- It was only used to parse old U2F data to webauthn credentials. We
only used the public key and keyhandle. This functiontionality was
reworked to `parseU2FRegistration`.
- Tests are already present, `Test_RemigrateU2FCredentials`.
- Remove `gitea.com/lunny/dingtalk_webhook` as dependency, we only use
two structs which are small enough to be recreated in Forgejo and don't
need to rely on the dependency.
- Existing tests (thanks @oliverpool) prove that this has no effect.
- Update github.com/bufbuild/connect-go to
https://github.com/connectrpc/connect-go.
- This is a fork that's actively maintained and is recommend by the
original library. Looking at the recent release notes, it looks like
going in the right direction what one would expect of a library, no
strange features being added, lots of improvements.
- There's still an indirect dependency by
`code.gitea.io/actions-proto-go` on a old version of `connect-go`.
- https://github.com/NYTimes/gziphandler doesn't seems to be maintained
anymore and Forgejo already includes
https://github.com/klauspost/compress which provides a maintained and
faster gzip handler fork.
- Enables Jitter to prevent BREACH attacks, as this *seems* to be
possible in the context of Forgejo.
(cherry picked from commit cc2847241d82001babd8d40c87d03169f21c14cd)
(cherry picked from commit 99ba56a8761dd08e08d9499cab2ded1a6b7b970f)
Conflicts:
go.sum
https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit 711638193daa2311e2ead6249a47dcec47b4e335)
(cherry picked from commit 9c12a37fde6fa84414bf332ff4a066facdb92d38)
(cherry picked from commit d13065345431a499f9e0b7a3c2043d7487b8aa5b)
(cherry picked from commit 45a16f8c3c6f7d5e4aab8fdde6a621cf36e4801c)
(cherry picked from commit a497acb31f76d580c8b0567f9461274bd78080f4)
(cherry picked from commit fe87fd828973945192b98310c5c3b2001c6e0f86)
(cherry picked from commit 6ac12e6693cf45cb12109028dabd868957c4b74c)
(cherry picked from commit 981ec37e1e72ab19c20067ff4d2a7e20a60d3305)
(cherry picked from commit 5d6892ec10086f0ba63f26693faa82d0fd4e3f4a)
(cherry picked from commit 9df7968f4fc72de9788d84ca3f349e4c98ee630e)
(cherry picked from commit 7d588d183329cd760053663ea2e1e82e62958409)
Conflicts:
routers/web/web.go
https://codeberg.org/forgejo/forgejo/pulls/2075
(cherry picked from commit defb101281f5a6ba410abc763674bafa7b63dffd)
(cherry picked from commit 5830f204a17767fda3e45d16dbf3af8c32e7f387)
(cherry picked from commit 029f4e98636a7776f430684e9d7142d69a444f96)
(cherry picked from commit 816fe558126d0ecce969fdf2a196fa6afdcca792)
Conflicts:
go.sum
https://codeberg.org/forgejo/forgejo/pulls/2249
(cherry picked from commit 99866d804560b415b6158371eb0efd17d097cfe0)
(cherry picked from commit f42622c7d5a28859f535e0d86ece06101baad1ef)
(cherry picked from commit a39e7f2a79f6527d45439f21bd88378264160c3a)
(cherry picked from commit afa2a31bb99c0fd9cd25c3c0279e6c49695b1900)
(cherry picked from commit 276e8856e594ad7e73414382d34fdf0278cbca6a)
(cherry picked from commit 68e3bd469f2e8190db70d4e1564fb46d01feb5f4)
(cherry picked from commit af124b9ccbb0b699ea5d1bf1530613cb9a96f205)
(cherry picked from commit b89ab4874d403c784c92e579f4f6a854621c0078)
(cherry picked from commit 0f2a2f0d0ff9851428d6899e307f3547d7651f87)
(cherry picked from commit 80999363c73e4e01cbf9116491743c87baa952af)
(cherry picked from commit f8880b5463aa1db047d89080d21e7a69979eb4a6)
(cherry picked from commit 5f4cf4f6e143237c81da3e80875727cef4b76343)
(cherry picked from commit b38e26bc1a8bb117f571672961a8445cfc02c953)
(cherry picked from commit d839e0033244b63df16c8b548cc52106fc693629)
(cherry picked from commit 32ffe2e4f12c16a44a759c906078d40731c1a0c7)
(cherry picked from commit f1fd0504add78ae3fb5c710ab5a9ada20321afac)
(cherry picked from commit 6d77ea4d60a193d9d4175c4943b34077228e5964)
(cherry picked from commit 61a0a4a276303c3fd56f93fd109e3416cfdf7c60)
(cherry picked from commit a90b4126fdd55feef43f45d1dc3e3400806a476b)
(cherry picked from commit 9a20538fb4e88682e213a20813b77cc0f602fbfd)
(cherry picked from commit ce0fc02f0fbaa45b146fed175ce68bd02c507f3e)
(cherry picked from commit 541f7cb026f976d078ecb6da3a6c9e13cc4336f2)
(cherry picked from commit d6d0c2ab78a14d7aac8d7b6b0d007149de2f7295)
(cherry picked from commit 2c28f5ad2496cf30eb15d6caf9171b79e5017141)
(cherry picked from commit 9571bddb3308e3c1f0383e60f972ca61a0a467b7)
(cherry picked from commit c83ba08d01f149ecd52d983eec76bd60822c1ddd)
(cherry picked from commit 30e7d567ede79c015d0d115d9a2d535e6c681cb9)
(cherry picked from commit a8b8c3eba75511449dc97fa27b37db1076ce95f0)
(cherry picked from commit 8e053e1ade4710ade3b6e4bc6aa04fe9281243d7)
(cherry picked from commit 9e3b0f7520a56e5eb22cd0e33e231ea9063f0e1f)
(cherry picked from commit 2343b9bd09cda3e474b36842fae419f9fe32b134)
(cherry picked from commit 56572d4156050c2beb62f63a871375fdc2424271)
(cherry picked from commit 9b09eda1680282f8114f752e52afd544ef30350c)
(cherry picked from commit 86a8b7b4904158ea80d259d7a1846528a9b3c403)
(cherry picked from commit 99a550c0e3de3bd8d17a610b849da0c04f776dbd)
(cherry picked from commit bdcf3f51e07c9f5f067fca7501ad69c42f925197)
(cherry picked from commit cec8f2d31e1cd9237120ee57af80b17e4abf026e)
(cherry picked from commit 25aa22ba2b8b8bdb215c14002ebc137e2e70cad4)
(cherry picked from commit 31510249a01fad40cc001277f5bcbe57248b0330)
(cherry picked from commit 95dc569227ac57c2efe7817edb6749fcead0ec24)
(cherry picked from commit f6caf5f1b9f8f560fcfef29247525c018976dcde)
(cherry picked from commit aba34fbf70dce183907083593cab7716597575a3)
(cherry picked from commit 41b816fdac30cfca311d5c24c155301de5d08a40)
(cherry picked from commit c98e79b89f5a12b50b6eb1ff1d0afc2cbd756ca3)
(cherry picked from commit d33d4f193cd79493e3d206e0c73395aea5bd305c)
(cherry picked from commit 4e5bb41cbe9823f8c198a54b56f0ee66b9cf8bf8)
(cherry picked from commit 3aa8ddb8cb4cb836b98c465342b106d027868606)
(cherry picked from commit e8057040bb751d1bdcb0e7412495da353189a02f)
(cherry picked from commit f3bf61e51e8c44ac098dca03532507bae5b65fc1)
(cherry picked from commit e9d08aad76cc38a81e9489871e1116819f84052e)
- The [rupture](https://github.com/ethantkoenig/rupture) dependency was
essentially outdated in the sense it was using old version of
dependencies.
- The usage by Forgejo was rather a small portion, so that portion is
now vendored (with its tests).
- Removes old dependencies from go.sum (less dependencies is better for
reviewing what the heck we're importing). Just to note that they were
likely not being used by Go's build process (according to
https://go.dev/ref/mod#minimal-version-selection), so it's really a
matter of formal cleaning up dependencies we don't use and therefor
don't want to download and be in our go.sum.
(cherry picked from commit aa72a5f009b5027b2324106343f91b466ba46293)
Conflicts:
go.sum
https://codeberg.org/forgejo/forgejo/pulls/2148
(cherry picked from commit fbe8d65f0b1836b2e771991b4d5d12f1bfa938ed)
(cherry picked from commit e18debcb6a9476f60d364e847265b4ac7fb76c8e)
Conflicts:
go.sum
https://codeberg.org/forgejo/forgejo/pulls/2245
(cherry picked from commit 8c43c2ada82102a0df44fd874c4f5fe3a36ef758)
Update golang.org/x/crypto for CVE-2023-48795 and update other packages.
`go-git` is not updated because it needs time to figure out why some
tests fail.
Replace `github.com/gogs/cron` with `github.com/go-co-op/gocron` as the
former package is not maintained for many years.
---------
Co-authored-by: delvh <dev.lh@web.de>
Replace #10912
And there are many new tests to cover the CLI behavior
There were some concerns about the "option order in hook scripts"
(https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314),
it's not a problem now. Because the hook script uses `/gitea hook
--config=/app.ini pre-receive` format. The "config" is a global option,
it can appear anywhere.
----
## ⚠️ BREAKING ⚠️
This PR does it best to avoid breaking anything. The major changes are:
* `gitea` itself won't accept web's options: `--install-port` / `--pid`
/ `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's
options.
* Use `./gitea web --pid ....` instead
* `./gitea` can still run the `web` sub-command as shorthand, with
default options
* The sub-command's options must follow the sub-command
* Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd
--sub-opt` (well, might not ...)
* After: only `./gitea subcmd --sub-opt` could be used
* The global options like `--config` are not affected
The package `github.com/nfnt/resize` is deprecated and archived by the
author. `github.com/oliamb/cutter` is not maintained since 2018. We
could use `golang.org/x/image/draw` instead.
Bumping `github.com/golang-jwt/jwt` from v4 to v5.
`github.com/golang-jwt/jwt` v5 is bringing some breaking changes:
- standard `Valid()` method on claims is removed. It's replaced by
`ClaimsValidator` interface implementing `Validator()` method instead,
which is called after standard validation. Gitea doesn't seem to be
using this logic.
- `jwt.Token` has a field `Valid`, so it's checked in `ParseToken`
function in `services/auth/source/oauth2/token.go`
---------
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: @awkwardbunny
This PR adds a Debian package registry. You can follow [this
tutorial](https://www.baeldung.com/linux/create-debian-package) to build
a *.deb package for testing. Source packages are not supported at the
moment and I did not find documentation of the architecture "all" and
how these packages should be treated.
---------
Co-authored-by: Brian Hong <brian@hongs.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This will ensure that the file always has a final newline. I'm not sure
where this bug with inconsistent final newline actually comes from, it
is likely Windows-related.
---------
Co-authored-by: delvh <dev.lh@web.de>
Users can now upload `webp` images.
Browsers supporting webp images then display this as the avatar of this
user (every major browser except IE).
---------
Co-authored-by: silverwind <me@silverwind.io>
None of the features of `unrolled/render` package is used.
The Golang builtin "html/template" just works well. Then we can improve
our HTML render to resolve the "$.root.locale.Tr" problem as much as
possible.
Next step: we can have a template render pool (by Clone), then we can
inject global functions with dynamic context to every `Execute` calls.
Then we can use `{{Locale.Tr ....}}` directly in all templates , no need
to pass the `$.root.locale` again and again.
Update replace:
```diff
- replace github.com/nektos/act => gitea.com/gitea/act v0.234.2-0.20230131074955-e46ede1b1744
+ replace github.com/nektos/act => gitea.com/gitea/act v0.243.1
```
Update require:
```diff
- github.com/nektos/act v0.0.0
+ github.com/nektos/act v0.2.43
```
Actually, `v0.2.43` doesn't work, it will be replaced by `gitea/act`, so
it's OK to put any version here. But `gitea/act` is based on
`nektos/act`, so keeping the right upstream version will make security
dependabot help.
BTW, the [security
report](https://github.com/go-gitea/gitea/security/dependabot/20) is
false positive, we don't use the artifact server in act, see #22738.
This PR does a bulk update of a lot of our go deps.
I have not included nektos/act and xorm for the following reasons:
* Xorm updates can sometimes be complex and I'd rather do that in a
separate PR
* I think people more update with the actions code should double check
that the latest nektos/act library works correctly.
---------
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This PR just consumes the
[hcaptcha](https://gitea.com/jolheiser/hcaptcha) and
[haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into
Gitea.
Also let this serve as a notice that I'm fine with transferring my
license (which was already MIT) from my own name to "The Gitea Authors".
Signed-off-by: jolheiser <john.olheiser@gmail.com>
closes#13585fixes#9067fixes#2386
ref #6226
ref #6219fixes#745
This PR adds support to process incoming emails to perform actions.
Currently I added handling of replies and unsubscribing from
issues/pulls. In contrast to #13585 the IMAP IDLE command is used
instead of polling which results (in my opinion 😉) in cleaner code.
Procedure:
- When sending an issue/pull reply email, a token is generated which is
present in the Reply-To and References header.
- IMAP IDLE waits until a new email arrives
- The token tells which action should be performed
A possible signature and/or reply gets stripped from the content.
I added a new service to the drone pipeline to test the receiving of
incoming mails. If we keep this in, we may test our outgoing emails too
in future.
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Gitea emoji dataset was out of date because it gets manually built and
hasn't been rebuilt since it was added. This means Gitea doesn't
recognize some newer emoji or changes to existing ones.
After changing the max unicode version to 14 I just ran: `go run
build/generate-emoji.go`
This should address the initial issue seen in #22153 where Gitea doesn't
recognize a standard alias used elsewhere when importing content.
14 is the latest supported version from the upstream source as 15 is not
widely supported (in their opinion) yet
Adds the settings pages to create OAuth2 apps also to the org settings
and allows to create apps for orgs.
Refactoring: the oauth2 related templates are shared for
instance-wide/org/user, and the backend code uses `OAuth2CommonHandlers`
to share code for instance-wide/org/user.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
At the moment, this is only used to replace the color of the `viewed`
checkbox and of the `has changed` label.
Previously, the used variable accentuated always either darker or
lighter, which meant that one theme looked good while the other didn't.
Co-authored-by: silverwind <me@silverwind.io>
The problem was that many PR review components loaded by `Show more`
received the same ID as previous batches, which confuses browsers (when
clicked). All such occurrences should now be fixed.
Additionally improved the background of the `viewed` checkbox.
Lastly, the `go-licenses.json` was automatically updated.
Fixes#21228.
Fixes#20681.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>