Skip to content

fix(webhook): prevent tag events from bypassing branch filters targets #35449 #35567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Oct 3, 2025
Merged

fix(webhook): prevent tag events from bypassing branch filters targets #35449 #35567

merged 10 commits into from
Oct 3, 2025
+83 −34

Conversation

Exgene
Copy link
Contributor

@Exgene Exgene commented Oct 2, 2025

Tag creation/deletion was triggering push webhooks even when branch
filters were configured, causing unintended pipeline executions.

This change modifies the branch filter logic to check the full ref
name directly instead of first determining if it's a "branch" event.

Fixes: Tag events now properly respect branch filters

  • Add getPayloadRef() function to extract full ref names
  • Update PrepareWebhook() to use direct ref matching
  • Prevents refs/tags/* from matching refs/heads/* filters

Closes #35449

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 2, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Oct 2, 2025
@Exgene
Copy link
Contributor Author

Exgene commented Oct 2, 2025

Im working on adding integration tests for these to check both

  • Branch based filters
  • Tags

@wxiaoguang
Copy link
Contributor

I did some refactoring to use "git.RefName" type , to avoid abuses.

Now, we have a new problem, see the FIXME

wxiaoguang
wxiaoguang reviewed Oct 2, 2025
View reviewed changes
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Oct 2, 2025
edited
Loading

Made some changes in b9484cf and added some tests:

Now, branch name and full git ref are all supported.

image

@wxiaoguang wxiaoguang added this to the 1.26.0 milestone Oct 2, 2025
@Exgene
Copy link
Contributor Author

Exgene commented Oct 2, 2025
edited
Loading

Yeah cool i was thinking something along the same lines ig

Thanks i would love to contribute more.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 2, 2025
@silverwind
Copy link
Member

silverwind commented Oct 2, 2025
edited
Loading

image

Can we make contrast of the <code> text a bit better? e.g. use a more intense shade of --color-text-*. Maybe there are also suitable label text colors.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Oct 2, 2025
edited
Loading

Can we make contrast of the <code> text a bit better? e.g. use a more intense shade of --color-text-*. Maybe there are also suitable label text colors.

They are already using label colors. If you don't like, please edit directly.

image

@wxiaoguang
Copy link
Contributor

Can we make contrast of the <code> text a bit better? e.g. use a more intense shade of --color-text-*. Maybe there are also suitable label text colors.

They are already using label colors. If you don't like, please edit directly.

I think the current styles are right. Because ".form .help" has its own text color, intentionally we don't want much contrast here.

@silverwind
Copy link
Member

Can we make contrast of the <code> text a bit better? e.g. use a more intense shade of --color-text-*. Maybe there are also suitable label text colors.

They are already using label colors. If you don't like, please edit directly.

I think the current styles are right. Because ".form .help" has its own text color, intentionally we don't want much contrast here.

I changed it because current colors surely won't pass WICG contrast requirements. I've added label foreground color which I think looks alright:

image

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Oct 2, 2025
edited
Loading

Not sure whether it looks good to you. It's up to you.

image image

@silverwind
Copy link
Member

It looks acceptable. The only other idea is to introduce a new color with a slightly less intense color.

@silverwind
Copy link
Member

Slightly tweaked it for these help texts:

image

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 2, 2025
@silverwind silverwind merged commit c453210 into go-gitea:main Oct 3, 2025
26 checks passed
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Oct 3, 2025
@Exgene @wxiaoguang
@silverwind @GiteaBot
fix(webhook): prevent tag events from bypassing branch filters targets
aec2f51 
…go-gitea#35449 (go-gitea#35567)

Tag creation/deletion was triggering push webhooks even when branch
filters were configured, causing unintended pipeline executions.

This change modifies the branch filter logic to check the full ref
name directly instead of first determining if it's a "branch" event.

Fixes: Tag events now properly respect branch filters
- Add getPayloadRef() function to extract full ref names
- Update PrepareWebhook() to use direct ref matching
- Prevents refs/tags/* from matching refs/heads/* filters

Closes go-gitea#35449

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
@GiteaBot GiteaBot mentioned this pull request Oct 3, 2025
Merged
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Oct 3, 2025
wxiaoguang added a commit that referenced this pull request Oct 3, 2025
@GiteaBot @Exgene
@wxiaoguang @silverwind
fix(webhook): prevent tag events from bypassing branch filters targets (
d94faf6 
#35567) (#35577)

Backport #35567 by Exgene

Co-authored-by: Kausthubh J Rao <105716675+Exgene@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
rossigee pushed a commit to rossigee/gitea that referenced this pull request Oct 4, 2025
@Exgene @wxiaoguang
@silverwind @rossigee
fix(webhook): prevent tag events from bypassing branch filters targets
b7ca3bc 
…go-gitea#35449 (go-gitea#35567)

Tag creation/deletion was triggering push webhooks even when branch
filters were configured, causing unintended pipeline executions.

This change modifies the branch filter logic to check the full ref
name directly instead of first determining if it's a "branch" event.

Fixes: Tag events now properly respect branch filters
- Add getPayloadRef() function to extract full ref names
- Update PrepareWebhook() to use direct ref matching
- Prevents refs/tags/* from matching refs/heads/* filters

Closes go-gitea#35449

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
rossigee pushed a commit to rossigee/gitea that referenced this pull request Oct 4, 2025
@Exgene @wxiaoguang
@silverwind @rossigee
fix(webhook): prevent tag events from bypassing branch filters targets
549b27d 
…go-gitea#35449 (go-gitea#35567)

Tag creation/deletion was triggering push webhooks even when branch
filters were configured, causing unintended pipeline executions.

This change modifies the branch filter logic to check the full ref
name directly instead of first determining if it's a "branch" event.

Fixes: Tag events now properly respect branch filters
- Add getPayloadRef() function to extract full ref names
- Update PrepareWebhook() to use direct ref matching
- Prevents refs/tags/* from matching refs/heads/* filters

Closes go-gitea#35449

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 5, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
06198a4 
* giteaofficial/main:
  fix: auto-expand and auto-scroll for actions logs (go-gitea#35570) (go-gitea#35583)
  [skip ci] Updated translations via Crowdin
  [skip ci] Updated translations via Crowdin
  Fix creating pull request failure when the target branch name is the same as some tag (go-gitea#35552)
  Use bundled version of spectral (go-gitea#35573)
  Add rebase push display wrong comments bug (go-gitea#35560)
  Address some CodeQL security concerns (go-gitea#35572)
  fix(webhook): prevent tag events from bypassing branch filters targets go-gitea#35449 (go-gitea#35567)
  Added button to copy file name in PR files (go-gitea#35509)
  Update JS and PY deps (go-gitea#35565)
  Enable a few more tsconfig options (go-gitea#35553)
  Bump github.com/wneessen/go-mail from 0.6.2 to 0.7.1 (go-gitea#35557)
  add more routes to the "expensive" list (go-gitea#35547)
  Drop json-iterator dependency (go-gitea#35544)
  Add proper error message if session provider can not be created (go-gitea#35520)
  use experimental go json v2 library (go-gitea#35392)
  Use global lock instead of status pool for cron lock (go-gitea#35507)
  Move some functions to gitrepo package (go-gitea#35503)
  Move GetDiverging functions to gitrepo (go-gitea#35524)
  [skip ci] Updated translations via Crowdin
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny lunny approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/frontend modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation type/bug
Projects
None yet
Milestone
1.26.0
Development

Successfully merging this pull request may close these issues.

Tag creation/deletion incorrectly triggers Push webhook (should only emit Create/Delete event)
5 participants
@Exgene @wxiaoguang @silverwind @lunny @GiteaBot