
+github.com/nwaples/rardecode/v2 v2.1.0/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
+github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
+github.com/olekukonko/ll v0.0.9/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g=
+github.com/olekukonko/tablewriter v1.0.7 h1:HCC2e3MM+2g72M81ZcJU11uciw6z/p82aEnm4/ySDGw=
+github.com/olekukonko/tablewriter v1.0.7/go.mod h1:H428M+HzoUXC6JU2Abj9IT9ooRmdq9CxuDmKMtrOCMs=
 github.com/olivere/elastic/v7 v7.0.32 h1:R7CXvbu8Eq+WlsLgxmKVKPox0oOwAE/2T9Si5BnvK6E=
 github.com/olivere/elastic/v7 v7.0.32/go.mod h1:c7PVmLe3Fxq77PIfY/bZmxY/TAamBhCzZ8xDOE09a9k=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@ -455,9 +527,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
-github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
-github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
-github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
+github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
@ -472,6 +543,7 @@ github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
 github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
 github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
@ -482,19 +554,21 @@ github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhi
 github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/rhysd/actionlint v1.6.27 h1:xxwe8YmveBcC8lydW6GoHMGmB6H/MTqUU60F2p10wjw=
-github.com/rhysd/actionlint v1.6.27/go.mod h1:m2nFUjAnOrxCMXuOMz9evYBRCLUsMnKY2IJl/N5umbk=
+github.com/rhysd/actionlint v1.7.7 h1:0KgkoNTrYY7vmOCs9BW2AHxLvvpoY9nEUzgBHiPUr0k=
+github.com/rhysd/actionlint v1.7.7/go.mod h1:AE6I6vJEkNaIfWqC2GNE5spIJNhxf8NCtLEKU4NnUXg=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
@ -503,8 +577,10 @@ github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepq
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
-github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
+github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
+github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
+github.com/sorairolake/lzip-go v0.3.5 h1:ms5Xri9o1JBIWvOFAorYtUNik6HI3HgBTkISiqu0Cwg=
+github.com/sorairolake/lzip-go v0.3.5/go.mod h1:N0KYq5iWrMXI0ZEXKXaS9hCyOjZUQdBDEIbXfoUwbdk=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -519,26 +595,23 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
 github.com/tinylib/msgp v1.3.0 h1:ULuf7GPooDaIlbyvgAxBV/FI7ynli6LZ1/nVUNu+0ww=
 github.com/tinylib/msgp v1.3.0/go.mod h1:ykjzy2wzgrlvpDCRc4LA8UXy6D8bzMSuAF3WD57Gok0=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
-github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/urfave/cli/v3 v3.3.3 h1:byCBaVdIXuLPIDm5CYZRVG6NvT7tv1ECqdU4YzlEa3I=
-github.com/urfave/cli/v3 v3.3.3/go.mod h1:FJSKtM/9AiiTOJL4fJ6TbMUkxBXn7GO9guZqoZtpYpo=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/urfave/cli/v3 v3.4.1 h1:1M9UOCy5bLmGnuu1yn3t3CB4rG79Rtoxuv1sPhnm6qM=
+github.com/urfave/cli/v3 v3.4.1/go.mod h1:FJSKtM/9AiiTOJL4fJ6TbMUkxBXn7GO9guZqoZtpYpo=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yohcop/openid-go v1.0.1 h1:DPRd3iPO5F6O5zX2e62XpVAbPT6wV51cuucH0z9g3js=
@ -546,8 +619,8 @@ github.com/yohcop/openid-go v1.0.1/go.mod h1:b/AvD03P0KHj4yuihb+VtLD6bYYgsy0zqBz
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/goldmark v1.7.12 h1:YwGP/rrea2/CnCtUHgjuolG/PnMxdQtPMO5PvaE2/nY=
-github.com/yuin/goldmark v1.7.12/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
+github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc h1:+IAOyRda+RLrxa1WC7umKOZRsGq4QrFFMYApOeHzQwQ=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
 github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
@ -558,22 +631,32 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 gitlab.com/gitlab-org/api/client-go v0.130.1 h1:1xF5C5Zq3sFeNg3PzS2z63oqrxifne3n/OnbI7nptRc=
 gitlab.com/gitlab-org/api/client-go v0.130.1/go.mod h1:ZhSxLAWadqP6J9lMh40IAZOlOxBLPRh7yFOXR/bMJWM=
-go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
-go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go4.org v0.0.0-20230225012048-214862532bf5 h1:nifaUDeh+rPaBCMPMQHZmvJf+QdpLFnuQPwx+LxVmtc=
+go4.org v0.0.0-20230225012048-214862532bf5/go.mod h1:F57wTi5Lrj6WLyswp5EYV1ncrEbFGHD4hhz6S1ZYeaU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
@ -583,23 +666,59 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
-golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.31.0 h1:mLChjE2MV6g1S7oqbXC0/UcKijjm5fnJLUYKIYrLESA=
+golang.org/x/image v0.31.0/go.mod h1:R9ec5Lcp96v9FTF+ajwaH3uGxPH4fKfHHAVbUILxghA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@ -612,12 +731,21 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
+golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -625,15 +753,25 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -645,7 +783,6 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@ -653,8 +790,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -664,9 +801,12 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@ -676,31 +816,88 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
+golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
+google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -728,6 +925,11 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw=
@ -750,6 +952,9 @@ modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg=
 modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 mvdan.cc/xurls/v2 v2.5.0 h1:lyBNOm8Wo71UknhUs4QTFUNNMyxy2JEIaKKo0RWOh+8=
 mvdan.cc/xurls/v2 v2.5.0/go.mod h1:yQgaGQ1rFtJUzkmKiHYSSfuQxqfYmd//X6PxvholpeE=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 xorm.io/builder v0.3.13 h1:a3jmiVVL19psGeXx8GIurTp7p0IIgqeDmwhcR6BAOAo=
 xorm.io/builder v0.3.13/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
 xorm.io/xorm v1.3.9 h1:TUovzS0ko+IQ1XnNLfs5dqK1cJl1H5uHpWbWqAQ04nU=
--- a/models/actions/artifact.go
+++ b/models/actions/artifact.go
@ -108,6 +108,7 @@ func UpdateArtifactByID(ctx context.Context, id int64, art *ActionArtifact) erro

 type FindArtifactsOptions struct {
 	db.ListOptions
+	ID           int64
 	RepoID       int64
 	RunID        int64
 	ArtifactName string
@ -116,6 +117,9 @@ type FindArtifactsOptions struct {

 func (opts FindArtifactsOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
+	if opts.ID > 0 {
+		cond = cond.And(builder.Eq{"id": opts.ID})
+	}
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
@ -132,6 +136,13 @@ func (opts FindArtifactsOptions) ToConds() builder.Cond {
 	return cond
 }

+var _ db.FindOptionsOrder = FindArtifactsOptions{}
+
+// ToOrders implements db.FindOptionsOrder, to have a stable order
+func (opts FindArtifactsOptions) ToOrders() string {
+	return "id"
+}
+
 // ActionArtifactMeta is the meta data of an artifact
 type ActionArtifactMeta struct {
 	ArtifactName string
--- a/models/actions/main_test.go
+++ b/models/actions/main_test.go
@ -15,6 +15,10 @@ func TestMain(m *testing.M) {
 			"action_runner.yml",
 			"repository.yml",
 			"action_runner_token.yml",
+			"user.yml",
+			"action_run.yml",
+			"action_run_job.yml",
+			"action_task.yml",
 		},
 	})
 }
--- a/models/actions/run.go
+++ b/models/actions/run.go
@ -21,7 +21,7 @@ import (
 	"forgejo.org/modules/util"
 	webhook_module "forgejo.org/modules/webhook"

-	"github.com/nektos/act/pkg/jobparser"
+	"code.forgejo.org/forgejo/runner/v11/act/jobparser"
 	"xorm.io/builder"
 )

@ -284,16 +284,10 @@ func GetLatestRun(ctx context.Context, repoID int64) (*ActionRun, error) {
 	return &run, nil
 }

-// GetRunBefore returns the last run that completed a given timestamp (not inclusive).
-func GetRunBefore(ctx context.Context, repoID int64, timestamp timeutil.TimeStamp) (*ActionRun, error) {
-	var run ActionRun
-	has, err := db.GetEngine(ctx).Where("repo_id=? AND stopped IS NOT NULL AND stopped<?", repoID, timestamp).OrderBy("stopped DESC").Limit(1).Get(&run)
-	if err != nil {
-		return nil, err
-	} else if !has {
-		return nil, fmt.Errorf("run before: %w", util.ErrNotExist)
-	}
-	return &run, nil
+func GetRunBefore(ctx context.Context, _ *ActionRun) (*ActionRun, error) {
+	// TODO return the most recent run related to the run given in argument
+	// see https://codeberg.org/forgejo/user-research/issues/63 for context
+	return nil, nil
 }

 func GetLatestRunForBranchAndWorkflow(ctx context.Context, repoID int64, branch, workflowFile, event string) (*ActionRun, error) {
@ -315,15 +309,26 @@ func GetLatestRunForBranchAndWorkflow(ctx context.Context, repoID int64, branch,
 }

 func GetRunByID(ctx context.Context, id int64) (*ActionRun, error) {
-	var run ActionRun
-	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&run)
+	run, has, err := GetRunByIDWithHas(ctx, id)
 	if err != nil {
 		return nil, err
 	} else if !has {
 		return nil, fmt.Errorf("run with id %d: %w", id, util.ErrNotExist)
 	}

-	return &run, nil
+	return run, nil
+}
+
+func GetRunByIDWithHas(ctx context.Context, id int64) (*ActionRun, bool, error) {
+	var run ActionRun
+	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&run)
+	if err != nil {
+		return nil, false, err
+	} else if !has {
+		return nil, false, nil
+	}
+
+	return &run, true, nil
 }

 func GetRunByIndex(ctx context.Context, repoID, index int64) (*ActionRun, error) {
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@ -44,6 +44,38 @@ func init() {
 	db.RegisterModel(new(ActionRunJob))
 }

+func (job *ActionRunJob) HTMLURL(ctx context.Context) (string, error) {
+	if job.Run == nil || job.Run.Repo == nil {
+		return "", fmt.Errorf("action_run_job: load run and repo before accessing HTMLURL")
+	}
+
+	// Find the "index" of the currently selected job... kinda ugly that the URL uses the index rather than some other
+	// unique identifier of the job which could actually be stored upon it.  But hard to change that now.
+	allJobs, err := GetRunJobsByRunID(ctx, job.RunID)
+	if err != nil {
+		return "", err
+	}
+	jobIndex := -1
+	for i, otherJob := range allJobs {
+		if job.ID == otherJob.ID {
+			jobIndex = i
+			break
+		}
+	}
+	if jobIndex == -1 {
+		return "", fmt.Errorf("action_run_job: unable to find job on run: %d", job.ID)
+	}
+
+	attempt := job.Attempt
+	// If a job has never been fetched by a runner yet, it will have attempt 0 -- but this attempt will never have a
+	// valid UI since attempt is incremented to 1 if it is picked up by a runner.
+	if attempt == 0 {
+		attempt = 1
+	}
+
+	return fmt.Sprintf("%s/actions/runs/%d/jobs/%d/attempt/%d", job.Run.Repo.HTMLURL(), job.Run.Index, jobIndex, attempt), nil
+}
+
 func (job *ActionRunJob) Duration() time.Duration {
 	return calculateDuration(job.Started, job.Stopped, job.Status)
 }
--- a/models/actions/run_job_test.go
+++ b/models/actions/run_job_test.go
@ -3,9 +3,14 @@
 package actions

 import (
+	"fmt"
 	"testing"

+	"forgejo.org/models/db"
+	"forgejo.org/models/unittest"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestActionRunJob_ItRunsOn(t *testing.T) {
@ -27,3 +32,41 @@ func TestActionRunJob_ItRunsOn(t *testing.T) {

 	assert.False(t, actionJob.ItRunsOn(agentLabels))
 }
+
+func TestActionRunJob_HTMLURL(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	tests := []struct {
+		id       int64
+		expected string
+	}{
+		{
+			id:       192,
+			expected: "https://try.gitea.io/user5/repo4/actions/runs/187/jobs/0/attempt/1",
+		},
+		{
+			id:       393,
+			expected: "https://try.gitea.io/user2/repo1/actions/runs/187/jobs/1/attempt/1",
+		},
+		{
+			id:       394,
+			expected: "https://try.gitea.io/user2/repo1/actions/runs/187/jobs/2/attempt/2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("id=%d", tt.id), func(t *testing.T) {
+			var job ActionRunJob
+			has, err := db.GetEngine(t.Context()).Where("id=?", tt.id).Get(&job)
+			require.NoError(t, err)
+			require.True(t, has, "load ActionRunJob from fixture")
+
+			err = job.LoadAttributes(t.Context())
+			require.NoError(t, err)
+
+			url, err := job.HTMLURL(t.Context())
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, url)
+		})
+	}
+}
--- a/models/actions/run_test.go
+++ b/models/actions/run_test.go
@ -5,92 +5,7 @@ package actions

 import (
 	"testing"
-	"time"
-
-	"forgejo.org/models/db"
-	"forgejo.org/models/unittest"
-	"forgejo.org/modules/timeutil"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestGetRunBefore(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	// this repo is part of the test database requiring loading "repository.yml" in main_test.go
-	var repoID int64 = 1
-
-	workflowID := "test_workflow"
-
-	// third completed run
-	time1, err := time.Parse(time.RFC3339, "2024-07-31T15:47:55+08:00")
-	require.NoError(t, err)
-	timeutil.MockSet(time1)
-	run1 := ActionRun{
-		ID:         1,
-		Index:      1,
-		RepoID:     repoID,
-		Stopped:    timeutil.TimeStampNow(),
-		WorkflowID: workflowID,
-	}
-
-	// fourth completed run
-	time2, err := time.Parse(time.RFC3339, "2024-08-31T15:47:55+08:00")
-	require.NoError(t, err)
-	timeutil.MockSet(time2)
-	run2 := ActionRun{
-		ID:         2,
-		Index:      2,
-		RepoID:     repoID,
-		Stopped:    timeutil.TimeStampNow(),
-		WorkflowID: workflowID,
-	}
-
-	// second completed run
-	time3, err := time.Parse(time.RFC3339, "2024-07-31T15:47:54+08:00")
-	require.NoError(t, err)
-	timeutil.MockSet(time3)
-	run3 := ActionRun{
-		ID:         3,
-		Index:      3,
-		RepoID:     repoID,
-		Stopped:    timeutil.TimeStampNow(),
-		WorkflowID: workflowID,
-	}
-
-	// first completed run
-	time4, err := time.Parse(time.RFC3339, "2024-06-30T15:47:54+08:00")
-	require.NoError(t, err)
-	timeutil.MockSet(time4)
-	run4 := ActionRun{
-		ID:         4,
-		Index:      4,
-		RepoID:     repoID,
-		Stopped:    timeutil.TimeStampNow(),
-		WorkflowID: workflowID,
-	}
-	require.NoError(t, db.Insert(db.DefaultContext, &run1))
-	runBefore, err := GetRunBefore(db.DefaultContext, repoID, run1.Stopped)
-	// there is no run before run1
-	require.Error(t, err)
-	require.Nil(t, runBefore)
-
-	// now there is only run3 before run1
-	require.NoError(t, db.Insert(db.DefaultContext, &run3))
-	runBefore, err = GetRunBefore(db.DefaultContext, repoID, run1.Stopped)
-	require.NoError(t, err)
-	assert.Equal(t, run3.ID, runBefore.ID)
-
-	// there still is only run3 before run1
-	require.NoError(t, db.Insert(db.DefaultContext, &run2))
-	runBefore, err = GetRunBefore(db.DefaultContext, repoID, run1.Stopped)
-	require.NoError(t, err)
-	assert.Equal(t, run3.ID, runBefore.ID)
-
-	// run4 is further away from run1
-	require.NoError(t, db.Insert(db.DefaultContext, &run4))
-	runBefore, err = GetRunBefore(db.DefaultContext, repoID, run1.Stopped)
-	require.NoError(t, err)
-	assert.Equal(t, run3.ID, runBefore.ID)
 }
--- a/models/actions/task.go
+++ b/models/actions/task.go
@ -17,8 +17,8 @@ import (
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"

+	"code.forgejo.org/forgejo/runner/v11/act/jobparser"
 	lru "github.com/hashicorp/golang-lru/v2"
-	"github.com/nektos/act/pkg/jobparser"
 	"xorm.io/builder"
 )

@ -148,6 +148,21 @@ func (task *ActionTask) GenerateToken() (err error) {
 	return err
 }

+// Retrieve all the attempts from the same job as the target `ActionTask`.  Limited fields are queried to avoid loading
+// the LogIndexes blob when not needed.
+func (task *ActionTask) GetAllAttempts(ctx context.Context) ([]*ActionTask, error) {
+	var attempts []*ActionTask
+	err := db.GetEngine(ctx).
+		Cols("id", "attempt", "status", "started").
+		Where("job_id=?", task.JobID).
+		Desc("attempt").
+		Find(&attempts)
+	if err != nil {
+		return nil, err
+	}
+	return attempts, nil
+}
+
 func GetTaskByID(ctx context.Context, id int64) (*ActionTask, error) {
 	var task ActionTask
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&task)
@ -160,6 +175,18 @@ func GetTaskByID(ctx context.Context, id int64) (*ActionTask, error) {
 	return &task, nil
 }

+func GetTaskByJobAttempt(ctx context.Context, jobID, attempt int64) (*ActionTask, error) {
+	var task ActionTask
+	has, err := db.GetEngine(ctx).Where("job_id=?", jobID).Where("attempt=?", attempt).Get(&task)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, fmt.Errorf("task with job_id %d and attempt %d: %w", jobID, attempt, util.ErrNotExist)
+	}
+
+	return &task, nil
+}
+
 func GetRunningTaskByToken(ctx context.Context, token string) (*ActionTask, error) {
 	errNotExist := fmt.Errorf("task with token %q: %w", token, util.ErrNotExist)
 	if token == "" {
@ -275,7 +302,7 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
 	}

 	var workflowJob *jobparser.Job
-	if gots, err := jobparser.Parse(job.WorkflowPayload); err != nil {
+	if gots, err := jobparser.Parse(job.WorkflowPayload, false); err != nil {
 		return nil, false, fmt.Errorf("parse workflow of job %d: %w", job.ID, err)
 	} else if len(gots) != 1 {
 		return nil, false, fmt.Errorf("workflow of job %d: not single workflow", job.ID)
--- a/models/actions/task_test.go
+++ b/models/actions/task_test.go
@ -0,0 +1,48 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/unittest"
+	"forgejo.org/modules/timeutil"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestActionTask_GetAllAttempts(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	var task ActionTask
+	has, err := db.GetEngine(t.Context()).Where("id=?", 47).Get(&task)
+	require.NoError(t, err)
+	require.True(t, has, "load ActionTask from fixture")
+
+	allAttempts, err := task.GetAllAttempts(t.Context())
+	require.NoError(t, err)
+	require.Len(t, allAttempts, 3)
+	assert.EqualValues(t, 47, allAttempts[0].ID, "ordered by attempt, 1")
+	assert.EqualValues(t, 53, allAttempts[1].ID, "ordered by attempt, 2")
+	assert.EqualValues(t, 52, allAttempts[2].ID, "ordered by attempt, 3")
+
+	// GetAllAttempts doesn't populate all fields; so check expected fields from one of the records
+	assert.EqualValues(t, 3, allAttempts[0].Attempt, "read Attempt field")
+	assert.Equal(t, StatusRunning, allAttempts[0].Status, "read Status field")
+	assert.Equal(t, timeutil.TimeStamp(1683636528), allAttempts[0].Started, "read Started field")
+}
+
+func TestActionTask_GetTaskByJobAttempt(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	task, err := GetTaskByJobAttempt(t.Context(), 192, 2)
+	require.NoError(t, err)
+	assert.EqualValues(t, 192, task.JobID)
+	assert.EqualValues(t, 2, task.Attempt)
+
+	_, err = GetTaskByJobAttempt(t.Context(), 192, 100)
+	assert.ErrorContains(t, err, "task with job_id 192 and attempt 100: resource does not exist")
+}
--- a/models/activities/action.go
+++ b/models/activities/action.go
@ -26,6 +26,7 @@ import (
 	"forgejo.org/modules/base"
 	"forgejo.org/modules/container"
 	"forgejo.org/modules/git"
+	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
@ -386,8 +387,21 @@ func (a *Action) IsIssueEvent() bool {

 // GetIssueInfos returns a list of associated information with the action.
 func (a *Action) GetIssueInfos() []string {
+	// Previously multiple pieces of data used to be encoded into a.Content by pipe-separating them, but this doesn't
+	// work well if some of the user-entered pieces of content (issue titles, comments, etc.) contain pipes.  The newer
+	// storage format is to json-encode a string array, which we check for and prefer... then fallback to assuming old.
+	var ret []string
+	if strings.HasPrefix(a.Content, "[") && strings.HasSuffix(a.Content, "]") {
+		ret = make([]string, 0, 3)
+		err := json.Unmarshal([]byte(a.Content), &ret)
+		if err != nil {
+			log.Error("GetIssueInfos json decoding error: %v", err)
+		}
+	} else {
+		ret = strings.SplitN(a.Content, "|", 3)
+	}
+
 	// make sure it always returns 3 elements, because there are some access to the a[1] and a[2] without checking the length
-	ret := strings.SplitN(a.Content, "|", 3)
 	for len(ret) < 3 {
 		ret = append(ret, "")
 	}
@ -473,8 +487,11 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, int64, err
 		return nil, 0, err
 	}

+	sess := db.GetEngine(ctx).Where(cond).
+		Select("`action`.*"). // this line will avoid select other joined table's columns
+		Join("INNER", "repository", "`repository`.id = `action`.repo_id")
+
 	opts.SetDefaultValues()
-	sess := db.GetEngine(ctx).Where(cond)
 	sess = db.SetSessionPagination(sess, &opts)

 	actions := make([]*Action, 0, opts.PageSize)
@ -767,7 +784,9 @@ func DeleteIssueActions(ctx context.Context, repoID, issueID, issueIndex int64)

 	_, err := e.Where("repo_id = ?", repoID).
 		In("op_type", ActionCreateIssue, ActionCreatePullRequest).
-		Where("content LIKE ?", strconv.FormatInt(issueIndex, 10)+"|%"). // "IssueIndex|content..."
+		Where(builder.Or(
+			builder.Like{"content", strconv.FormatInt(issueIndex, 10) + "|%"},            // "IssueIndex|content..."
+			builder.Like{"content", "[\"" + strconv.FormatInt(issueIndex, 10) + "\"%"})). // JSON, ["IssueIndex"...
 		Delete(&Action{})
 	return err
 }
--- a/models/activities/action_test.go
+++ b/models/activities/action_test.go
@ -227,6 +227,24 @@ func TestNotifyWatchers(t *testing.T) {
 	})
 }

+func TestGetFeedsCorrupted(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	unittest.AssertExistsAndLoadBean(t, &activities_model.Action{
+		ID:     8,
+		RepoID: 1700,
+	})
+
+	actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+		RequestedUser:  user,
+		Actor:          user,
+		IncludePrivate: true,
+	})
+	require.NoError(t, err)
+	assert.Empty(t, actions)
+	assert.Equal(t, int64(0), count)
+}
+
 func TestConsistencyUpdateAction(t *testing.T) {
 	if !setting.Database.Type.IsSQLite3() {
 		t.Skip("Test is only for SQLite database.")
@ -290,14 +308,69 @@ func TestDeleteIssueActions(t *testing.T) {
 	})
 	require.NoError(t, err)
 	err = db.Insert(db.DefaultContext, &activities_model.Action{
-		OpType:  activities_model.ActionCreateIssue,
-		RepoID:  issue.RepoID,
+		OpType: activities_model.ActionCreateIssue,
+		RepoID: issue.RepoID,
+		// Older Content format...
 		Content: fmt.Sprintf("%d|content...", issue.Index),
 	})
 	require.NoError(t, err)
+	err = db.Insert(db.DefaultContext, &activities_model.Action{
+		OpType: activities_model.ActionCreateIssue,
+		RepoID: issue.RepoID,
+		// JSON-encoded Content format...
+		Content: fmt.Sprintf("[\"%d\",\"content...\"]", issue.Index),
+	})
+	require.NoError(t, err)

 	// assert that the actions exist, then delete them
-	unittest.AssertCount(t, &activities_model.Action{}, 2)
+	unittest.AssertCount(t, &activities_model.Action{}, 3)
 	require.NoError(t, activities_model.DeleteIssueActions(db.DefaultContext, issue.RepoID, issue.ID, issue.Index))
 	unittest.AssertCount(t, &activities_model.Action{}, 0)
 }
+
+func TestGetIssueInfos(t *testing.T) {
+	tt := []struct {
+		content string
+		field1  string
+		field2  string
+		field3  string
+	}{
+		{
+			content: "4|",
+			field1:  "4",
+		},
+		{
+			content: "2|docs: Add README w/ template sections",
+			field1:  "2",
+			field2:  "docs: Add README w/ template sections",
+		},
+		{
+			content: "2|docs: Add README w/ template sections|Some comment...",
+			field1:  "2",
+			field2:  "docs: Add README w/ template sections",
+			field3:  "Some comment...",
+		},
+		{
+			content: "[\"4\"]",
+			field1:  "4",
+		},
+		{
+			content: "[\"2\", \"docs: Add README w/ | template sections\"]",
+			field1:  "2",
+			field2:  "docs: Add README w/ | template sections",
+		},
+		{
+			content: "[\"2\", \"docs: Add README w/ | template sections\", \"Some | comment...\"]",
+			field1:  "2",
+			field2:  "docs: Add README w/ | template sections",
+			field3:  "Some | comment...",
+		},
+	}
+	for _, test := range tt {
+		action := &activities_model.Action{Content: test.content}
+		issueInfos := action.GetIssueInfos()
+		assert.Equal(t, test.field1, issueInfos[0])
+		assert.Equal(t, test.field2, issueInfos[1])
+		assert.Equal(t, test.field3, issueInfos[2])
+	}
+}
--- a/models/asymkey/gpg_key_object_verification.go
+++ b/models/asymkey/gpg_key_object_verification.go
@ -36,6 +36,7 @@ type ObjectVerification struct {
 	TrustStatus    string
 }

+// llu:TrKeys
 const (
 	// BadSignature is used as the reason when the signature has a KeyID that is in the db
 	// but no key that has that ID verifies the signature. This is a suspicious failure.
--- a/models/asymkey/main_test.go
+++ b/models/asymkey/main_test.go
@ -15,8 +15,6 @@ func TestMain(m *testing.M) {
 			"gpg_key.yml",
 			"public_key.yml",
 			"TestParseCommitWithSSHSignature/public_key.yml",
-			"deploy_key.yml",
-			"gpg_key_import.yml",
 			"user.yml",
 			"email_address.yml",
 		},
--- a/models/db/context.go
+++ b/models/db/context.go
@ -141,7 +141,7 @@ func TxContext(parentCtx context.Context) (*Context, Committer, error) {
 		return nil, nil, err
 	}

-	return newContext(DefaultContext, sess, true), sess, nil
+	return newContext(parentCtx, sess, true), sess, nil
 }

 // WithTx represents executing database operations on a transaction, if the transaction exist,
--- a/models/db/context_test.go
+++ b/models/db/context_test.go
@ -84,4 +84,16 @@ func TestTxContext(t *testing.T) {
 			return nil
 		}))
 	}
+
+	t.Run("Reuses parent context", func(t *testing.T) {
+		type unique struct{}
+
+		ctx := context.WithValue(db.DefaultContext, unique{}, "yes!")
+		assert.False(t, db.InTransaction(ctx))
+
+		require.NoError(t, db.WithTx(ctx, func(ctx context.Context) error {
+			assert.Equal(t, "yes!", ctx.Value(unique{}))
+			return nil
+		}))
+	})
 }
--- a/models/db/engine.go
+++ b/models/db/engine.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"forgejo.org/modules/container"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"

@ -385,6 +386,15 @@ func (TracingHook) BeforeProcess(c *contexts.ContextHook) (context.Context, erro
 }

 func (TracingHook) AfterProcess(c *contexts.ContextHook) error {
+	if c.Result != nil {
+		if rowsAffected, err := c.Result.RowsAffected(); err == nil {
+			trace.Logf(c.Ctx, "rows affected", "%d", rowsAffected)
+		}
+		if lastID, err := c.Result.LastInsertId(); err == nil {
+			trace.Logf(c.Ctx, "last insert id", "%d", lastID)
+		}
+	}
+
 	c.Ctx.Value(sqlTask{}).(*trace.Task).End()
 	return nil
 }
@ -438,3 +448,12 @@ func GetMasterEngine(x Engine) (*xorm.Engine, error) {

 	return engine, nil
 }
+
+// GetTableNames returns the table name of all registered models.
+func GetTableNames() container.Set[string] {
+	names := make(container.Set[string])
+	for _, table := range tables {
+		names.Add(x.TableName(table))
+	}
+	return names
+}
--- a/models/db/index.go
+++ b/models/db/index.go
@ -72,14 +72,19 @@ func postgresGetNextResourceIndex(ctx context.Context, tableName string, groupID
 }

 func mysqlGetNextResourceIndex(ctx context.Context, tableName string, groupID int64) (int64, error) {
-	if _, err := GetEngine(ctx).Exec(fmt.Sprintf("INSERT INTO %s (group_id, max_index) "+
-		"VALUES (?,1) ON DUPLICATE KEY UPDATE max_index = max_index+1",
-		tableName), groupID); err != nil {
+	res, err := GetEngine(ctx).Query(fmt.Sprintf("INSERT INTO %s (group_id, max_index) "+
+		"VALUES (?,1) ON DUPLICATE KEY UPDATE max_index = max_index+1 /*M!100500 RETURNING max_index */",
+		tableName), groupID)
+	if err != nil {
 		return 0, err
 	}

+	if len(res) > 0 {
+		return strconv.ParseInt(string(res[0]["max_index"]), 10, 64)
+	}
+
 	var idx int64
-	_, err := GetEngine(ctx).SQL(fmt.Sprintf("SELECT max_index FROM %s WHERE group_id = ?", tableName), groupID).Get(&idx)
+	_, err = GetEngine(ctx).SQL(fmt.Sprintf("SELECT max_index FROM %s WHERE group_id = ?", tableName), groupID).Get(&idx)
 	if err != nil {
 		return 0, err
 	}
--- a/models/db/table_names_test.go
+++ b/models/db/table_names_test.go
@ -0,0 +1,40 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package db
+
+import (
+	"slices"
+	"testing"
+
+	"forgejo.org/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetTableNames(t *testing.T) {
+	t.Run("Simple", func(t *testing.T) {
+		defer test.MockVariableValue(&tables, []any{new(GPGKey)})()
+
+		assert.Equal(t, []string{"gpg_key"}, GetTableNames().Values())
+	})
+
+	t.Run("Multiple tables", func(t *testing.T) {
+		defer test.MockVariableValue(&tables, []any{new(GPGKey), new(User), new(BlockedUser)})()
+
+		tableNames := GetTableNames().Values()
+		slices.Sort(tableNames)
+
+		assert.Equal(t, []string{"forgejo_blocked_user", "gpg_key", "user"}, tableNames)
+	})
+}
+
+type GPGKey struct{}
+
+type User struct{}
+
+type BlockedUser struct{}
+
+func (*BlockedUser) TableName() string {
+	return "forgejo_blocked_user"
+}
--- a/models/error.go
+++ b/models/error.go
@ -121,6 +121,7 @@ type ErrInvalidCloneAddr struct {
 	IsInvalidPath      bool
 	IsProtocolInvalid  bool
 	IsPermissionDenied bool
+	HasCredentials     bool
 	LocalPath          bool
 }

@ -143,6 +144,9 @@ func (err *ErrInvalidCloneAddr) Error() string {
 	if err.IsURLError {
 		return fmt.Sprintf("migration/cloning from '%s' is not allowed: the provided url is invalid", err.Host)
 	}
+	if err.HasCredentials {
+		return fmt.Sprintf("migration/cloning from '%s' is not allowed: the provided url contains credentials", err.Host)
+	}

 	return fmt.Sprintf("migration/cloning from '%s' is not allowed", err.Host)
 }
--- a/models/fixtures/ModerationFeatures/abuse_report.yml
+++ b/models/fixtures/ModerationFeatures/abuse_report.yml
@ -0,0 +1,21 @@
+-
+  id: 1
+  status: 1
+  reporter_id: 2  # @user2
+  content_type: 4 # Comment
+  content_id: 18  # user2/repo2/issues/2#issuecomment-18
+  category: 2     # Spam
+  remarks: The comment I'm reporting is pure SPAM.
+  shadow_copy_id: null
+  created_unix: 1752697980 # 2025-07-16 20:33:00
+
+-
+  id: 2
+  status: 1        # Open
+  reporter_id: 2   # @user2
+  content_type: 1  # User (users or organizations)
+  content_id: 1002 # @alexsmith
+  category: 2      # Spam
+  remarks: This user just posted a spammy comment on my issue.
+  shadow_copy_id: null
+  created_unix: 1752698010 # 2025-07-16 20:33:30
--- a/models/fixtures/ModerationFeatures/comment.yml
+++ b/models/fixtures/ModerationFeatures/comment.yml
@ -0,0 +1,7 @@
+- # This is a spam comment (abusive content), created for testing moderation functionalities.
+  id: 18
+  type: 0 # Standard comment
+  poster_id: 1002 # @alexsmith
+  issue_id: 7 # user2/repo2#2
+  content: If anyone needs help for promoting their business online using SEO, just contact me (check my profile page).
+  created_unix: 1752697860 # 2025-07-16 20:31:00
--- a/models/fixtures/ModerationFeatures/user.yml
+++ b/models/fixtures/ModerationFeatures/user.yml
@ -0,0 +1,22 @@
+- # This user is a spammer and will create abusive content (for testing moderation functionalities).
+  id: 1002
+  lower_name: alexsmith
+  name: alexsmith
+  full_name: Alex Smith
+  email: alexsmith@example.org
+  keep_email_private: false
+  passwd: passwdSalt:password
+  passwd_hash_algo: dummy
+  type: 0
+  location: '@master@seo.net'
+  website: http://promote-your-business.biz
+  pronouns: SEO
+  salt: passwdSalt
+  description: I can help you promote your business online using SEO.
+  created_unix: 1752697800 # 2025-07-16 20:30:00
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  avatar: avatar-hash-1002
+  avatar_email: alexsmith@example.org
+  use_custom_avatar: false
--- a/models/fixtures/TestActivateUserEmail/email_address.yml
+++ b/models/fixtures/TestActivateUserEmail/email_address.yml
@ -0,0 +1,7 @@
+-
+  id: 1001
+  uid: 1001
+  email: AnotherTestUserWithUpperCaseEmail@otto.splvs.net
+  lower_email: anothertestuserwithuppercaseemail@otto.splvs.net
+  is_activated: false
+  is_primary: true
--- a/models/fixtures/TestActivateUserEmail/user.yml
+++ b/models/fixtures/TestActivateUserEmail/user.yml
@ -0,0 +1,12 @@
+-
+  id: 1001
+  lower_name: user1001
+  name: user1001
+  full_name: User That loves Upper Cases
+  email: AnotherTestUserWithUpperCaseEmail@otto.splvs.net
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  avatar: ''
+  avatar_email: anothertestuserwithuppercaseemail@otto.splvs.net
+  login_name: user1
+  created_unix: 1672578000
--- a/models/fixtures/TestAddTeamReviewRequest/issue.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/issue.yml
@ -0,0 +1,16 @@
+-
+  id: 23
+  repo_id: 2
+  index: 3
+  poster_id: 2
+  original_author_id: 0
+  name: protected branch pull
+  content: pull request to a protected branch
+  milestone_id: 0
+  priority: 0
+  is_pull: true
+  is_closed: false
+  num_comments: 0
+  created_unix: 1707270422
+  updated_unix: 1707270422
+  is_locked: false
--- a/models/fixtures/TestAddTeamReviewRequest/protected_branch.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/protected_branch.yml
@ -0,0 +1,28 @@
+- id: 1
+  repo_id: 2
+  branch_name: protected-main
+  can_push: false
+  enable_whitelist: true
+  whitelist_user_i_ds: [1]
+  whitelist_team_i_ds: []
+  enable_merge_whitelist: true
+  whitelist_deploy_keys: false
+  merge_whitelist_user_i_ds: [1]
+  merge_whitelist_team_i_ds: []
+  enable_status_check: false
+  status_check_contexts: []
+  enable_approvals_whitelist: true
+  approvals_whitelist_user_i_ds: []
+  approvals_whitelist_team_i_ds: [1]
+  required_approvals: 1
+  block_on_rejected_reviews: true
+  block_on_official_review_requests: true
+  block_on_outdated_branch: true
+  dismiss_stale_approvals: true
+  ignore_stale_approvals: false
+  require_signed_commits: false
+  protected_file_patterns: ""
+  unprotected_file_patterns: ""
+  apply_to_admins: true
+  created_unix: 1752513073
+  updated_unix: 1752513073
--- a/models/fixtures/TestAddTeamReviewRequest/pull_request.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/pull_request.yml
@ -0,0 +1,12 @@
+-
+  id: 11
+  type: 0 # gitea pull request
+  status: 2 # mergeable
+  issue_id: 23
+  index: 3
+  head_repo_id: 2
+  base_repo_id: 2
+  head_branch: feature/protected-branch-pr
+  base_branch: protected-main
+  merge_base: 4a357436d925b5c974181ff12a994538ddc5a269
+  has_merged: false
--- a/models/fixtures/action.yml
+++ b/models/fixtures/action.yml
@ -59,6 +59,14 @@
  created_unix: 1603011540 # grouped with id:7

 - id: 8
+  user_id: 1
+  op_type: 12 # close issue
+  act_user_id: 1
+  repo_id: 1700 # dangling intentional
+  is_private: false
+  created_unix: 1603011541
+
+- id: 9
  user_id: 34
  op_type: 12 # close issue
  act_user_id: 34
--- a/models/fixtures/action_artifact.yml
+++ b/models/fixtures/action_artifact.yml
@ -57,7 +57,7 @@
  run_id: 792
  runner_id: 1
  repo_id: 4
-  owner_id: 1
+  owner_id: 5
  commit_sha: c2d72f548424103f01ee1dc02889c1e2bff816b0
  storage_path: "27/5/1730330775594233150.chunk"
  file_size: 1024
--- a/models/fixtures/action_run_job.yml
+++ b/models/fixtures/action_run_job.yml
@ -106,7 +106,7 @@
  commit_sha: 985f0301dba5e7b34be866819cd15ad3d8f508ee
  is_fork_pull_request: 0
  name: job_2
-  attempt: 1
+  attempt: 2
  job_id: job_2
  task_id: 47
  status: 5
@ -128,3 +128,18 @@
  runs_on: '["fedora"]'
  started: 1683636528
  stopped: 1683636626
+-
+  id: 396
+  run_id: 794
+  repo_id: 4
+  owner_id: 1
+  commit_sha: 985f0301dba5e7b34be866819cd15ad3d8f508ee
+  is_fork_pull_request: 0
+  name: job_2
+  attempt: 0
+  job_id: job_2
+  task_id: null
+  status: 5
+  runs_on: '["fedora"]'
+  started: 1683636528
+  stopped: 1683636626
--- a/models/fixtures/action_task.yml
+++ b/models/fixtures/action_task.yml
@ -117,3 +117,43 @@
  log_length: 707
  log_size: 90179
  log_expired: 0
+-
+  id: 52
+  job_id: 192
+  attempt: 1
+  runner_id: 1
+  status: 1 # success
+  started: 1683636528
+  stopped: 1683636626
+  repo_id: 4
+  owner_id: 1
+  commit_sha: c2d72f548424103f01ee1dc02889c1e2bff816b0
+  is_fork_pull_request: 0
+  token_hash: b8d3962425466b6709b9ac51446f93260c54afe8e7b6d3686e34f991fb8a8953822b0deed86fe41a103f34bc48dbc4784223
+  token_salt: ffffffffff
+  token_last_eight: ffffffff
+  log_filename: artifact-test2/2f/47.log
+  log_in_storage: 1
+  log_length: 707
+  log_size: 90179
+  log_expired: 0
+-
+  id: 53
+  job_id: 192
+  attempt: 2
+  runner_id: 1
+  status: 1 # success
+  started: 1683636528
+  stopped: 1683636626
+  repo_id: 4
+  owner_id: 1
+  commit_sha: c2d72f548424103f01ee1dc02889c1e2bff816b0
+  is_fork_pull_request: 0
+  token_hash: b8d3962425466b6709b9ac51446f93260c54afe8e7b6d3686e34f991fb8a8953822b0deed86fe41a103f34bc48dbc4784224
+  token_salt: ffffffffff
+  token_last_eight: ffffffff
+  log_filename: artifact-test2/2f/47.log
+  log_in_storage: 1
+  log_length: 707
+  log_size: 90179
+  log_expired: 0
--- a/models/fixtures/action_variable.yml
+++ b/models/fixtures/action_variable.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/comment.yml
+++ b/models/fixtures/comment.yml
@ -186,10 +186,46 @@
  type: 8 # milestone
  poster_id: 1
  issue_id: 1 # in repo_id 1
-  milestone_id: 10 # not exsting milestone
+  milestone_id: 10 # not existing milestone
  old_milestone_id: 0
  created_unix: 946685080

+-
+  id: 2004
+  type: 8 # milestone
+  poster_id: 1
+  issue_id: 1 # in repo_id 1
+  milestone_id: 1
+  old_milestone_id: 10 # not existing (ghost) milestone
+  created_unix: 946685085
+
+-
+  id: 2005
+  type: 8 # milestone
+  poster_id: 1
+  issue_id: 1 # in repo_id 1
+  milestone_id: 10 # not existing (ghost) milestone
+  old_milestone_id: 1
+  created_unix: 946685090
+
+-
+  id: 2006
+  type: 8 # milestone
+  poster_id: 1
+  issue_id: 1 # in repo_id 1
+  milestone_id: 11 # not existing (ghost) milestone
+  old_milestone_id: 10 # not existing (ghost) milestone
+  created_unix: 946685095
+
+-
+  id: 2007
+  type: 8 # milestone
+  poster_id: 1
+  issue_id: 1 # in repo_id 1
+  milestone_id: 0
+  old_milestone_id: 11 # not existing (ghost) milestone
+  created_unix: 946685100
+
 -
  id: 2010
  type: 30 # project
--- a/models/fixtures/deploy_key.yml
+++ b/models/fixtures/deploy_key.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/external_login_user.yml
+++ b/models/fixtures/external_login_user.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/federated_user.yml
+++ b/models/fixtures/federated_user.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/federation_host.yml
+++ b/models/fixtures/federation_host.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/gpg_key_import.yml
+++ b/models/fixtures/gpg_key_import.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/label.yml
+++ b/models/fixtures/label.yml
@ -3,6 +3,7 @@
  repo_id: 1
  org_id: 0
  name: label1
+  description: 'First label'
  color: '#abcdef'
  exclusive: false
  num_issues: 2
@ -107,3 +108,26 @@
  num_issues: 0
  num_closed_issues: 0
  archived_unix: 0
+
+-
+  id: 11
+  repo_id: 3
+  org_id: 0
+  name: "  <script>malicious</script> /'?&"
+  description: "Malicious label ' <script>malicious</script>"
+  color: '#000000'
+  exclusive: true
+  num_issues: 0
+  num_closed_issues: 0
+  archived_unix: 0
+
+-
+  id: 12
+  repo_id: 3
+  org_id: 0
+  name: 'archived label<>'
+  color: '#000000'
+  exclusive: false
+  num_issues: 0
+  num_closed_issues: 0
+  archived_unix: 2991092130
--- a/models/fixtures/login_source.yml
+++ b/models/fixtures/login_source.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/protected_branch.yml
+++ b/models/fixtures/protected_branch.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/pull_auto_merge.yml
+++ b/models/fixtures/pull_auto_merge.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/push_mirror.yml
+++ b/models/fixtures/push_mirror.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/repo_archiver.yml
+++ b/models/fixtures/repo_archiver.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/repo_indexer_status.yml
+++ b/models/fixtures/repo_indexer_status.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/repo_redirect.yml
+++ b/models/fixtures/repo_redirect.yml
@ -3,3 +3,9 @@
  owner_id: 2
  lower_name: oldrepo1
  redirect_repo_id: 1
+
+-
+  id: 2
+  owner_id: 17
+  lower_name: oldrepo24
+  redirect_repo_id: 24
--- a/models/fixtures/repository.yml
+++ b/models/fixtures/repository.yml
@ -32,7 +32,7 @@
  created_unix: 1731254961
  updated_unix: 1731254961
  topics: '[]'
-  
+
 -
  id: 2
  owner_id: 2
--- a/models/fixtures/secret.yml
+++ b/models/fixtures/secret.yml
@ -1 +0,0 @@
-[] # empty
--- a/models/fixtures/user_redirect.yml
+++ b/models/fixtures/user_redirect.yml
@ -3,3 +3,15 @@
  lower_name: olduser1
  redirect_user_id: 1
  created_unix: 1730000000
+
+-
+  id: 2
+  lower_name: oldorg22
+  redirect_user_id: 22
+  created_unix: 1730000000
+
+-
+  id: 3
+  lower_name: oldorg23
+  redirect_user_id: 23
+  created_unix: 1730000000
--- a/models/forgejo_migrations/main_test.go
+++ b/models/forgejo_migrations/main_test.go
@ -1,7 +1,7 @@
 // Copyright 2023 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import (
 	"testing"
--- a/models/forgejo_migrations/migrate.go
+++ b/models/forgejo_migrations/migrate.go
@ -1,7 +1,7 @@
 // Copyright 2023 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import (
 	"context"
@ -108,7 +108,17 @@ var migrations = []*Migration{
 	// v33 -> v34
 	NewMigration("Add `notify-email` column to `action_run` table", AddNotifyEmailToActionRun),
 	// v34 -> v35
-	NewMigration("Add index to `stopped` column in `action_run` table", AddIndexToActionRunStopped),
+	NewMigration("Noop because of https://codeberg.org/forgejo/forgejo/issues/8373", NoopAddIndexToActionRunStopped),
+	// v35 -> v36
+	NewMigration("Fix wiki unit default permission", FixWikiUnitDefaultPermission),
+	// v36 -> v37
+	NewMigration("Add `branch_filter` to `push_mirror` table", AddPushMirrorBranchFilter),
+	// v37 -> v38
+	NewMigration("Add `resolved_unix` column to `abuse_report` table", AddResolvedUnixToAbuseReport),
+	// v38 -> v39
+	NewMigration("Migrate `data` column of `secret` table to store keying material", MigrateActionSecretsToKeying),
+	// v39 -> v40
+	NewMigration("Add index for release sha1", AddIndexForReleaseSha1),
 }

 // GetCurrentDBVersion returns the current Forgejo database version.
--- a/models/forgejo_migrations/migrate_test.go
+++ b/models/forgejo_migrations/migrate_test.go
@ -1,7 +1,7 @@
 // Copyright 2023 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import (
 	"testing"
--- a/models/forgejo_migrations/v13.go
+++ b/models/forgejo_migrations/v13.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import "xorm.io/xorm"

--- a/models/forgejo_migrations/v14.go
+++ b/models/forgejo_migrations/v14.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import (
 	"forgejo.org/models/migrations/base"
--- a/models/forgejo_migrations/v15.go
+++ b/models/forgejo_migrations/v15.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import (
 	"time"
--- a/models/forgejo_migrations/v16.go
+++ b/models/forgejo_migrations/v16.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import "xorm.io/xorm"

--- a/models/forgejo_migrations/v17.go
+++ b/models/forgejo_migrations/v17.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import "xorm.io/xorm"

--- a/models/forgejo_migrations/v18.go
+++ b/models/forgejo_migrations/v18.go
@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package forgejo_migrations //nolint:revive
+package forgejo_migrations

 import "xorm.io/xorm"

--- a/Show more
+++ b/Show more