mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-17 19:10:22 +03:00
76f8d122fe6de71695335f45d3c7860dcb75fbda
20994 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 Giteabot
|
76f8d122fe |
fix(deps): update npm dependencies (#38123)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/lint | [`6.9.6` → `6.9.7`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.6/6.9.7) |  |  | | @​codemirror/view | [`6.43.0` → `6.43.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.43.0/6.43.1) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.28.0` → `19.28.1`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.28.0/19.28.1) |  |  | | [@types/jquery](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/jquery) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jquery)) | [`4.0.0` → `4.0.1`](https://renovatebot.com/diffs/npm/@types%2fjquery/4.0.0/4.0.1) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.9.1` → `25.9.2`](https://renovatebot.com/diffs/npm/@types%2fnode/25.9.1/25.9.2) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.1/8.61.0) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.19` → `1.6.20`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.19/1.6.20) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.1` → `20.10.2`](https://renovatebot.com/diffs/npm/happy-dom/20.10.1/20.10.2) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.1` → `11.5.2`](https://renovatebot.com/diffs/npm/pnpm/11.5.1/11.5.2) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.12.0` → `17.13.0`](https://renovatebot.com/diffs/npm/stylelint/17.12.0/17.13.0) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.1/8.61.0) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.3` → `17.18.0`](https://renovatebot.com/diffs/npm/updates/17.17.3/17.18.0) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.3` → `3.3.4`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.3/3.3.4) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.1`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19281) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.28.0...v19.28.1) ##### Patch Changes - [#​1215](https://redirect.github.com/primer/octicons/pull/1215) [`378d7af0`](https://redirect.github.com/primer/octicons/commit/378d7af0e343d23fb7df31202d21032bfca0d2c7) Thanks [@​ktravers](https://redirect.github.com/ktravers)! - Remove fill from StackRemove and StackCheck icons * [#​1221](https://redirect.github.com/primer/octicons/pull/1221) [`9d7b366a`](https://redirect.github.com/primer/octicons/commit/9d7b366a6ecfbbf8d632053a639b5400a3aecbb9) Thanks [@​CameronFoxly](https://redirect.github.com/CameronFoxly)! - Add stack-add-16.svg </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.61.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8610-2026-06-08) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.1...v8.61.0) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary> ### [`v1.6.20`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.20) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.19...v1.6.20) ##### 🐞 Bug Fixes - **hoisted-apis-on-top**: Detect vitest.mock and aliased vi/vitest mock calls - by [@​spokodev](https://redirect.github.com/spokodev) in [#​909](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/909) [<samp>(8fff9)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/8fff969) - **require-test-timeout**: Treat imported bindings as explicit timeouts - by [@​spokodev](https://redirect.github.com/spokodev) in [#​906](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/906) [<samp>(bd82c)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/bd82c7d) - **valid-expect**: Treat .finally() as part of async assertion promise chains - by [@​spokodev](https://redirect.github.com/spokodev) in [#​908](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/908) [<samp>(7c697)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/7c697f8) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.19...v1.6.20) </details> <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.1...v20.10.2) ##### :construction\_worker\_man: Patch fixes - Updates external dependencies - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​2163](https://redirect.github.com/capricorn86/happy-dom/issues/2163) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.5.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1152) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.1...v11.5.2) ##### Patch Changes - Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence. - The lockfile verifier now checks that a registry entry pinning an explicit `tarball` URL points at the artifact the registry's own metadata lists for that `name@version`. Previously a tampered lockfile could pair a trusted `name@version` with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with `ERR_PNPM_TARBALL_URL_MISMATCH`. Non-registry resolutions (`file:`, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata. - Fix `pnpm update --recursive --lockfile-only <pkg>@​<version>` crashing with `Invalid Version` when the catalog entry for `<pkg>` is a version range (e.g. `^21.2.10`) and `catalogMode` is `strict` or `prefer`. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to `semver.eq()`, so range specifiers fall through to the existing mismatch handling instead of throwing [#​11570](https://redirect.github.com/pnpm/pnpm/issues/11570). - Avoided a Node.js crash when pnpm exits after network requests on Windows. - Fixed packages being materialized into the virtual store without their root-level files (`package.json`, `LICENSE`, README, root entrypoints) when multiple `pnpm install` processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the `package.json` completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place [#​12197](https://redirect.github.com/pnpm/pnpm/issues/12197). - Fix dependency build scripts not running under the global virtual store (`enableGlobalVirtualStore`). In a workspace install, dependency build scripts are deferred to a single `rebuild` pass (`buildProjects`). That pass resolved each package's location from the classic `node_modules/.pnpm/<depPathToFilename>` layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using `node-gyp` / `prebuild-install`) were never built and failed to load at runtime (`Cannot find module .../build/Release/*.node`). `buildProjects` now resolves the global-virtual-store projection directory (`<storeDir>/links/<hash>`, computed with the same graph hash the installer uses) when `enableGlobalVirtualStore` is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory. - Don't promote a `runtime:` dependency (such as the Node.js version from `devEngines.runtime` or `pnpm runtime set`) into a catalog when `catalogMode` is `strict` or `prefer`. A `runtime:` dependency round-trips to `devEngines.runtime`, which only recognizes the `runtime:` protocol; cataloging it rewrote the manifest entry to `catalog:`, which broke that round-trip, stranded it in `devDependencies`, and left `devEngines.runtime` untouched. - Skip lockfile `minimumReleaseAge`/`trustPolicy` verification for non-registry tarball protocols (for example `file:`), so local tarball dependencies are not incorrectly checked against npm registry metadata. </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.13.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17130---2026-06-06) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.12.0...17.13.0) It fixes 3 bugs, including a false negative one. - Fixed: `declaration-block-no-duplicate-properties` false negatives for interleaved non-consecutive duplicates with `ignore: ["consecutive-duplicates(-*)"]` ([#​9324](https://redirect.github.com/stylelint/stylelint/pull/9324)) ([@​sarathfrancis90](https://redirect.github.com/sarathfrancis90)). - Fixed: `selector-max-type` false positives for nested selectors ([#​9319](https://redirect.github.com/stylelint/stylelint/pull/9319)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `selector-type-no-unknown` false positives for `install` ([#​9308](https://redirect.github.com/stylelint/stylelint/pull/9308)) ([@​Mouvedia](https://redirect.github.com/Mouvedia)). </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.61.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8610-2026-06-08) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.1...v8.61.0) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.18.0`](https://redirect.github.com/silverwind/updates/releases/tag/17.18.0) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.17.3...17.18.0) - Remove debug logging from test default route (silverwind) - update deps (silverwind) - fix a batch of correctness bugs across modes, parsing and CLI (silverwind) - Document make mode in modes list and package metadata (silverwind) - Support docker images in make mode (silverwind) - Add make mode for go tool versions in Makefiles (silverwind) - simplify control flow and drop redundant guards (silverwind) - fix a batch of correctness bugs in version resolution and parsing (silverwind) - skip redundant version filtering and replace-free go.mod scans (silverwind) - fix -t comma split, multiline toml strings, and prerelease ordering (silverwind) - make: collapse patch/minor/major into one rule (silverwind) - simplify matchesAny contract, toml parser, misc cleanups (silverwind) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.4`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#334-2026-06-08) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.3...v3.3.4) ##### language-core - **fix:** only exclude already-set props from inherited attrs when `checkRequiredFallthroughAttributes` is enabled ([#​6088](https://redirect.github.com/vuejs/language-tools/issues/6088)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** camelize slot props regardless of `htmlAttributes` option ([#​6089](https://redirect.github.com/vuejs/language-tools/issues/6089)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** detect duplicate event listeners across name formats ([#​6094](https://redirect.github.com/vuejs/language-tools/issues/6094)) - Thanks to [@​whysopaul](https://redirect.github.com/whysopaul)! ##### language-service - **fix:** respect var hoisting for destructured props hints ([#​6092](https://redirect.github.com/vuejs/language-tools/issues/6092)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **fix:** do not treat `class` and `style` as a boolean property ([#​6081](https://redirect.github.com/vuejs/language-tools/issues/6081)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
|
Giteabot
|
4ca706d6a9 |
chore(deps): update dependency djlint to v1.39.0 (#38124)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.36.4` → `==1.39.0` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1390---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.2...v1.39.0) ##### Feature - Add `preserve_class_newlines` / `--preserve-class-newlines` to keep authored line breaks inside multiline `class` attributes. ##### Fix - Fix Django 6.0 `{% partialdef %}` block indentation so `{% endpartialdef %}` aligns with its opener. - Preserve multiline Django/Jinja control-flow blocks instead of condensing short bodies onto one line. - Preserve single-line inline HTML and template tag bodies during expansion, even when they exceed `max_line_length`. ### [`v1.38.2`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1382---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.1...v1.38.2) ##### Fix - Fix `python -m djlint` not working due to mypyc compilation. ### [`v1.38.1`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1381---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.0...v1.38.1) ##### Fix - Match exclude paths on path boundaries. ### [`v1.38.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1380---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.37.0...v1.38.0) ##### Feature - Add support for `.djlint.toml` project and global config files. ##### Fix - Preserve single-line inline HTML tag bodies when they fit within `max_line_length`. - Avoid evaluating template expressions while formatting tag contents. ##### Packaging - Fix npm publish workflow. ### [`v1.37.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1370---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.36.4...v1.37.0) ##### Feature - Add `--format-attribute-js-json` for formatting JavaScript and JSON inside HTML attributes. It also supports `format_attribute_js_json_pattern` and `format_attribute_js_json_min_props` for tuning which attributes are formatted. Thanks, [@​oliverhaas](https://redirect.github.com/oliverhaas). - Add `--github-output` for GitHub Actions annotations. Thanks, [@​iloveitaly](https://redirect.github.com/iloveitaly). ##### Fix - Fix `ignore_blocks` matching when ignored blocks are indented. Thanks, [@​tdryer](https://redirect.github.com/tdryer). - Use relative paths for `--exclude` and `--use-gitignore` matching so path filters work consistently from nested directories. Thanks, [@​satya-waylit](https://redirect.github.com/satya-waylit). - Stop D018/J018 from flagging root links such as `href="/"`. Thanks, [@​SAY-5](https://redirect.github.com/SAY-5). - Do not treat soft hyphen entities as text for H023. Thanks, [@​kotutuloro](https://redirect.github.com/kotutuloro). - Fix Handlebars `{{#unless}}` indentation. Thanks, [@​S1mplePixels](https://redirect.github.com/S1mplePixels). - Fix formatting when `/>` appears inside an HTML attribute value. Thanks, [@​novucs](https://redirect.github.com/novucs). - Improve CPU count handling for worker setup. ##### Performance - Improve formatter caching and reduce cache memory usage. Formatting is about 19% faster. ##### Documentation - Add Chinese translation. Thanks, [@​Twisuki](https://redirect.github.com/Twisuki). - Add Homebrew installation instructions. Thanks, [@​alfawal](https://redirect.github.com/alfawal). - Add EFM Neovim integration documentation. Thanks, [@​danielebra](https://redirect.github.com/danielebra). - Add copy-pastable pre-commit YAML to the README. Thanks, [@​Pierre-Sassoulas](https://redirect.github.com/Pierre-Sassoulas). - Polish linter and CLI documentation. Thanks, [@​jasonaowen](https://redirect.github.com/jasonaowen) and [@​dotWee](https://redirect.github.com/dotWee). ##### Packaging - Drop Python 3.9 support. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
 bircni
|
bce6df24b7 | feat(actions): show run status on browser tab favicon (#38071) | ||
 Karthik Bhandary
|
e70b91d8ec |
chore: center info message for unsupported jupyter notebook versions (#38114)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
 Lunny Xiao
|
a77edc7ba4 |
chore(actions): Add icon for status filter (#38082)
<img width="352" height="391" alt="image" src="https://github.com/user-attachments/assets/261dd567-49c2-4fc6-a646-5f8641e08192" /> --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
55250407dd |
feat(org): add team visibility so org members can discover teams (#37680)
Closes #37670. Today, org members in Gitea only see teams they're a member of. In larger orgs that hurts onboarding and discoverability — there's no way to look up which team owns what without asking around. GitHub solves this with a per-team visibility setting; this PR brings the same model to Gitea. ## What changes - Every team gets a `visibility` setting: - `private` *(default)* — only team members and org owners can see the team. Same as today's behavior. - `limited` — listable by any member of the organization. Members and the repos the team has access to are visible too. Non-org-members still see nothing. - `public` — listable by any signed-in user. - The Owners team visibility is fixed and cannot be changed via settings. - Existing teams default to `private`, so this is a no-op for anyone who doesn't change anything. ## API - `Team`, `CreateTeamOption`, `EditTeamOption` all gain a `visibility` field (string enum: `private` | `limited` | `public`). - `GET /orgs/{org}/teams` and `/orgs/{org}/teams/search` now apply the same visibility rules as the web UI: - site admins and org owners still see every team - other org members see their own teams plus any `limited` or `public` team - `private` teams are no longer leaked through these endpoints - Swagger/OpenAPI specs regenerated. ## UI View from admin2 (not an owner): <img width="1669" height="726" src="https://github.com/user-attachments/assets/daf4bccb-644b-4426-b178-71963aeaf73b" /> View from admin (owner): <img width="2559" height="863" src="https://github.com/user-attachments/assets/4f22cebc-e9df-4fd2-8ed4-724d31fadb7a" /> --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
 techknowlogick
|
80ca22a9ef | chore(deps): bump dockerfile to use Alpine 3.24 (#38077) | ||
 wxiaoguang
|
47d48eb208 | chore: fix form string abuse (#38106) | ||
 delvh
|
3417bc8979 | docs: Clarify criteria for becoming a merger (#38113) | ||
 TheFox0x7
|
c6167d1ff5 |
feat(api): add token introspection and self-deletion endpoint (#37995)
Adds a /api/v1/token endpoint that allows tokens to introspect and delete themselves. partially fixes: https://github.com/go-gitea/gitea/issues/33583 Assisted-by: Mistral Vibe:mistral-medium-3.5 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
b8ef6a91e6 |
docs: Publish TOC Election Result 2026 (#38111)
- Adjusted the wording for what happens on a draw (somehow we managed to get a draw) The new members are: - @delvh - @bircni - @TheFox0x7 Closes #37551 |
||
 Pycub
|
c7af379672 |
fix(api): nil pointer panic when filtering tracked times by a non-existent user (#38112)
## Problem
`GET /repos/{owner}/{repo}/times` and `GET
/repos/{owner}/{repo}/issues/{index}/times` crash with a nil pointer
dereference when the `user` query filter names a user that does not
exist.
## Root cause
In `ListTrackedTimes` and `ListTrackedTimesByRepository`, the
`IsErrUserNotExist` branch sends the 404 but is missing a `return`, so
execution falls through to `opts.UserID = user.ID` with a nil `user`.
---------
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
Karthik Bhandary
|
e82352f156 |
feat(web): Add Jupyter Notebook (.ipynb) Rendering Support (#37433)
### Summary Closes #37308 Adds native rendering support for Jupyter notebook files (`.ipynb`) in Gitea using backend rendering, allowing users to view formatted notebooks with code cells, markdown, outputs, and visualizations directly in the repository browser. ### Motivation Jupyter notebooks are widely used in data science, machine learning, and scientific computing. Currently, Gitea displays `.ipynb` files as raw JSON, making them difficult to read. This feature enables users to view notebooks in a formatted, readable way similar to GitHub and GitLab. ### Implementation Approach **Evolution:** Initially implemented frontend rendering using `marked` and `Shiki` libraries. After review feedback, migrated to backend rendering for better performance, security, and consistency with Gitea architecture. #### Backend Rendering Advantages - Server-side HTML generation eliminates client-side parsing overhead - Integrates with Gitea existing markup sanitizer for security - Uses Chroma for syntax highlighting (consistent with code files) - Uses Goldmark for markdown rendering (consistent with `.md` files) - No additional frontend dependencies required - Better performance for large notebooks ### Features #### Supported Cell Types - **Markdown cells:** Rendered with Goldmark (tables, lists, links, code blocks, etc.) - **Code cells:** Syntax-highlighted with Chroma, execution counts, language detection from notebook metadata - **Output cells:** Multiple output types in a single cell #### Supported Output Types - ✅ Text/plain outputs - ✅ Images (PNG, JPEG, SVG) with base64 data URIs - ✅ HTML outputs (tables, DataFrames, formatted text) - ✅ LaTeX/math equations (rendered as code blocks) - ✅ Error outputs with traceback (styled in red) - ✅ Stream outputs (`stdout`/`stderr`) - ⚠️ Interactive widgets (Plotly, ipywidgets) show informative messages - ⚠️ JavaScript outputs show security warning (disabled for safety) #### Edge Cases Handled - Empty notebooks or notebooks with no outputs - Corrupted JSON with graceful error display - Mixed output types in single cell - Large base64-encoded images - Execution count of `null` or `0` - `nbformat` version compatibility (only renders `nbformat 4+`, shows message for older versions) ### Changes #### Backend (Go) - `modules/markup/jupyter/jupyter.go` (**NEW**) - Jupyter notebook renderer implementation - Parses `.ipynb` JSON structure and generates HTML - Integrates Chroma for code syntax highlighting - Integrates Goldmark for markdown cell rendering - Dynamic language detection from notebook metadata - Handles all standard Jupyter output types - Comprehensive error handling with user-friendly messages - `modules/markup/renderer.go` (**MODIFIED**) - Registered Jupyter renderer in markup system - `main.go` (**MODIFIED**) - Import Jupyter renderer package for initialization #### Styling (CSS) - `web_src/css/markup/jupyter.css` (**NEW**) - Comprehensive styling for notebook cells, code, outputs - Uses Gitea CSS variables for consistent theming - Responsive layout with proper spacing - Table styling for DataFrame outputs - Removed parent container padding for consistency with other renderers #### Sanitizer Rules - `modules/markup/jupyter/jupyter.go` → `SanitizerRules()` - Configured HTML sanitization rules for safe rendering: - Cell structure (markdown, code, input/output wrappers) - Code highlighting (Chroma classes) - Images (base64 data URIs only) - Tables (DataFrames) - Markdown elements (headers, lists, links, etc.) ### Security Considerations - Server-side rendering: No client-side JavaScript execution - HTML sanitization: Strict allowlist for HTML elements and attributes - Image security: Only base64 data URIs allowed (no external URLs) - JavaScript disabled: `application/javascript` outputs show warning - XSS protection: Gitea markup sanitizer handles all HTML output ### Testing Manual testing performed with various notebooks: - Markdown rendering (headers, lists, tables, links, code blocks) - Code cells with execution counts and syntax highlighting - Multiple output types (text, images, HTML, LaTeX, errors, streams) - Error handling for edge cases - Theme compatibility (light/dark mode) ### Screenshots <img width="1080" height="553" alt="image" src="https://github.com/user-attachments/assets/aef9afa7-ed96-434d-98b0-b160565fc967" /> <img width="1092" height="552" alt="image" src="https://github.com/user-attachments/assets/6e61e792-4737-41c1-851e-5c375c1f932a" /> <img width="1104" height="622" alt="image" src="https://github.com/user-attachments/assets/4ac630c1-3a75-4e1c-9bba-c0a27484d001" /> <img width="1104" height="529" alt="image" src="https://github.com/user-attachments/assets/33750c47-70de-4ab2-893d-e5d09fa8d9c4" /> <img width="1111" height="343" alt="image" src="https://github.com/user-attachments/assets/52107d9f-0e06-420b-9ab4-1603dcd676b1" /> <img width="1091" height="650" alt="image" src="https://github.com/user-attachments/assets/0addae21-efa4-44bb-a56e-0418e3d4d227" /> <img width="1077" height="298" alt="image" src="https://github.com/user-attachments/assets/a3a8c5be-638c-45ff-82f3-816264254ead" /> ### Dependencies No new dependencies required: - Chroma (existing) - Syntax highlighting - Goldmark (existing) - Markdown rendering - Standard library - JSON parsing ### Key Design Decisions - Backend rendering for performance and security - Reuses existing Gitea infrastructure (Chroma, Goldmark, sanitizer) - Consistent styling with other markup renderers - Graceful degradation for unsupported features --- **Development Note:** This PR was developed with assistance from Amazon Q Developer and Claude AI for implementation, debugging, and testing. --------- Signed-off-by: Karthik Bhandary <34509856+karthikbhandary2@users.noreply.github.com> Co-authored-by: karthik.bhandary <karthik.bhandary@kfintech.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
aab9737651 |
fix(ui): prevent commit status popup overflowing its row (#38081)
Fixes #38079 ## Regression path The layout previously had `.commit-status-item .status-context { flex: 1 }`, which let the context fill remaining space and ellipsize. That rule was dropped in #37517 ("Refactor pull request view (5)") when the row markup moved to nested `.flex-text-block` wrappers, so nothing constrained the left block anymore. After: <img width="832" height="242" alt="image" src="https://github.com/user-attachments/assets/a20019f8-6016-40f7-8901-2808280dc093" /> --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
Giteabot
|
a68ee6a405 | fix(deps): update dependency esbuild to v0.28.1 [security] (#38097) | ||
|
wxiaoguang
|
1b3b4bdd03 |
fix: git push hook post receive (#38089)
* fix incorrect delayWriter call (there is already a defer call) * split HookPostReceive into small functions * fix incorrect HookPostReceiveResult response for errors * fix incorrect AddRepoToLicenseUpdaterQueue call * make sure repo home and branches page can work without default branch * make sure default branch is always synchronized between database and git repo, and fix FIXME |
||
|
bircni
|
9608cc212d |
fix: allow git clone of private repos with anonymous code access (#38074)
Fixes #38062. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
GiteaBot
|
275dee5bda | [skip ci] Updated translations via Crowdin | ||
|
wxiaoguang
|
ae49f65692 |
fix: parse HEAD ref (#38088)
fix #38086 |
||
|
bircni
|
15ae1bfc8c | fix: keep literal "false" value displayed in workflow_dispatch choice dropdowns (#38080) | ||
|
wxiaoguang
|
f5a97b7518 | fix: git cmd (#38084) | ||
|
wxiaoguang
|
4f4a0a79ac |
fix: csp regressions (#38047)
fix #37257 , all details are in the comments |
||
|
bircni
|
e473505d64 |
ci: Remove agent-scan (#38073)
As we saw, the agent scan is not as useful as we thought - so lets remove it again Signed-off-by: bircni <bircni@icloud.com> |
||
 puni9869
|
6a7e232f1e |
chore(deps): Update go to 1.26.4 and bump go dependencies (#38023)
New go version addressed multiple vulns as below. <img width="1217" height="818" alt="image" src="https://github.com/user-attachments/assets/f1738003-8b19-4fac-a200-6903d93f48ad" /> Dependencies affected: ``` gitea.com/gitea/runner - v1.0.6 → v1.0.8 gitea.dev/sdk - v1.0.1 → v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/azcore - v1.20.0 → v1.22.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob - v1.6.3 → v1.7.0 github.com/alecthomas/chroma/v2 - v2.25.0 → v2.26.1 github.com/aws/aws-sdk-go-v2/credentials - v1.19.17 → v1.19.24 github.com/aws/aws-sdk-go-v2/service/codecommit - v1.33.14 → v1.34.4 github.com/dlclark/regexp2/v2 - v2.1.0 → v2.2.1 github.com/getkin/kin-openapi - v0.139.0 → v0.140.0 github.com/google/pprof - v0.0.0-20260507013755-92041b743c96 → v0.0.0-20260604005048-7023385849c0 github.com/jhillyerd/enmime/v2 - v2.4.0 → v2.4.1 github.com/mattn/go-sqlite3 - v1.14.44 → v1.14.45 github.com/meilisearch/meilisearch-go - v0.36.2 → v0.36.3 github.com/microsoft/go-mssqldb - v1.9.7 → v1.10.0 github.com/redis/go-redis/v9 - v9.19.0 → v9.20.0 github.com/urfave/cli/v3 - v3.9.0 → v3.9.1 gitlab.com/gitlab-org/api/client-go/v2 - v2.34.0 → v2.38.0 go.yaml.in/yaml/v4 - v4.0.0-rc.3 → v4.0.0-rc.5 golang.org/x/crypto - v0.52.0 → v0.53.0 golang.org/x/image - v0.41.0 → v0.42.0 golang.org/x/net - v0.55.0 → v0.56.0 golang.org/x/sync - v0.20.0 → v0.21.0 golang.org/x/sys - v0.45.0 → v0.46.0 golang.org/x/text - v0.37.0 → v0.38.0 golang.org/x/tools - v0.44.0 → v0.45.0 gopkg.in/ini.v1 - v1.67.2 → v1.67.3 modernc.org/sqlite - v1.50.1 → v1.52.0 ``` --------- Signed-off-by: puni9869 <80308335+puni9869@users.noreply.github.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
wxiaoguang
|
d3d092f65d |
chore: fix git commit "rev-list" (#38069)
Fix the copied & pasted messy code, fix #38067 Now, "limit=-1" means "no limit" |
||
|
bircni
|
5a24438698 |
chore: various trivial fixes (#38070)
Follow-up to #37987, addressing the unresolved review comments on the org members search form. And fix more trivial problems together (see the commit titles) --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
 bn-zr
|
fefb6f3219 |
feat(api): Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs (#37196)
- Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs
endpoint, matching the
https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2026-03-10#list-workflow-runs-for-a-workflow
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
wxiaoguang
|
250a38abb5 | chore: migrate unescaped-html-literal eslint rule to our repo and fix more cases (#38072) | ||
 silverwind
|
360f34d7fa |
ci: bound seeded Go cache size and speed up disk cleanup (#38048)
Reduces the CI cache growth and disk pressure behind the flaky `No space left on device` failures in https://github.com/go-gitea/gitea/issues/37974. **`go-cache`** — the cache-seeder saved with a `restore-keys` prefix fallback, so every `go.sum` change restored the previous cache and re-saved the union; old module versions and stale build objects accumulated (~3 GB → ~7 GB) and overflowed disk on smaller runners. Drop `restore-keys` from the seeder **save** branches so each `go.sum` seeds a clean, size-bounded cache. PR runs keep `restore-keys` for warm-start fallback. **`free-disk-space`** — delete the unused preinstalled toolchains in parallel (~86 s → ~54 s) and log `df -h /` before/after. Measured during review: the hosted `ubuntu-latest` fleet is heterogeneous — most runners have ~89 GB free on `/` (a full pgsql integration shard peaks at ~17 GB used), but a minority arrive nearly full and fail mid cache-restore. The toolchain deletion is the headroom that keeps those runners green, so it stays; the cache bound shrinks the footprint for every runner. Authored with assistance from Claude (Opus 4.8). --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
bc2fbe77b1 |
refactor(actions): read runner capabilities from proto field (#38068)
[actions-proto-go v0.6.0](https://gitea.com/gitea/actions-proto-go) adds a `capabilities` field to `RegisterRequest` and `DeclareRequest`. This lets a runner advertise the transitional `cancelling` capability directly in the proto message instead of through the out-of-band mechanism we used while the proto bump was pending. This PR: - Bumps `gitea.dev/actions-proto-go` to `v0.6.0`. - Drops the forward-compat `capabilityGetter` type-assertion shim and the `runnerRequestHasCancellingCapability` helper, reading `GetCapabilities()` directly (now part of the `declareRequest` interface). - Removes the "capability state unknown → preserve existing value" branch. ## Why the behaviour change is correct The shim and the `(hasSupport, known)` two-value return only existed because the old proto had no `capabilities` field, so we couldn't tell "runner doesn't support it" from "we can't see the field." With v0.6.0 the field is always present. Since proto3 repeated fields have no presence, "no capabilities sent" now unambiguously means the runner does not advertise the capability, so a runner that omits `cancelling` is correctly recorded as `HasCancellingSupport = false`. There is no regression: prior to this bump Gitea was on `v0.5.0`, where the type assertion always failed and `HasCancellingSupport` was therefore never set from requests — so no runner relied on the preserved-unknown path. ## Compatibility The change is wire-compatible in both directions of version skew, because the new field uses a previously unused field number (8 on `RegisterRequest`, 3 on `DeclareRequest`) and the transport uses the binary protobuf codec: - **Old runner → new Gitea:** the runner omits the field; it decodes to an empty capability list. Registration/declaration succeed; the runner simply doesn't get the cancelling feature. - **New runner → old Gitea:** the runner sends the field; the old server's generated code doesn't know the field number and silently ignores it. Registration/declaration succeed. The feature only activates once both server and runner are on `v0.6.0`. |
||
|
wxiaoguang
|
442f5e7d06 | chore: fine tune pull request merge box and commit status item (#38060) | ||
 metsw24-max
|
988f0ea54a |
fix: validate gem name in rubygems parseMetadataFile (#38061)
The registry writes the stored gem name straight into its line-based
compact index, both the shared `/versions` listing (one `GEMNAME
versions md5` line per gem) and the per-package `info/{name}` file. The
parser only rejected an empty name or one containing a slash, so a
`.gem` whose gemspec `name` carries a newline was accepted and persisted
as the package name, letting an authenticated uploader forge extra lines
in the shared index and so spoof additional gem names, versions and
checksums to clients. The name is now checked against the upstream
RubyGems name pattern in the parser, which is the layer that already
validates the version.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
 Eugenio Paolantonio
|
fa89785d33 |
feat(api): add Link header in ListForks (#38052)
Fixes #38051. Disclosure: writing of the integration test was AI assisted. --------- Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
19d1e1d334 |
test: enable WAL for sqlite integration tests (#37861)
Enable `SQLITE_JOURNAL_MODE = WAL` for the sqlite integration test config. With modernc as the default driver, concurrent writers serialize on SQLite's single write lock and the tail of the queue can exceed the 20s busy timeout under CI load. WAL drains the queue fast enough to stay inside the timeout (removes rollback's fsync-per-commit and reader-vs-commit blocking) and covers all sqlite integration tests in one change. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
bircni
|
920b3f8cb6 | fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) | ||
|
wxiaoguang
|
4ba0a545f2 |
chore: js html (#38056)
remove unnecessary "eslint-disable-line" rules |
||
|
wxiaoguang
|
a51781527b |
fix: commit display name (#38057)
fix #38054 |
||
|
metsw24-max
|
7134c1f845 |
fix: bound debian ParseControlFile to a single control stanza (#38044)
**Packages-index stanza injection via Debian control file** A `.deb` whose `control` file appends extra paragraphs after a blank line was still accepted, and `ParseControlFile` stored the whole multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into the generated `Packages` index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen `Filename` into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
7b4a1a1a11 | fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006) | ||
|
bircni
|
63df886ba8 |
fix(actions): keep distinct commit statuses for workflows sharing a name (#37834)
## Summary Two Gitea Actions workflow files that share the same `name:` and same job name produced identical commit-status `Context` strings. Because `GetLatestCommitStatus` groups by `context_hash` (derived from `Context`), only one row was shown on the PR page — see #35699. GitHub displays both rows even though they look identical. This change does the same: the displayed `Context` is unchanged, but `ContextHash` now mixes in the workflow file path so the two statuses remain distinct in the dedupe query. ## Notes - Workflows that omit `name:` now use the workflow file name in the `Context` (e.g. `ci.yaml / build (push)`) instead of an empty `/ build (push)`. This changes the `Context` string for unnamed workflows, so any required-status-check rule that referenced the old string must be updated after upgrade. - For statuses created before this change (hashed from `Context` alone), `createCommitStatus` reuses that legacy hash when a matching row is still present, so in-flight pending statuses are superseded rather than orphaned on upgrade. Fixes #35699 --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
Giteabot
|
5fe77ad309 |
fix(deps): update go dependencies (#37967)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |  |  | | [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |  |  | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |  |  | | [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |  |  | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |  |  | | [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6) #### Changelog - fix(deps): update module github.com/opencontainers/selinux to v1.15.0 ([#​990](https://redirect.github.com/gitea/runner/issues/990)) - chore: pin Docker base images to explicit versions ([#​992](https://redirect.github.com/gitea/runner/issues/992)) - chore(deps): update actions/setup-node action to v6 ([#​991](https://redirect.github.com/gitea/runner/issues/991)) - test: make TestRunEvent integration suite runnable locally ([#​987](https://redirect.github.com/gitea/runner/issues/987)) - ci: add PR title linting against Conventional Commits ([#​988](https://redirect.github.com/gitea/runner/issues/988)) - fix: clean up job network and container when container start fails ([#​986](https://redirect.github.com/gitea/runner/issues/986)) </details> <details> <summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0) #### What's Changed - feat(openapi3): batch-convert long-tail RequiredFieldError sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170) - feat(openapi3): typed validation error clusters (combined: [#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179)) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180) - openapi3gen: skip component export for anonymous types by [@​0-don](https://redirect.github.com/0-don) in [#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163) - feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181) - openapi3: typed context errors for Validate() wrapper chain by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183) - openapi3: track Origin on the document root (T) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184) - openapi3: tests flakiness corrected by [@​fenollp](https://redirect.github.com/fenollp) in [#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159) - openapi3: aggregate independent validation errors via EnableMultiError by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185) - openapi3: fix validation of duplicated path templates by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189) - openapi3: type the remaining bare-error validation sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0> </details> <details> <summary>go-chi/chi (github.com/go-chi/chi/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0) #### What's Changed - Use strings.ReplaceAll where applicable by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1046](https://redirect.github.com/go-chi/chi/pull/1046) - Propagate inline middlewares across mounted subrouters by [@​LukasJenicek](https://redirect.github.com/LukasJenicek) in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - add go 1.26 to ci by [@​pkieltyka](https://redirect.github.com/pkieltyka) in [#​1052](https://redirect.github.com/go-chi/chi/pull/1052) - Remove last uses of io/ioutil by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1054](https://redirect.github.com/go-chi/chi/pull/1054) - Simplify chi.walk with slices.Concat by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1053](https://redirect.github.com/go-chi/chi/pull/1053) - Apply the stringscutprefix modernizer by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1051](https://redirect.github.com/go-chi/chi/pull/1051) - Bump minimum Go to 1.23, always use request.Pattern by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1048](https://redirect.github.com/go-chi/chi/pull/1048) - middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - Fix typo in Route doc comment by [@​gouwazi](https://redirect.github.com/gouwazi) in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - fix: set Request.Pattern from RoutePattern() by [@​leno23](https://redirect.github.com/leno23) in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) - feat: middleware.ClientIP, a replacement for middleware.RealIP by [@​VojtechVitek](https://redirect.github.com/VojtechVitek) in [#​967](https://redirect.github.com/go-chi/chi/pull/967) #### New Contributors - [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made their first contribution in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - [@​alliasgher](https://redirect.github.com/alliasgher) made their first contribution in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - [@​gouwazi](https://redirect.github.com/gouwazi) made their first contribution in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - [@​leno23](https://redirect.github.com/leno23) made their first contribution in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) #### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP [@​VojtechVitek](https://redirect.github.com/VojtechVitek) submitted PR [#​967](https://redirect.github.com/go-chi/chi/issues/967), which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories: - [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto) - [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss) - [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3) It also addresses issues outlined at: - [#​708](https://redirect.github.com/go-chi/chi/issues/708) - <https://adam-p.ca/blog/2022/03/x-forwarded-for/> - [#​711](https://redirect.github.com/go-chi/chi/issues/711) - [#​453](https://redirect.github.com/go-chi/chi/issues/453) - [#​908](https://redirect.github.com/go-chi/chi/pull/908) `middleware.RealIP` is deprecated in this PR with pointers to the new API. The deprecation only adds a `// Deprecated:` doc comment; the function keeps working for backward compatibility. ##### Why a new middleware (not "fix RealIP in place") `RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per [adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly. ##### The new API Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors: ```go // One of the four. There is no safe default — pick exactly one. func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler func ClientIPFromRemoteAddr(h http.Handler) http.Handler // Read the result. func GetClientIP(ctx context.Context) string // for logs, rate-limit keys func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work ``` #### Example usage: ```go // Pick a single ClientIP middleware based on your deployment // Cloudflare. r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) // Nginx with ngx_http_realip_module. r.Use(middleware.ClientIPFromHeader("X-Real-IP")) // Apache with mod_remoteip. r.Use(middleware.ClientIPFromHeader("X-Client-IP")) // AWS CloudFront, or any proxy fleet with known CIDRs. r.Use(middleware.ClientIPFromXFF( "13.32.0.0/15", // CloudFront IPv4 "52.46.0.0/18", // CloudFront IPv4 "2600:9000::/28", // CloudFront IPv6 )) // Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools, // ephemeral containers, dynamic CDN edges). r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) // Server directly on the public internet, no proxy in front. r.Use(middleware.ClientIPFromRemoteAddr) ``` And in your handler or downstream middleware: ```go clientIP := middleware.GetClientIP(r.Context()) // log it, use it as a rate-limit key, etc. ``` *** Thanks to [@​adam-p](https://redirect.github.com/adam-p), [@​c2h5oh](https://redirect.github.com/c2h5oh), [@​rezmoss](https://redirect.github.com/rezmoss), [@​Saku0512](https://redirect.github.com/Saku0512), [@​convto](https://redirect.github.com/convto), [@​Dirbaio](https://redirect.github.com/Dirbaio), [@​jawnsy](https://redirect.github.com/jawnsy), [@​lrstanley](https://redirect.github.com/lrstanley), [@​mfridman](https://redirect.github.com/mfridman), [@​n33pm](https://redirect.github.com/n33pm), [@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR. **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4) ##### Dependency Updates This release just contains updates to dependencies. </details> <details> <summary>minio/minio-go (github.com/minio/minio-go/v7)</summary> ### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0) #### What's Changed - Use go tool for ci-lint check by [@​klauspost](https://redirect.github.com/klauspost) in [#​2229](https://redirect.github.com/minio/minio-go/pull/2229) - Rename github.com/go-ini/ini to gopkg.in/ini.v1 by [@​ramondeklein](https://redirect.github.com/ramondeklein) in [#​2232](https://redirect.github.com/minio/minio-go/pull/2232) - Add RDMA / NVIDIA GPU Direct Storage support by [@​harshavardhana](https://redirect.github.com/harshavardhana) in [#​2233](https://redirect.github.com/minio/minio-go/pull/2233) **Full Changelog**: <https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) #### 2.34.0 ##### 🚀 Features - Extend DeploymentDeployablePipeline with web_url ([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902)) by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.1 ([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27) ### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) #### 2.33.0 ##### 🚀 Features - feat(work-items): add ListWorkItemTypes to WorkItemsService ([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.2 ([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27) ##### Features * **work-items:** add ListWorkItemTypes to WorkItemsService ([e71cb99](https://gitlab.com/gitlab-org/api/client-go/commit/e71cb994482aa882eb8eb9fc4140ca1e4aac25ab)) ### [`v2.32.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.32.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) #### 2.32.0 ##### 🚀 Features - feat(ci-job-cancel): force cancel ([!2872](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2872)) by [Filip Aleksic](https://gitlab.com/faleksic) ### [2.32.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) (2026-05-23) ##### Features * **ci-job-cancel:** force cancel ([aa46bd1](https://gitlab.com/gitlab-org/api/client-go/commit/aa46bd18428834eebdb42622f2523c64686021e8)) ### [`v2.31.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.31.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) #### 2.31.0 ##### 🚀 Features - Adds project service accounts API ([!2899](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2899)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) - feat(gitlaboauth2): support ephemeral ports in CallbackServer ([!2877](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2877)) by [Raphael Rösch](https://gitlab.com/raphael.roesch) ### [2.31.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) (2026-05-22) ##### Features * **gitlaboauth2:** support ephemeral ports in CallbackServer ([c8c388d](https://gitlab.com/gitlab-org/api/client-go/commit/c8c388d56663a8f2e27b4c74f1323d3671a6bbaf)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
Giteabot
|
a91c88428b |
chore(deps): update dependency happy-dom to v20.10.1 (#38043)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.9.0` → `20.10.1`](https://renovatebot.com/diffs/npm/happy-dom/20.9.0/20.10.1) |  |  | --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.1`](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) ### [`v20.10.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.9.0...v20.10.0) ##### 🎨 Features - Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting [canvasAdapter](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds new package [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) is a pluggable canvas adapter for Happy DOM using [node-canvas](https://redirect.github.com/Automattic/node-canvas). - Adds support for loading image files when enabling the browser setting [enableImageFileLoading](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for loading image data URLs - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageData](https://developer.mozilla.org/en-US/docs/Web/API/ImageData) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageBitmap](https://developer.mozilla.org/en-US/docs/Web/API/ImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [Window.createImageBitmap()](https://developer.mozilla.org/en-US/docs/Web/API/Window/createImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Lunny Xiao
|
49a0d19fa3 |
feat(api): Add assignees APIs (#37330)
Follow https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28 Fix #33576 And it also fixed some possible dead-lock problem. --------- Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Zettat123 <zettat123@gmail.com> |
||
|
Lunny Xiao
|
611dfc9496 | fix: Fix some wrong code and follow 37347 (#37987) | ||
|
bircni
|
72c1e4c621 | docs: update community governance document (#38038) | ||
|
Giteabot
|
60abea17a2 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.33.2` → `v0.34.0` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0) go-swagger release 0.34.0 *** Released on 2026 May 29 ##### [0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0) - 2026-05-28 Major refactoring. Focus on improving runtime (e.g.generated client) and codescan (e.g. generated spec). **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0> 42 commits in this release. *** ##### <!-- 00 -->Implemented enhancements - feat(client): added method to configure client-side custom producers/consumers by [@​fredbi](https://redirect.github.com/fredbi) in [#​3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4068f65b0403f90092e78269f89ef7cb26d6eb2f) ##### <!-- 01 -->Fixed bugs - fix(client): moved internal fields in generated Params (timeout, Context) to their own struct. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3349](https://redirect.github.com/go-swagger/go-swagger/pull/3349) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a81068f5d52d4b560654f8e17748b6a79ec1425e) - fix(client): added operation with context to client interface. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3348](https://redirect.github.com/go-swagger/go-swagger/pull/3348) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d5e5d3020b83f4a9b895ae31a93cb121f989e4a6) - fix(codescan): upgraded codescan for swagger generate spec. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3347](https://redirect.github.com/go-swagger/go-swagger/pull/3347) [...](https://redirect.github.com/go-swagger/go-swagger/commit/971f2aa56ad48d927ab9d21de794edf1c43d22b7) - fix(client): generated client uses more idiomatic SubmitContext by [@​fredbi](https://redirect.github.com/fredbi) in [#​3342](https://redirect.github.com/go-swagger/go-swagger/pull/3342) [...](https://redirect.github.com/go-swagger/go-swagger/commit/01d8f1358f8ab94c4b7c3a1caf50e1d0b11b26c6) - fix: adapted to runtime v0.32.x by [@​fredbi](https://redirect.github.com/fredbi) in [#​3341](https://redirect.github.com/go-swagger/go-swagger/pull/3341) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba25bfa2cc0822973d9f48f5976721ffc8c499fc) - fix: handle operator characters in enum constants (fixes [#​1047](https://redirect.github.com/go-swagger/go-swagger/issues/1047)) by [@​Abzaek](https://redirect.github.com/Abzaek) in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4856feb230eba01352d2bb310f03b26827d34a5e) ##### <!-- 02 -->Refactor - refact(codegen): more concise server binding of form parameters. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3339](https://redirect.github.com/go-swagger/go-swagger/pull/3339) [...](https://redirect.github.com/go-swagger/go-swagger/commit/036e31515a687b8a237bcf2d938a7ae36dc55fd1) - refact(generator): split template repository, funcmaps and langage by [@​fredbi](https://redirect.github.com/fredbi) in [#​3316](https://redirect.github.com/go-swagger/go-swagger/pull/3316) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4d659c0b5e0724cb78b413a564619792fe4dd23e) ##### <!-- 03 -->Documentation - doc: announcements before cutting v0.34.0 by [@​fredbi](https://redirect.github.com/fredbi) in [#​3352](https://redirect.github.com/go-swagger/go-swagger/pull/3352) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9b15dfe858b6b20747fb24b672707ee817481f11) - doc(faq): added explanations about why mixin can't support yaml anchors by [@​fredbi](https://redirect.github.com/fredbi) in [#​3340](https://redirect.github.com/go-swagger/go-swagger/pull/3340) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0dd20f7852a35f3ebf4ea552cef66ae7296801a2) - codegen(cli): fixed missing dependencies in CLI doc template by [@​fredbi](https://redirect.github.com/fredbi) in [#​3309](https://redirect.github.com/go-swagger/go-swagger/pull/3309) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b1cc87b266a8351b4fc4534d5116c11a1daadbc1) ##### <!-- 05 -->Code quality - chore: move generated code to use the new swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3336](https://redirect.github.com/go-swagger/go-swagger/pull/3336) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba47cff06d55b38579a1f2e34a2e4e8691dd90b0) - chore(generator): migrated to the new go-openapi/swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3335](https://redirect.github.com/go-swagger/go-swagger/pull/3335) [...](https://redirect.github.com/go-swagger/go-swagger/commit/83bced44f9c028141dd698838da0e5409d0ed49b) - chore(lint): relint code base (pass 1) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3331](https://redirect.github.com/go-swagger/go-swagger/pull/3331) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8a020f05985758bcb2535e36984ab03c62109fed) - ci: reenact linting (was temporarily disabled to swallow large diffs) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3304](https://redirect.github.com/go-swagger/go-swagger/pull/3304) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8cd187ba00b80a021c0493e55906b6835a985458) - doc: post-release by [@​fredbi](https://redirect.github.com/fredbi) in [#​3302](https://redirect.github.com/go-swagger/go-swagger/pull/3302) [...](https://redirect.github.com/go-swagger/go-swagger/commit/746308f71fe2d5e722b151a0ede49f84ecfaa3ea) ##### <!-- 07 -->Miscellaneous tasks - test: fix fake flaky test reporting by [@​fredbi](https://redirect.github.com/fredbi) in [#​3350](https://redirect.github.com/go-swagger/go-swagger/pull/3350) [...](https://redirect.github.com/go-swagger/go-swagger/commit/747db03403e881e53baecd5c2f40a074e15697bf) - ci: drop peter-evans sign-commits to avoid per-file API uploads by [@​fredbi](https://redirect.github.com/fredbi) in [#​3346](https://redirect.github.com/go-swagger/go-swagger/pull/3346) [...](https://redirect.github.com/go-swagger/go-swagger/commit/480a0bdbf54484562cef642132b929a9e5c03d4a) - ci: checkout examples before configuring bot credentials by [@​fredbi](https://redirect.github.com/fredbi) in [#​3345](https://redirect.github.com/go-swagger/go-swagger/pull/3345) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6dda1280feee830fadbed93e6c896000fe92acdf) - ci: fix cross-workflow artifact download permission by [@​fredbi](https://redirect.github.com/fredbi) in [#​3344](https://redirect.github.com/go-swagger/go-swagger/pull/3344) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5981d75858c489b8f82974c47f7fa7089deb66d2) - ci: fix examples regeneration auto-PR by [@​fredbi](https://redirect.github.com/fredbi) in [#​3343](https://redirect.github.com/go-swagger/go-swagger/pull/3343) [...](https://redirect.github.com/go-swagger/go-swagger/commit/f50d895b3a304b8a0657a4e8612fc53e6ff370dc) - chore(diff): moved cmd/swagger/commands/diff to its own package by [@​fredbi](https://redirect.github.com/fredbi) in [#​3308](https://redirect.github.com/go-swagger/go-swagger/pull/3308) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6e059188a45c84e64591b7cb915f4205d6f7a8a1) - chore(codescan): moved the codescan package in a separate repo by [@​fredbi](https://redirect.github.com/fredbi) in [#​3307](https://redirect.github.com/go-swagger/go-swagger/pull/3307) [...](https://redirect.github.com/go-swagger/go-swagger/commit/eeca5fc9ff118d7be5d76d52855a082b04f13d91) - ci: added workflow to regen examples and push the changes to the exam… by [@​fredbi](https://redirect.github.com/fredbi) in [#​3305](https://redirect.github.com/go-swagger/go-swagger/pull/3305) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9203e37e731b131c5d89a78209d549960b7c0a1c) ##### <!-- 08 -->Security - docs: add comprehensive documentation for API Browser (issue [#​2401](https://redirect.github.com/go-swagger/go-swagger/issues/2401)) by [@​dashitongzhi](https://redirect.github.com/dashitongzhi) in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b594d144ef999cb830cc9cb32d1c3617d5d93a36) - ci: enhanced regen examples workflow by [@​fredbi](https://redirect.github.com/fredbi) in [#​3306](https://redirect.github.com/go-swagger/go-swagger/pull/3306) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e1c611ed9e0739d0395b8e08922ddfb48a6e257d) - doc: move examples by [@​fredbi](https://redirect.github.com/fredbi) in [#​3303](https://redirect.github.com/go-swagger/go-swagger/pull/3303) [...](https://redirect.github.com/go-swagger/go-swagger/commit/c32e2d574a1272c97c18aaddbeed294f62fdca31) ##### <!-- 0A -->Updates - chore(deps): bump the development-dependencies group with 10 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3337](https://redirect.github.com/go-swagger/go-swagger/pull/3337) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9f68bcccf8a6ab943fa954764e749bd8e3b67684) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3329](https://redirect.github.com/go-swagger/go-swagger/pull/3329) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9286ac262e487f54fbeea64798790b463f27a7cc) - chore(deps): bump golang from `f853308` to `91eda97` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3328](https://redirect.github.com/go-swagger/go-swagger/pull/3328) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a4f355cfded251a4d9fc4a3f06b0aed72314c2a4) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3327](https://redirect.github.com/go-swagger/go-swagger/pull/3327) [...](https://redirect.github.com/go-swagger/go-swagger/commit/1078819e42db2fdf56b7fd724f911b5b32f0ed42) - chore(deps): bump the development-dependencies group with 3 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3326](https://redirect.github.com/go-swagger/go-swagger/pull/3326) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e4b5c8fe1fe5869e2da495e9e363032cfee9b85f) - chore(deps): bump the development-dependencies group with 5 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3325](https://redirect.github.com/go-swagger/go-swagger/pull/3325) [...](https://redirect.github.com/go-swagger/go-swagger/commit/30da59f48a8baf6a04a667191355c5aacbb1f6f1) - chore(deps): bump golang from `27f8293` to `f853308` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3324](https://redirect.github.com/go-swagger/go-swagger/pull/3324) [...](https://redirect.github.com/go-swagger/go-swagger/commit/faffaccee8fc0843fa35ce757b19643b15b20551) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3323](https://redirect.github.com/go-swagger/go-swagger/pull/3323) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5bbf90b257203d40a28d40d68f38411b0b0ab06e) - chore(deps): bump golang from `c2a1f7b` to `27f8293` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3322](https://redirect.github.com/go-swagger/go-swagger/pull/3322) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d25d6f2da06f02c38565d2bed1a4c45c41b4b539) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3321](https://redirect.github.com/go-swagger/go-swagger/pull/3321) [...](https://redirect.github.com/go-swagger/go-swagger/commit/cedb38213dc4bfeb6c6f2fccb0211e596c777faf) - chore(deps): bump golang from `2389ebf` to `c2a1f7b` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3320](https://redirect.github.com/go-swagger/go-swagger/pull/3320) [...](https://redirect.github.com/go-swagger/go-swagger/commit/3815953bf63523fd72c9f9dad337f3d7990fd7bd) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3318](https://redirect.github.com/go-swagger/go-swagger/pull/3318) [...](https://redirect.github.com/go-swagger/go-swagger/commit/126ceeb6180966caba0429435d94b0fb1a1e8c14) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3317](https://redirect.github.com/go-swagger/go-swagger/pull/3317) [...](https://redirect.github.com/go-swagger/go-swagger/commit/af43211eec84e29e817f3e990cf8084fb45ebec0) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3315](https://redirect.github.com/go-swagger/go-swagger/pull/3315) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0f32c03e4982ed564cfd9d9593a4cfa1c1304d40) *** ##### People who contributed to this release - [@​Abzaek](https://redirect.github.com/Abzaek) - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) - [@​fredbi](https://redirect.github.com/fredbi) *** ##### New Contributors - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) made their first contribution in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) - [@​Abzaek](https://redirect.github.com/Abzaek) made their first contribution in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) *** **[go-swagger](https://redirect.github.com/go-swagger/go-swagger) license terms** [![License][license-badge]][license-url] [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg [license-url]: https://redirect.github.com/go-swagger/go-swagger/?tab=Apache-2.0-1-ov-file#readme *** Released by [GoReleaser](https://redirect.github.com/goreleaser/goreleaser). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
bircni
|
699fe2ef43 |
fix(actions)!: require merged PR to bypass fork PR approval gate (#38010)
`ifNeedApproval` in `services/actions/notifier_helper.go` decided whether a fork PR's workflow run had to wait for maintainer approval. The bypass clause counted any prior `approved_by > 0` run for `(repo_id, trigger_user_id)`, so the very first Approve-and-run click on a contributor's fork PR permanently trusted that user for every future fork PR in the same repository — including PRs whose only change is the workflow YAML itself. Approving a workflow *run* is not the same as merging *code*. This change aligns the gate with GitHub Actions' first-time-contributor model: trust is granted only after the user has had a pull request merged in the repo. ## Behavior change - **Before**: one approval = permanent trust for that user in that repo. - **After**: every fork PR is gated until the contributor has at least one merged PR in the repo. Existing already-approved runs and merged PRs continue to work; only the trust criterion for *future* fork PRs changes. Maintainers who rely on the implicit "approve once" trust will see the approval banner reappear until they merge a PR from that contributor. |
||
|
Giteabot
|
ee9f31e9c9 |
chore(deps): update dependency @eslint/json to v2 (#38030)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@eslint/json](https://redirect.github.com/eslint/json) | [`1.2.0` →
`2.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjson/1.2.0/2.0.0) |
|
|
---
### Release Notes
<details>
<summary>eslint/json (@​eslint/json)</summary>
###
[`v2.0.0`](https://redirect.github.com/eslint/json/blob/HEAD/CHANGELOG.md#200-2026-05-28)
[Compare
Source](https://redirect.github.com/eslint/json/compare/72eb947ec708d1326047977c165670582ce58a26...804ffc4911bf489cea025a829f65ee98c975b7ee)
##### ⚠ BREAKING CHANGES
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
##### Features
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
([
|
||
|
bircni
|
3b1e75764e |
feat(actions): add job summaries (GITHUB_STEP_SUMMARY) (#37500)
- Add GitHub-style Actions **job summaries** support
(`GITHUB_STEP_SUMMARY` / `workflow/SUMMARY.md`) and render them on the
run Summary view.
- Store uploaded summaries internally in the DB (not as downloadable
artifacts).
- Add runtime-token endpoint for runners to upload summaries:
- `PUT
/api/actions_pipeline/_apis/pipelines/workflows/{run_id}/jobs/{job_id}/summary`
- Advertise support to runners via `RunnerService.Declare` response
header:
- `X-Gitea-Actions-Capabilities: job-summary`
- Devtest: extend `/devtest/repo-action-view/...` to include mock
`jobSummaries` for previewing UI rendering.
## Compatibility
- New Gitea + old runner: no summary upload → UI shows nothing (no
behavior change)
- New runner + old Gitea: capability not advertised → runner skips
upload (no behavior change)
## Screenshot:
<img width="2017" height="729"
src="https://github.com/user-attachments/assets/31f8b945-50c4-40e1-9f40-382901a53013"
/>
Fixes #23721
PR on gitea-runner https://gitea.com/gitea/runner/pulls/917
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
bircni
|
b1c088e9cf |
enhance(actions): Make Summary UI more beautiful with more infos (#37824)
## Summary - Redesign the Actions run summary header to follow GitHub Actions layout: trigger info on the left, Status / Total duration / Artifacts columns inline on the right - Expose trigger user avatar, pull request link, and PR head branch info from the run view API - Update the workflow graph header to show the workflow filename (linked to the run workflow file) and `on: <event>`, while keeping the jobs/dependencies/success stats line - Remove the redundant commit/workflow metadata row below the run title; that information now lives in the summary bar New: <img width="1564" height="639" src="https://github.com/user-attachments/assets/e6bc1623-c5fc-4e97-abc9-fde7f3c6aef9" /> Old: <img width="2038" height="1038" src="https://github.com/user-attachments/assets/0857f19a-8d3a-4da2-82fd-e9ebeb200062" /> Replaces https://github.com/go-gitea/gitea/pull/36721 --------- Co-authored-by: Giteabot <teabot@gitea.io> |
