Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Use `CryptoRandomBytes` instead of `CryptoRandomString` (go-gitea#18439)
  Remove the spurious space in the .ui.right additional selector (go-gitea#18605)
  Ensure commit-statuses box is sized correctly in headers (go-gitea#18538)
  [skip ci] Updated translations via Crowdin
  Prevent merge messages from being sorted to the top of email chains (go-gitea#18566)
  Fix pushing to 1-x-dev docker tag (go-gitea#18578)
  Replace `sync.Map` with normal maps (go-gitea#18584)
  Fix oauth docs usage for 2fa (go-gitea#18581)
  Update .gitattributes for .tmpl files (go-gitea#18576)
  Prevent panic on prohibited user login with oauth2 (go-gitea#18562)
  Fix manifest.tmpl (go-gitea#18573)
  Make docker gitea/gitea:v1.16-dev etc refer to the latest build on that branch (go-gitea#18551)
  Add dropdown icon to template loading dropdown (go-gitea#18564)

.drone.yml

@@ -854,6 +854,67 @@ steps:
         exclude:
         - pull_request
 
+---
+kind: pipeline
+name: docker-linux-amd64-release-branch
+
+platform:
+  os: linux
+  arch: amd64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+  - "refs/heads/release/v*"
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    pull: always
+    image: techknowlogick/drone-docker:latest
+    settings:
+      auto_tag: false
+      tags: ${DRONE_BRANCH##release/v}-dev-linux-amd64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.cn
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: false
+      tags: ${DRONE_BRANCH##release/v}-dev-linux-amd64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.cn
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
 ---
 kind: pipeline
 type: docker
@@ -1010,6 +1071,68 @@ steps:
       event:
         exclude:
         - pull_request
+
+---
+kind: pipeline
+name: docker-linux-arm64-release-branch
+
+platform:
+  os: linux
+  arch: arm64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+  - "refs/heads/release/v*"
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    pull: always
+    image: techknowlogick/drone-docker:latest
+    settings:
+      auto_tag: false
+      tags: ${DRONE_BRANCH##release/v}-dev-linux-arm64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.cn
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: false
+      tags: ${DRONE_BRANCH##release/v}-dev-linux-arm64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.cn
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
 ---
 kind: pipeline
 type: docker
@@ -1090,13 +1213,16 @@ steps:
 trigger:
   ref:
   - refs/heads/main
+  - "refs/heads/release/v*"
   event:
     exclude:
     - cron
 
 depends_on:
   - docker-linux-amd64-release
   - docker-linux-arm64-release
+  - docker-linux-amd64-release-branch
+  - docker-linux-arm64-release-branch
 
 ---
 kind: pipeline
@@ -1130,6 +1256,8 @@ depends_on:
   - docker-linux-arm64-release
   - docker-linux-amd64-release-version
   - docker-linux-arm64-release-version
+  - docker-linux-amd64-release-branch
+  - docker-linux-arm64-release-branch
   - docker-manifest
   - docker-manifest-version
   - docs

.gitattributes

@@ -1,9 +1,9 @@
 * text=auto eol=lf
-/vendor/** -text -eol linguist-vendored
-/public/vendor/** -text -eol linguist-vendored
-/web_src/js/vendor/** -text -eol linguist-vendored
-/templates/**/*.tmpl linguist-language=Handlebars
+*.tmpl linguist-language=Handlebars
 /.eslintrc linguist-language=YAML
 /.stylelintrc linguist-language=YAML
+/public/vendor/** -text -eol linguist-vendored
+/vendor/** -text -eol linguist-vendored
 /web_src/fomantic/build/** linguist-generated
+/web_src/js/vendor/** -text -eol linguist-vendored
 Dockerfile.* linguist-language=Dockerfile

docker/manifest.rootless.tmpl

@@ -1,4 +1,4 @@
-image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-rootless
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-rootless
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
@@ -8,12 +8,12 @@ tags:
 {{/if}}
 manifests:
   -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-amd64-rootless
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-linux-amd64-rootless
     platform:
       architecture: amd64
       os: linux
   -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-arm64-rootless
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-linux-arm64-rootless
     platform:
       architecture: arm64
       os: linux

docker/manifest.tmpl

@@ -1,4 +1,4 @@
-image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
@@ -8,13 +8,13 @@ tags:
 {{/if}}
 manifests:
   -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-amd64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-linux-amd64
     platform:
       architecture: amd64
       os: linux
   -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-arm64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-linux-arm64
     platform:
       architecture: arm64
       os: linux
-      variant: v8
+      variant: v8

docs/content/doc/installation/with-docker-rootless.en-us.md

@@ -32,7 +32,7 @@ image as a service. Since there is no database available, one can be initialized
 Create a directory for `data` and `config` then paste the following content into a file named `docker-compose.yml`.
 Note that the volume should be owned by the user/group with the UID/GID specified in the config file. By default Gitea in docker will use uid:1000 gid:1000. If needed you can set ownership on those folders with the command: `sudo chown 1000:1000 config/ data/`
 If you don't give the volume correct permissions, the container may not start.
-For a stable release you could use `:latest-rootless`, `:1-rootless` or specify a certain release like `:{{< version >}}-rootless`, but if you'd like to use the latest development version then `:dev-rootless` would be an appropriate tag.
+For a stable release you could use `:latest-rootless`, `:1-rootless` or specify a certain release like `:{{< version >}}-rootless`, but if you'd like to use the latest development version then `:dev-rootless` would be an appropriate tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-dev-rootless` tag, where x is the minor version of Gitea. (e.g. `:1.16-dev-rootless`)
 
 ```yaml
 version: "2"

docs/content/doc/installation/with-docker.en-us.md

@@ -34,7 +34,7 @@ image as a service. Since there is no database available, one can be initialized
 Create a directory like `gitea` and paste the following content into a file named `docker-compose.yml`.
 Note that the volume should be owned by the user/group with the UID/GID specified in the config file.
 If you don't give the volume correct permissions, the container may not start.
-For a stable release you can use `:latest`, `:1` or specify a certain release like `:{{< version >}}`, but if you'd like to use the latest development version of Gitea then you could use the `:dev` tag.
+For a stable release you can use `:latest`, `:1` or specify a certain release like `:{{< version >}}`, but if you'd like to use the latest development version of Gitea then you could use the `:dev` tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-dev` tag, where x is the minor version of Gitea. (e.g. `:1.16-dev`)
 
 ```yaml
 version: "3"

docs/content/doc/usage/command-line.en-us.md

@@ -129,7 +129,7 @@ Admin operations:
         - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
         - `--custom-email-url`: Use a custom Email URL (option for GitHub).
         - `--icon-url`: Custom icon URL for OAuth2 login source.
-        - `--override-local-2fa`: Allow source to override local 2FA. (Optional)
+        - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
         - `--scopes`: Additional scopes to request for this OAuth2 source. (Optional)
         - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
         - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)
@@ -152,7 +152,7 @@ Admin operations:
         - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
         - `--custom-email-url`: Use a custom Email URL (option for GitHub).
         - `--icon-url`: Custom icon URL for OAuth2 login source.
-        - `--override-local-2fa`: Allow source to override local 2FA. (Optional)
+        - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
         - `--scopes`: Additional scopes to request for this OAuth2 source.
         - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
         - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)

integrations/api_oauth2_apps_test.go

@@ -43,7 +43,7 @@ func testAPICreateOAuth2Application(t *testing.T) {
 	DecodeJSON(t, resp, &createdApp)
 
 	assert.EqualValues(t, appBody.Name, createdApp.Name)
-	assert.Len(t, createdApp.ClientSecret, 44)
+	assert.Len(t, createdApp.ClientSecret, 56)
 	assert.Len(t, createdApp.ClientID, 36)
 	assert.NotEmpty(t, createdApp.Created)
 	assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0])

models/auth/oauth2.go

@@ -6,13 +6,13 @@ package auth
 
 import (
 	"crypto/sha256"
+	"encoding/base32"
 	"encoding/base64"
 	"fmt"
 	"net/url"
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
@@ -57,12 +57,22 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 	return util.IsStringInSlice(redirectURI, app.RedirectURIs, true)
 }
 
+// Base32 characters, but lowercased.
+const lowerBase32Chars = "abcdefghijklmnopqrstuvwxyz234567"
+
+// base32 encoder that uses lowered characters without padding.
+var base32Lower = base32.NewEncoding(lowerBase32Chars).WithPadding(base32.NoPadding)
+
 // GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database
 func (app *OAuth2Application) GenerateClientSecret() (string, error) {
-	clientSecret, err := secret.New()
+	rBytes, err := util.CryptoRandomBytes(32)
 	if err != nil {
 		return "", err
 	}
+	// Add a prefix to the base32, this is in order to make it easier
+	// for code scanners to grab sensitive tokens.
+	clientSecret := "gto_" + base32Lower.EncodeToString(rBytes)
+
 	hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost)
 	if err != nil {
 		return "", err
@@ -394,10 +404,14 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChalleng
 }
 
 func (grant *OAuth2Grant) generateNewAuthorizationCode(e db.Engine, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error) {
-	var codeSecret string
-	if codeSecret, err = secret.New(); err != nil {
+	rBytes, err := util.CryptoRandomBytes(32)
+	if err != nil {
 		return &OAuth2AuthorizationCode{}, err
 	}
+	// Add a prefix to the base32, this is in order to make it easier
+	// for code scanners to grab sensitive tokens.
+	codeSecret := "gta_" + base32Lower.EncodeToString(rBytes)
+
 	code = &OAuth2AuthorizationCode{
 		Grant:               grant,
 		GrantID:             grant.ID,

modules/secret/secret.go

@@ -13,20 +13,8 @@ import (
 	"encoding/hex"
 	"errors"
 	"io"
-
-	"code.gitea.io/gitea/modules/util"
 )
 
-// New creates a new secret
-func New() (string, error) {
-	return NewWithLength(44)
-}
-
-// NewWithLength creates a new secret for a given length
-func NewWithLength(length int64) (string, error) {
-	return util.CryptoRandomString(length)
-}
-
 // AesEncrypt encrypts text and given key with AES.
 func AesEncrypt(key, text []byte) ([]byte, error) {
 	block, err := aes.NewCipher(key)

modules/secret/secret_test.go

@@ -10,17 +10,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestNew(t *testing.T) {
-	result, err := New()
-	assert.NoError(t, err)
-	assert.True(t, len(result) == 44)
-
-	result2, err := New()
-	assert.NoError(t, err)
-	// check if secrets
-	assert.NotEqual(t, result, result2)
-}
-
 func TestEncryptDecrypt(t *testing.T) {
 	var hex string
 	var str string

options/locale/locale_ja-JP.ini

@@ -268,6 +268,7 @@ search=検索
 code=コード
 search.fuzzy=あいまい
 search.match=一致
+code_search_unavailable=現在コード検索は利用できません。 サイト管理者にお問い合わせください。
 repo_no_results=一致するリポジトリが見つかりません。
 user_no_results=一致するユーザーが見つかりません。
 org_no_results=一致する組織が見つかりません。
@@ -1262,6 +1263,7 @@ issues.filter_sort.moststars=スターが多い順
 issues.filter_sort.feweststars=スターが少ない順
 issues.filter_sort.mostforks=フォークが多い順
 issues.filter_sort.fewestforks=フォークが少ない順
+issues.keyword_search_unavailable=現在キーワード検索は利用できません。 サイト管理者にお問い合わせください。
 issues.action_open=オープン
 issues.action_close=クローズ
 issues.action_label=ラベル
@@ -1707,6 +1709,8 @@ search.search_repo=リポジトリを検索
 search.fuzzy=あいまい
 search.match=一致
 search.results=<a href="%[2]s">%[3]s</a> 内での "%[1]s" の検索結果
+search.code_no_results=検索ワードに一致するソースコードが見つかりません。
+search.code_search_unavailable=現在コード検索は利用できません。 サイト管理者にお問い合わせください。
 
 settings=設定
 settings.desc=設定では、リポジトリの設定を管理することができます。

routers/web/auth/oauth.go

@@ -822,7 +822,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 	u, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
 	if err != nil {
 		if user_model.IsErrUserProhibitLogin(err) {
-			uplerr := err.(*user_model.ErrUserProhibitLogin)
+			uplerr := err.(user_model.ErrUserProhibitLogin)
 			log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
 			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 			ctx.HTML(http.StatusOK, "user/auth/prohibit_login")