Refactor git command package to improve security and maintainability #22678

wxiaoguang · 2023-01-31T08:10:18Z

This PR follows #21535 (and replace #22592)

Review without space diff

https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1

Purpose of this PR

Make git module command completely safe (risky user inputs won't be passed as argument option anymore)
Avoid low-level mistakes like Use git command instead of exec.Cmd in blame #22098 (comment)
Remove deprecated and dirty CmdArgCheck function, hide the CmdArg type
Simplify code when using git command

The main idea of this PR

Move the git.CmdArg to the internal package, then no other package except git could use it. Then developers could never do AddArguments(git.CmdArg(userInput)) any more.
Introduce git.ToTrustedCmdArgs, it's for user-provided and already trusted arguments. It's only used in a few cases, for example: use git arguments from config file, help unit test with some arguments.
Introduce AddOptionValues and AddOptionFormat, they make code more clear and simple:
- Before: AddArguments("-m").AddDynamicArguments(message)
- After: AddOptionValues("-m", message)
- Before: AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'", sig.Name, sig.Email)))
- After: AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)

FAQ

Why these changes were not done in #21535 ?

#21535 is mainly a search&replace, it did its best to not change too much logic.

Making the framework better needs a lot of changes, so this separate PR is needed as the second step.

The naming of `AddOptionXxx`

According to git's manual, the --xxx part is called option.

How can it guarantee that `internal.CmdArg` won't be not misused?

Go's specification guarantees that. Trying to access other package's internal package causes compilation error.

And, golangci-lint also denies the git/internal package. Only the git/command.go can use it carefully.

There is still a `ToTrustedCmdArgs`, will it still allow developers to make mistakes and pass untrusted arguments?

Generally speaking, no. Because when using ToTrustedCmdArgs, the code will be very complex (see the changes for examples). Then developers and reviewers can know that something might be unreasonable.

Why there was a `CmdArgCheck` and why it's removed?

At the moment of #21535, to reduce unnecessary changes, CmdArgCheck was introduced as a hacky patch. Now, almost all code could be written as cmd := NewCommand(); cmd.AddXxx(...), then there is no need for CmdArgCheck anymore.

Why many codes for `signArg == ""` is deleted?

Because in the old code, signArg could never be empty string, it's either -S[key-id] or --no-gpg-sign. So the signArg == "" is just dead code.

modules/git/repo_branch_nogogit.go

delvh

So, if I've seen that correctly, this PR can be classified as less performant, but more secure and readable?

services/pull/merge.go

modules/git/repo_attribute.go

modules/repository/init.go

modules/git/repo_tag.go

wxiaoguang · 2023-02-04T01:10:04Z

So, if I've seen that correctly, this PR can be classified as less performant, but more secure and readable?

I don't see why it's less performant. Some more function calls won't affect performance -- at least, you won't feel it in daily usage, and won't see your CPU usage gets any higher.

codecov-commenter · 2023-02-04T02:01:36Z

Codecov Report

Merging #22678 (b9455b3) into main (3c5655c) will increase coverage by 47.21%.
The diff coverage is 61.61%.

❗ Current head b9455b3 differs from pull request most recent head 123144e. Consider uploading reports for the commit 123144e to get more accurate results

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff            @@
##           main   #22678       +/-   ##
=========================================
+ Coverage      0   47.21%   +47.21%     
=========================================
  Files         0     1106     +1106     
  Lines         0   148779   +148779     
=========================================
+ Hits          0    70249    +70249     
- Misses        0    70177    +70177     
- Partials      0     8353     +8353

Impacted Files	Coverage Δ
modules/git/git.go	`44.62% <0.00%> (ø)`
modules/git/repo_tree.go	`85.00% <0.00%> (ø)`
routers/web/repo/compare.go	`45.41% <ø> (ø)`
routers/web/repo/lfs.go	`0.00% <0.00%> (ø)`
services/cron/tasks_basic.go	`90.22% <0.00%> (ø)`
services/cron/tasks_extended.go	`70.71% <0.00%> (ø)`
services/mirror/mirror_push.go	`44.69% <0.00%> (ø)`
services/pull/patch.go	`33.64% <0.00%> (ø)`
services/repository/check.go	`0.00% <0.00%> (ø)`
services/repository/files/patch.go	`0.00% <0.00%> (ø)`
... and 1130 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

delvh · 2023-02-04T10:37:19Z

Well, what I meant was: We've replaced a ton of string concatenation with fmt.Sprintf which apparently can be much slower.
Additionally, the list of arguments needs to be copied more often as it is often as it isn't initialized with all arguments anymore, more arguments are added afterwards from what I've seen.

wxiaoguang · 2023-02-04T11:31:17Z

We've replaced a ton of string concatenation with fmt.Sprintf

No, only a few. Most refactored codes are: git.CmdArg(fmt.Sprintf(...)) => AddOptionFormat

(OK, maybe a ton and most are just personal opinions, indeed if you do benchmark for the whole git operation, the affect is very very trivial, I do not think there would be noticeable difference)

If it's proved that the performance is really affected, there could be a AddOptionConcat("--xxx=", val) to optimize it.

the list of arguments needs to be copied more often

It won't affect the performance too much. You can try to benchmark the whole git operation to see whether it really matters.

And I wouldn't agree with code like below:

Even if it would be proved that the slice affects performance (it's impossible indeed), you can still add something like NewCommand(ctx).GrowArgsCap(100) to optimize it -- there are always feasible methods in the new framework.

* giteaoffical/main: (23 commits) Add Cargo package registry (go-gitea#21888) Add new captcha: cloudflare turnstile (go-gitea#22369) add default user visibility to cli command "admin user create" (go-gitea#22750) Show all projects, not just repo projects and open/closed projects (go-gitea#22640) Remove ONLY_SHOW_RELEVANT_REPOS setting (go-gitea#21962) Escape path for the file list (go-gitea#22741) Repositories: by default disable all units except code and pulls on forks (go-gitea#22541) Fix color of tertiary button on dark theme (go-gitea#22739) Refactor git command package to improve security and maintainability (go-gitea#22678) Improve trace logging for pulls and processes (go-gitea#22633) Remove 'primary' class from tab counter labels (go-gitea#22687) Use native error checking with `exec.ErrDot` (go-gitea#22735) update to build with go1.20 (go-gitea#22732) Add missed reverse proxy authentication documentation (go-gitea#22250) Update button is shown when a Pull Request is marked WIP - Issue go-gitea#21740 (go-gitea#22683) Do not overwrite empty DefaultBranch (go-gitea#22708) Improve error report when user passes a private key (go-gitea#22726) Add some comments for recent code (go-gitea#22725) Fix actions workflow branches match bug (go-gitea#22724) Fix group filter for ldap source sync (go-gitea#22506) ...

Follow #22568 * Remove unnecessary ToTrustedCmdArgs calls * the FAQ in #22678 * Quote: When using ToTrustedCmdArgs, the code will be very complex (see the changes for examples). Then developers and reviewers can know that something might be unreasonable. * The `signArg` couldn't be empty, it's either `-S{keyID}` or `--no-gpg-sign`. * Use `signKeyID` instead, add comment "empty for no-sign, non-empty to sign" * 5-line code could be extracted to a common `NewGitCommandCommit()` to handle the `signKeyID`, but I think it's not a must, current code is clear enough.

Follow go-gitea#22568 * Remove unnecessary ToTrustedCmdArgs calls * the FAQ in go-gitea#22678 * Quote: When using ToTrustedCmdArgs, the code will be very complex (see the changes for examples). Then developers and reviewers can know that something might be unreasonable. * The `signArg` couldn't be empty, it's either `-S{keyID}` or `--no-gpg-sign`. * Use `signKeyID` instead, add comment "empty for no-sign, non-empty to sign" * 5-line code could be extracted to a common `NewGitCommandCommit()` to handle the `signKeyID`, but I think it's not a must, current code is clear enough.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gitea/gitea](https://github.com/go-gitea/gitea) | minor | `1.18.5-rootless` -> `1.19.0-rootless` | --- ### Release Notes <details> <summary>go-gitea/gitea</summary> ### [`v1.19.0`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#1190-httpsgithubcomgo-giteagiteareleasestag1190---2023-03-19) [Compare Source](go-gitea/gitea@v1.18.5...v1.19.0) - BREAKING - Add loading yaml label template files ([#22976](go-gitea/gitea#22976)) ([#23232](go-gitea/gitea#23232)) - Make issue and code search support camel case for Bleve ([#22829](go-gitea/gitea#22829)) - Repositories: by default disable all units except code and pulls on forks ([#22541](go-gitea/gitea#22541)) - Support template for merge message description ([#22248](go-gitea/gitea#22248)) - Remove ONLY_SHOW_RELEVANT_REPOS setting ([#21962](go-gitea/gitea#21962)) - Implement actions ([#21937](go-gitea/gitea#21937)) - Remove deprecated DSA host key from Docker Container ([#21522](go-gitea/gitea#21522)) - Improve valid user name check ([#20136](go-gitea/gitea#20136)) - SECURITY - Return 404 instead of 403 if user can not access the repo ([#23155](go-gitea/gitea#23155)) ([#23158](go-gitea/gitea#23158)) - Support scoped access tokens ([#20908](go-gitea/gitea#20908)) - FEATURES - Add support for commit cross references ([#22645](go-gitea/gitea#22645)) - Scoped labels ([#22585](go-gitea/gitea#22585)) - Add Chef package registry ([#22554](go-gitea/gitea#22554)) - Support asciicast files as new markup ([#22448](go-gitea/gitea#22448)) - cgo cross-compile for freebsd ([#22397](go-gitea/gitea#22397)) - Add cron method to gc LFS MetaObjects ([#22385](go-gitea/gitea#22385)) - Add new captcha: cloudflare turnstile ([#22369](go-gitea/gitea#22369)) - Enable `@<user>`- completion popup on the release description textarea ([#22359](go-gitea/gitea#22359)) - make /{username}.png redirect to user/org avatar ([#22356](go-gitea/gitea#22356)) - Add Conda package registry ([#22262](go-gitea/gitea#22262)) - Support org/user level projects ([#22235](go-gitea/gitea#22235)) - Add Mermaid copy button ([#22225](go-gitea/gitea#22225)) - Add user secrets ([#22191](go-gitea/gitea#22191)) - Secrets storage with SecretKey encrypted ([#22142](go-gitea/gitea#22142)) - Preview images for Issue cards in Project Board view ([#22112](go-gitea/gitea#22112)) - Add support for incoming emails ([#22056](go-gitea/gitea#22056)) - Add Cargo package registry ([#21888](go-gitea/gitea#21888)) - Add option to prohibit fork if user reached maximum limit of repositories ([#21848](go-gitea/gitea#21848)) - Add attention blocks within quote blocks for `Note` and `Warning` ([#21711](go-gitea/gitea#21711)) - Add Feed for Releases and Tags ([#21696](go-gitea/gitea#21696)) - Add package registry cleanup rules ([#21658](go-gitea/gitea#21658)) - Add "Copy" button to file view of raw text ([#21629](go-gitea/gitea#21629)) - Allow disable sitemap ([#21617](go-gitea/gitea#21617)) - Add package registry quota limits ([#21584](go-gitea/gitea#21584)) - Map OIDC groups to Orgs/Teams ([#21441](go-gitea/gitea#21441)) - Keep languages defined in .gitattributes ([#21403](go-gitea/gitea#21403)) - Add Webhook authorization header ([#20926](go-gitea/gitea#20926)) - Supports wildcard protected branch ([#20825](go-gitea/gitea#20825)) - Copy citation file content, in APA and BibTex format, on repo home page ([#19999](go-gitea/gitea#19999)) - API - Match api migration behavior to web behavior ([#23552](go-gitea/gitea#23552)) ([#23573](go-gitea/gitea#23573)) - Purge API comment ([#23451](go-gitea/gitea#23451)) ([#23452](go-gitea/gitea#23452)) - User creation API: allow custom "created" timestamps ([#22549](go-gitea/gitea#22549)) - Add `updated_at` field to PullReview API object ([#21812](go-gitea/gitea#21812)) - Add API management for issue/pull and comment attachments ([#21783](go-gitea/gitea#21783)) - Add API endpoint to get latest release ([#21267](go-gitea/gitea#21267)) - Support system hook API ([#14537](go-gitea/gitea#14537)) - ENHANCEMENTS - Add `.patch` to `attachment.ALLOWED_TYPES` ([#23580](go-gitea/gitea#23580)) ([#23582](go-gitea/gitea#23582)) - Fix sticky header in diff view ([#23554](go-gitea/gitea#23554)) ([#23568](go-gitea/gitea#23568)) - Refactor merge/update git command calls ([#23366](go-gitea/gitea#23366)) ([#23544](go-gitea/gitea#23544)) - Fix review comment context menu clipped bug ([#23523](go-gitea/gitea#23523)) ([#23543](go-gitea/gitea#23543)) - Imrove scroll behavior to hash issuecomment(scroll position, auto expand if file is folded, and on refreshing) ([#23513](go-gitea/gitea#23513)) ([#23540](go-gitea/gitea#23540)) - Increase horizontal page padding ([#23507](go-gitea/gitea#23507)) ([#23537](go-gitea/gitea#23537)) - Use octicon-verified for gpg signatures ([#23529](go-gitea/gitea#23529)) ([#23536](go-gitea/gitea#23536)) - Make time tooltips interactive ([#23526](go-gitea/gitea#23526)) ([#23527](go-gitea/gitea#23527)) - Replace Less with CSS ([#23508](go-gitea/gitea#23508)) - Fix 'View File' button in code search ([#23478](go-gitea/gitea#23478)) ([#23483](go-gitea/gitea#23483)) - Convert GitHub event on actions and fix some pull_request events. ([#23037](go-gitea/gitea#23037)) ([#23471](go-gitea/gitea#23471)) - Support reflogs ([#22451](go-gitea/gitea#22451)) ([#23438](go-gitea/gitea#23438)) - Fix actions frontend bugs (pagination, long name alignment) and small simplify ([#23370](go-gitea/gitea#23370)) ([#23436](go-gitea/gitea#23436)) - Scoped label display and documentation tweaks ([#23430](go-gitea/gitea#23430)) ([#23433](go-gitea/gitea#23433)) - Add missing tabs to org projects page ([#22705](go-gitea/gitea#22705)) ([#23412](go-gitea/gitea#23412)) - Fix and move "Use this template" button ([#23398](go-gitea/gitea#23398)) ([#23408](go-gitea/gitea#23408)) - Handle OpenID discovery URL errors a little nicer when creating/editing sources ([#23397](go-gitea/gitea#23397)) ([#23403](go-gitea/gitea#23403)) - Rename `canWriteUnit` to `canWriteProjects` ([#23386](go-gitea/gitea#23386)) ([#23399](go-gitea/gitea#23399)) - Refactor and tidy-up the merge/update branch code ([#22568](go-gitea/gitea#22568)) ([#23365](go-gitea/gitea#23365)) - Refactor `setting.Database.UseXXX` to methods ([#23354](go-gitea/gitea#23354)) ([#23356](go-gitea/gitea#23356)) - Fix incorrect project links and use symlink icon for org-wide projects ([#23325](go-gitea/gitea#23325)) ([#23336](go-gitea/gitea#23336)) - Fix PR view misalignment caused by long name file ([#23321](go-gitea/gitea#23321)) ([#23335](go-gitea/gitea#23335)) - Scoped labels: don't require holding alt key to remove ([#23303](go-gitea/gitea#23303)) ([#23331](go-gitea/gitea#23331)) - Add context when rendering labels or emojis ([#23281](go-gitea/gitea#23281)) ([#23319](go-gitea/gitea#23319)) - Change interactiveBorder to fix popup preview ([#23169](go-gitea/gitea#23169)) ([#23314](go-gitea/gitea#23314)) - Scoped labels: set aria-disabled on muted Exclusive option for a11y ([#23306](go-gitea/gitea#23306)) ([#23311](go-gitea/gitea#23311)) - update to mermaid v10 ([#23178](go-gitea/gitea#23178)) ([#23299](go-gitea/gitea#23299)) - Fix code wrap for unbroken lines ([#23268](go-gitea/gitea#23268)) ([#23293](go-gitea/gitea#23293)) - Use async await to fix empty quote reply at first time ([#23168](go-gitea/gitea#23168)) ([#23256](go-gitea/gitea#23256)) - Fix switched citation format ([#23250](go-gitea/gitea#23250)) ([#23253](go-gitea/gitea#23253)) - Allow `<video>` in MarkDown ([#22892](go-gitea/gitea#22892)) ([#23236](go-gitea/gitea#23236)) - Order pull request conflict checking by recently updated, for each push ([#23220](go-gitea/gitea#23220)) ([#23225](go-gitea/gitea#23225)) - Fix Fomantic UI's `touchstart` fastclick, always use `click` for click events ([#23065](go-gitea/gitea#23065)) ([#23195](go-gitea/gitea#23195)) - Add word-break to sidebar-item-link ([#23146](go-gitea/gitea#23146)) ([#23180](go-gitea/gitea#23180)) - Add InsecureSkipVerify to Minio Client for Storage ([#23166](go-gitea/gitea#23166)) ([#23177](go-gitea/gitea#23177)) - Fix height for sticky head on large screen on PR page ([#23111](go-gitea/gitea#23111)) ([#23123](go-gitea/gitea#23123)) - Change style to improve whitespaces trimming inside inline markdown code ([#23093](go-gitea/gitea#23093)) ([#23120](go-gitea/gitea#23120)) - Avoid warning for system setting when start up ([#23054](go-gitea/gitea#23054)) ([#23116](go-gitea/gitea#23116)) - Add accessibility to the menu on the navbar ([#23059](go-gitea/gitea#23059)) ([#23095](go-gitea/gitea#23095)) - Improve accessibility for issue comments ([#22612](go-gitea/gitea#22612)) ([#23083](go-gitea/gitea#23083)) - Remove delete button for review comment ([#23036](go-gitea/gitea#23036)) - Remove dashes between organization member avatars on hover ([#23034](go-gitea/gitea#23034)) - Use `gt-relative` class instead of the ambiguous `gt-pr` class ([#23008](go-gitea/gitea#23008)) - handle deprecated settings ([#22992](go-gitea/gitea#22992)) - Add scopes to API to create token and display them ([#22989](go-gitea/gitea#22989)) - Improve PR Review Box UI ([#22986](go-gitea/gitea#22986)) - Improve issues.LoadProject ([#22982](go-gitea/gitea#22982)) - Add all units to the units permission list in org team members sidebar ([#22971](go-gitea/gitea#22971)) - Rename `GetUnits` to `LoadUnits` ([#22970](go-gitea/gitea#22970)) - Rename `repo.GetOwner` to `repo.LoadOwner` ([#22967](go-gitea/gitea#22967)) - Rename "People" to "Members" in organization page and use a better icon ([#22960](go-gitea/gitea#22960)) - Fix avatar misalignment ([#22955](go-gitea/gitea#22955)) - Sort issues and pulls by recently updated in user and organization home ([#22925](go-gitea/gitea#22925)) - Add `title` to PR file tree items ([#22918](go-gitea/gitea#22918)) - First step to refactor the `.hide` to `.gt-hidden` ([#22916](go-gitea/gitea#22916)) - Add tooltip to issue reference ([#22913](go-gitea/gitea#22913)) - Always show the `command line instructions` button even if there are conflicts ([#22909](go-gitea/gitea#22909)) - Fix dark-colored description text in arc-green theme ([#22908](go-gitea/gitea#22908)) - Remove Fomantic-UI's `.hidden` CSS class for menu elements ([#22895](go-gitea/gitea#22895)) - Move helpers to be prefixed with `gt-` ([#22879](go-gitea/gitea#22879)) - Move `IsReadmeFile*` from `modules/markup/` to `modules/util` ([#22877](go-gitea/gitea#22877)) - Highlight focused diff file ([#22870](go-gitea/gitea#22870)) - Add some headings to repo views ([#22869](go-gitea/gitea#22869)) - Fix milestone title font problem ([#22863](go-gitea/gitea#22863)) - Pull Requests: setting to allow edits by maintainers by default, tweak UI ([#22862](go-gitea/gitea#22862)) - Introduce customized HTML elements, fix incorrect AppUrl usages in templates ([#22861](go-gitea/gitea#22861)) - Add `/$count` endpoints for NuGet v2 ([#22855](go-gitea/gitea#22855)) - Remove Fomantic-UI's `.hidden` CSS class for checkbox elements ([#22851](go-gitea/gitea#22851)) - Fix notification and stopwatch empty states ([#22845](go-gitea/gitea#22845)) - Always go full width in PR view ([#22844](go-gitea/gitea#22844)) - Improve AppUrl/ROOT_URL checking ([#22836](go-gitea/gitea#22836)) - Fix style of actions rerun button ([#22835](go-gitea/gitea#22835)) - Fix more HTMLURL in templates ([#22831](go-gitea/gitea#22831)) - Fix inconsistent Filter Project name in issue list ([#22827](go-gitea/gitea#22827)) - include build info in Prometheus metrics ([#22819](go-gitea/gitea#22819)) - Make clone URL use current page's host ([#22808](go-gitea/gitea#22808)) - Refactor legacy strange git operations ([#22756](go-gitea/gitea#22756)) - Improve error report when user passes a private key ([#22726](go-gitea/gitea#22726)) - set user dashboard org visibility to basic ([#22706](go-gitea/gitea#22706)) - Fix diff UI for unexpandable items ([#22700](go-gitea/gitea#22700)) - Remove 'primary' class from tab counter labels ([#22687](go-gitea/gitea#22687)) - Add more events details supports for actions ([#22680](go-gitea/gitea#22680)) - Refactor git command package to improve security and maintainability ([#22678](go-gitea/gitea#22678)) - Use relative url in actions view ([#22675](go-gitea/gitea#22675)) - set user visibility class to basic ([#22674](go-gitea/gitea#22674)) - Add repository setting to enable/disable releases unit ([#22671](go-gitea/gitea#22671)) - Remove label color from global issue filters ([#22660](go-gitea/gitea#22660)) - Fix poor alignment of organization description on organization home page ([#22656](go-gitea/gitea#22656)) - Small refactor for loading PRs ([#22652](go-gitea/gitea#22652)) - Allow setting access token scope by CLI ([#22648](go-gitea/gitea#22648)) - Improve accessibility of navigation bar and footer ([#22635](go-gitea/gitea#22635)) - Fixes accessibility behavior of Watching, Staring and Fork buttons ([#22634](go-gitea/gitea#22634)) - Fixes accessibility of empty repository commit status ([#22632](go-gitea/gitea#22632)) - Pull request yaml template support for including commit body in a field ([#22629](go-gitea/gitea#22629)) - Show migration validation error ([#22619](go-gitea/gitea#22619)) - set org visibility class to basic in header ([#22605](go-gitea/gitea#22605)) - Fix cache-control header clearing comment text when editing issue ([#22604](go-gitea/gitea#22604)) - Add ARIA support for Fomantic UI checkboxes ([#22599](go-gitea/gitea#22599)) - Add templates to customize text when creating and migrating repositories ([#22597](go-gitea/gitea#22597)) - Allow setting `redirect_to` cookie on OAuth login ([#22594](go-gitea/gitea#22594)) - Improve checkbox accessibility a bit by adding the title attribute ([#22593](go-gitea/gitea#22593)) - Allow issue templates to not render title ([#22589](go-gitea/gitea#22589)) - Webhooks: for issue close/reopen action, add commit ID that caused it ([#22583](go-gitea/gitea#22583)) - Fix missing title and filter in issue sidebar project menu ([#22557](go-gitea/gitea#22557)) - Issues: support setting issue template field values with query ([#22545](go-gitea/gitea#22545)) - Issues: add Project filter to issues list and search ([#22544](go-gitea/gitea#22544)) - Pull Requests: add color to approved/reject icon in pull requests list ([#22543](go-gitea/gitea#22543)) - Mute all links in issue timeline ([#22533](go-gitea/gitea#22533)) - Dropzone: Add "Copy link" button for new uploads ([#22517](go-gitea/gitea#22517)) - Support importing comment types ([#22510](go-gitea/gitea#22510)) - Load asciicast css async ([#22502](go-gitea/gitea#22502)) - Move delete user to service ([#22478](go-gitea/gitea#22478)) - Change use of Walk to WalkDir to improve disk performance ([#22462](go-gitea/gitea#22462)) - Add reply hint to mail text ([#22459](go-gitea/gitea#22459)) - fix wrong theme class when logged out if default theme is changed ([#22408](go-gitea/gitea#22408)) - Refactor the setting to make unit test easier ([#22405](go-gitea/gitea#22405)) - Improve utils of slices ([#22379](go-gitea/gitea#22379)) - Use context parameter in models/git ([#22367](go-gitea/gitea#22367)) - Always reuse transaction ([#22362](go-gitea/gitea#22362)) - Fix unstable emoji sort ([#22346](go-gitea/gitea#22346)) - Add context cache as a request level cache ([#22294](go-gitea/gitea#22294)) - Reminder for no more logs to console ([#22282](go-gitea/gitea#22282)) - Support estimated count with multiple schemas ([#22276](go-gitea/gitea#22276)) - Move `convert` package to services ([#22264](go-gitea/gitea#22264)) - Use dynamic package type list ([#22263](go-gitea/gitea#22263)) - Hide file borders on sticky diff box ([#22217](go-gitea/gitea#22217)) - Improve notification and stopwatch styles ([#22169](go-gitea/gitea#22169)) - Fixed Project view .board-column height for tall screens. ([#22108](go-gitea/gitea#22108)) - Use multi reader instead to concat strings ([#22099](go-gitea/gitea#22099)) - Use git command instead of exec.Cmd in blame ([#22098](go-gitea/gitea#22098)) - Fix autofilled text visibility in dark mode ([#22088](go-gitea/gitea#22088)) - Rename almost all Ctx functions ([#22071](go-gitea/gitea#22071)) - Rename actions to operations on UI ([#22067](go-gitea/gitea#22067)) - refactor bind functions based on generics ([#22055](go-gitea/gitea#22055)) - Support disabling database auto migration ([#22053](go-gitea/gitea#22053)) - remove duplicated read file code ([#22042](go-gitea/gitea#22042)) - Use link in UI which returned a relative url but not html_url which contains an absolute url ([#21986](go-gitea/gitea#21986)) - Skip initing disabled storages ([#21985](go-gitea/gitea#21985)) - Add doctor command for full GC of LFS ([#21978](go-gitea/gitea#21978)) - Util type to parse ref name ([#21969](go-gitea/gitea#21969)) - Replace fmt.Sprintf with hex.EncodeToString ([#21960](go-gitea/gitea#21960)) - Use random bytes to generate access token ([#21959](go-gitea/gitea#21959)) - Add index for access_token ([#21908](go-gitea/gitea#21908)) - Move all remaining colors into CSS variables ([#21903](go-gitea/gitea#21903)) - Webhook list enhancements ([#21893](go-gitea/gitea#21893)) - Embed Matrix icon as SVG ([#21890](go-gitea/gitea#21890)) - Remove useless "Cancel" buttons ([#21872](go-gitea/gitea#21872)) - fix(web): keep the pages of the navigation in the center ([#21867](go-gitea/gitea#21867)) - fix(web): reduce page jitter on browsers that support overlay scrollbar ([#21850](go-gitea/gitea#21850)) - Improvements for Content Copy ([#21842](go-gitea/gitea#21842)) - Tweak katex options ([#21828](go-gitea/gitea#21828)) - Show syntax lexer name in file view/blame ([#21814](go-gitea/gitea#21814)) - Remove `href="javascript:;"` in "save topics (Done)" button ([#21813](go-gitea/gitea#21813)) - Render number of commits in repo page in a user friendly way ([#21786](go-gitea/gitea#21786)) - Adjust clone timeout error to suggest increasing timeout ([#21769](go-gitea/gitea#21769)) - Update message of reach_limit_of_creation ([#21757](go-gitea/gitea#21757)) - Allow detect whether it's in a database transaction for a context.Context ([#21756](go-gitea/gitea#21756)) - Add configuration for CORS allowed headers ([#21747](go-gitea/gitea#21747)) - Move svg html render to modules/svg ([#21716](go-gitea/gitea#21716)) - Release and Tag List tweaks ([#21712](go-gitea/gitea#21712)) - Remove template previewer ([#21701](go-gitea/gitea#21701)) - Clean up formatting on install page ([#21668](go-gitea/gitea#21668)) - Configure update checker on installation page ([#21655](go-gitea/gitea#21655)) - Merge db.Iterate and IterateObjects ([#21641](go-gitea/gitea#21641)) - Add option to enable CAPTCHA validation for login ([#21638](go-gitea/gitea#21638)) - Allow disable RSS/Atom feed ([#21622](go-gitea/gitea#21622)) - Use CSS color-scheme instead of invert ([#21616](go-gitea/gitea#21616)) - Localize time units on activity heatmap ([#21570](go-gitea/gitea#21570)) - Fix UI column width, button overflow Fomantic's grid ([#21559](go-gitea/gitea#21559)) - feat: notify doers of a merge when automerging ([#21553](go-gitea/gitea#21553)) - Split migrations folder ([#21549](go-gitea/gitea#21549)) - feat: add button to quickly clear merge message ([#21548](go-gitea/gitea#21548)) - Add `context.Context` to more methods ([#21546](go-gitea/gitea#21546)) - Add index for hook_task table ([#21545](go-gitea/gitea#21545)) - Allow disable code tab ([#20805](go-gitea/gitea#20805)) - BUGFIXES - Fix template error when reference Project ([#23584](go-gitea/gitea#23584)) - Fix dropdown icon misalignment when using fomantic icon ([#23558](go-gitea/gitea#23558)) ([#23577](go-gitea/gitea#23577)) - Fix diff detail buttons wrapping, use tippy for review box ([#23271](go-gitea/gitea#23271)) ([#23546](go-gitea/gitea#23546)) - Handle missing `README` in create repos API ([#23387](go-gitea/gitea#23387)) ([#23510](go-gitea/gitea#23510)) - Disable sending email after push a commit to a closed PR ([#23462](go-gitea/gitea#23462)) ([#23492](go-gitea/gitea#23492)) - Fix aria.js bugs: incorrect role element problem, mobile focus problem, tippy problem ([#23450](go-gitea/gitea#23450)) ([#23486](go-gitea/gitea#23486)) - Fix due date being wrong on issue list ([#23475](go-gitea/gitea#23475)) ([#23477](go-gitea/gitea#23477)) - Remove wrongly added column on migration test fixtures ([#23456](go-gitea/gitea#23456)) ([#23470](go-gitea/gitea#23470)) - Make branches list page operations remember current page ([#23420](go-gitea/gitea#23420)) ([#23460](go-gitea/gitea#23460)) - Fix missing commit status in PR which from forked repo ([#23351](go-gitea/gitea#23351)) ([#23453](go-gitea/gitea#23453)) - Show edit/close/delete button on organization wide repositories ([#23388](go-gitea/gitea#23388)) ([#23429](go-gitea/gitea#23429)) - Preserve file size when creating attachments ([#23406](go-gitea/gitea#23406)) ([#23426](go-gitea/gitea#23426)) - Fix broken Chroma CSS styles ([#23174](go-gitea/gitea#23174)) ([#23402](go-gitea/gitea#23402)) - Fix incorrect NotFound conditions in org/projects.go ([#23384](go-gitea/gitea#23384)) ([#23395](go-gitea/gitea#23395)) - Set `X-Gitea-Debug` header once ([#23361](go-gitea/gitea#23361)) ([#23381](go-gitea/gitea#23381)) - Pass context to avatar for projects view ([#23359](go-gitea/gitea#23359)) ([#23378](go-gitea/gitea#23378)) - Fix panic when getting notes by ref ([#23372](go-gitea/gitea#23372)) ([#23377](go-gitea/gitea#23377)) - Do not recognize text files as audio ([#23355](go-gitea/gitea#23355)) ([#23368](go-gitea/gitea#23368)) - Fix adding of empty class name ([#23352](go-gitea/gitea#23352)) ([#23360](go-gitea/gitea#23360)) - Fix various ImageDiff/SVG bugs ([#23312](go-gitea/gitea#23312)) ([#23358](go-gitea/gitea#23358)) - Fix incorrect display for comment context menu ([#23343](go-gitea/gitea#23343)) ([#23344](go-gitea/gitea#23344)) - Remove unnecessary space on link ([#23334](go-gitea/gitea#23334)) ([#23340](go-gitea/gitea#23340)) - Fix incorrect redirect link of delete org project ([#23327](go-gitea/gitea#23327)) ([#23339](go-gitea/gitea#23339)) - Fix cannot reopen after pushing commits to a closed PR ([#23189](go-gitea/gitea#23189)) ([#23324](go-gitea/gitea#23324)) - Fix broken code editor diff preview ([#23307](go-gitea/gitea#23307)) ([#23320](go-gitea/gitea#23320)) - Support sanitising the URL by removing extra slashes in the URL ([#21333](go-gitea/gitea#21333)) ([#23300](go-gitea/gitea#23300)) - Avoid panic caused by broken payload when creating commit status ([#23216](go-gitea/gitea#23216)) ([#23294](go-gitea/gitea#23294)) - Fill head commit to in payload when notifying push commits for mirroring ([#23215](go-gitea/gitea#23215)) ([#23292](go-gitea/gitea#23292)) - Fix various bugs for "install" page ([#23194](go-gitea/gitea#23194)) ([#23286](go-gitea/gitea#23286)) - Fix GetFilesChangedBetween if the file name may be escaped ([#23272](go-gitea/gitea#23272)) ([#23279](go-gitea/gitea#23279)) - Revert relative links to absolute links in mail templates ([#23267](go-gitea/gitea#23267)) ([#23269](go-gitea/gitea#23269)) - Fix commit retrieval by tag ([#21804](go-gitea/gitea#21804)) ([#23266](go-gitea/gitea#23266)) - Use correct README link to render the README ([#23152](go-gitea/gitea#23152)) ([#23264](go-gitea/gitea#23264)) - Close the temp file when dumping database to make the temp file can be deleted on Windows ([#23249](go-gitea/gitea#23249)) ([#23251](go-gitea/gitea#23251)) - Use the correct selector to hide the checkmark of selected labels on clear ([#23224](go-gitea/gitea#23224)) ([#23228](go-gitea/gitea#23228)) - Fix incorrect checkbox behaviors in the dashboard repolist's filter ([#23147](go-gitea/gitea#23147)) ([#23205](go-gitea/gitea#23205)) - Properly flush unique queues on startup ([#23154](go-gitea/gitea#23154)) ([#23201](go-gitea/gitea#23201)) - Pass `--global` when calling `git config --get`, for consistency with `git config --set` ([#23157](go-gitea/gitea#23157)) ([#23199](go-gitea/gitea#23199)) - Make `gitea serv` respect git binary home ([#23138](go-gitea/gitea#23138)) ([#23197](go-gitea/gitea#23197)) - Change button text for commenting and closing an issue at the same time ([#23135](go-gitea/gitea#23135)) ([#23182](go-gitea/gitea#23182)) - Fix DBConsistency checks on MSSQL ([#23132](go-gitea/gitea#23132)) ([#23134](go-gitea/gitea#23134)) - Show empty repos in Admin Repository Management page ([#23114](go-gitea/gitea#23114)) ([#23130](go-gitea/gitea#23130)) - Redirect to the commit page after applying patch ([#23056](go-gitea/gitea#23056)) ([#23127](go-gitea/gitea#23127)) - Fix nil context in RenderMarkdownToHtml ([#23092](go-gitea/gitea#23092)) ([#23108](go-gitea/gitea#23108)) - Make issue meta dropdown support Enter, confirm before reloading ([#23014](go-gitea/gitea#23014)) ([#23102](go-gitea/gitea#23102)) - Fix SyncOnCommit always return false in API of push_mirrors ([#23088](go-gitea/gitea#23088)) ([#23100](go-gitea/gitea#23100)) - Fix commit name in Apply Patch page ([#23086](go-gitea/gitea#23086)) ([#23099](go-gitea/gitea#23099)) - Fix some more hidden problems ([#23074](go-gitea/gitea#23074)) ([#23075](go-gitea/gitea#23075)) - Bump golang.org/x/net from 0.4.0 to 0.7.0 ([#22980](go-gitea/gitea#22980)) - Get rules by id when editing branch protection rule ([#22932](go-gitea/gitea#22932)) - Fix panic when call api (/repos/{owner}/{repo}/pulls/{index}/files) ([#22921](go-gitea/gitea#22921)) - Increase Content field size of gpg_import_key to MEDIUMTEXT ([#22897](go-gitea/gitea#22897)) - Fix hidden commit status on multiple checks ([#22889](go-gitea/gitea#22889)) - Fix update by rebase being wrongly disabled by protected base branch ([#22825](go-gitea/gitea#22825)) - Make issue title edit buttons focusable and fix incorrect ajax requests ([#22807](go-gitea/gitea#22807)) - Fix rerun button of Actions ([#22798](go-gitea/gitea#22798)) - remove update language in ProfilePost ([#22748](go-gitea/gitea#22748)) - Do not overwrite empty DefaultBranch ([#22708](go-gitea/gitea#22708)) - Fix ref to trigger Actions ([#22679](go-gitea/gitea#22679)) - Fix time to NotifyPullRequestSynchronized ([#22650](go-gitea/gitea#22650)) - Show all projects, not just repo projects and open/closed projects ([#22640](go-gitea/gitea#22640)) - Project links should use parent link methods ([#22587](go-gitea/gitea#22587)) - Fix group filter for ldap source sync ([#22506](go-gitea/gitea#22506)) - Check quota limits for container uploads ([#22450](go-gitea/gitea#22450)) - Fix halfCommitter and WithTx ([#22366](go-gitea/gitea#22366)) - Attempt to fix TestExportUserGPGKeys ([#22159](go-gitea/gitea#22159)) - Fix heatmap first color being unused ([#22157](go-gitea/gitea#22157)) - Fix scroll over mermaid frame ([#21925](go-gitea/gitea#21925)) - Move migration test fixtures to the correct directories ([#21901](go-gitea/gitea#21901)) - fix(web): add `alt` for logo in home page ([#21887](go-gitea/gitea#21887)) - Fix webhook attachment text is not set in review comment ([#21763](go-gitea/gitea#21763)) - Alter package_version.metadata_json to LONGTEXT ([#21667](go-gitea/gitea#21667)) - Ensure that Webhook tasks are not double delivered ([#21558](go-gitea/gitea#21558)) - TESTING - Make CI use a dummy password hasher for all tests ([#22983](go-gitea/gitea#22983)) - Disable test for incoming email ([#22686](go-gitea/gitea#22686)) - Move fuzz tests into tests/fuzz ([#22376](go-gitea/gitea#22376)) - Test views of LFS files ([#22196](go-gitea/gitea#22196)) - Specify ID in `TestAPITeam` ([#22192](go-gitea/gitea#22192)) - verify nodeinfo response by schema ([#22137](go-gitea/gitea#22137)) - Skip GitHub migration tests if the API token is undefined ([#21824](go-gitea/gitea#21824)) - Add a simple test for external renderer ([#20033](go-gitea/gitea#20033)) - TRANSLATION - Use "Title Case" for text "Reference in new issue" ([#22936](go-gitea/gitea#22936)) - BUILD - Wrap unless-check in docker manifests ([#23079](go-gitea/gitea#23079)) ([#23081](go-gitea/gitea#23081)) - Adjust manifest to prevent tagging latest on rcs ([#22811](go-gitea/gitea#22811)) - update to build with go1.20 ([#22732](go-gitea/gitea#22732)) - Add Bash and Zsh completion scripts ([#22646](go-gitea/gitea#22646)) - Add Contributed backport command ([#22643](go-gitea/gitea#22643)) - Remove deprecated packages & staticcheck fixes ([#22012](go-gitea/gitea#22012)) - Update to Alpine 3.17 ([#21904](go-gitea/gitea#21904)) - Fix webpack license warning ([#21815](go-gitea/gitea#21815)) - DOCS - Update documentation for the new YAML label file format ([#23020](go-gitea/gitea#23020)) ([#23341](go-gitea/gitea#23341)) - Update hacking-on-gitea-zh_cn documentation ([#23315](go-gitea/gitea#23315)) ([#23323](go-gitea/gitea#23323)) - Add basic documentation for labels, including scoped labels ([#23304](go-gitea/gitea#23304)) ([#23309](go-gitea/gitea#23309)) - Re-add accidentally removed `hacking-on-gitea.zh-cn.md` ([#23297](go-gitea/gitea#23297)) ([#23305](go-gitea/gitea#23305)) - Fix secrets overview page missing from docs sidebar ([#23143](go-gitea/gitea#23143)) ([#23145](go-gitea/gitea#23145)) - Add some guidelines for refactoring ([#22880](go-gitea/gitea#22880)) - Explain that the no-access team unit does not affect public repositories ([#22661](go-gitea/gitea#22661)) - Fix incorrect Redis URL snippets in the example app.ini ([#22573](go-gitea/gitea#22573)) - docs: add swagger.json file location to FAQ ([#22489](go-gitea/gitea#22489)) - Update index.de-de.md ([#22363](go-gitea/gitea#22363)) - Update Gmail mailer configuration ([#22291](go-gitea/gitea#22291)) - Add missed reverse proxy authentication documentation ([#22250](go-gitea/gitea#22250)) - Add plural definitions for German translations ([#21802](go-gitea/gitea#21802)) - Attempt clarify AppWorkPath etc. ([#21656](go-gitea/gitea#21656)) - Add some documentation to packages ([#21648](go-gitea/gitea#21648)) - MISC - Use `<nav>` instead of `<div>` in the global navbar ([#23125](go-gitea/gitea#23125)) ([#23533](go-gitea/gitea#23533)) - Do not create commit graph for temporary repos ([#23219](go-gitea/gitea#23219)) ([#23229](go-gitea/gitea#23229)) - Update button is shown when a Pull Request is marked WIP - Issue [#21740](go-gitea/gitea#21740) ([#22683](go-gitea/gitea#22683)) - Add main landmark to templates and adjust titles ([#22670](go-gitea/gitea#22670)) - Fix error on account activation with wrong passwd ([#22609](go-gitea/gitea#22609)) - Update JS dependencies ([#22538](go-gitea/gitea#22538)) - Display unreferenced packages total size in package admin panel ([#22498](go-gitea/gitea#22498)) - Mobile fix for Project view: Add delay to Sortable.js on mobile, to ensure scrolling is possible. ([#22152](go-gitea/gitea#22152)) - Update chroma to v2.4.0 ([#22000](go-gitea/gitea#22000)) - Hide collapse icon in diff with no lines ([#21094](go-gitea/gitea#21094)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Co-authored-by: Michael Wittig <michael.wittig@posteo.de> Reviewed-on: https://gitea.sh4ke.rocks/sh4ke/k8s-projects/pulls/115

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gitea/gitea](https://github.com/go-gitea/gitea) | minor | `1.18.5-rootless` -> `1.19.0-rootless` | --- ### Release Notes <details> <summary>go-gitea/gitea</summary> ### [`v1.19.0`](https://github.com/go-gitea/gitea/blob/HEAD/CHANGELOG.md#1190-httpsgithubcomgo-giteagiteareleasestag1190---2023-03-19) [Compare Source](go-gitea/gitea@v1.18.5...v1.19.0) - BREAKING - Add loading yaml label template files ([#22976](go-gitea/gitea#22976)) ([#23232](go-gitea/gitea#23232)) - Make issue and code search support camel case for Bleve ([#22829](go-gitea/gitea#22829)) - Repositories: by default disable all units except code and pulls on forks ([#22541](go-gitea/gitea#22541)) - Support template for merge message description ([#22248](go-gitea/gitea#22248)) - Remove ONLY_SHOW_RELEVANT_REPOS setting ([#21962](go-gitea/gitea#21962)) - Implement actions ([#21937](go-gitea/gitea#21937)) - Remove deprecated DSA host key from Docker Container ([#21522](go-gitea/gitea#21522)) - Improve valid user name check ([#20136](go-gitea/gitea#20136)) - SECURITY - Return 404 instead of 403 if user can not access the repo ([#23155](go-gitea/gitea#23155)) ([#23158](go-gitea/gitea#23158)) - Support scoped access tokens ([#20908](go-gitea/gitea#20908)) - FEATURES - Add support for commit cross references ([#22645](go-gitea/gitea#22645)) - Scoped labels ([#22585](go-gitea/gitea#22585)) - Add Chef package registry ([#22554](go-gitea/gitea#22554)) - Support asciicast files as new markup ([#22448](go-gitea/gitea#22448)) - cgo cross-compile for freebsd ([#22397](go-gitea/gitea#22397)) - Add cron method to gc LFS MetaObjects ([#22385](go-gitea/gitea#22385)) - Add new captcha: cloudflare turnstile ([#22369](go-gitea/gitea#22369)) - Enable `@<user>`- completion popup on the release description textarea ([#22359](go-gitea/gitea#22359)) - make /{username}.png redirect to user/org avatar ([#22356](go-gitea/gitea#22356)) - Add Conda package registry ([#22262](go-gitea/gitea#22262)) - Support org/user level projects ([#22235](go-gitea/gitea#22235)) - Add Mermaid copy button ([#22225](go-gitea/gitea#22225)) - Add user secrets ([#22191](go-gitea/gitea#22191)) - Secrets storage with SecretKey encrypted ([#22142](go-gitea/gitea#22142)) - Preview images for Issue cards in Project Board view ([#22112](go-gitea/gitea#22112)) - Add support for incoming emails ([#22056](go-gitea/gitea#22056)) - Add Cargo package registry ([#21888](go-gitea/gitea#21888)) - Add option to prohibit fork if user reached maximum limit of repositories ([#21848](go-gitea/gitea#21848)) - Add attention blocks within quote blocks for `Note` and `Warning` ([#21711](go-gitea/gitea#21711)) - Add Feed for Releases and Tags ([#21696](go-gitea/gitea#21696)) - Add package registry cleanup rules ([#21658](go-gitea/gitea#21658)) - Add "Copy" button to file view of raw text ([#21629](go-gitea/gitea#21629)) - Allow disable sitemap ([#21617](go-gitea/gitea#21617)) - Add package registry quota limits ([#21584](go-gitea/gitea#21584)) - Map OIDC groups to Orgs/Teams ([#21441](go-gitea/gitea#21441)) - Keep languages defined in .gitattributes ([#21403](go-gitea/gitea#21403)) - Add Webhook authorization header ([#20926](go-gitea/gitea#20926)) - Supports wildcard protected branch ([#20825](go-gitea/gitea#20825)) - Copy citation file content, in APA and BibTex format, on repo home page ([#19999](go-gitea/gitea#19999)) - API - Match api migration behavior to web behavior ([#23552](go-gitea/gitea#23552)) ([#23573](go-gitea/gitea#23573)) - Purge API comment ([#23451](go-gitea/gitea#23451)) ([#23452](go-gitea/gitea#23452)) - User creation API: allow custom "created" timestamps ([#22549](go-gitea/gitea#22549)) - Add `updated_at` field to PullReview API object ([#21812](go-gitea/gitea#21812)) - Add API management for issue/pull and comment attachments ([#21783](go-gitea/gitea#21783)) - Add API endpoint to get latest release ([#21267](go-gitea/gitea#21267)) - Support system hook API ([#14537](go-gitea/gitea#14537)) - ENHANCEMENTS - Add `.patch` to `attachment.ALLOWED_TYPES` ([#23580](go-gitea/gitea#23580)) ([#23582](go-gitea/gitea#23582)) - Fix sticky header in diff view ([#23554](go-gitea/gitea#23554)) ([#23568](go-gitea/gitea#23568)) - Refactor merge/update git command calls ([#23366](go-gitea/gitea#23366)) ([#23544](go-gitea/gitea#23544)) - Fix review comment context menu clipped bug ([#23523](go-gitea/gitea#23523)) ([#23543](go-gitea/gitea#23543)) - Imrove scroll behavior to hash issuecomment(scroll position, auto expand if file is folded, and on refreshing) ([#23513](go-gitea/gitea#23513)) ([#23540](go-gitea/gitea#23540)) - Increase horizontal page padding ([#23507](go-gitea/gitea#23507)) ([#23537](go-gitea/gitea#23537)) - Use octicon-verified for gpg signatures ([#23529](go-gitea/gitea#23529)) ([#23536](go-gitea/gitea#23536)) - Make time tooltips interactive ([#23526](go-gitea/gitea#23526)) ([#23527](go-gitea/gitea#23527)) - Replace Less with CSS ([#23508](go-gitea/gitea#23508)) - Fix 'View File' button in code search ([#23478](go-gitea/gitea#23478)) ([#23483](go-gitea/gitea#23483)) - Convert GitHub event on actions and fix some pull_request events. ([#23037](go-gitea/gitea#23037)) ([#23471](go-gitea/gitea#23471)) - Support reflogs ([#22451](go-gitea/gitea#22451)) ([#23438](go-gitea/gitea#23438)) - Fix actions frontend bugs (pagination, long name alignment) and small simplify ([#23370](go-gitea/gitea#23370)) ([#23436](go-gitea/gitea#23436)) - Scoped label display and documentation tweaks ([#23430](go-gitea/gitea#23430)) ([#23433](go-gitea/gitea#23433)) - Add missing tabs to org projects page ([#22705](go-gitea/gitea#22705)) ([#23412](go-gitea/gitea#23412)) - Fix and move "Use this template" button ([#23398](go-gitea/gitea#23398)) ([#23408](go-gitea/gitea#23408)) - Handle OpenID discovery URL errors a little nicer when creating/editing sources ([#23397](go-gitea/gitea#23397)) ([#23403](go-gitea/gitea#23403)) - Rename `canWriteUnit` to `canWriteProjects` ([#23386](go-gitea/gitea#23386)) ([#23399](go-gitea/gitea#23399)) - Refactor and tidy-up the merge/update branch code ([#22568](go-gitea/gitea#22568)) ([#23365](go-gitea/gitea#23365)) - Refactor `setting.Database.UseXXX` to methods ([#23354](go-gitea/gitea#23354)) ([#23356](go-gitea/gitea#23356)) - Fix incorrect project links and use symlink icon for org-wide projects ([#23325](go-gitea/gitea#23325)) ([#23336](go-gitea/gitea#23336)) - Fix PR view misalignment caused by long name file ([#23321](go-gitea/gitea#23321)) ([#23335](go-gitea/gitea#23335)) - Scoped labels: don't require holding alt key to remove ([#23303](go-gitea/gitea#23303)) ([#23331](go-gitea/gitea#23331)) - Add context when rendering labels or emojis ([#23281](go-gitea/gitea#23281)) ([#23319](go-gitea/gitea#23319)) - Change interactiveBorder to fix popup preview ([#23169](go-gitea/gitea#23169)) ([#23314](go-gitea/gitea#23314)) - Scoped labels: set aria-disabled on muted Exclusive option for a11y ([#23306](go-gitea/gitea#23306)) ([#23311](go-gitea/gitea#23311)) - update to mermaid v10 ([#23178](go-gitea/gitea#23178)) ([#23299](go-gitea/gitea#23299)) - Fix code wrap for unbroken lines ([#23268](go-gitea/gitea#23268)) ([#23293](go-gitea/gitea#23293)) - Use async await to fix empty quote reply at first time ([#23168](go-gitea/gitea#23168)) ([#23256](go-gitea/gitea#23256)) - Fix switched citation format ([#23250](go-gitea/gitea#23250)) ([#23253](go-gitea/gitea#23253)) - Allow `<video>` in MarkDown ([#22892](go-gitea/gitea#22892)) ([#23236](go-gitea/gitea#23236)) - Order pull request conflict checking by recently updated, for each push ([#23220](go-gitea/gitea#23220)) ([#23225](go-gitea/gitea#23225)) - Fix Fomantic UI's `touchstart` fastclick, always use `click` for click events ([#23065](go-gitea/gitea#23065)) ([#23195](go-gitea/gitea#23195)) - Add word-break to sidebar-item-link ([#23146](go-gitea/gitea#23146)) ([#23180](go-gitea/gitea#23180)) - Add InsecureSkipVerify to Minio Client for Storage ([#23166](go-gitea/gitea#23166)) ([#23177](go-gitea/gitea#23177)) - Fix height for sticky head on large screen on PR page ([#23111](go-gitea/gitea#23111)) ([#23123](go-gitea/gitea#23123)) - Change style to improve whitespaces trimming inside inline markdown code ([#23093](go-gitea/gitea#23093)) ([#23120](go-gitea/gitea#23120)) - Avoid warning for system setting when start up ([#23054](go-gitea/gitea#23054)) ([#23116](go-gitea/gitea#23116)) - Add accessibility to the menu on the navbar ([#23059](go-gitea/gitea#23059)) ([#23095](go-gitea/gitea#23095)) - Improve accessibility for issue comments ([#22612](go-gitea/gitea#22612)) ([#23083](go-gitea/gitea#23083)) - Remove delete button for review comment ([#23036](go-gitea/gitea#23036)) - Remove dashes between organization member avatars on hover ([#23034](go-gitea/gitea#23034)) - Use `gt-relative` class instead of the ambiguous `gt-pr` class ([#23008](go-gitea/gitea#23008)) - handle deprecated settings ([#22992](go-gitea/gitea#22992)) - Add scopes to API to create token and display them ([#22989](go-gitea/gitea#22989)) - Improve PR Review Box UI ([#22986](go-gitea/gitea#22986)) - Improve issues.LoadProject ([#22982](go-gitea/gitea#22982)) - Add all units to the units permission list in org team members sidebar ([#22971](go-gitea/gitea#22971)) - Rename `GetUnits` to `LoadUnits` ([#22970](go-gitea/gitea#22970)) - Rename `repo.GetOwner` to `repo.LoadOwner` ([#22967](go-gitea/gitea#22967)) - Rename "People" to "Members" in organization page and use a better icon ([#22960](go-gitea/gitea#22960)) - Fix avatar misalignment ([#22955](go-gitea/gitea#22955)) - Sort issues and pulls by recently updated in user and organization home ([#22925](go-gitea/gitea#22925)) - Add `title` to PR file tree items ([#22918](go-gitea/gitea#22918)) - First step to refactor the `.hide` to `.gt-hidden` ([#22916](go-gitea/gitea#22916)) - Add tooltip to issue reference ([#22913](go-gitea/gitea#22913)) - Always show the `command line instructions` button even if there are conflicts ([#22909](go-gitea/gitea#22909)) - Fix dark-colored description text in arc-green theme ([#22908](go-gitea/gitea#22908)) - Remove Fomantic-UI's `.hidden` CSS class for menu elements ([#22895](go-gitea/gitea#22895)) - Move helpers to be prefixed with `gt-` ([#22879](go-gitea/gitea#22879)) - Move `IsReadmeFile*` from `modules/markup/` to `modules/util` ([#22877](go-gitea/gitea#22877)) - Highlight focused diff file ([#22870](go-gitea/gitea#22870)) - Add some headings to repo views ([#22869](go-gitea/gitea#22869)) - Fix milestone title font problem ([#22863](go-gitea/gitea#22863)) - Pull Requests: setting to allow edits by maintainers by default, tweak UI ([#22862](go-gitea/gitea#22862)) - Introduce customized HTML elements, fix incorrect AppUrl usages in templates ([#22861](go-gitea/gitea#22861)) - Add `/$count` endpoints for NuGet v2 ([#22855](go-gitea/gitea#22855)) - Remove Fomantic-UI's `.hidden` CSS class for checkbox elements ([#22851](go-gitea/gitea#22851)) - Fix notification and stopwatch empty states ([#22845](go-gitea/gitea#22845)) - Always go full width in PR view ([#22844](go-gitea/gitea#22844)) - Improve AppUrl/ROOT_URL checking ([#22836](go-gitea/gitea#22836)) - Fix style of actions rerun button ([#22835](go-gitea/gitea#22835)) - Fix more HTMLURL in templates ([#22831](go-gitea/gitea#22831)) - Fix inconsistent Filter Project name in issue list ([#22827](go-gitea/gitea#22827)) - include build info in Prometheus metrics ([#22819](go-gitea/gitea#22819)) - Make clone URL use current page's host ([#22808](go-gitea/gitea#22808)) - Refactor legacy strange git operations ([#22756](go-gitea/gitea#22756)) - Improve error report when user passes a private key ([#22726](go-gitea/gitea#22726)) - set user dashboard org visibility to basic ([#22706](go-gitea/gitea#22706)) - Fix diff UI for unexpandable items ([#22700](go-gitea/gitea#22700)) - Remove 'primary' class from tab counter labels ([#22687](go-gitea/gitea#22687)) - Add more events details supports for actions ([#22680](go-gitea/gitea#22680)) - Refactor git command package to improve security and maintainability ([#22678](go-gitea/gitea#22678)) - Use relative url in actions view ([#22675](go-gitea/gitea#22675)) - set user visibility class to basic ([#22674](go-gitea/gitea#22674)) - Add repository setting to enable/disable releases unit ([#22671](go-gitea/gitea#22671)) - Remove label color from global issue filters ([#22660](go-gitea/gitea#22660)) - Fix poor alignment of organization description on organization home page ([#22656](go-gitea/gitea#22656)) - Small refactor for loading PRs ([#22652](go-gitea/gitea#22652)) - Allow setting access token scope by CLI ([#22648](go-gitea/gitea#22648)) - Improve accessibility of navigation bar and footer ([#22635](go-gitea/gitea#22635)) - Fixes accessibility behavior of Watching, Staring and Fork buttons ([#22634](go-gitea/gitea#22634)) - Fixes accessibility of empty repository commit status ([#22632](go-gitea/gitea#22632)) - Pull request yaml template support for including commit body in a field ([#22629](go-gitea/gitea#22629)) - Show migration validation error ([#22619](go-gitea/gitea#22619)) - set org visibility class to basic in header ([#22605](go-gitea/gitea#22605)) - Fix cache-control header clearing comment text when editing issue ([#22604](go-gitea/gitea#22604)) - Add ARIA support for Fomantic UI checkboxes ([#22599](go-gitea/gitea#22599)) - Add templates to customize text when creating and migrating repositories ([#22597](go-gitea/gitea#22597)) - Allow setting `redirect_to` cookie on OAuth login ([#22594](go-gitea/gitea#22594)) - Improve checkbox accessibility a bit by adding the title attribute ([#22593](go-gitea/gitea#22593)) - Allow issue templates to not render title ([#22589](go-gitea/gitea#22589)) - Webhooks: for issue close/reopen action, add commit ID that caused it ([#22583](go-gitea/gitea#22583)) - Fix missing title and filter in issue sidebar project menu ([#22557](go-gitea/gitea#22557)) - Issues: support setting issue template field values with query ([#22545](go-gitea/gitea#22545)) - Issues: add Project filter to issues list and search ([#22544](go-gitea/gitea#22544)) - Pull Requests: add color to approved/reject icon in pull requests list ([#22543](go-gitea/gitea#22543)) - Mute all links in issue timeline ([#22533](go-gitea/gitea#22533)) - Dropzone: Add "Copy link" button for new uploads ([#22517](go-gitea/gitea#22517)) - Support importing comment types ([#22510](go-gitea/gitea#22510)) - Load asciicast css async ([#22502](go-gitea/gitea#22502)) - Move delete user to service ([#22478](go-gitea/gitea#22478)) - Change use of Walk to WalkDir to improve disk performance ([#22462](go-gitea/gitea#22462)) - Add reply hint to mail text ([#22459](go-gitea/gitea#22459)) - fix wrong theme class when logged out if default theme is changed ([#22408](go-gitea/gitea#22408)) - Refactor the setting to make unit test easier ([#22405](go-gitea/gitea#22405)) - Improve utils of slices ([#22379](go-gitea/gitea#22379)) - Use context parameter in models/git ([#22367](go-gitea/gitea#22367)) - Always reuse transaction ([#22362](go-gitea/gitea#22362)) - Fix unstable emoji sort ([#22346](go-gitea/gitea#22346)) - Add context cache as a request level cache ([#22294](go-gitea/gitea#22294)) - Reminder for no more logs to console ([#22282](go-gitea/gitea#22282)) - Support estimated count with multiple schemas ([#22276](go-gitea/gitea#22276)) - Move `convert` package to services ([#22264](go-gitea/gitea#22264)) - Use dynamic package type list ([#22263](go-gitea/gitea#22263)) - Hide file borders on sticky diff box ([#22217](go-gitea/gitea#22217)) - Improve notification and stopwatch styles ([#22169](go-gitea/gitea#22169)) - Fixed Project view .board-column height for tall screens. ([#22108](go-gitea/gitea#22108)) - Use multi reader instead to concat strings ([#22099](go-gitea/gitea#22099)) - Use git command instead of exec.Cmd in blame ([#22098](go-gitea/gitea#22098)) - Fix autofilled text visibility in dark mode ([#22088](go-gitea/gitea#22088)) - Rename almost all Ctx functions ([#22071](go-gitea/gitea#22071)) - Rename actions to operations on UI ([#22067](go-gitea/gitea#22067)) - refactor bind functions based on generics ([#22055](go-gitea/gitea#22055)) - Support disabling database auto migration ([#22053](go-gitea/gitea#22053)) - remove duplicated read file code ([#22042](go-gitea/gitea#22042)) - Use link in UI which returned a relative url but not html_url which contains an absolute url ([#21986](go-gitea/gitea#21986)) - Skip initing disabled storages ([#21985](go-gitea/gitea#21985)) - Add doctor command for full GC of LFS ([#21978](go-gitea/gitea#21978)) - Util type to parse ref name ([#21969](go-gitea/gitea#21969)) - Replace fmt.Sprintf with hex.EncodeToString ([#21960](go-gitea/gitea#21960)) - Use random bytes to generate access token ([#21959](go-gitea/gitea#21959)) - Add index for access_token ([#21908](go-gitea/gitea#21908)) - Move all remaining colors into CSS variables ([#21903](go-gitea/gitea#21903)) - Webhook list enhancements ([#21893](go-gitea/gitea#21893)) - Embed Matrix icon as SVG ([#21890](go-gitea/gitea#21890)) - Remove useless "Cancel" buttons ([#21872](go-gitea/gitea#21872)) - fix(web): keep the pages of the navigation in the center ([#21867](go-gitea/gitea#21867)) - fix(web): reduce page jitter on browsers that support overlay scrollbar ([#21850](go-gitea/gitea#21850)) - Improvements for Content Copy ([#21842](go-gitea/gitea#21842)) - Tweak katex options ([#21828](go-gitea/gitea#21828)) - Show syntax lexer name in file view/blame ([#21814](go-gitea/gitea#21814)) - Remove `href="javascript:;"` in "save topics (Done)" button ([#21813](go-gitea/gitea#21813)) - Render number of commits in repo page in a user friendly way ([#21786](go-gitea/gitea#21786)) - Adjust clone timeout error to suggest increasing timeout ([#21769](go-gitea/gitea#21769)) - Update message of reach_limit_of_creation ([#21757](go-gitea/gitea#21757)) - Allow detect whether it's in a database transaction for a context.Context ([#21756](go-gitea/gitea#21756)) - Add configuration for CORS allowed headers ([#21747](go-gitea/gitea#21747)) - Move svg html render to modules/svg ([#21716](go-gitea/gitea#21716)) - Release and Tag List tweaks ([#21712](go-gitea/gitea#21712)) - Remove template previewer ([#21701](go-gitea/gitea#21701)) - Clean up formatting on install page ([#21668](go-gitea/gitea#21668)) - Configure update checker on installation page ([#21655](go-gitea/gitea#21655)) - Merge db.Iterate and IterateObjects ([#21641](go-gitea/gitea#21641)) - Add option to enable CAPTCHA validation for login ([#21638](go-gitea/gitea#21638)) - Allow disable RSS/Atom feed ([#21622](go-gitea/gitea#21622)) - Use CSS color-scheme instead of invert ([#21616](go-gitea/gitea#21616)) - Localize time units on activity heatmap ([#21570](go-gitea/gitea#21570)) - Fix UI column width, button overflow Fomantic's grid ([#21559](go-gitea/gitea#21559)) - feat: notify doers of a merge when automerging ([#21553](go-gitea/gitea#21553)) - Split migrations folder ([#21549](go-gitea/gitea#21549)) - feat: add button to quickly clear merge message ([#21548](go-gitea/gitea#21548)) - Add `context.Context` to more methods ([#21546](go-gitea/gitea#21546)) - Add index for hook_task table ([#21545](go-gitea/gitea#21545)) - Allow disable code tab ([#20805](go-gitea/gitea#20805)) - BUGFIXES - Fix template error when reference Project ([#23584](go-gitea/gitea#23584)) - Fix dropdown icon misalignment when using fomantic icon ([#23558](go-gitea/gitea#23558)) ([#23577](go-gitea/gitea#23577)) - Fix diff detail buttons wrapping, use tippy for review box ([#23271](go-gitea/gitea#23271)) ([#23546](go-gitea/gitea#23546)) - Handle missing `README` in create repos API ([#23387](go-gitea/gitea#23387)) ([#23510](go-gitea/gitea#23510)) - Disable sending email after push a commit to a closed PR ([#23462](go-gitea/gitea#23462)) ([#23492](go-gitea/gitea#23492)) - Fix aria.js bugs: incorrect role element problem, mobile focus problem, tippy problem ([#23450](go-gitea/gitea#23450)) ([#23486](go-gitea/gitea#23486)) - Fix due date being wrong on issue list ([#23475](go-gitea/gitea#23475)) ([#23477](go-gitea/gitea#23477)) - Remove wrongly added column on migration test fixtures ([#23456](go-gitea/gitea#23456)) ([#23470](go-gitea/gitea#23470)) - Make branches list page operations remember current page ([#23420](go-gitea/gitea#23420)) ([#23460](go-gitea/gitea#23460)) - Fix missing commit status in PR which from forked repo ([#23351](go-gitea/gitea#23351)) ([#23453](go-gitea/gitea#23453)) - Show edit/close/delete button on organization wide repositories ([#23388](go-gitea/gitea#23388)) ([#23429](go-gitea/gitea#23429)) - Preserve file size when creating attachments ([#23406](go-gitea/gitea#23406)) ([#23426](go-gitea/gitea#23426)) - Fix broken Chroma CSS styles ([#23174](go-gitea/gitea#23174)) ([#23402](go-gitea/gitea#23402)) - Fix incorrect NotFound conditions in org/projects.go ([#23384](go-gitea/gitea#23384)) ([#23395](go-gitea/gitea#23395)) - Set `X-Gitea-Debug` header once ([#23361](go-gitea/gitea#23361)) ([#23381](go-gitea/gitea#23381)) - Pass context to avatar for projects view ([#23359](go-gitea/gitea#23359)) ([#23378](go-gitea/gitea#23378)) - Fix panic when getting notes by ref ([#23372](go-gitea/gitea#23372)) ([#23377](go-gitea/gitea#23377)) - Do not recognize text files as audio ([#23355](go-gitea/gitea#23355)) ([#23368](go-gitea/gitea#23368)) - Fix adding of empty class name ([#23352](go-gitea/gitea#23352)) ([#23360](go-gitea/gitea#23360)) - Fix various ImageDiff/SVG bugs ([#23312](go-gitea/gitea#23312)) ([#23358](go-gitea/gitea#23358)) - Fix incorrect display for comment context menu ([#23343](go-gitea/gitea#23343)) ([#23344](go-gitea/gitea#23344)) - Remove unnecessary space on link ([#23334](go-gitea/gitea#23334)) ([#23340](go-gitea/gitea#23340)) - Fix incorrect redirect link of delete org project ([#23327](go-gitea/gitea#23327)) ([#23339](go-gitea/gitea#23339)) - Fix cannot reopen after pushing commits to a closed PR ([#23189](go-gitea/gitea#23189)) ([#23324](go-gitea/gitea#23324)) - Fix broken code editor diff preview ([#23307](go-gitea/gitea#23307)) ([#23320](go-gitea/gitea#23320)) - Support sanitising the URL by removing extra slashes in the URL ([#21333](go-gitea/gitea#21333)) ([#23300](go-gitea/gitea#23300)) - Avoid panic caused by broken payload when creating commit status ([#23216](go-gitea/gitea#23216)) ([#23294](go-gitea/gitea#23294)) - Fill head commit to in payload when notifying push commits for mirroring ([#23215](go-gitea/gitea#23215)) ([#23292](go-gitea/gitea#23292)) - Fix various bugs for "install" page ([#23194](go-gitea/gitea#23194)) ([#23286](go-gitea/gitea#23286)) - Fix GetFilesChangedBetween if the file name may be escaped ([#23272](go-gitea/gitea#23272)) ([#23279](go-gitea/gitea#23279)) - Revert relative links to absolute links in mail templates ([#23267](go-gitea/gitea#23267)) ([#23269](go-gitea/gitea#23269)) - Fix commit retrieval by tag ([#21804](go-gitea/gitea#21804)) ([#23266](go-gitea/gitea#23266)) - Use correct README link to render the README ([#23152](go-gitea/gitea#23152)) ([#23264](go-gitea/gitea#23264)) - Close the temp file when dumping database to make the temp file can be deleted on Windows ([#23249](go-gitea/gitea#23249)) ([#23251](go-gitea/gitea#23251)) - Use the correct selector to hide the checkmark of selected labels on clear ([#23224](go-gitea/gitea#23224)) ([#23228](go-gitea/gitea#23228)) - Fix incorrect checkbox behaviors in the dashboard repolist's filter ([#23147](go-gitea/gitea#23147)) ([#23205](go-gitea/gitea#23205)) - Properly flush unique queues on startup ([#23154](go-gitea/gitea#23154)) ([#23201](go-gitea/gitea#23201)) - Pass `--global` when calling `git config --get`, for consistency with `git config --set` ([#23157](go-gitea/gitea#23157)) ([#23199](go-gitea/gitea#23199)) - Make `gitea serv` respect git binary home ([#23138](go-gitea/gitea#23138)) ([#23197](go-gitea/gitea#23197)) - Change button text for commenting and closing an issue at the same time ([#23135](go-gitea/gitea#23135)) ([#23182](go-gitea/gitea#23182)) - Fix DBConsistency checks on MSSQL ([#23132](go-gitea/gitea#23132)) ([#23134](go-gitea/gitea#23134)) - Show empty repos in Admin Repository Management page ([#23114](go-gitea/gitea#23114)) ([#23130](go-gitea/gitea#23130)) - Redirect to the commit page after applying patch ([#23056](go-gitea/gitea#23056)) ([#23127](go-gitea/gitea#23127)) - Fix nil context in RenderMarkdownToHtml ([#23092](go-gitea/gitea#23092)) ([#23108](go-gitea/gitea#23108)) - Make issue meta dropdown support Enter, confirm before reloading ([#23014](go-gitea/gitea#23014)) ([#23102](go-gitea/gitea#23102)) - Fix SyncOnCommit always return false in API of push_mirrors ([#23088](go-gitea/gitea#23088)) ([#23100](go-gitea/gitea#23100)) - Fix commit name in Apply Patch page ([#23086](go-gitea/gitea#23086)) ([#23099](go-gitea/gitea#23099)) - Fix some more hidden problems ([#23074](go-gitea/gitea#23074)) ([#23075](go-gitea/gitea#23075)) - Bump golang.org/x/net from 0.4.0 to 0.7.0 ([#22980](go-gitea/gitea#22980)) - Get rules by id when editing branch protection rule ([#22932](go-gitea/gitea#22932)) - Fix panic when call api (/repos/{owner}/{repo}/pulls/{index}/files) ([#22921](go-gitea/gitea#22921)) - Increase Content field size of gpg_import_key to MEDIUMTEXT ([#22897](go-gitea/gitea#22897)) - Fix hidden commit status on multiple checks ([#22889](go-gitea/gitea#22889)) - Fix update by rebase being wrongly disabled by protected base branch ([#22825](go-gitea/gitea#22825)) - Make issue title edit buttons focusable and fix incorrect ajax requests ([#22807](go-gitea/gitea#22807)) - Fix rerun button of Actions ([#22798](go-gitea/gitea#22798)) - remove update language in ProfilePost ([#22748](go-gitea/gitea#22748)) - Do not overwrite empty DefaultBranch ([#22708](go-gitea/gitea#22708)) - Fix ref to trigger Actions ([#22679](go-gitea/gitea#22679)) - Fix time to NotifyPullRequestSynchronized ([#22650](go-gitea/gitea#22650)) - Show all projects, not just repo projects and open/closed projects ([#22640](go-gitea/gitea#22640)) - Project links should use parent link methods ([#22587](go-gitea/gitea#22587)) - Fix group filter for ldap source sync ([#22506](go-gitea/gitea#22506)) - Check quota limits for container uploads ([#22450](go-gitea/gitea#22450)) - Fix halfCommitter and WithTx ([#22366](go-gitea/gitea#22366)) - Attempt to fix TestExportUserGPGKeys ([#22159](go-gitea/gitea#22159)) - Fix heatmap first color being unused ([#22157](go-gitea/gitea#22157)) - Fix scroll over mermaid frame ([#21925](go-gitea/gitea#21925)) - Move migration test fixtures to the correct directories ([#21901](go-gitea/gitea#21901)) - fix(web): add `alt` for logo in home page ([#21887](go-gitea/gitea#21887)) - Fix webhook attachment text is not set in review comment ([#21763](go-gitea/gitea#21763)) - Alter package_version.metadata_json to LONGTEXT ([#21667](go-gitea/gitea#21667)) - Ensure that Webhook tasks are not double delivered ([#21558](go-gitea/gitea#21558)) - TESTING - Make CI use a dummy password hasher for all tests ([#22983](go-gitea/gitea#22983)) - Disable test for incoming email ([#22686](go-gitea/gitea#22686)) - Move fuzz tests into tests/fuzz ([#22376](go-gitea/gitea#22376)) - Test views of LFS files ([#22196](go-gitea/gitea#22196)) - Specify ID in `TestAPITeam` ([#22192](go-gitea/gitea#22192)) - verify nodeinfo response by schema ([#22137](go-gitea/gitea#22137)) - Skip GitHub migration tests if the API token is undefined ([#21824](go-gitea/gitea#21824)) - Add a simple test for external renderer ([#20033](go-gitea/gitea#20033)) - TRANSLATION - Use "Title Case" for text "Reference in new issue" ([#22936](go-gitea/gitea#22936)) - BUILD - Wrap unless-check in docker manifests ([#23079](go-gitea/gitea#23079)) ([#23081](go-gitea/gitea#23081)) - Adjust manifest to prevent tagging latest on rcs ([#22811](go-gitea/gitea#22811)) - update to build with go1.20 ([#22732](go-gitea/gitea#22732)) - Add Bash and Zsh completion scripts ([#22646](go-gitea/gitea#22646)) - Add Contributed backport command ([#22643](go-gitea/gitea#22643)) - Remove deprecated packages & staticcheck fixes ([#22012](go-gitea/gitea#22012)) - Update to Alpine 3.17 ([#21904](go-gitea/gitea#21904)) - Fix webpack license warning ([#21815](go-gitea/gitea#21815)) - DOCS - Update documentation for the new YAML label file format ([#23020](go-gitea/gitea#23020)) ([#23341](go-gitea/gitea#23341)) - Update hacking-on-gitea-zh_cn documentation ([#23315](go-gitea/gitea#23315)) ([#23323](go-gitea/gitea#23323)) - Add basic documentation for labels, including scoped labels ([#23304](go-gitea/gitea#23304)) ([#23309](go-gitea/gitea#23309)) - Re-add accidentally removed `hacking-on-gitea.zh-cn.md` ([#23297](go-gitea/gitea#23297)) ([#23305](go-gitea/gitea#23305)) - Fix secrets overview page missing from docs sidebar ([#23143](go-gitea/gitea#23143)) ([#23145](go-gitea/gitea#23145)) - Add some guidelines for refactoring ([#22880](go-gitea/gitea#22880)) - Explain that the no-access team unit does not affect public repositories ([#22661](go-gitea/gitea#22661)) - Fix incorrect Redis URL snippets in the example app.ini ([#22573](go-gitea/gitea#22573)) - docs: add swagger.json file location to FAQ ([#22489](go-gitea/gitea#22489)) - Update index.de-de.md ([#22363](go-gitea/gitea#22363)) - Update Gmail mailer configuration ([#22291](go-gitea/gitea#22291)) - Add missed reverse proxy authentication documentation ([#22250](go-gitea/gitea#22250)) - Add plural definitions for German translations ([#21802](go-gitea/gitea#21802)) - Attempt clarify AppWorkPath etc. ([#21656](go-gitea/gitea#21656)) - Add some documentation to packages ([#21648](go-gitea/gitea#21648)) - MISC - Use `<nav>` instead of `<div>` in the global navbar ([#23125](go-gitea/gitea#23125)) ([#23533](go-gitea/gitea#23533)) - Do not create commit graph for temporary repos ([#23219](go-gitea/gitea#23219)) ([#23229](go-gitea/gitea#23229)) - Update button is shown when a Pull Request is marked WIP - Issue [#21740](go-gitea/gitea#21740) ([#22683](go-gitea/gitea#22683)) - Add main landmark to templates and adjust titles ([#22670](go-gitea/gitea#22670)) - Fix error on account activation with wrong passwd ([#22609](go-gitea/gitea#22609)) - Update JS dependencies ([#22538](go-gitea/gitea#22538)) - Display unreferenced packages total size in package admin panel ([#22498](go-gitea/gitea#22498)) - Mobile fix for Project view: Add delay to Sortable.js on mobile, to ensure scrolling is possible. ([#22152](go-gitea/gitea#22152)) - Update chroma to v2.4.0 ([#22000](go-gitea/gitea#22000)) - Hide collapse icon in diff with no lines ([#21094](go-gitea/gitea#21094)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Co-authored-by: Michael Wittig <michael.wittig@posteo.de> Reviewed-on: https://gitea.sh4ke.rocks/sh4ke/k8s-projects/pulls/113

wxiaoguang mentioned this pull request Jan 31, 2023

Improve naming of methods to add arguments to git calls #22592

Closed

wxiaoguang force-pushed the refactor-git-cmd branch 2 times, most recently from bae15b3 to 9053697 Compare January 31, 2023 10:05

wxiaoguang changed the title ~~WIP: Refactor git cmd~~ Refactor git command package to improve security and maintainability Jan 31, 2023

yardenshoham added the type/refactoring Existing code has been cleaned up. There should be no new functionality. label Jan 31, 2023

wxiaoguang force-pushed the refactor-git-cmd branch 2 times, most recently from 13ab385 to 912189b Compare January 31, 2023 14:54

refactor

ef29872

wxiaoguang force-pushed the refactor-git-cmd branch from 912189b to ef29872 Compare January 31, 2023 17:10

zeripath reviewed Jan 31, 2023

View reviewed changes

modules/git/repo_branch_nogogit.go Outdated Show resolved Hide resolved

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 31, 2023

wxiaoguang added 3 commits February 1, 2023 09:41

Merge branch 'main' into refactor-git-cmd

e6580dc

quote argument names in comment to avoid spelling-check errors

36194cc

clarify the concept about "argument option/value"

01d79d0

wxiaoguang force-pushed the refactor-git-cmd branch from 0d05e0a to 01d79d0 Compare February 1, 2023 02:43

improve AddOptionFormat to avoid low-level mistakes

4db2bde

wolfogre approved these changes Feb 3, 2023

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 3, 2023

lunny approved these changes Feb 3, 2023

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 3, 2023

lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Feb 3, 2023

lunny added this to the 1.19.0 milestone Feb 3, 2023

Merge branch 'main' into refactor-git-cmd

eb12e65

delvh reviewed Feb 4, 2023

View reviewed changes

services/pull/merge.go Show resolved Hide resolved

services/pull/merge.go Show resolved Hide resolved

modules/git/repo_attribute.go Show resolved Hide resolved

modules/repository/init.go Show resolved Hide resolved

modules/git/repo_tag.go Show resolved Hide resolved

wxiaoguang added 2 commits February 4, 2023 09:16

Merge branch 'main' into refactor-git-cmd

b9455b3

add comment for empty "--"

123144e

lunny merged commit 6bc3079 into go-gitea:main Feb 4, 2023

lunny removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Feb 4, 2023

wxiaoguang deleted the refactor-git-cmd branch February 4, 2023 02:40

wxiaoguang mentioned this pull request Mar 8, 2023

Refactor merge/update git command calls #23366

Merged

wxiaoguang mentioned this pull request Mar 19, 2023

Use a general approach to show tooltip, fix temporary tooltip bug #23574

Merged

go-gitea locked and limited conversation to collaborators May 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Refactor git command package to improve security and maintainability #22678

Refactor git command package to improve security and maintainability #22678

wxiaoguang commented Jan 31, 2023 •

edited

delvh left a comment

wxiaoguang commented Feb 4, 2023

codecov-commenter commented Feb 4, 2023

delvh commented Feb 4, 2023

wxiaoguang commented Feb 4, 2023 •

edited

Refactor git command package to improve security and maintainability #22678

Refactor git command package to improve security and maintainability #22678

Conversation

wxiaoguang commented Jan 31, 2023 • edited

Review without space diff

Purpose of this PR

The main idea of this PR

FAQ

Why these changes were not done in #21535 ?

The naming of AddOptionXxx

How can it guarantee that internal.CmdArg won't be not misused?

There is still a ToTrustedCmdArgs, will it still allow developers to make mistakes and pass untrusted arguments?

Why there was a CmdArgCheck and why it's removed?

Why many codes for signArg == "" is deleted?

delvh left a comment

Choose a reason for hiding this comment

wxiaoguang commented Feb 4, 2023

codecov-commenter commented Feb 4, 2023

Codecov Report

delvh commented Feb 4, 2023

wxiaoguang commented Feb 4, 2023 • edited

wxiaoguang commented Jan 31, 2023 •

edited

The naming of `AddOptionXxx`

How can it guarantee that `internal.CmdArg` won't be not misused?

There is still a `ToTrustedCmdArgs`, will it still allow developers to make mistakes and pass untrusted arguments?

Why there was a `CmdArgCheck` and why it's removed?

Why many codes for `signArg == ""` is deleted?

wxiaoguang commented Feb 4, 2023 •

edited