Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove ReverseProxy authentication from the API #22219

Merged
merged 3 commits into from
Dec 27, 2022

Conversation

zeripath
Copy link
Contributor

@zeripath zeripath commented Dec 22, 2022

Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication.

Replace #22077
Close #22221
Close #22077

Signed-off-by: Andrew Thornton art27@cantab.net

Since we changed the /api/v1/ routes to disallow session authentication we also
removed their reliance on CSRF. However, we left the ReverseProxy authentication
here - but this means that POSTs to the API are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication, and is
therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication from the
API and therefore users of the API must explicitly use tokens or basic authentication.

Replace go-gitea#22077

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added type/bug outdated/backport/v1.18 This PR should be backported to Gitea 1.18 labels Dec 22, 2022
@zeripath zeripath added this to the 1.19.0 milestone Dec 22, 2022
@zeripath
Copy link
Contributor Author

I've also reopened #22077 but with a few fixes and in such a way that we can update and merge it.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 22, 2022
Copy link
Member

@jolheiser jolheiser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with limiting to token auth (and basic...for now)

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 22, 2022
@pboguslawski
Copy link
Contributor

pboguslawski commented Dec 22, 2022

What about protecting installations, where there is proxy between public and gitea that translates auth from say cookies/client certs/basic auths/... to auth method gitea understands (like token or basic auth after this PR is merged)? Seems that CSRF will still be possible and API auth methods removal is not a proper solution.

@delvh delvh added the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Dec 22, 2022
routers/api/v1/api.go Outdated Show resolved Hide resolved
Signed-off-by: Andrew Thornton <art27@cantab.net>
Copy link
Member

@delvh delvh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My (slightly uneducated) opinion on this topic:

What about protecting installations, where there is proxy between public and gitea that translates auth from say cookies/client certs/basic auths/... to auth method gitea understands (like token or basic auth after this PR is merged)?

I don't quite understand what you mean.
A malignant reverse proxy between the user and the gitea server that stores valid user credentials?
I doubt there is a way we can prevent that proxy from impersonating a user…
I mean, such a server can simply log in as the user, and make the call as the user themselves.
In this case, there is no point in securing anything because if this scenario happens, your entire credentials are compromised and your entire security is "on fire".

Additionally, we are talking about the API at the moment.
I first want to see the users that call the API from browsers, which is as far as I'm aware the main source of CSRF attacks.
If we removed this authentication from the web UI, this would be a completely different case.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 26, 2022
@lunny lunny merged commit 83640c4 into go-gitea:main Dec 27, 2022
@lunny
Copy link
Member

lunny commented Dec 27, 2022

Please send back port

zjjhot added a commit to zjjhot/gitea that referenced this pull request Dec 27, 2022
* upstream/main:
  Remove deadcode (go-gitea#22245)
  Remove ReverseProxy authentication from the API (go-gitea#22219)
  Fix typo of Asia/Shanghai (go-gitea#22242)
@pboguslawski
Copy link
Contributor

pboguslawski commented Dec 27, 2022

I don't quite understand what you mean.

Reverse proxy may have more intelligent auth methods that gitea currently has and may authenticate user using it. After authentication it must pass user login somehow to gitea using protocol gitea understands (only login is important to pass between proxy and gitea). One can think of many different solutions here, i.e. header with login only (best for this scenario IHMO), basic auth (login with dummy pass), token maybe, etc.

your entire credentials are compromised and your entire security is "on fire".

Auth and user credentials management is proxys job in this scenario and credentials are NOT compromised (gitea does not use passwords/tokens and blindly trust login passed from proxy). Proxy must pass login to gitea in secure manner (i.e. disallowing user A to act as user B) = path bettween proxy and gitea must be secured and trusted (i.e. not possible to sniff/change traffic).

Removing header auth from API part of gitea effectively makes upstream version of gitea poor solution for environments, where proxy auth and API must be used. Sad to see such regress.

@wxiaoguang
Copy link
Contributor

Quote my comment from:

It's not ideal to use ReverseProxy for APIs. Security related mechanisms need complete designs.

I'd like to remind that this change may cause unexpected behaviors.

If I understand correctly, the reqBasicAuth was used to protect some privileged APIs like creating or deleting user's tokens. It was designed to require the API client (ex: GitNex) to force users to provide their password and OTP code for some privileged operations.

Normally, a GitNex client uses the access token to call APIs for daily usage. When it's going to do some privileged operations, the users should use user's password and OTP to verify that such operation is authorized to be done by the user themselves (double-verification).

After this change, the double-verification doesn't take affect for ReverseProxy. I am not sure whether it's expected, just share my opinions for reference.

@pboguslawski
Copy link
Contributor

It's not ideal to use ReverseProxy for APIs.

Why?

Normally, a GitNex client uses the access token to call APIs for daily usage.

Using GitNex is not obligatory, especially if it lacks more advanced auth methods that reverse proxy may implement.

@wxiaoguang
Copy link
Contributor

It's not ideal to use ReverseProxy for APIs.

Why?

It breaks the protection of the privileged APIs. By design (if I understand correctly), a user with 2FA must pass their 2FA to access the protected APIs, but the ReverseProxy auth knows nothing about it and can not provide such protection. Maybe it's not very serious in some cases, but since the mechanism exists, it should be a complete solution, or at least all edge cases should be documented first.

@pboguslawski
Copy link
Contributor

It breaks the protection of the privileged APIs. By design (if I understand correctly), a user with 2FA must pass their 2FA to access the protected APIs, but the ReverseProxy auth knows nothing about it and can not provide such protection.

Giteas 2FA and Giteas "privileged APIs" should be optional. ReverseProxy may be used without 2FA at gitea side. Some ReverseProxys may handle 2FA and extra "privileges" itself (i.e. based on URL path or request payload).

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 27, 2022

It breaks the protection of the privileged APIs. By design (if I understand correctly), a user with 2FA must pass their 2FA to access the protected APIs, but the ReverseProxy auth knows nothing about it and can not provide such protection.

Giteas 2FA and Giteas "privileged APIs" should be optional. ReverseProxy may be used without 2FA at gitea side. Some ReverseProxys may handle 2FA and extra "privileges" itself (i.e. based on URL path or request payload).

I could agree if there are really some suitable ReverseProxys if they work properly. If a ReverseProxy could handle the extra "privileges", could it just use (let users provide) API access tokens when users access the APIs? It could be a more secure solution.

For me, personally I haven't understood why a user must call APIs without access token.

ps: I don't have strong preference since I am not using the ReverseProxy for Gitea either. Actually, I voted for allowing Gitea's web session to call API with CSRF protection before, and then it might be consistent to allow ReverseProxy auth to be used in API (the privileged part should also be re-designed). However at the moment, the API auth is designed to be different from web sessions, so I vote for keeping consistency (3rd auth for web, while access tokens for API). Just my opinion.

@pboguslawski
Copy link
Contributor

pboguslawski commented Dec 27, 2022

For me, personally I haven't understood why a user must call APIs without access token

There are many other auth and permission assignment solutions, not just 2FA and token stuff. You can for example use simple machine account (separate username in gitea) and authenticate it to reverse proxy with strong auth method. If API need "privileged" areas - should probably be protected with separate permission set in user config not hardcoded with forcing one or other auth method. Authentication and authorization areas should be configured separately probably. Removing existing API auth method (reverse proxy) to keep hardcoded permission stuff working does not sound good (separate permission configured for user sounds better IHMO).

lunny pushed a commit to lunny/gitea that referenced this pull request Dec 27, 2022
Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace go-gitea#22077
Close go-gitea#22221 
Close go-gitea#22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>
lunny pushed a commit to lunny/gitea that referenced this pull request Dec 27, 2022
Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace go-gitea#22077
Close go-gitea#22221 
Close go-gitea#22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>
@lunny lunny added the backport/done All backports for this PR have been created label Dec 27, 2022
KN4CK3R pushed a commit that referenced this pull request Dec 27, 2022
backport from #22219

Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
@zeripath zeripath deleted the replace-22077-disable-reverse-proxy-api branch December 29, 2022 18:00
lafriks pushed a commit that referenced this pull request Dec 30, 2022
backport #22219

Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
@vszakats
Copy link
Contributor

vszakats commented Jan 26, 2023

It took a fair bit of research to reach to this PR. I expected such change listed under BREAKING. There is no mention about it in the reverse proxy docs, or the config example, which lists ENABLE_REVERSE_PROXY_AUTHENTICATION as before.

Before this patch, the situation was clear cut, the reverse proxy doing all the auth work and passing around a username to Gitea, for both UI and API. After this, the API side is unconditionally gone. Not only the API side, but direct Git access, too, apparently. (Both falling back to Basic Auth instead.)

What is a suggested replacement solution/configuration for such scenario?

[ Tried Access Tokens, but could not make it work in this context. ]

@jolheiser
Copy link
Member

Ah, it looks like this PR is labeled breaking, but the backport wasn't, so it didn't end up in the breaking changes for the blog.
I will look at adding it to the blog, thanks for the reminder!

As for auth with git, you should be able to use basic auth with a token as the password if I'm remembering correctly.

@vszakats
Copy link
Contributor

vszakats commented Jan 26, 2023

@jolheiser I wonder how to go through the reverse proxy's auth first, then go through a second, basic auth in Gitea itself? All this with a standard Git command. Is this feasible, or practical?

Thanks for the blog update. I looked at the release notes here, maybe something to consider updating too.

Sh4kE added a commit to Sh4kE/k8s-projects that referenced this pull request Feb 28, 2023
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [gitea/gitea](https://github.com/go-gitea/gitea) | minor | `1.17.3-rootless` -> `1.18.5-rootless` |

---

### Release Notes

<details>
<summary>go-gitea/gitea</summary>

### [`v1.18.5`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1185-httpsgithubcomgo-giteagiteareleasestagv1185---2023-02-21)

[Compare Source](go-gitea/gitea@v1.18.4...v1.18.5)

-   ENHANCEMENTS
    -   Hide 2FA status from other members in organization members list ([#&#8203;22999](go-gitea/gitea#22999)) ([#&#8203;23023](go-gitea/gitea#23023))
-   BUGFIXES
    -   Add force_merge to merge request and fix checking mergable ([#&#8203;23010](go-gitea/gitea#23010)) ([#&#8203;23032](go-gitea/gitea#23032))
    -   Use `--message=%s` for git commit message ([#&#8203;23028](go-gitea/gitea#23028)) ([#&#8203;23029](go-gitea/gitea#23029))
    -   Render access log template as text instead of HTML ([#&#8203;23013](go-gitea/gitea#23013)) ([#&#8203;23025](go-gitea/gitea#23025))
    -   Fix the Manually Merged form ([#&#8203;23015](go-gitea/gitea#23015)) ([#&#8203;23017](go-gitea/gitea#23017))
    -   Use beforeCommit instead of baseCommit ([#&#8203;22949](go-gitea/gitea#22949)) ([#&#8203;22996](go-gitea/gitea#22996))
    -   Display attachments of review comment when comment content is blank ([#&#8203;23035](go-gitea/gitea#23035)) ([#&#8203;23046](go-gitea/gitea#23046))
    -   Return empty url for submodule tree entries ([#&#8203;23043](go-gitea/gitea#23043)) ([#&#8203;23048](go-gitea/gitea#23048))

### [`v1.18.4`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1184-httpsgithubcomgo-giteagiteareleasestag1184---2023-02-20)

[Compare Source](go-gitea/gitea@v1.18.3...v1.18.4)

-   SECURITY
    -   Provide the ability to set password hash algorithm parameters ([#&#8203;22942](go-gitea/gitea#22942)) ([#&#8203;22943](go-gitea/gitea#22943))
    -   Add command to bulk set must-change-password ([#&#8203;22823](go-gitea/gitea#22823)) ([#&#8203;22928](go-gitea/gitea#22928))
-   ENHANCEMENTS
    -   Use import of OCI structs ([#&#8203;22765](go-gitea/gitea#22765)) ([#&#8203;22805](go-gitea/gitea#22805))
    -   Fix color of tertiary button on dark theme ([#&#8203;22739](go-gitea/gitea#22739)) ([#&#8203;22744](go-gitea/gitea#22744))
    -   Link issue and pull requests status change in UI notifications directly to their event in the timelined view. ([#&#8203;22627](go-gitea/gitea#22627)) ([#&#8203;22642](go-gitea/gitea#22642))
-   BUGFIXES
    -   Notify on container image create ([#&#8203;22806](go-gitea/gitea#22806)) ([#&#8203;22965](go-gitea/gitea#22965))
    -   Fix blame view missing lines ([#&#8203;22826](go-gitea/gitea#22826)) ([#&#8203;22929](go-gitea/gitea#22929))
    -   Fix incorrect role labels for migrated issues and comments ([#&#8203;22914](go-gitea/gitea#22914)) ([#&#8203;22923](go-gitea/gitea#22923))
    -   Fix PR file tree folders no longer collapsing ([#&#8203;22864](go-gitea/gitea#22864)) ([#&#8203;22872](go-gitea/gitea#22872))
    -   Escape filename when assemble URL ([#&#8203;22850](go-gitea/gitea#22850)) ([#&#8203;22871](go-gitea/gitea#22871))
    -   Fix isAllowed of escapeStreamer ([#&#8203;22814](go-gitea/gitea#22814)) ([#&#8203;22837](go-gitea/gitea#22837))
    -   Load issue before accessing index in merge message ([#&#8203;22822](go-gitea/gitea#22822)) ([#&#8203;22830](go-gitea/gitea#22830))
    -   Improve trace logging for pulls and processes ([#&#8203;22633](go-gitea/gitea#22633)) ([#&#8203;22812](go-gitea/gitea#22812))
    -   Fix restore repo bug, clarify the problem of ForeignIndex ([#&#8203;22776](go-gitea/gitea#22776)) ([#&#8203;22794](go-gitea/gitea#22794))
    -   Add default user visibility to cli command "admin user create" ([#&#8203;22750](go-gitea/gitea#22750)) ([#&#8203;22760](go-gitea/gitea#22760))
    -   Escape path for the file list ([#&#8203;22741](go-gitea/gitea#22741)) ([#&#8203;22757](go-gitea/gitea#22757))
    -   Fix bugs with WebAuthn preventing sign in and registration. ([#&#8203;22651](go-gitea/gitea#22651)) ([#&#8203;22721](go-gitea/gitea#22721))
    -   Add missing close bracket in imagediff ([#&#8203;22710](go-gitea/gitea#22710)) ([#&#8203;22712](go-gitea/gitea#22712))
    -   Move code comments to a standalone file and fix the bug when adding a reply to an outdated review appears to not post([#&#8203;20821](go-gitea/gitea#20821)) ([#&#8203;22707](go-gitea/gitea#22707))
    -   Fix line spacing for plaintext previews ([#&#8203;22699](go-gitea/gitea#22699)) ([#&#8203;22701](go-gitea/gitea#22701))
    -   Fix wrong hint when deleting a branch successfully from pull request UI ([#&#8203;22673](go-gitea/gitea#22673)) ([#&#8203;22698](go-gitea/gitea#22698))
    -   Fix README TOC links ([#&#8203;22577](go-gitea/gitea#22577)) ([#&#8203;22677](go-gitea/gitea#22677))
    -   Fix missing message in git hook when pull requests disabled on fork ([#&#8203;22625](go-gitea/gitea#22625)) ([#&#8203;22658](go-gitea/gitea#22658))
    -   Improve checkIfPRContentChanged ([#&#8203;22611](go-gitea/gitea#22611)) ([#&#8203;22644](go-gitea/gitea#22644))
    -   Prevent duplicate labels when importing more than 99 ([#&#8203;22591](go-gitea/gitea#22591)) ([#&#8203;22598](go-gitea/gitea#22598))
    -   Don't return duplicated users who can create org repo ([#&#8203;22560](go-gitea/gitea#22560)) ([#&#8203;22562](go-gitea/gitea#22562))
-   BUILD
    -   Upgrade golangcilint to v1.51.0 ([#&#8203;22764](go-gitea/gitea#22764))
-   MISC
    -   Use proxy for pull mirror ([#&#8203;22771](go-gitea/gitea#22771)) ([#&#8203;22772](go-gitea/gitea#22772))
    -   Use `--index-url` in PyPi description ([#&#8203;22620](go-gitea/gitea#22620)) ([#&#8203;22636](go-gitea/gitea#22636))

### [`v1.18.3`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1183-httpsgithubcomgo-giteagiteareleasestagv1183---2023-01-23)

[Compare Source](go-gitea/gitea@v1.18.2...v1.18.3)

-   SECURITY
    -   Prevent multiple `To` recipients ([#&#8203;22566](go-gitea/gitea#22566)) ([#&#8203;22569](go-gitea/gitea#22569))
-   BUGFIXES
    -   Truncate commit summary on repo files table. ([#&#8203;22551](go-gitea/gitea#22551)) ([#&#8203;22552](go-gitea/gitea#22552))
    -   Mute all links in issue timeline ([#&#8203;22534](go-gitea/gitea#22534))

### [`v1.18.2`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1182-httpsgithubcomgo-giteagiteareleasestagv1182---2023-01-19)

[Compare Source](go-gitea/gitea@v1.18.1...v1.18.2)

-   BUGFIXES
    -   Fix issue not auto-closing when it includes a reference to a branch ([#&#8203;22514](go-gitea/gitea#22514)) ([#&#8203;22521](go-gitea/gitea#22521))
    -   Fix invalid issue branch reference if not specified in template ([#&#8203;22513](go-gitea/gitea#22513)) ([#&#8203;22520](go-gitea/gitea#22520))
    -   Fix 500 error viewing pull request when fork has pull requests disabled ([#&#8203;22512](go-gitea/gitea#22512)) ([#&#8203;22515](go-gitea/gitea#22515))
    -   Reliable selection of admin user ([#&#8203;22509](go-gitea/gitea#22509)) ([#&#8203;22511](go-gitea/gitea#22511))
    -   Set disable_gravatar/enable_federated_avatar when offline mode is true ([#&#8203;22479](go-gitea/gitea#22479)) ([#&#8203;22496](go-gitea/gitea#22496))
-   BUILD
    -   cgo cross-compile for freebsd ([#&#8203;22397](go-gitea/gitea#22397)) ([#&#8203;22519](go-gitea/gitea#22519))

### [`v1.18.1`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1181-httpsgithubcomgo-giteagiteareleasestagv1181---2023-01-17)

[Compare Source](go-gitea/gitea@v1.18.0...v1.18.1)

-   API
    -   Add `sync_on_commit` option for push mirrors api ([#&#8203;22271](go-gitea/gitea#22271)) ([#&#8203;22292](go-gitea/gitea#22292))
-   BUGFIXES
    -   Update `github.com/zeripath/zapx/v15` ([#&#8203;22485](go-gitea/gitea#22485))
    -   Fix pull request API field `closed_at` always being `null` ([#&#8203;22482](go-gitea/gitea#22482)) ([#&#8203;22483](go-gitea/gitea#22483))
    -   Fix container blob mount ([#&#8203;22226](go-gitea/gitea#22226)) ([#&#8203;22476](go-gitea/gitea#22476))
    -   Fix error when calculating repository size ([#&#8203;22392](go-gitea/gitea#22392)) ([#&#8203;22474](go-gitea/gitea#22474))
    -   Fix Operator does not exist bug on explore page with ONLY_SHOW_RELEVANT_REPOS ([#&#8203;22454](go-gitea/gitea#22454)) ([#&#8203;22472](go-gitea/gitea#22472))
    -   Fix environments for KaTeX and error reporting ([#&#8203;22453](go-gitea/gitea#22453)) ([#&#8203;22473](go-gitea/gitea#22473))
    -   Remove the netgo tag for Windows build ([#&#8203;22467](go-gitea/gitea#22467)) ([#&#8203;22468](go-gitea/gitea#22468))
    -   Fix migration from GitBucket ([#&#8203;22477](go-gitea/gitea#22477)) ([#&#8203;22465](go-gitea/gitea#22465))
    -   Prevent panic on looking at api "git" endpoints for empty repos ([#&#8203;22457](go-gitea/gitea#22457)) ([#&#8203;22458](go-gitea/gitea#22458))
    -   Fix PR status layout on mobile ([#&#8203;21547](go-gitea/gitea#21547)) ([#&#8203;22441](go-gitea/gitea#22441))
    -   Fix wechatwork webhook sends empty content in PR review ([#&#8203;21762](go-gitea/gitea#21762)) ([#&#8203;22440](go-gitea/gitea#22440))
    -   Remove duplicate "Actions" label in mobile view ([#&#8203;21974](go-gitea/gitea#21974)) ([#&#8203;22439](go-gitea/gitea#22439))
    -   Fix leaving organization bug on user settings -> orgs ([#&#8203;21983](go-gitea/gitea#21983)) ([#&#8203;22438](go-gitea/gitea#22438))
    -   Fixed colour transparency regex matching in project board sorting ([#&#8203;22092](go-gitea/gitea#22092)) ([#&#8203;22437](go-gitea/gitea#22437))
    -   Correctly handle select on multiple channels in Queues ([#&#8203;22146](go-gitea/gitea#22146)) ([#&#8203;22428](go-gitea/gitea#22428))
    -   Prepend refs/heads/ to issue template refs ([#&#8203;20461](go-gitea/gitea#20461)) ([#&#8203;22427](go-gitea/gitea#22427))
    -   Restore function to "Show more" buttons ([#&#8203;22399](go-gitea/gitea#22399)) ([#&#8203;22426](go-gitea/gitea#22426))
    -   Continue GCing other repos on error in one repo ([#&#8203;22422](go-gitea/gitea#22422)) ([#&#8203;22425](go-gitea/gitea#22425))
    -   Allow HOST has no port ([#&#8203;22280](go-gitea/gitea#22280)) ([#&#8203;22409](go-gitea/gitea#22409))
    -   Fix omit avatar_url in discord payload when empty ([#&#8203;22393](go-gitea/gitea#22393)) ([#&#8203;22394](go-gitea/gitea#22394))
    -   Don't display stop watch top bar icon when disabled and hidden when click other place ([#&#8203;22374](go-gitea/gitea#22374)) ([#&#8203;22387](go-gitea/gitea#22387))
    -   Don't lookup mail server when using sendmail ([#&#8203;22300](go-gitea/gitea#22300)) ([#&#8203;22383](go-gitea/gitea#22383))
    -   Fix gravatar disable bug ([#&#8203;22337](go-gitea/gitea#22337))
    -   Fix update settings table on install ([#&#8203;22326](go-gitea/gitea#22326)) ([#&#8203;22327](go-gitea/gitea#22327))
    -   Fix sitemap ([#&#8203;22272](go-gitea/gitea#22272)) ([#&#8203;22320](go-gitea/gitea#22320))
    -   Fix code search title translation ([#&#8203;22285](go-gitea/gitea#22285)) ([#&#8203;22316](go-gitea/gitea#22316))
    -   Fix due date rendering the wrong date in issue ([#&#8203;22302](go-gitea/gitea#22302)) ([#&#8203;22306](go-gitea/gitea#22306))
    -   Fix get system setting bug when enabled redis cache ([#&#8203;22298](go-gitea/gitea#22298))
    -   Fix bug of DisableGravatar default value ([#&#8203;22297](go-gitea/gitea#22297))
    -   Fix key signature error page ([#&#8203;22229](go-gitea/gitea#22229)) ([#&#8203;22230](go-gitea/gitea#22230))
-   TESTING
    -   Remove test session cache to reduce possible concurrent problem ([#&#8203;22199](go-gitea/gitea#22199)) ([#&#8203;22429](go-gitea/gitea#22429))
-   MISC
    -   Restore previous official review when an official review is deleted ([#&#8203;22449](go-gitea/gitea#22449)) ([#&#8203;22460](go-gitea/gitea#22460))
    -   Log STDERR of external renderer when it fails ([#&#8203;22442](go-gitea/gitea#22442)) ([#&#8203;22444](go-gitea/gitea#22444))

### [`v1.18.0`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1180-httpsgithubcomgo-giteagiteareleasestagv1180---2022-12-29)

[Compare Source](go-gitea/gitea@v1.17.4...v1.18.0)

-   SECURITY
    -   Remove ReverseProxy authentication from the API ([#&#8203;22219](go-gitea/gitea#22219)) ([#&#8203;22251](go-gitea/gitea#22251))
    -   Support Go Vulnerability Management ([#&#8203;21139](go-gitea/gitea#21139))
    -   Forbid HTML string tooltips ([#&#8203;20935](go-gitea/gitea#20935))
-   BREAKING
    -   Rework mailer settings ([#&#8203;18982](go-gitea/gitea#18982))
    -   Remove U2F support ([#&#8203;20141](go-gitea/gitea#20141))
    -   Refactor `i18n` to `locale` ([#&#8203;20153](go-gitea/gitea#20153))
    -   Enable contenthash in filename for dynamic assets ([#&#8203;20813](go-gitea/gitea#20813))
-   FEATURES
    -   Add color previews in markdown ([#&#8203;21474](go-gitea/gitea#21474))
    -   Allow package version sorting ([#&#8203;21453](go-gitea/gitea#21453))
    -   Add support for Chocolatey/NuGet v2 API ([#&#8203;21393](go-gitea/gitea#21393))
    -   Add API endpoint to get changed files of a PR ([#&#8203;21177](go-gitea/gitea#21177))
    -   Add filetree on left of diff view ([#&#8203;21012](go-gitea/gitea#21012))
    -   Support Issue forms and PR forms ([#&#8203;20987](go-gitea/gitea#20987))
    -   Add support for Vagrant packages ([#&#8203;20930](go-gitea/gitea#20930))
    -   Add support for `npm unpublish` ([#&#8203;20688](go-gitea/gitea#20688))
    -   Add badge capabilities to users ([#&#8203;20607](go-gitea/gitea#20607))
    -   Add issue filter for Author ([#&#8203;20578](go-gitea/gitea#20578))
    -   Add KaTeX rendering to Markdown. ([#&#8203;20571](go-gitea/gitea#20571))
    -   Add support for Pub packages ([#&#8203;20560](go-gitea/gitea#20560))
    -   Support localized README ([#&#8203;20508](go-gitea/gitea#20508))
    -   Add support mCaptcha as captcha provider ([#&#8203;20458](go-gitea/gitea#20458))
    -   Add team member invite by email ([#&#8203;20307](go-gitea/gitea#20307))
    -   Added email notification option to receive all own messages ([#&#8203;20179](go-gitea/gitea#20179))
    -   Switch Unicode Escaping to a VSCode-like system ([#&#8203;19990](go-gitea/gitea#19990))
    -   Add user/organization code search ([#&#8203;19977](go-gitea/gitea#19977))
    -   Only show relevant repositories on explore page ([#&#8203;19361](go-gitea/gitea#19361))
    -   User keypairs and HTTP signatures for ActivityPub federation using go-ap ([#&#8203;19133](go-gitea/gitea#19133))
    -   Add sitemap support ([#&#8203;18407](go-gitea/gitea#18407))
    -   Allow creation of OAuth2 applications for orgs ([#&#8203;18084](go-gitea/gitea#18084))
    -   Add system setting table with cache and also add cache supports for user setting ([#&#8203;18058](go-gitea/gitea#18058))
    -   Add pages to view watched repos and subscribed issues/PRs ([#&#8203;17156](go-gitea/gitea#17156))
    -   Support Proxy protocol ([#&#8203;12527](go-gitea/gitea#12527))
    -   Implement sync push mirror on commit ([#&#8203;19411](go-gitea/gitea#19411))
-   API
    -   Allow empty assignees on pull request edit ([#&#8203;22150](go-gitea/gitea#22150)) ([#&#8203;22214](go-gitea/gitea#22214))
    -   Make external issue tracker regexp configurable via API ([#&#8203;21338](go-gitea/gitea#21338))
    -   Add name field for org api ([#&#8203;21270](go-gitea/gitea#21270))
    -   Show teams with no members if user is admin ([#&#8203;21204](go-gitea/gitea#21204))
    -   Add latest commit's SHA to content response ([#&#8203;20398](go-gitea/gitea#20398))
    -   Add allow_rebase_update, default_delete_branch_after_merge to repository api response ([#&#8203;20079](go-gitea/gitea#20079))
    -   Add new endpoints for push mirrors management ([#&#8203;19841](go-gitea/gitea#19841))
-   ENHANCEMENTS
    -   Add setting to disable the git apply step in test patch ([#&#8203;22130](go-gitea/gitea#22130)) ([#&#8203;22170](go-gitea/gitea#22170))
    -   Multiple improvements for comment edit diff ([#&#8203;21990](go-gitea/gitea#21990)) ([#&#8203;22007](go-gitea/gitea#22007))
    -   Fix button in branch list, avoid unexpected page jump before restore branch actually done ([#&#8203;21562](go-gitea/gitea#21562)) ([#&#8203;21928](go-gitea/gitea#21928))
    -   Fix flex layout for repo list icons ([#&#8203;21896](go-gitea/gitea#21896)) ([#&#8203;21920](go-gitea/gitea#21920))
    -   Fix vertical align of committer avatar rendered by email address ([#&#8203;21884](go-gitea/gitea#21884)) ([#&#8203;21918](go-gitea/gitea#21918))
    -   Fix setting HTTP headers after write ([#&#8203;21833](go-gitea/gitea#21833)) ([#&#8203;21877](go-gitea/gitea#21877))
    -   Color and Style enhancements ([#&#8203;21784](go-gitea/gitea#21784), [#&#8203;21799](go-gitea/gitea#21799)) ([#&#8203;21868](go-gitea/gitea#21868))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21776](go-gitea/gitea#21776))
    -   Quick fixes monaco-editor error: "vs.editor.nullLanguage" ([#&#8203;21734](go-gitea/gitea#21734)) ([#&#8203;21738](go-gitea/gitea#21738))
    -   Use CSS color-scheme instead of invert ([#&#8203;21616](go-gitea/gitea#21616)) ([#&#8203;21623](go-gitea/gitea#21623))
    -   Respect user's locale when rendering the date range in the repo activity page ([#&#8203;21410](go-gitea/gitea#21410))
    -   Change `commits-table` column width ([#&#8203;21564](go-gitea/gitea#21564))
    -   Refactor git command arguments and make all arguments to be safe to be used ([#&#8203;21535](go-gitea/gitea#21535))
    -   CSS color enhancements ([#&#8203;21534](go-gitea/gitea#21534))
    -   Add link to user profile in markdown mention only if user exists ([#&#8203;21533](go-gitea/gitea#21533), [#&#8203;21554](go-gitea/gitea#21554))
    -   Add option to skip index dirs ([#&#8203;21501](go-gitea/gitea#21501))
    -   Diff file tree tweaks ([#&#8203;21446](go-gitea/gitea#21446))
    -   Localize all timestamps ([#&#8203;21440](go-gitea/gitea#21440))
    -   Add `code` highlighting in issue titles ([#&#8203;21432](go-gitea/gitea#21432))
    -   Use Name instead of DisplayName in LFS Lock ([#&#8203;21415](go-gitea/gitea#21415))
    -   Consolidate more CSS colors into variables ([#&#8203;21402](go-gitea/gitea#21402))
    -   Redirect to new repository owner ([#&#8203;21398](go-gitea/gitea#21398))
    -   Use ISO date format instead of hard-coded English date format for date range in repo activity page ([#&#8203;21396](go-gitea/gitea#21396))
    -   Use weighted algorithm for string matching when finding files in repo ([#&#8203;21370](go-gitea/gitea#21370))
    -   Show private data in feeds ([#&#8203;21369](go-gitea/gitea#21369))
    -   Refactor parseTreeEntries, speed up tree list ([#&#8203;21368](go-gitea/gitea#21368))
    -   Add GET and DELETE endpoints for Docker blob uploads ([#&#8203;21367](go-gitea/gitea#21367))
    -   Add nicer error handling on template compile errors ([#&#8203;21350](go-gitea/gitea#21350))
    -   Add `stat` to `ToCommit` function for speed ([#&#8203;21337](go-gitea/gitea#21337))
    -   Support instance-wide OAuth2 applications ([#&#8203;21335](go-gitea/gitea#21335))
    -   Record OAuth client type at registration ([#&#8203;21316](go-gitea/gitea#21316))
    -   Add new CSS variables --color-accent and --color-small-accent ([#&#8203;21305](go-gitea/gitea#21305))
    -   Improve error descriptions for unauthorized_client ([#&#8203;21292](go-gitea/gitea#21292))
    -   Case-insensitive "find files in repo" ([#&#8203;21269](go-gitea/gitea#21269))
    -   Consolidate more CSS rules, fix inline code on arc-green ([#&#8203;21260](go-gitea/gitea#21260))
    -   Log real ip of requests from ssh ([#&#8203;21216](go-gitea/gitea#21216))
    -   Save files in local storage as group readable ([#&#8203;21198](go-gitea/gitea#21198))
    -   Enable fluid page layout on medium size viewports ([#&#8203;21178](go-gitea/gitea#21178))
    -   File header tweaks ([#&#8203;21175](go-gitea/gitea#21175))
    -   Added missing headers on user packages page ([#&#8203;21172](go-gitea/gitea#21172))
    -   Display image digest for container packages ([#&#8203;21170](go-gitea/gitea#21170))
    -   Skip dirty check for team forms ([#&#8203;21154](go-gitea/gitea#21154))
    -   Keep path when creating a new branch ([#&#8203;21153](go-gitea/gitea#21153))
    -   Remove fomantic image module ([#&#8203;21145](go-gitea/gitea#21145))
    -   Make labels clickable in the comments section. ([#&#8203;21137](go-gitea/gitea#21137))
    -   Sort branches and tags by date descending ([#&#8203;21136](go-gitea/gitea#21136))
    -   Better repo API unit checks ([#&#8203;21130](go-gitea/gitea#21130))
    -   Improve commit status icons ([#&#8203;21124](go-gitea/gitea#21124))
    -   Limit length of repo description and repo url input fields ([#&#8203;21119](go-gitea/gitea#21119))
    -   Show .editorconfig errors in frontend ([#&#8203;21088](go-gitea/gitea#21088))
    -   Allow poster to choose reviewers ([#&#8203;21084](go-gitea/gitea#21084))
    -   Remove black labels and CSS cleanup ([#&#8203;21003](go-gitea/gitea#21003))
    -   Make e-mail sanity check more precise ([#&#8203;20991](go-gitea/gitea#20991))
    -   Use native inputs in whitespace dropdown ([#&#8203;20980](go-gitea/gitea#20980))
    -   Enhance package date display ([#&#8203;20928](go-gitea/gitea#20928))
    -   Display total blob size of a package version ([#&#8203;20927](go-gitea/gitea#20927))
    -   Show language name on hover ([#&#8203;20923](go-gitea/gitea#20923))
    -   Show instructions for all generic package files ([#&#8203;20917](go-gitea/gitea#20917))
    -   Refactor AssertExistsAndLoadBean to use generics ([#&#8203;20797](go-gitea/gitea#20797))
    -   Move the official website link at the footer of gitea ([#&#8203;20777](go-gitea/gitea#20777))
    -   Add support for full name in reverse proxy auth ([#&#8203;20776](go-gitea/gitea#20776))
    -   Remove useless JS operation for relative time tooltips ([#&#8203;20756](go-gitea/gitea#20756))
    -   Replace some icons with SVG ([#&#8203;20741](go-gitea/gitea#20741))
    -   Change commit status icons to SVG ([#&#8203;20736](go-gitea/gitea#20736))
    -   Improve single repo action for issue and pull requests ([#&#8203;20730](go-gitea/gitea#20730))
    -   Allow multiple files in generic packages ([#&#8203;20661](go-gitea/gitea#20661))
    -   Add option to create new issue from /issues page ([#&#8203;20650](go-gitea/gitea#20650))
    -   Background color of private list-items updated ([#&#8203;20630](go-gitea/gitea#20630))
    -   Added search input field to issue filter ([#&#8203;20623](go-gitea/gitea#20623))
    -   Increase default item listing size `ISSUE_PAGING_NUM` to 20 ([#&#8203;20547](go-gitea/gitea#20547))
    -   Modify milestone search keywords to be case insensitive again ([#&#8203;20513](go-gitea/gitea#20513))
    -   Show hint to link package to repo when viewing empty repo package list ([#&#8203;20504](go-gitea/gitea#20504))
    -   Add Tar ZSTD support ([#&#8203;20493](go-gitea/gitea#20493))
    -   Make code review checkboxes clickable ([#&#8203;20481](go-gitea/gitea#20481))
    -   Add "X-Gitea-Object-Type" header for GET `/raw/` & `/media/` API ([#&#8203;20438](go-gitea/gitea#20438))
    -   Display project in issue list ([#&#8203;20434](go-gitea/gitea#20434))
    -   Prepend commit message to template content when opening a new PR ([#&#8203;20429](go-gitea/gitea#20429))
    -   Replace fomantic popup module with tippy.js ([#&#8203;20428](go-gitea/gitea#20428))
    -   Allow to specify colors for text in markup ([#&#8203;20363](go-gitea/gitea#20363))
    -   Allow access to the Public Organization Member lists with minimal permissions ([#&#8203;20330](go-gitea/gitea#20330))
    -   Use default values when provided values are empty ([#&#8203;20318](go-gitea/gitea#20318))
    -   Vertical align navbar avatar at middle ([#&#8203;20302](go-gitea/gitea#20302))
    -   Delete cancel button in repo creation page ([#&#8203;21381](go-gitea/gitea#21381))
    -   Include login_name in adminCreateUser response ([#&#8203;20283](go-gitea/gitea#20283))
    -   fix: icon margin in user/settings/repos ([#&#8203;20281](go-gitea/gitea#20281))
    -   Remove blue text on migrate page ([#&#8203;20273](go-gitea/gitea#20273))
    -   Modify milestone search keywords to be case insensitive ([#&#8203;20266](go-gitea/gitea#20266))
    -   Move some files into models' sub packages ([#&#8203;20262](go-gitea/gitea#20262))
    -   Add tooltip to repo icons in explore page ([#&#8203;20241](go-gitea/gitea#20241))
    -   Remove deprecated licenses ([#&#8203;20222](go-gitea/gitea#20222))
    -   Webhook for Wiki changes ([#&#8203;20219](go-gitea/gitea#20219))
    -   Share HTML template renderers and create a watcher framework ([#&#8203;20218](go-gitea/gitea#20218))
    -   Allow enable LDAP source and disable user sync via CLI ([#&#8203;20206](go-gitea/gitea#20206))
    -   Adds a checkbox to select all issues/PRs ([#&#8203;20177](go-gitea/gitea#20177))
    -   Refactor `i18n` to `locale` ([#&#8203;20153](go-gitea/gitea#20153))
    -   Disable status checks in template if none found ([#&#8203;20088](go-gitea/gitea#20088))
    -   Allow manager logging to set SQL ([#&#8203;20064](go-gitea/gitea#20064))
    -   Add order by for assignee no sort issue ([#&#8203;20053](go-gitea/gitea#20053))
    -   Take a stab at porting existing components to Vue3 ([#&#8203;20044](go-gitea/gitea#20044))
    -   Add doctor command to write commit-graphs ([#&#8203;20007](go-gitea/gitea#20007))
    -   Add support for authentication based on reverse proxy email ([#&#8203;19949](go-gitea/gitea#19949))
    -   Enable spellcheck for EasyMDE, use contenteditable mode ([#&#8203;19776](go-gitea/gitea#19776))
    -   Allow specifying SECRET_KEY_URI, similar to INTERNAL_TOKEN_URI ([#&#8203;19663](go-gitea/gitea#19663))
    -   Rework mailer settings ([#&#8203;18982](go-gitea/gitea#18982))
    -   Add option to purge users ([#&#8203;18064](go-gitea/gitea#18064))
    -   Add author search input ([#&#8203;21246](go-gitea/gitea#21246))
    -   Make rss/atom identifier globally unique ([#&#8203;21550](go-gitea/gitea#21550))
-   BUGFIXES
    -   Auth interface return error when verify failure ([#&#8203;22119](go-gitea/gitea#22119)) ([#&#8203;22259](go-gitea/gitea#22259))
    -   Use complete SHA to create and query commit status ([#&#8203;22244](go-gitea/gitea#22244)) ([#&#8203;22257](go-gitea/gitea#22257))
    -   Update bleve and zapx to fix unaligned atomic ([#&#8203;22031](go-gitea/gitea#22031)) ([#&#8203;22218](go-gitea/gitea#22218))
    -   Prevent panic in doctor command when running default checks ([#&#8203;21791](go-gitea/gitea#21791)) ([#&#8203;21807](go-gitea/gitea#21807))
    -   Load GitRepo in API before deleting issue ([#&#8203;21720](go-gitea/gitea#21720)) ([#&#8203;21796](go-gitea/gitea#21796))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21776](go-gitea/gitea#21776))
    -   Set last login when activating account ([#&#8203;21731](go-gitea/gitea#21731)) ([#&#8203;21755](go-gitea/gitea#21755))
    -   Fix UI language switching bug ([#&#8203;21597](go-gitea/gitea#21597)) ([#&#8203;21749](go-gitea/gitea#21749))
    -   Quick fixes monaco-editor error: "vs.editor.nullLanguage" ([#&#8203;21734](go-gitea/gitea#21734)) ([#&#8203;21738](go-gitea/gitea#21738))
    -   Allow local package identifiers for PyPI packages ([#&#8203;21690](go-gitea/gitea#21690)) ([#&#8203;21727](go-gitea/gitea#21727))
    -   Deal with markdown template without metadata ([#&#8203;21639](go-gitea/gitea#21639)) ([#&#8203;21654](go-gitea/gitea#21654))
    -   Fix opaque background on mermaid diagrams ([#&#8203;21642](go-gitea/gitea#21642)) ([#&#8203;21652](go-gitea/gitea#21652))
    -   Fix repository adoption on Windows ([#&#8203;21646](go-gitea/gitea#21646)) ([#&#8203;21650](go-gitea/gitea#21650))
    -   Sync git hooks when config file path changed ([#&#8203;21619](go-gitea/gitea#21619)) ([#&#8203;21626](go-gitea/gitea#21626))
    -   Fix 500 on PR files API ([#&#8203;21602](go-gitea/gitea#21602)) ([#&#8203;21607](go-gitea/gitea#21607))
    -   Fix `Timestamp.IsZero` ([#&#8203;21593](go-gitea/gitea#21593)) ([#&#8203;21603](go-gitea/gitea#21603))
    -   Fix viewing user subscriptions ([#&#8203;21482](go-gitea/gitea#21482))
    -   Fix mermaid-related bugs ([#&#8203;21431](go-gitea/gitea#21431))
    -   Fix branch dropdown shifting on page load ([#&#8203;21428](go-gitea/gitea#21428))
    -   Fix default theme-auto selector when nologin ([#&#8203;21346](go-gitea/gitea#21346))
    -   Fix and improve incorrect error messages ([#&#8203;21342](go-gitea/gitea#21342))
    -   Fix formatted link for PR review notifications to matrix ([#&#8203;21319](go-gitea/gitea#21319))
    -   Center-aligning content of WebAuthN page ([#&#8203;21127](go-gitea/gitea#21127))
    -   Remove follow from commits by file ([#&#8203;20765](go-gitea/gitea#20765))
    -   Fix commit status popup ([#&#8203;20737](go-gitea/gitea#20737))
    -   Fix init mail render logic ([#&#8203;20704](go-gitea/gitea#20704))
    -   Use correct page size for link header pagination ([#&#8203;20546](go-gitea/gitea#20546))
    -   Preserve unix socket file ([#&#8203;20499](go-gitea/gitea#20499))
    -   Use tippy.js for context popup ([#&#8203;20393](go-gitea/gitea#20393))
    -   Add missing parameter for error in log message ([#&#8203;20144](go-gitea/gitea#20144))
    -   Do not allow organisation owners add themselves as collaborator ([#&#8203;20043](go-gitea/gitea#20043))
    -   Rework file highlight rendering and fix yaml copy-paste ([#&#8203;19967](go-gitea/gitea#19967))
    -   Improve code diff highlight, fix incorrect rendered diff result ([#&#8203;19958](go-gitea/gitea#19958))
-   TESTING
    -   Improve OAuth integration tests ([#&#8203;21390](go-gitea/gitea#21390))
    -   Add playwright tests ([#&#8203;20123](go-gitea/gitea#20123))
-   BUILD
    -   Switch to building with go1.19 ([#&#8203;20695](go-gitea/gitea#20695))
    -   Update JS dependencies, adjust eslint ([#&#8203;20659](go-gitea/gitea#20659))
    -   Add more linters to improve code readability ([#&#8203;19989](go-gitea/gitea#19989))

### [`v1.17.4`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1174-httpsgithubcomgo-giteagiteareleasestagv1174---2022-12-21)

[Compare Source](go-gitea/gitea@v1.17.3...v1.17.4)

-   SECURITY
    -   Do not allow Ghost access to limited visible user/org ([#&#8203;21849](go-gitea/gitea#21849)) ([#&#8203;21875](go-gitea/gitea#21875))
    -   Fix package access for admins and inactive users ([#&#8203;21580](go-gitea/gitea#21580)) ([#&#8203;21592](go-gitea/gitea#21592))
-   ENHANCEMENTS
    -   Fix button in branch list, avoid unexpected page jump before restore branch actually done ([#&#8203;21562](go-gitea/gitea#21562)) ([#&#8203;21927](go-gitea/gitea#21927))
    -   Fix vertical align of committer avatar rendered by email address ([#&#8203;21884](go-gitea/gitea#21884)) ([#&#8203;21919](go-gitea/gitea#21919))
    -   Fix setting HTTP headers after write ([#&#8203;21833](go-gitea/gitea#21833)) ([#&#8203;21874](go-gitea/gitea#21874))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21777](go-gitea/gitea#21777))
    -   Enable Monaco automaticLayout ([#&#8203;21516](go-gitea/gitea#21516))
-   BUGFIXES
    -   Do not list active repositories as unadopted ([#&#8203;22034](go-gitea/gitea#22034)) ([#&#8203;22167](go-gitea/gitea#22167))
    -   Correctly handle moved files in apply patch ([#&#8203;22118](go-gitea/gitea#22118)) ([#&#8203;22136](go-gitea/gitea#22136))
    -   Fix condition for is_internal ([#&#8203;22095](go-gitea/gitea#22095)) ([#&#8203;22131](go-gitea/gitea#22131))
    -   Fix permission check on issue/pull lock ([#&#8203;22114](go-gitea/gitea#22114))
    -   Fix sorting admin user list by last login ([#&#8203;22081](go-gitea/gitea#22081)) ([#&#8203;22106](go-gitea/gitea#22106))
    -   Workaround for container registry push/pull errors ([#&#8203;21862](go-gitea/gitea#21862)) ([#&#8203;22069](go-gitea/gitea#22069))
    -   Fix issue/PR numbers ([#&#8203;22037](go-gitea/gitea#22037)) ([#&#8203;22045](go-gitea/gitea#22045))
    -   Handle empty author names ([#&#8203;21902](go-gitea/gitea#21902)) ([#&#8203;22028](go-gitea/gitea#22028))
    -   Fix ListBranches to handle empty case ([#&#8203;21921](go-gitea/gitea#21921)) ([#&#8203;22025](go-gitea/gitea#22025))
    -   Fix enabling partial clones on 1.17 ([#&#8203;21809](go-gitea/gitea#21809))
    -   Prevent panic in doctor command when running default checks ([#&#8203;21791](go-gitea/gitea#21791)) ([#&#8203;21808](go-gitea/gitea#21808))
    -   Upgrade golang.org/x/crypto ([#&#8203;21792](go-gitea/gitea#21792)) ([#&#8203;21794](go-gitea/gitea#21794))
    -   Init git module before database migration ([#&#8203;21764](go-gitea/gitea#21764)) ([#&#8203;21766](go-gitea/gitea#21766))
    -   Set last login when activating account ([#&#8203;21731](go-gitea/gitea#21731)) ([#&#8203;21754](go-gitea/gitea#21754))
    -   Add HEAD fix to gitea doctor ([#&#8203;21352](go-gitea/gitea#21352)) ([#&#8203;21751](go-gitea/gitea#21751))
    -   Fix UI language switching bug ([#&#8203;21597](go-gitea/gitea#21597)) ([#&#8203;21748](go-gitea/gitea#21748))
    -   Remove semver compatible flag and change pypi to an array of test cases ([#&#8203;21708](go-gitea/gitea#21708)) ([#&#8203;21729](go-gitea/gitea#21729))
    -   Allow local package identifiers for PyPI packages ([#&#8203;21690](go-gitea/gitea#21690)) ([#&#8203;21726](go-gitea/gitea#21726))
    -   Fix repository adoption on Windows ([#&#8203;21646](go-gitea/gitea#21646)) ([#&#8203;21651](go-gitea/gitea#21651))
    -   Sync git hooks when config file path changed ([#&#8203;21619](go-gitea/gitea#21619)) ([#&#8203;21625](go-gitea/gitea#21625))
    -   Added check for disabled Packages ([#&#8203;21540](go-gitea/gitea#21540)) ([#&#8203;21614](go-gitea/gitea#21614))
    -   Fix `Timestamp.IsZero` ([#&#8203;21593](go-gitea/gitea#21593)) ([#&#8203;21604](go-gitea/gitea#21604))
    -   Fix issues count bug ([#&#8203;21600](go-gitea/gitea#21600))
    -   Support binary deploy in npm packages ([#&#8203;21589](go-gitea/gitea#21589))
    -   Update milestone counters when issue is deleted ([#&#8203;21459](go-gitea/gitea#21459)) ([#&#8203;21586](go-gitea/gitea#21586))
    -   SessionUser protection against nil pointer dereference ([#&#8203;21581](go-gitea/gitea#21581))
    -   Case-insensitive NuGet symbol file GUID ([#&#8203;21409](go-gitea/gitea#21409)) ([#&#8203;21575](go-gitea/gitea#21575))
    -   Suppress `ExternalLoginUserNotExist` error ([#&#8203;21504](go-gitea/gitea#21504)) ([#&#8203;21572](go-gitea/gitea#21572))
    -   Prevent Authorization header for presigned LFS urls ([#&#8203;21531](go-gitea/gitea#21531)) ([#&#8203;21569](go-gitea/gitea#21569))
    -   Update binding to fix bugs ([#&#8203;21560](go-gitea/gitea#21560))
    -   Fix generating compare link ([#&#8203;21519](go-gitea/gitea#21519)) ([#&#8203;21530](go-gitea/gitea#21530))
    -   Ignore error when retrieving changed PR review files ([#&#8203;21487](go-gitea/gitea#21487)) ([#&#8203;21524](go-gitea/gitea#21524))
    -   Fix incorrect notification commit url ([#&#8203;21479](go-gitea/gitea#21479)) ([#&#8203;21483](go-gitea/gitea#21483))
    -   Display total commit count in hook message ([#&#8203;21400](go-gitea/gitea#21400)) ([#&#8203;21481](go-gitea/gitea#21481))
    -   Enforce grouped NuGet search results ([#&#8203;21442](go-gitea/gitea#21442)) ([#&#8203;21480](go-gitea/gitea#21480))
    -   Return 404 when user is not found on avatar ([#&#8203;21476](go-gitea/gitea#21476)) ([#&#8203;21477](go-gitea/gitea#21477))
    -   Normalize NuGet package version on upload ([#&#8203;22186](go-gitea/gitea#22186)) ([#&#8203;22201](go-gitea/gitea#22201))
-   MISC
    -   Check for zero time instant in TimeStamp.IsZero() ([#&#8203;22171](go-gitea/gitea#22171)) ([#&#8203;22173](go-gitea/gitea#22173))
    -   Fix warn in database structs sync ([#&#8203;22111](go-gitea/gitea#22111))
    -   Allow for resolution of NPM registry paths that match upstream ([#&#8203;21568](go-gitea/gitea#21568)) ([#&#8203;21723](go-gitea/gitea#21723))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTIuMiIsInVwZGF0ZWRJblZlciI6IjM0LjE1Mi4yIn0=-->

Co-authored-by: Michael Wittig <michael.wittig@posteo.de>
Reviewed-on: https://gitea.sh4ke.rocks/sh4ke/k8s-projects/pulls/85
Sh4kE added a commit to Sh4kE/k8s-projects that referenced this pull request Feb 28, 2023
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [gitea/gitea](https://github.com/go-gitea/gitea) | minor | `1.17.3-rootless` -> `1.18.5-rootless` |

---

### Release Notes

<details>
<summary>go-gitea/gitea</summary>

### [`v1.18.5`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1185-httpsgithubcomgo-giteagiteareleasestagv1185---2023-02-21)

[Compare Source](go-gitea/gitea@v1.18.4...v1.18.5)

-   ENHANCEMENTS
    -   Hide 2FA status from other members in organization members list ([#&#8203;22999](go-gitea/gitea#22999)) ([#&#8203;23023](go-gitea/gitea#23023))
-   BUGFIXES
    -   Add force_merge to merge request and fix checking mergable ([#&#8203;23010](go-gitea/gitea#23010)) ([#&#8203;23032](go-gitea/gitea#23032))
    -   Use `--message=%s` for git commit message ([#&#8203;23028](go-gitea/gitea#23028)) ([#&#8203;23029](go-gitea/gitea#23029))
    -   Render access log template as text instead of HTML ([#&#8203;23013](go-gitea/gitea#23013)) ([#&#8203;23025](go-gitea/gitea#23025))
    -   Fix the Manually Merged form ([#&#8203;23015](go-gitea/gitea#23015)) ([#&#8203;23017](go-gitea/gitea#23017))
    -   Use beforeCommit instead of baseCommit ([#&#8203;22949](go-gitea/gitea#22949)) ([#&#8203;22996](go-gitea/gitea#22996))
    -   Display attachments of review comment when comment content is blank ([#&#8203;23035](go-gitea/gitea#23035)) ([#&#8203;23046](go-gitea/gitea#23046))
    -   Return empty url for submodule tree entries ([#&#8203;23043](go-gitea/gitea#23043)) ([#&#8203;23048](go-gitea/gitea#23048))

### [`v1.18.4`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1184-httpsgithubcomgo-giteagiteareleasestag1184---2023-02-20)

[Compare Source](go-gitea/gitea@v1.18.3...v1.18.4)

-   SECURITY
    -   Provide the ability to set password hash algorithm parameters ([#&#8203;22942](go-gitea/gitea#22942)) ([#&#8203;22943](go-gitea/gitea#22943))
    -   Add command to bulk set must-change-password ([#&#8203;22823](go-gitea/gitea#22823)) ([#&#8203;22928](go-gitea/gitea#22928))
-   ENHANCEMENTS
    -   Use import of OCI structs ([#&#8203;22765](go-gitea/gitea#22765)) ([#&#8203;22805](go-gitea/gitea#22805))
    -   Fix color of tertiary button on dark theme ([#&#8203;22739](go-gitea/gitea#22739)) ([#&#8203;22744](go-gitea/gitea#22744))
    -   Link issue and pull requests status change in UI notifications directly to their event in the timelined view. ([#&#8203;22627](go-gitea/gitea#22627)) ([#&#8203;22642](go-gitea/gitea#22642))
-   BUGFIXES
    -   Notify on container image create ([#&#8203;22806](go-gitea/gitea#22806)) ([#&#8203;22965](go-gitea/gitea#22965))
    -   Fix blame view missing lines ([#&#8203;22826](go-gitea/gitea#22826)) ([#&#8203;22929](go-gitea/gitea#22929))
    -   Fix incorrect role labels for migrated issues and comments ([#&#8203;22914](go-gitea/gitea#22914)) ([#&#8203;22923](go-gitea/gitea#22923))
    -   Fix PR file tree folders no longer collapsing ([#&#8203;22864](go-gitea/gitea#22864)) ([#&#8203;22872](go-gitea/gitea#22872))
    -   Escape filename when assemble URL ([#&#8203;22850](go-gitea/gitea#22850)) ([#&#8203;22871](go-gitea/gitea#22871))
    -   Fix isAllowed of escapeStreamer ([#&#8203;22814](go-gitea/gitea#22814)) ([#&#8203;22837](go-gitea/gitea#22837))
    -   Load issue before accessing index in merge message ([#&#8203;22822](go-gitea/gitea#22822)) ([#&#8203;22830](go-gitea/gitea#22830))
    -   Improve trace logging for pulls and processes ([#&#8203;22633](go-gitea/gitea#22633)) ([#&#8203;22812](go-gitea/gitea#22812))
    -   Fix restore repo bug, clarify the problem of ForeignIndex ([#&#8203;22776](go-gitea/gitea#22776)) ([#&#8203;22794](go-gitea/gitea#22794))
    -   Add default user visibility to cli command "admin user create" ([#&#8203;22750](go-gitea/gitea#22750)) ([#&#8203;22760](go-gitea/gitea#22760))
    -   Escape path for the file list ([#&#8203;22741](go-gitea/gitea#22741)) ([#&#8203;22757](go-gitea/gitea#22757))
    -   Fix bugs with WebAuthn preventing sign in and registration. ([#&#8203;22651](go-gitea/gitea#22651)) ([#&#8203;22721](go-gitea/gitea#22721))
    -   Add missing close bracket in imagediff ([#&#8203;22710](go-gitea/gitea#22710)) ([#&#8203;22712](go-gitea/gitea#22712))
    -   Move code comments to a standalone file and fix the bug when adding a reply to an outdated review appears to not post([#&#8203;20821](go-gitea/gitea#20821)) ([#&#8203;22707](go-gitea/gitea#22707))
    -   Fix line spacing for plaintext previews ([#&#8203;22699](go-gitea/gitea#22699)) ([#&#8203;22701](go-gitea/gitea#22701))
    -   Fix wrong hint when deleting a branch successfully from pull request UI ([#&#8203;22673](go-gitea/gitea#22673)) ([#&#8203;22698](go-gitea/gitea#22698))
    -   Fix README TOC links ([#&#8203;22577](go-gitea/gitea#22577)) ([#&#8203;22677](go-gitea/gitea#22677))
    -   Fix missing message in git hook when pull requests disabled on fork ([#&#8203;22625](go-gitea/gitea#22625)) ([#&#8203;22658](go-gitea/gitea#22658))
    -   Improve checkIfPRContentChanged ([#&#8203;22611](go-gitea/gitea#22611)) ([#&#8203;22644](go-gitea/gitea#22644))
    -   Prevent duplicate labels when importing more than 99 ([#&#8203;22591](go-gitea/gitea#22591)) ([#&#8203;22598](go-gitea/gitea#22598))
    -   Don't return duplicated users who can create org repo ([#&#8203;22560](go-gitea/gitea#22560)) ([#&#8203;22562](go-gitea/gitea#22562))
-   BUILD
    -   Upgrade golangcilint to v1.51.0 ([#&#8203;22764](go-gitea/gitea#22764))
-   MISC
    -   Use proxy for pull mirror ([#&#8203;22771](go-gitea/gitea#22771)) ([#&#8203;22772](go-gitea/gitea#22772))
    -   Use `--index-url` in PyPi description ([#&#8203;22620](go-gitea/gitea#22620)) ([#&#8203;22636](go-gitea/gitea#22636))

### [`v1.18.3`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1183-httpsgithubcomgo-giteagiteareleasestagv1183---2023-01-23)

[Compare Source](go-gitea/gitea@v1.18.2...v1.18.3)

-   SECURITY
    -   Prevent multiple `To` recipients ([#&#8203;22566](go-gitea/gitea#22566)) ([#&#8203;22569](go-gitea/gitea#22569))
-   BUGFIXES
    -   Truncate commit summary on repo files table. ([#&#8203;22551](go-gitea/gitea#22551)) ([#&#8203;22552](go-gitea/gitea#22552))
    -   Mute all links in issue timeline ([#&#8203;22534](go-gitea/gitea#22534))

### [`v1.18.2`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1182-httpsgithubcomgo-giteagiteareleasestagv1182---2023-01-19)

[Compare Source](go-gitea/gitea@v1.18.1...v1.18.2)

-   BUGFIXES
    -   Fix issue not auto-closing when it includes a reference to a branch ([#&#8203;22514](go-gitea/gitea#22514)) ([#&#8203;22521](go-gitea/gitea#22521))
    -   Fix invalid issue branch reference if not specified in template ([#&#8203;22513](go-gitea/gitea#22513)) ([#&#8203;22520](go-gitea/gitea#22520))
    -   Fix 500 error viewing pull request when fork has pull requests disabled ([#&#8203;22512](go-gitea/gitea#22512)) ([#&#8203;22515](go-gitea/gitea#22515))
    -   Reliable selection of admin user ([#&#8203;22509](go-gitea/gitea#22509)) ([#&#8203;22511](go-gitea/gitea#22511))
    -   Set disable_gravatar/enable_federated_avatar when offline mode is true ([#&#8203;22479](go-gitea/gitea#22479)) ([#&#8203;22496](go-gitea/gitea#22496))
-   BUILD
    -   cgo cross-compile for freebsd ([#&#8203;22397](go-gitea/gitea#22397)) ([#&#8203;22519](go-gitea/gitea#22519))

### [`v1.18.1`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1181-httpsgithubcomgo-giteagiteareleasestagv1181---2023-01-17)

[Compare Source](go-gitea/gitea@v1.18.0...v1.18.1)

-   API
    -   Add `sync_on_commit` option for push mirrors api ([#&#8203;22271](go-gitea/gitea#22271)) ([#&#8203;22292](go-gitea/gitea#22292))
-   BUGFIXES
    -   Update `github.com/zeripath/zapx/v15` ([#&#8203;22485](go-gitea/gitea#22485))
    -   Fix pull request API field `closed_at` always being `null` ([#&#8203;22482](go-gitea/gitea#22482)) ([#&#8203;22483](go-gitea/gitea#22483))
    -   Fix container blob mount ([#&#8203;22226](go-gitea/gitea#22226)) ([#&#8203;22476](go-gitea/gitea#22476))
    -   Fix error when calculating repository size ([#&#8203;22392](go-gitea/gitea#22392)) ([#&#8203;22474](go-gitea/gitea#22474))
    -   Fix Operator does not exist bug on explore page with ONLY_SHOW_RELEVANT_REPOS ([#&#8203;22454](go-gitea/gitea#22454)) ([#&#8203;22472](go-gitea/gitea#22472))
    -   Fix environments for KaTeX and error reporting ([#&#8203;22453](go-gitea/gitea#22453)) ([#&#8203;22473](go-gitea/gitea#22473))
    -   Remove the netgo tag for Windows build ([#&#8203;22467](go-gitea/gitea#22467)) ([#&#8203;22468](go-gitea/gitea#22468))
    -   Fix migration from GitBucket ([#&#8203;22477](go-gitea/gitea#22477)) ([#&#8203;22465](go-gitea/gitea#22465))
    -   Prevent panic on looking at api "git" endpoints for empty repos ([#&#8203;22457](go-gitea/gitea#22457)) ([#&#8203;22458](go-gitea/gitea#22458))
    -   Fix PR status layout on mobile ([#&#8203;21547](go-gitea/gitea#21547)) ([#&#8203;22441](go-gitea/gitea#22441))
    -   Fix wechatwork webhook sends empty content in PR review ([#&#8203;21762](go-gitea/gitea#21762)) ([#&#8203;22440](go-gitea/gitea#22440))
    -   Remove duplicate "Actions" label in mobile view ([#&#8203;21974](go-gitea/gitea#21974)) ([#&#8203;22439](go-gitea/gitea#22439))
    -   Fix leaving organization bug on user settings -> orgs ([#&#8203;21983](go-gitea/gitea#21983)) ([#&#8203;22438](go-gitea/gitea#22438))
    -   Fixed colour transparency regex matching in project board sorting ([#&#8203;22092](go-gitea/gitea#22092)) ([#&#8203;22437](go-gitea/gitea#22437))
    -   Correctly handle select on multiple channels in Queues ([#&#8203;22146](go-gitea/gitea#22146)) ([#&#8203;22428](go-gitea/gitea#22428))
    -   Prepend refs/heads/ to issue template refs ([#&#8203;20461](go-gitea/gitea#20461)) ([#&#8203;22427](go-gitea/gitea#22427))
    -   Restore function to "Show more" buttons ([#&#8203;22399](go-gitea/gitea#22399)) ([#&#8203;22426](go-gitea/gitea#22426))
    -   Continue GCing other repos on error in one repo ([#&#8203;22422](go-gitea/gitea#22422)) ([#&#8203;22425](go-gitea/gitea#22425))
    -   Allow HOST has no port ([#&#8203;22280](go-gitea/gitea#22280)) ([#&#8203;22409](go-gitea/gitea#22409))
    -   Fix omit avatar_url in discord payload when empty ([#&#8203;22393](go-gitea/gitea#22393)) ([#&#8203;22394](go-gitea/gitea#22394))
    -   Don't display stop watch top bar icon when disabled and hidden when click other place ([#&#8203;22374](go-gitea/gitea#22374)) ([#&#8203;22387](go-gitea/gitea#22387))
    -   Don't lookup mail server when using sendmail ([#&#8203;22300](go-gitea/gitea#22300)) ([#&#8203;22383](go-gitea/gitea#22383))
    -   Fix gravatar disable bug ([#&#8203;22337](go-gitea/gitea#22337))
    -   Fix update settings table on install ([#&#8203;22326](go-gitea/gitea#22326)) ([#&#8203;22327](go-gitea/gitea#22327))
    -   Fix sitemap ([#&#8203;22272](go-gitea/gitea#22272)) ([#&#8203;22320](go-gitea/gitea#22320))
    -   Fix code search title translation ([#&#8203;22285](go-gitea/gitea#22285)) ([#&#8203;22316](go-gitea/gitea#22316))
    -   Fix due date rendering the wrong date in issue ([#&#8203;22302](go-gitea/gitea#22302)) ([#&#8203;22306](go-gitea/gitea#22306))
    -   Fix get system setting bug when enabled redis cache ([#&#8203;22298](go-gitea/gitea#22298))
    -   Fix bug of DisableGravatar default value ([#&#8203;22297](go-gitea/gitea#22297))
    -   Fix key signature error page ([#&#8203;22229](go-gitea/gitea#22229)) ([#&#8203;22230](go-gitea/gitea#22230))
-   TESTING
    -   Remove test session cache to reduce possible concurrent problem ([#&#8203;22199](go-gitea/gitea#22199)) ([#&#8203;22429](go-gitea/gitea#22429))
-   MISC
    -   Restore previous official review when an official review is deleted ([#&#8203;22449](go-gitea/gitea#22449)) ([#&#8203;22460](go-gitea/gitea#22460))
    -   Log STDERR of external renderer when it fails ([#&#8203;22442](go-gitea/gitea#22442)) ([#&#8203;22444](go-gitea/gitea#22444))

### [`v1.18.0`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1180-httpsgithubcomgo-giteagiteareleasestagv1180---2022-12-29)

[Compare Source](go-gitea/gitea@v1.17.4...v1.18.0)

-   SECURITY
    -   Remove ReverseProxy authentication from the API ([#&#8203;22219](go-gitea/gitea#22219)) ([#&#8203;22251](go-gitea/gitea#22251))
    -   Support Go Vulnerability Management ([#&#8203;21139](go-gitea/gitea#21139))
    -   Forbid HTML string tooltips ([#&#8203;20935](go-gitea/gitea#20935))
-   BREAKING
    -   Rework mailer settings ([#&#8203;18982](go-gitea/gitea#18982))
    -   Remove U2F support ([#&#8203;20141](go-gitea/gitea#20141))
    -   Refactor `i18n` to `locale` ([#&#8203;20153](go-gitea/gitea#20153))
    -   Enable contenthash in filename for dynamic assets ([#&#8203;20813](go-gitea/gitea#20813))
-   FEATURES
    -   Add color previews in markdown ([#&#8203;21474](go-gitea/gitea#21474))
    -   Allow package version sorting ([#&#8203;21453](go-gitea/gitea#21453))
    -   Add support for Chocolatey/NuGet v2 API ([#&#8203;21393](go-gitea/gitea#21393))
    -   Add API endpoint to get changed files of a PR ([#&#8203;21177](go-gitea/gitea#21177))
    -   Add filetree on left of diff view ([#&#8203;21012](go-gitea/gitea#21012))
    -   Support Issue forms and PR forms ([#&#8203;20987](go-gitea/gitea#20987))
    -   Add support for Vagrant packages ([#&#8203;20930](go-gitea/gitea#20930))
    -   Add support for `npm unpublish` ([#&#8203;20688](go-gitea/gitea#20688))
    -   Add badge capabilities to users ([#&#8203;20607](go-gitea/gitea#20607))
    -   Add issue filter for Author ([#&#8203;20578](go-gitea/gitea#20578))
    -   Add KaTeX rendering to Markdown. ([#&#8203;20571](go-gitea/gitea#20571))
    -   Add support for Pub packages ([#&#8203;20560](go-gitea/gitea#20560))
    -   Support localized README ([#&#8203;20508](go-gitea/gitea#20508))
    -   Add support mCaptcha as captcha provider ([#&#8203;20458](go-gitea/gitea#20458))
    -   Add team member invite by email ([#&#8203;20307](go-gitea/gitea#20307))
    -   Added email notification option to receive all own messages ([#&#8203;20179](go-gitea/gitea#20179))
    -   Switch Unicode Escaping to a VSCode-like system ([#&#8203;19990](go-gitea/gitea#19990))
    -   Add user/organization code search ([#&#8203;19977](go-gitea/gitea#19977))
    -   Only show relevant repositories on explore page ([#&#8203;19361](go-gitea/gitea#19361))
    -   User keypairs and HTTP signatures for ActivityPub federation using go-ap ([#&#8203;19133](go-gitea/gitea#19133))
    -   Add sitemap support ([#&#8203;18407](go-gitea/gitea#18407))
    -   Allow creation of OAuth2 applications for orgs ([#&#8203;18084](go-gitea/gitea#18084))
    -   Add system setting table with cache and also add cache supports for user setting ([#&#8203;18058](go-gitea/gitea#18058))
    -   Add pages to view watched repos and subscribed issues/PRs ([#&#8203;17156](go-gitea/gitea#17156))
    -   Support Proxy protocol ([#&#8203;12527](go-gitea/gitea#12527))
    -   Implement sync push mirror on commit ([#&#8203;19411](go-gitea/gitea#19411))
-   API
    -   Allow empty assignees on pull request edit ([#&#8203;22150](go-gitea/gitea#22150)) ([#&#8203;22214](go-gitea/gitea#22214))
    -   Make external issue tracker regexp configurable via API ([#&#8203;21338](go-gitea/gitea#21338))
    -   Add name field for org api ([#&#8203;21270](go-gitea/gitea#21270))
    -   Show teams with no members if user is admin ([#&#8203;21204](go-gitea/gitea#21204))
    -   Add latest commit's SHA to content response ([#&#8203;20398](go-gitea/gitea#20398))
    -   Add allow_rebase_update, default_delete_branch_after_merge to repository api response ([#&#8203;20079](go-gitea/gitea#20079))
    -   Add new endpoints for push mirrors management ([#&#8203;19841](go-gitea/gitea#19841))
-   ENHANCEMENTS
    -   Add setting to disable the git apply step in test patch ([#&#8203;22130](go-gitea/gitea#22130)) ([#&#8203;22170](go-gitea/gitea#22170))
    -   Multiple improvements for comment edit diff ([#&#8203;21990](go-gitea/gitea#21990)) ([#&#8203;22007](go-gitea/gitea#22007))
    -   Fix button in branch list, avoid unexpected page jump before restore branch actually done ([#&#8203;21562](go-gitea/gitea#21562)) ([#&#8203;21928](go-gitea/gitea#21928))
    -   Fix flex layout for repo list icons ([#&#8203;21896](go-gitea/gitea#21896)) ([#&#8203;21920](go-gitea/gitea#21920))
    -   Fix vertical align of committer avatar rendered by email address ([#&#8203;21884](go-gitea/gitea#21884)) ([#&#8203;21918](go-gitea/gitea#21918))
    -   Fix setting HTTP headers after write ([#&#8203;21833](go-gitea/gitea#21833)) ([#&#8203;21877](go-gitea/gitea#21877))
    -   Color and Style enhancements ([#&#8203;21784](go-gitea/gitea#21784), [#&#8203;21799](go-gitea/gitea#21799)) ([#&#8203;21868](go-gitea/gitea#21868))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21776](go-gitea/gitea#21776))
    -   Quick fixes monaco-editor error: "vs.editor.nullLanguage" ([#&#8203;21734](go-gitea/gitea#21734)) ([#&#8203;21738](go-gitea/gitea#21738))
    -   Use CSS color-scheme instead of invert ([#&#8203;21616](go-gitea/gitea#21616)) ([#&#8203;21623](go-gitea/gitea#21623))
    -   Respect user's locale when rendering the date range in the repo activity page ([#&#8203;21410](go-gitea/gitea#21410))
    -   Change `commits-table` column width ([#&#8203;21564](go-gitea/gitea#21564))
    -   Refactor git command arguments and make all arguments to be safe to be used ([#&#8203;21535](go-gitea/gitea#21535))
    -   CSS color enhancements ([#&#8203;21534](go-gitea/gitea#21534))
    -   Add link to user profile in markdown mention only if user exists ([#&#8203;21533](go-gitea/gitea#21533), [#&#8203;21554](go-gitea/gitea#21554))
    -   Add option to skip index dirs ([#&#8203;21501](go-gitea/gitea#21501))
    -   Diff file tree tweaks ([#&#8203;21446](go-gitea/gitea#21446))
    -   Localize all timestamps ([#&#8203;21440](go-gitea/gitea#21440))
    -   Add `code` highlighting in issue titles ([#&#8203;21432](go-gitea/gitea#21432))
    -   Use Name instead of DisplayName in LFS Lock ([#&#8203;21415](go-gitea/gitea#21415))
    -   Consolidate more CSS colors into variables ([#&#8203;21402](go-gitea/gitea#21402))
    -   Redirect to new repository owner ([#&#8203;21398](go-gitea/gitea#21398))
    -   Use ISO date format instead of hard-coded English date format for date range in repo activity page ([#&#8203;21396](go-gitea/gitea#21396))
    -   Use weighted algorithm for string matching when finding files in repo ([#&#8203;21370](go-gitea/gitea#21370))
    -   Show private data in feeds ([#&#8203;21369](go-gitea/gitea#21369))
    -   Refactor parseTreeEntries, speed up tree list ([#&#8203;21368](go-gitea/gitea#21368))
    -   Add GET and DELETE endpoints for Docker blob uploads ([#&#8203;21367](go-gitea/gitea#21367))
    -   Add nicer error handling on template compile errors ([#&#8203;21350](go-gitea/gitea#21350))
    -   Add `stat` to `ToCommit` function for speed ([#&#8203;21337](go-gitea/gitea#21337))
    -   Support instance-wide OAuth2 applications ([#&#8203;21335](go-gitea/gitea#21335))
    -   Record OAuth client type at registration ([#&#8203;21316](go-gitea/gitea#21316))
    -   Add new CSS variables --color-accent and --color-small-accent ([#&#8203;21305](go-gitea/gitea#21305))
    -   Improve error descriptions for unauthorized_client ([#&#8203;21292](go-gitea/gitea#21292))
    -   Case-insensitive "find files in repo" ([#&#8203;21269](go-gitea/gitea#21269))
    -   Consolidate more CSS rules, fix inline code on arc-green ([#&#8203;21260](go-gitea/gitea#21260))
    -   Log real ip of requests from ssh ([#&#8203;21216](go-gitea/gitea#21216))
    -   Save files in local storage as group readable ([#&#8203;21198](go-gitea/gitea#21198))
    -   Enable fluid page layout on medium size viewports ([#&#8203;21178](go-gitea/gitea#21178))
    -   File header tweaks ([#&#8203;21175](go-gitea/gitea#21175))
    -   Added missing headers on user packages page ([#&#8203;21172](go-gitea/gitea#21172))
    -   Display image digest for container packages ([#&#8203;21170](go-gitea/gitea#21170))
    -   Skip dirty check for team forms ([#&#8203;21154](go-gitea/gitea#21154))
    -   Keep path when creating a new branch ([#&#8203;21153](go-gitea/gitea#21153))
    -   Remove fomantic image module ([#&#8203;21145](go-gitea/gitea#21145))
    -   Make labels clickable in the comments section. ([#&#8203;21137](go-gitea/gitea#21137))
    -   Sort branches and tags by date descending ([#&#8203;21136](go-gitea/gitea#21136))
    -   Better repo API unit checks ([#&#8203;21130](go-gitea/gitea#21130))
    -   Improve commit status icons ([#&#8203;21124](go-gitea/gitea#21124))
    -   Limit length of repo description and repo url input fields ([#&#8203;21119](go-gitea/gitea#21119))
    -   Show .editorconfig errors in frontend ([#&#8203;21088](go-gitea/gitea#21088))
    -   Allow poster to choose reviewers ([#&#8203;21084](go-gitea/gitea#21084))
    -   Remove black labels and CSS cleanup ([#&#8203;21003](go-gitea/gitea#21003))
    -   Make e-mail sanity check more precise ([#&#8203;20991](go-gitea/gitea#20991))
    -   Use native inputs in whitespace dropdown ([#&#8203;20980](go-gitea/gitea#20980))
    -   Enhance package date display ([#&#8203;20928](go-gitea/gitea#20928))
    -   Display total blob size of a package version ([#&#8203;20927](go-gitea/gitea#20927))
    -   Show language name on hover ([#&#8203;20923](go-gitea/gitea#20923))
    -   Show instructions for all generic package files ([#&#8203;20917](go-gitea/gitea#20917))
    -   Refactor AssertExistsAndLoadBean to use generics ([#&#8203;20797](go-gitea/gitea#20797))
    -   Move the official website link at the footer of gitea ([#&#8203;20777](go-gitea/gitea#20777))
    -   Add support for full name in reverse proxy auth ([#&#8203;20776](go-gitea/gitea#20776))
    -   Remove useless JS operation for relative time tooltips ([#&#8203;20756](go-gitea/gitea#20756))
    -   Replace some icons with SVG ([#&#8203;20741](go-gitea/gitea#20741))
    -   Change commit status icons to SVG ([#&#8203;20736](go-gitea/gitea#20736))
    -   Improve single repo action for issue and pull requests ([#&#8203;20730](go-gitea/gitea#20730))
    -   Allow multiple files in generic packages ([#&#8203;20661](go-gitea/gitea#20661))
    -   Add option to create new issue from /issues page ([#&#8203;20650](go-gitea/gitea#20650))
    -   Background color of private list-items updated ([#&#8203;20630](go-gitea/gitea#20630))
    -   Added search input field to issue filter ([#&#8203;20623](go-gitea/gitea#20623))
    -   Increase default item listing size `ISSUE_PAGING_NUM` to 20 ([#&#8203;20547](go-gitea/gitea#20547))
    -   Modify milestone search keywords to be case insensitive again ([#&#8203;20513](go-gitea/gitea#20513))
    -   Show hint to link package to repo when viewing empty repo package list ([#&#8203;20504](go-gitea/gitea#20504))
    -   Add Tar ZSTD support ([#&#8203;20493](go-gitea/gitea#20493))
    -   Make code review checkboxes clickable ([#&#8203;20481](go-gitea/gitea#20481))
    -   Add "X-Gitea-Object-Type" header for GET `/raw/` & `/media/` API ([#&#8203;20438](go-gitea/gitea#20438))
    -   Display project in issue list ([#&#8203;20434](go-gitea/gitea#20434))
    -   Prepend commit message to template content when opening a new PR ([#&#8203;20429](go-gitea/gitea#20429))
    -   Replace fomantic popup module with tippy.js ([#&#8203;20428](go-gitea/gitea#20428))
    -   Allow to specify colors for text in markup ([#&#8203;20363](go-gitea/gitea#20363))
    -   Allow access to the Public Organization Member lists with minimal permissions ([#&#8203;20330](go-gitea/gitea#20330))
    -   Use default values when provided values are empty ([#&#8203;20318](go-gitea/gitea#20318))
    -   Vertical align navbar avatar at middle ([#&#8203;20302](go-gitea/gitea#20302))
    -   Delete cancel button in repo creation page ([#&#8203;21381](go-gitea/gitea#21381))
    -   Include login_name in adminCreateUser response ([#&#8203;20283](go-gitea/gitea#20283))
    -   fix: icon margin in user/settings/repos ([#&#8203;20281](go-gitea/gitea#20281))
    -   Remove blue text on migrate page ([#&#8203;20273](go-gitea/gitea#20273))
    -   Modify milestone search keywords to be case insensitive ([#&#8203;20266](go-gitea/gitea#20266))
    -   Move some files into models' sub packages ([#&#8203;20262](go-gitea/gitea#20262))
    -   Add tooltip to repo icons in explore page ([#&#8203;20241](go-gitea/gitea#20241))
    -   Remove deprecated licenses ([#&#8203;20222](go-gitea/gitea#20222))
    -   Webhook for Wiki changes ([#&#8203;20219](go-gitea/gitea#20219))
    -   Share HTML template renderers and create a watcher framework ([#&#8203;20218](go-gitea/gitea#20218))
    -   Allow enable LDAP source and disable user sync via CLI ([#&#8203;20206](go-gitea/gitea#20206))
    -   Adds a checkbox to select all issues/PRs ([#&#8203;20177](go-gitea/gitea#20177))
    -   Refactor `i18n` to `locale` ([#&#8203;20153](go-gitea/gitea#20153))
    -   Disable status checks in template if none found ([#&#8203;20088](go-gitea/gitea#20088))
    -   Allow manager logging to set SQL ([#&#8203;20064](go-gitea/gitea#20064))
    -   Add order by for assignee no sort issue ([#&#8203;20053](go-gitea/gitea#20053))
    -   Take a stab at porting existing components to Vue3 ([#&#8203;20044](go-gitea/gitea#20044))
    -   Add doctor command to write commit-graphs ([#&#8203;20007](go-gitea/gitea#20007))
    -   Add support for authentication based on reverse proxy email ([#&#8203;19949](go-gitea/gitea#19949))
    -   Enable spellcheck for EasyMDE, use contenteditable mode ([#&#8203;19776](go-gitea/gitea#19776))
    -   Allow specifying SECRET_KEY_URI, similar to INTERNAL_TOKEN_URI ([#&#8203;19663](go-gitea/gitea#19663))
    -   Rework mailer settings ([#&#8203;18982](go-gitea/gitea#18982))
    -   Add option to purge users ([#&#8203;18064](go-gitea/gitea#18064))
    -   Add author search input ([#&#8203;21246](go-gitea/gitea#21246))
    -   Make rss/atom identifier globally unique ([#&#8203;21550](go-gitea/gitea#21550))
-   BUGFIXES
    -   Auth interface return error when verify failure ([#&#8203;22119](go-gitea/gitea#22119)) ([#&#8203;22259](go-gitea/gitea#22259))
    -   Use complete SHA to create and query commit status ([#&#8203;22244](go-gitea/gitea#22244)) ([#&#8203;22257](go-gitea/gitea#22257))
    -   Update bleve and zapx to fix unaligned atomic ([#&#8203;22031](go-gitea/gitea#22031)) ([#&#8203;22218](go-gitea/gitea#22218))
    -   Prevent panic in doctor command when running default checks ([#&#8203;21791](go-gitea/gitea#21791)) ([#&#8203;21807](go-gitea/gitea#21807))
    -   Load GitRepo in API before deleting issue ([#&#8203;21720](go-gitea/gitea#21720)) ([#&#8203;21796](go-gitea/gitea#21796))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21776](go-gitea/gitea#21776))
    -   Set last login when activating account ([#&#8203;21731](go-gitea/gitea#21731)) ([#&#8203;21755](go-gitea/gitea#21755))
    -   Fix UI language switching bug ([#&#8203;21597](go-gitea/gitea#21597)) ([#&#8203;21749](go-gitea/gitea#21749))
    -   Quick fixes monaco-editor error: "vs.editor.nullLanguage" ([#&#8203;21734](go-gitea/gitea#21734)) ([#&#8203;21738](go-gitea/gitea#21738))
    -   Allow local package identifiers for PyPI packages ([#&#8203;21690](go-gitea/gitea#21690)) ([#&#8203;21727](go-gitea/gitea#21727))
    -   Deal with markdown template without metadata ([#&#8203;21639](go-gitea/gitea#21639)) ([#&#8203;21654](go-gitea/gitea#21654))
    -   Fix opaque background on mermaid diagrams ([#&#8203;21642](go-gitea/gitea#21642)) ([#&#8203;21652](go-gitea/gitea#21652))
    -   Fix repository adoption on Windows ([#&#8203;21646](go-gitea/gitea#21646)) ([#&#8203;21650](go-gitea/gitea#21650))
    -   Sync git hooks when config file path changed ([#&#8203;21619](go-gitea/gitea#21619)) ([#&#8203;21626](go-gitea/gitea#21626))
    -   Fix 500 on PR files API ([#&#8203;21602](go-gitea/gitea#21602)) ([#&#8203;21607](go-gitea/gitea#21607))
    -   Fix `Timestamp.IsZero` ([#&#8203;21593](go-gitea/gitea#21593)) ([#&#8203;21603](go-gitea/gitea#21603))
    -   Fix viewing user subscriptions ([#&#8203;21482](go-gitea/gitea#21482))
    -   Fix mermaid-related bugs ([#&#8203;21431](go-gitea/gitea#21431))
    -   Fix branch dropdown shifting on page load ([#&#8203;21428](go-gitea/gitea#21428))
    -   Fix default theme-auto selector when nologin ([#&#8203;21346](go-gitea/gitea#21346))
    -   Fix and improve incorrect error messages ([#&#8203;21342](go-gitea/gitea#21342))
    -   Fix formatted link for PR review notifications to matrix ([#&#8203;21319](go-gitea/gitea#21319))
    -   Center-aligning content of WebAuthN page ([#&#8203;21127](go-gitea/gitea#21127))
    -   Remove follow from commits by file ([#&#8203;20765](go-gitea/gitea#20765))
    -   Fix commit status popup ([#&#8203;20737](go-gitea/gitea#20737))
    -   Fix init mail render logic ([#&#8203;20704](go-gitea/gitea#20704))
    -   Use correct page size for link header pagination ([#&#8203;20546](go-gitea/gitea#20546))
    -   Preserve unix socket file ([#&#8203;20499](go-gitea/gitea#20499))
    -   Use tippy.js for context popup ([#&#8203;20393](go-gitea/gitea#20393))
    -   Add missing parameter for error in log message ([#&#8203;20144](go-gitea/gitea#20144))
    -   Do not allow organisation owners add themselves as collaborator ([#&#8203;20043](go-gitea/gitea#20043))
    -   Rework file highlight rendering and fix yaml copy-paste ([#&#8203;19967](go-gitea/gitea#19967))
    -   Improve code diff highlight, fix incorrect rendered diff result ([#&#8203;19958](go-gitea/gitea#19958))
-   TESTING
    -   Improve OAuth integration tests ([#&#8203;21390](go-gitea/gitea#21390))
    -   Add playwright tests ([#&#8203;20123](go-gitea/gitea#20123))
-   BUILD
    -   Switch to building with go1.19 ([#&#8203;20695](go-gitea/gitea#20695))
    -   Update JS dependencies, adjust eslint ([#&#8203;20659](go-gitea/gitea#20659))
    -   Add more linters to improve code readability ([#&#8203;19989](go-gitea/gitea#19989))

### [`v1.17.4`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#&#8203;1174-httpsgithubcomgo-giteagiteareleasestagv1174---2022-12-21)

[Compare Source](go-gitea/gitea@v1.17.3...v1.17.4)

-   SECURITY
    -   Do not allow Ghost access to limited visible user/org ([#&#8203;21849](go-gitea/gitea#21849)) ([#&#8203;21875](go-gitea/gitea#21875))
    -   Fix package access for admins and inactive users ([#&#8203;21580](go-gitea/gitea#21580)) ([#&#8203;21592](go-gitea/gitea#21592))
-   ENHANCEMENTS
    -   Fix button in branch list, avoid unexpected page jump before restore branch actually done ([#&#8203;21562](go-gitea/gitea#21562)) ([#&#8203;21927](go-gitea/gitea#21927))
    -   Fix vertical align of committer avatar rendered by email address ([#&#8203;21884](go-gitea/gitea#21884)) ([#&#8203;21919](go-gitea/gitea#21919))
    -   Fix setting HTTP headers after write ([#&#8203;21833](go-gitea/gitea#21833)) ([#&#8203;21874](go-gitea/gitea#21874))
    -   Ignore line anchor links with leading zeroes ([#&#8203;21728](go-gitea/gitea#21728)) ([#&#8203;21777](go-gitea/gitea#21777))
    -   Enable Monaco automaticLayout ([#&#8203;21516](go-gitea/gitea#21516))
-   BUGFIXES
    -   Do not list active repositories as unadopted ([#&#8203;22034](go-gitea/gitea#22034)) ([#&#8203;22167](go-gitea/gitea#22167))
    -   Correctly handle moved files in apply patch ([#&#8203;22118](go-gitea/gitea#22118)) ([#&#8203;22136](go-gitea/gitea#22136))
    -   Fix condition for is_internal ([#&#8203;22095](go-gitea/gitea#22095)) ([#&#8203;22131](go-gitea/gitea#22131))
    -   Fix permission check on issue/pull lock ([#&#8203;22114](go-gitea/gitea#22114))
    -   Fix sorting admin user list by last login ([#&#8203;22081](go-gitea/gitea#22081)) ([#&#8203;22106](go-gitea/gitea#22106))
    -   Workaround for container registry push/pull errors ([#&#8203;21862](go-gitea/gitea#21862)) ([#&#8203;22069](go-gitea/gitea#22069))
    -   Fix issue/PR numbers ([#&#8203;22037](go-gitea/gitea#22037)) ([#&#8203;22045](go-gitea/gitea#22045))
    -   Handle empty author names ([#&#8203;21902](go-gitea/gitea#21902)) ([#&#8203;22028](go-gitea/gitea#22028))
    -   Fix ListBranches to handle empty case ([#&#8203;21921](go-gitea/gitea#21921)) ([#&#8203;22025](go-gitea/gitea#22025))
    -   Fix enabling partial clones on 1.17 ([#&#8203;21809](go-gitea/gitea#21809))
    -   Prevent panic in doctor command when running default checks ([#&#8203;21791](go-gitea/gitea#21791)) ([#&#8203;21808](go-gitea/gitea#21808))
    -   Upgrade golang.org/x/crypto ([#&#8203;21792](go-gitea/gitea#21792)) ([#&#8203;21794](go-gitea/gitea#21794))
    -   Init git module before database migration ([#&#8203;21764](go-gitea/gitea#21764)) ([#&#8203;21766](go-gitea/gitea#21766))
    -   Set last login when activating account ([#&#8203;21731](go-gitea/gitea#21731)) ([#&#8203;21754](go-gitea/gitea#21754))
    -   Add HEAD fix to gitea doctor ([#&#8203;21352](go-gitea/gitea#21352)) ([#&#8203;21751](go-gitea/gitea#21751))
    -   Fix UI language switching bug ([#&#8203;21597](go-gitea/gitea#21597)) ([#&#8203;21748](go-gitea/gitea#21748))
    -   Remove semver compatible flag and change pypi to an array of test cases ([#&#8203;21708](go-gitea/gitea#21708)) ([#&#8203;21729](go-gitea/gitea#21729))
    -   Allow local package identifiers for PyPI packages ([#&#8203;21690](go-gitea/gitea#21690)) ([#&#8203;21726](go-gitea/gitea#21726))
    -   Fix repository adoption on Windows ([#&#8203;21646](go-gitea/gitea#21646)) ([#&#8203;21651](go-gitea/gitea#21651))
    -   Sync git hooks when config file path changed ([#&#8203;21619](go-gitea/gitea#21619)) ([#&#8203;21625](go-gitea/gitea#21625))
    -   Added check for disabled Packages ([#&#8203;21540](go-gitea/gitea#21540)) ([#&#8203;21614](go-gitea/gitea#21614))
    -   Fix `Timestamp.IsZero` ([#&#8203;21593](go-gitea/gitea#21593)) ([#&#8203;21604](go-gitea/gitea#21604))
    -   Fix issues count bug ([#&#8203;21600](go-gitea/gitea#21600))
    -   Support binary deploy in npm packages ([#&#8203;21589](go-gitea/gitea#21589))
    -   Update milestone counters when issue is deleted ([#&#8203;21459](go-gitea/gitea#21459)) ([#&#8203;21586](go-gitea/gitea#21586))
    -   SessionUser protection against nil pointer dereference ([#&#8203;21581](go-gitea/gitea#21581))
    -   Case-insensitive NuGet symbol file GUID ([#&#8203;21409](go-gitea/gitea#21409)) ([#&#8203;21575](go-gitea/gitea#21575))
    -   Suppress `ExternalLoginUserNotExist` error ([#&#8203;21504](go-gitea/gitea#21504)) ([#&#8203;21572](go-gitea/gitea#21572))
    -   Prevent Authorization header for presigned LFS urls ([#&#8203;21531](go-gitea/gitea#21531)) ([#&#8203;21569](go-gitea/gitea#21569))
    -   Update binding to fix bugs ([#&#8203;21560](go-gitea/gitea#21560))
    -   Fix generating compare link ([#&#8203;21519](go-gitea/gitea#21519)) ([#&#8203;21530](go-gitea/gitea#21530))
    -   Ignore error when retrieving changed PR review files ([#&#8203;21487](go-gitea/gitea#21487)) ([#&#8203;21524](go-gitea/gitea#21524))
    -   Fix incorrect notification commit url ([#&#8203;21479](go-gitea/gitea#21479)) ([#&#8203;21483](go-gitea/gitea#21483))
    -   Display total commit count in hook message ([#&#8203;21400](go-gitea/gitea#21400)) ([#&#8203;21481](go-gitea/gitea#21481))
    -   Enforce grouped NuGet search results ([#&#8203;21442](go-gitea/gitea#21442)) ([#&#8203;21480](go-gitea/gitea#21480))
    -   Return 404 when user is not found on avatar ([#&#8203;21476](go-gitea/gitea#21476)) ([#&#8203;21477](go-gitea/gitea#21477))
    -   Normalize NuGet package version on upload ([#&#8203;22186](go-gitea/gitea#22186)) ([#&#8203;22201](go-gitea/gitea#22201))
-   MISC
    -   Check for zero time instant in TimeStamp.IsZero() ([#&#8203;22171](go-gitea/gitea#22171)) ([#&#8203;22173](go-gitea/gitea#22173))
    -   Fix warn in database structs sync ([#&#8203;22111](go-gitea/gitea#22111))
    -   Allow for resolution of NPM registry paths that match upstream ([#&#8203;21568](go-gitea/gitea#21568)) ([#&#8203;21723](go-gitea/gitea#21723))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTIuMiIsInVwZGF0ZWRJblZlciI6IjM0LjE1Mi4yIn0=-->

Co-authored-by: Michael Wittig <michael.wittig@posteo.de>
Reviewed-on: https://gitea.sh4ke.rocks/sh4ke/k8s-projects/pulls/84
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. outdated/backport/v1.18 This PR should be backported to Gitea 1.18 pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants