chore(ui): always use primary button color inside modals (#7161 )

Followup to https://codeberg.org/forgejo/forgejo/pulls/3002 Related to https://codeberg.org/forgejo/forgejo/pulls/6126 This deimplements `ModalButtonColors`. Nowhere in the UI except for one devtest page modal dialogs paint this button any other color and we don't want new UIs to do that. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7161 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Update module google.golang.org/grpc to v1.71.0 (forgejo) (#7158 )
2025-03-09 16:02:06 +01:00 · 2025-03-09 07:45:58 +00:00 · 2025-03-08 15:28:58 +00:00 · 2025-03-08 14:52:32 +00:00 · 2025-03-08 14:42:14 +00:00 · 2025-03-08 14:19:36 +00:00
1534 changed files with 65455 additions and 24249 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -10,26 +10,10 @@ code.gitea.io/gitea/cmd/forgejo
 	ContextSetStdin

 code.gitea.io/gitea/models
-	IsErrUpdateTaskNotExist
-	ErrUpdateTaskNotExist.Error
-	ErrUpdateTaskNotExist.Unwrap
 	IsErrSHANotFound
 	IsErrMergeDivergingFastForwardOnly
-	GetYamlFixturesAccess
-
-code.gitea.io/gitea/models/actions
-	ScheduleList.GetUserIDs
-	ScheduleList.GetRepoIDs
-	ScheduleList.LoadTriggerUser
-	ScheduleList.LoadRepos
-
-code.gitea.io/gitea/models/asymkey
-	ErrGPGKeyAccessDenied.Error
-	ErrGPGKeyAccessDenied.Unwrap
-	HasDeployKey

 code.gitea.io/gitea/models/auth
-	GetSourceByName
 	WebAuthnCredentials

 code.gitea.io/gitea/models/db
@ -55,43 +39,24 @@ code.gitea.io/gitea/models/git

 code.gitea.io/gitea/models/issues
 	IsErrUnknownDependencyType
-	ErrNewIssueInsert.Error
 	IsErrIssueWasClosed
-	ChangeMilestoneStatus

 code.gitea.io/gitea/models/organization
-	GetTeamNamesByID
-	UpdateTeamUnits
 	SearchMembersOptions.ToConds
-	UsersInTeamsCount

 code.gitea.io/gitea/models/perm/access
 	GetRepoWriters

-code.gitea.io/gitea/models/project
-	UpdateColumnSorting
-	ChangeProjectStatus
-
 code.gitea.io/gitea/models/repo
-	DeleteAttachmentsByIssue
-	FindReposMapByIDs
-	IsErrTopicNotExist
-	ErrTopicNotExist.Error
-	ErrTopicNotExist.Unwrap
-	GetTopicByName
 	WatchRepoMode

 code.gitea.io/gitea/models/user
-	ErrUserInactive.Error
-	ErrUserInactive.Unwrap
 	IsErrExternalLoginUserAlreadyExist
 	IsErrExternalLoginUserNotExist
 	NewFederatedUser
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
-	GetUserEmailsByNames
-	GetUserNamesByIDs

 code.gitea.io/gitea/modules/activitypub
 	NewContext
@ -115,9 +80,6 @@ code.gitea.io/gitea/modules/cache
 	WithNoCacheContext
 	RemoveContextData

-code.gitea.io/gitea/modules/charset
-	BreakWriter.Write
-
 code.gitea.io/gitea/modules/emoji
 	ReplaceCodes

@ -125,6 +87,9 @@ code.gitea.io/gitea/modules/eventsource
 	Event.String

 code.gitea.io/gitea/modules/forgefed
+	NewForgeUndoLike
+	ForgeUndoLike.UnmarshalJSON
+	ForgeUndoLike.Validate
 	GetItemByType
 	JSONUnmarshalerFn
 	NotEmpty
@ -137,18 +102,9 @@ code.gitea.io/gitea/modules/git
 	AddChangesWithArgs
 	CommitChanges
 	CommitChangesWithArgs
-	IsErrExecTimeout
-	ErrExecTimeout.Error
-	ErrUnsupportedVersion.Error
 	SetUpdateHook
 	openRepositoryWithDefaultContext
-	IsTagExist
 	ToEntryMode
-	LimitedReaderCloser.Read
-	LimitedReaderCloser.Close
-
-code.gitea.io/gitea/modules/gitgraph
-	Parser.Reset

 code.gitea.io/gitea/modules/gitrepo
 	GetBranchCommitID
@ -173,6 +129,9 @@ code.gitea.io/gitea/modules/json
 	StdJSON.NewDecoder
 	StdJSON.Indent

+code.gitea.io/gitea/modules/log
+	NewEventWriterBuffer
+
 code.gitea.io/gitea/modules/markup
 	GetRendererByType
 	RenderString
@ -183,16 +142,8 @@ code.gitea.io/gitea/modules/markup/console
 	RenderString

 code.gitea.io/gitea/modules/markup/markdown
-	IsDetails
-	IsSummary
-	IsTaskCheckBoxListItem
-	IsIcon
 	RenderRawString

-code.gitea.io/gitea/modules/markup/markdown/math
-	WithInlineDollarParser
-	WithBlockDollarParser
-
 code.gitea.io/gitea/modules/markup/mdstripper
 	stripRenderer.AddOptions
 	StripMarkdown
@ -200,9 +151,6 @@ code.gitea.io/gitea/modules/markup/mdstripper
 code.gitea.io/gitea/modules/markup/orgmode
 	RenderString

-code.gitea.io/gitea/modules/private
-	ActionsRunnerRegister
-
 code.gitea.io/gitea/modules/process
 	Manager.ExecTimeout

@ -225,14 +173,6 @@ code.gitea.io/gitea/modules/setting
 	GitConfigType.GetOption
 	InitLoggersForTest

-code.gitea.io/gitea/modules/storage
-	ErrInvalidConfiguration.Error
-	IsErrInvalidConfiguration
-
-code.gitea.io/gitea/modules/structs
-	ParseCreateHook
-	ParsePushHook
-
 code.gitea.io/gitea/modules/sync
 	StatusTable.Start
 	StatusTable.IsRunning
@ -247,9 +187,13 @@ code.gitea.io/gitea/modules/translation
 	MockLocale.TrString
 	MockLocale.Tr
 	MockLocale.TrN
+	MockLocale.TrPluralString
 	MockLocale.TrSize
 	MockLocale.PrettyNumber

+code.gitea.io/gitea/modules/util
+	OptionalArg
+
 code.gitea.io/gitea/modules/util/filebuffer
 	CreateFromReader

@ -260,9 +204,6 @@ code.gitea.io/gitea/modules/web
 	RouteMock
 	RouteMockReset

-code.gitea.io/gitea/modules/web/middleware
-	DeleteLocaleCookie
-
 code.gitea.io/gitea/modules/zstd
 	NewWriter
 	Writer.Write
@ -277,26 +218,14 @@ code.gitea.io/gitea/routers/web/org
 code.gitea.io/gitea/services/context
 	GetPrivateContext

-code.gitea.io/gitea/services/convert
-	ToSecret
-
-code.gitea.io/gitea/services/forms
-	DeadlineForm.Validate
-
-code.gitea.io/gitea/services/pull
-	IsCommitStatusContextSuccess
-
 code.gitea.io/gitea/services/repository
 	IsErrForkAlreadyExist

-code.gitea.io/gitea/services/repository/archiver
-	ArchiveRepository
-
 code.gitea.io/gitea/services/repository/files
 	ContentType.String
-	GetFileResponseFromCommit
-	TemporaryUploadRepository.GetLastCommit
-	TemporaryUploadRepository.GetLastCommitByRef
+
+code.gitea.io/gitea/services/repository/gitgraph
+	Parser.Reset

 code.gitea.io/gitea/services/webhook
 	NewNotifier
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -6,7 +6,7 @@
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
    },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.1": {},
+    "ghcr.io/devcontainers/features/git-lfs:1.2.3": {},
    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
    "ghcr.io/devcontainers/features/python:1": {
      "version": "3.12"
--- a/.dockerignore
+++ b/.dockerignore
@ -34,6 +34,7 @@ _testmain.go

 *coverage.out
 coverage.all
+coverage/
 cpu.out

 /modules/migration/bindata.go
--- a/.envrc.example
+++ b/.envrc.example
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -1,803 +0,0 @@
-root: true
-reportUnusedDisableDirectives: true
-
-ignorePatterns:
-  - /web_src/js/vendor
-  - /web_src/fomantic
-  - /public/assets/js
-
-parserOptions:
-  sourceType: module
-  ecmaVersion: latest
-
-plugins:
-  - "@eslint-community/eslint-plugin-eslint-comments"
-  - "@stylistic/eslint-plugin-js"
-  - "@vitest"
-  - eslint-plugin-array-func
-  - eslint-plugin-github
-  - eslint-plugin-i
-  - eslint-plugin-no-jquery
-  - eslint-plugin-no-use-extend-native
-  - eslint-plugin-regexp
-  - eslint-plugin-sonarjs
-  - eslint-plugin-unicorn
-  - eslint-plugin-vitest-globals
-  - eslint-plugin-wc
-
-env:
-  es2024: true
-  node: true
-
-overrides:
-  - files: ["web_src/**/*"]
-    globals:
-      __webpack_public_path__: true
-      process: false # https://github.com/webpack/webpack/issues/15833
-  - files: ["web_src/**/*", "docs/**/*"]
-    env:
-      browser: true
-      node: false
-  - files: ["web_src/**/*worker.*"]
-    env:
-      worker: true
-    rules:
-      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
-  - files: ["*.config.*"]
-    rules:
-      i/no-unused-modules: [0]
-  - files: ["**/*.test.*", "web_src/js/test/setup.js"]
-    env:
-      vitest-globals/env: true
-    rules:
-      "@vitest/consistent-test-filename": [0]
-      "@vitest/consistent-test-it": [0]
-      "@vitest/expect-expect": [0]
-      "@vitest/max-expects": [0]
-      "@vitest/max-nested-describe": [0]
-      "@vitest/no-alias-methods": [0]
-      "@vitest/no-commented-out-tests": [0]
-      "@vitest/no-conditional-expect": [0]
-      "@vitest/no-conditional-in-test": [0]
-      "@vitest/no-conditional-tests": [0]
-      "@vitest/no-disabled-tests": [0]
-      "@vitest/no-done-callback": [0]
-      "@vitest/no-duplicate-hooks": [0]
-      "@vitest/no-focused-tests": [0]
-      "@vitest/no-hooks": [0]
-      "@vitest/no-identical-title": [2]
-      "@vitest/no-interpolation-in-snapshots": [0]
-      "@vitest/no-large-snapshots": [0]
-      "@vitest/no-mocks-import": [0]
-      "@vitest/no-restricted-matchers": [0]
-      "@vitest/no-restricted-vi-methods": [0]
-      "@vitest/no-standalone-expect": [0]
-      "@vitest/no-test-prefixes": [0]
-      "@vitest/no-test-return-statement": [0]
-      "@vitest/prefer-called-with": [0]
-      "@vitest/prefer-comparison-matcher": [0]
-      "@vitest/prefer-each": [0]
-      "@vitest/prefer-equality-matcher": [0]
-      "@vitest/prefer-expect-resolves": [0]
-      "@vitest/prefer-hooks-in-order": [0]
-      "@vitest/prefer-hooks-on-top": [2]
-      "@vitest/prefer-lowercase-title": [0]
-      "@vitest/prefer-mock-promise-shorthand": [0]
-      "@vitest/prefer-snapshot-hint": [0]
-      "@vitest/prefer-spy-on": [0]
-      "@vitest/prefer-strict-equal": [0]
-      "@vitest/prefer-to-be": [0]
-      "@vitest/prefer-to-be-falsy": [0]
-      "@vitest/prefer-to-be-object": [0]
-      "@vitest/prefer-to-be-truthy": [0]
-      "@vitest/prefer-to-contain": [0]
-      "@vitest/prefer-to-have-length": [0]
-      "@vitest/prefer-todo": [0]
-      "@vitest/require-hook": [0]
-      "@vitest/require-to-throw-message": [0]
-      "@vitest/require-top-level-describe": [0]
-      "@vitest/valid-describe-callback": [2]
-      "@vitest/valid-expect": [2]
-      "@vitest/valid-title": [2]
-  - files: ["web_src/js/modules/fetch.js", "web_src/js/standalone/**/*"]
-    rules:
-      no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression]
-
-rules:
-  "@eslint-community/eslint-comments/disable-enable-pair": [2]
-  "@eslint-community/eslint-comments/no-aggregating-enable": [2]
-  "@eslint-community/eslint-comments/no-duplicate-disable": [2]
-  "@eslint-community/eslint-comments/no-restricted-disable": [0]
-  "@eslint-community/eslint-comments/no-unlimited-disable": [2]
-  "@eslint-community/eslint-comments/no-unused-disable": [2]
-  "@eslint-community/eslint-comments/no-unused-enable": [2]
-  "@eslint-community/eslint-comments/no-use": [0]
-  "@eslint-community/eslint-comments/require-description": [0]
-  "@stylistic/js/array-bracket-newline": [0]
-  "@stylistic/js/array-bracket-spacing": [2, never]
-  "@stylistic/js/array-element-newline": [0]
-  "@stylistic/js/arrow-parens": [2, always]
-  "@stylistic/js/arrow-spacing": [2, {before: true, after: true}]
-  "@stylistic/js/block-spacing": [0]
-  "@stylistic/js/brace-style": [2, 1tbs, {allowSingleLine: true}]
-  "@stylistic/js/comma-dangle": [2, always-multiline]
-  "@stylistic/js/comma-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/comma-style": [2, last]
-  "@stylistic/js/computed-property-spacing": [2, never]
-  "@stylistic/js/dot-location": [2, property]
-  "@stylistic/js/eol-last": [2]
-  "@stylistic/js/function-call-spacing": [2, never]
-  "@stylistic/js/function-call-argument-newline": [0]
-  "@stylistic/js/function-paren-newline": [0]
-  "@stylistic/js/generator-star-spacing": [0]
-  "@stylistic/js/implicit-arrow-linebreak": [0]
-  "@stylistic/js/indent": [2, 2, {ignoreComments: true, SwitchCase: 1}]
-  "@stylistic/js/key-spacing": [2]
-  "@stylistic/js/keyword-spacing": [2]
-  "@stylistic/js/linebreak-style": [2, unix]
-  "@stylistic/js/lines-around-comment": [0]
-  "@stylistic/js/lines-between-class-members": [0]
-  "@stylistic/js/max-len": [0]
-  "@stylistic/js/max-statements-per-line": [0]
-  "@stylistic/js/multiline-ternary": [0]
-  "@stylistic/js/new-parens": [2]
-  "@stylistic/js/newline-per-chained-call": [0]
-  "@stylistic/js/no-confusing-arrow": [0]
-  "@stylistic/js/no-extra-parens": [0]
-  "@stylistic/js/no-extra-semi": [2]
-  "@stylistic/js/no-floating-decimal": [0]
-  "@stylistic/js/no-mixed-operators": [0]
-  "@stylistic/js/no-mixed-spaces-and-tabs": [2]
-  "@stylistic/js/no-multi-spaces": [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
-  "@stylistic/js/no-multiple-empty-lines": [2, {max: 1, maxEOF: 0, maxBOF: 0}]
-  "@stylistic/js/no-tabs": [2]
-  "@stylistic/js/no-trailing-spaces": [2]
-  "@stylistic/js/no-whitespace-before-property": [2]
-  "@stylistic/js/nonblock-statement-body-position": [2]
-  "@stylistic/js/object-curly-newline": [0]
-  "@stylistic/js/object-curly-spacing": [2, never]
-  "@stylistic/js/object-property-newline": [0]
-  "@stylistic/js/one-var-declaration-per-line": [0]
-  "@stylistic/js/operator-linebreak": [2, after]
-  "@stylistic/js/padded-blocks": [2, never]
-  "@stylistic/js/padding-line-between-statements": [0]
-  "@stylistic/js/quote-props": [0]
-  "@stylistic/js/quotes": [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
-  "@stylistic/js/rest-spread-spacing": [2, never]
-  "@stylistic/js/semi": [2, always, {omitLastInOneLineBlock: true}]
-  "@stylistic/js/semi-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/semi-style": [2, last]
-  "@stylistic/js/space-before-blocks": [2, always]
-  "@stylistic/js/space-before-function-paren": [2, {anonymous: ignore, named: never, asyncArrow: always}]
-  "@stylistic/js/space-in-parens": [2, never]
-  "@stylistic/js/space-infix-ops": [2]
-  "@stylistic/js/space-unary-ops": [2]
-  "@stylistic/js/spaced-comment": [2, always]
-  "@stylistic/js/switch-colon-spacing": [2]
-  "@stylistic/js/template-curly-spacing": [2, never]
-  "@stylistic/js/template-tag-spacing": [2, never]
-  "@stylistic/js/wrap-iife": [2, inside]
-  "@stylistic/js/wrap-regex": [0]
-  "@stylistic/js/yield-star-spacing": [2, after]
-  accessor-pairs: [2]
-  array-callback-return: [2, {checkForEach: true}]
-  array-func/avoid-reverse: [2]
-  array-func/from-map: [2]
-  array-func/no-unnecessary-this-arg: [2]
-  array-func/prefer-array-from: [2]
-  array-func/prefer-flat-map: [0] # handled by unicorn/prefer-array-flat-map
-  array-func/prefer-flat: [0] # handled by unicorn/prefer-array-flat
-  arrow-body-style: [0]
-  block-scoped-var: [2]
-  camelcase: [0]
-  capitalized-comments: [0]
-  class-methods-use-this: [0]
-  complexity: [0]
-  consistent-return: [0]
-  consistent-this: [0]
-  constructor-super: [2]
-  curly: [0]
-  default-case-last: [2]
-  default-case: [0]
-  default-param-last: [0]
-  dot-notation: [0]
-  eqeqeq: [2]
-  for-direction: [2]
-  func-name-matching: [2]
-  func-names: [0]
-  func-style: [0]
-  getter-return: [2]
-  github/a11y-aria-label-is-well-formatted: [0]
-  github/a11y-no-title-attribute: [0]
-  github/a11y-no-visually-hidden-interactive-element: [0]
-  github/a11y-role-supports-aria-props: [0]
-  github/a11y-svg-has-accessible-name: [0]
-  github/array-foreach: [0]
-  github/async-currenttarget: [2]
-  github/async-preventdefault: [2]
-  github/authenticity-token: [0]
-  github/get-attribute: [0]
-  github/js-class-name: [0]
-  github/no-blur: [0]
-  github/no-d-none: [0]
-  github/no-dataset: [2]
-  github/no-dynamic-script-tag: [2]
-  github/no-implicit-buggy-globals: [2]
-  github/no-inner-html: [0]
-  github/no-innerText: [2]
-  github/no-then: [2]
-  github/no-useless-passive: [2]
-  github/prefer-observers: [2]
-  github/require-passive-events: [2]
-  github/unescaped-html-literal: [0]
-  grouped-accessor-pairs: [2]
-  guard-for-in: [0]
-  id-blacklist: [0]
-  id-length: [0]
-  id-match: [0]
-  i/consistent-type-specifier-style: [0]
-  i/default: [0]
-  i/dynamic-import-chunkname: [0]
-  i/export: [2]
-  i/exports-last: [0]
-  i/extensions: [2, always, {ignorePackages: true}]
-  i/first: [2]
-  i/group-exports: [0]
-  i/max-dependencies: [0]
-  i/named: [2]
-  i/namespace: [0]
-  i/newline-after-import: [0]
-  i/no-absolute-path: [0]
-  i/no-amd: [2]
-  i/no-anonymous-default-export: [0]
-  i/no-commonjs: [2]
-  i/no-cycle: [2, {ignoreExternal: true, maxDepth: 1}]
-  i/no-default-export: [0]
-  i/no-deprecated: [0]
-  i/no-dynamic-require: [0]
-  i/no-empty-named-blocks: [2]
-  i/no-extraneous-dependencies: [2]
-  i/no-import-module-exports: [0]
-  i/no-internal-modules: [0]
-  i/no-mutable-exports: [0]
-  i/no-named-as-default-member: [0]
-  i/no-named-as-default: [2]
-  i/no-named-default: [0]
-  i/no-named-export: [0]
-  i/no-namespace: [0]
-  i/no-nodejs-modules: [0]
-  i/no-relative-packages: [0]
-  i/no-relative-parent-imports: [0]
-  i/no-restricted-paths: [0]
-  i/no-self-import: [2]
-  i/no-unassigned-import: [0]
-  i/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$", ^vitest/]}]
-  i/no-unused-modules: [2, {unusedExports: true}]
-  i/no-useless-path-segments: [2, {commonjs: true}]
-  i/no-webpack-loader-syntax: [2]
-  i/order: [0]
-  i/prefer-default-export: [0]
-  i/unambiguous: [0]
-  init-declarations: [0]
-  line-comment-position: [0]
-  logical-assignment-operators: [0]
-  max-classes-per-file: [0]
-  max-depth: [0]
-  max-lines-per-function: [0]
-  max-lines: [0]
-  max-nested-callbacks: [0]
-  max-params: [0]
-  max-statements: [0]
-  multiline-comment-style: [2, separate-lines]
-  new-cap: [0]
-  no-alert: [0]
-  no-array-constructor: [2]
-  no-async-promise-executor: [0]
-  no-await-in-loop: [0]
-  no-bitwise: [0]
-  no-buffer-constructor: [0]
-  no-caller: [2]
-  no-case-declarations: [2]
-  no-class-assign: [2]
-  no-compare-neg-zero: [2]
-  no-cond-assign: [2, except-parens]
-  no-console: [1, {allow: [debug, info, warn, error]}]
-  no-const-assign: [2]
-  no-constant-binary-expression: [2]
-  no-constant-condition: [0]
-  no-constructor-return: [2]
-  no-continue: [0]
-  no-control-regex: [0]
-  no-debugger: [1]
-  no-delete-var: [2]
-  no-div-regex: [0]
-  no-dupe-args: [2]
-  no-dupe-class-members: [2]
-  no-dupe-else-if: [2]
-  no-dupe-keys: [2]
-  no-duplicate-case: [2]
-  no-duplicate-imports: [2]
-  no-else-return: [2]
-  no-empty-character-class: [2]
-  no-empty-function: [0]
-  no-empty-pattern: [2]
-  no-empty-static-block: [2]
-  no-empty: [2, {allowEmptyCatch: true}]
-  no-eq-null: [2]
-  no-eval: [2]
-  no-ex-assign: [2]
-  no-extend-native: [2]
-  no-extra-bind: [2]
-  no-extra-boolean-cast: [2]
-  no-extra-label: [0]
-  no-fallthrough: [2]
-  no-func-assign: [2]
-  no-global-assign: [2]
-  no-implicit-coercion: [2]
-  no-implicit-globals: [0]
-  no-implied-eval: [2]
-  no-import-assign: [2]
-  no-inline-comments: [0]
-  no-inner-declarations: [2]
-  no-invalid-regexp: [2]
-  no-invalid-this: [0]
-  no-irregular-whitespace: [2]
-  no-iterator: [2]
-  no-jquery/no-ajax-events: [2]
-  no-jquery/no-ajax: [2]
-  no-jquery/no-and-self: [2]
-  no-jquery/no-animate-toggle: [2]
-  no-jquery/no-animate: [2]
-  no-jquery/no-append-html: [2]
-  no-jquery/no-attr: [2]
-  no-jquery/no-bind: [2]
-  no-jquery/no-box-model: [2]
-  no-jquery/no-browser: [2]
-  no-jquery/no-camel-case: [2]
-  no-jquery/no-class-state: [2]
-  no-jquery/no-class: [0]
-  no-jquery/no-clone: [2]
-  no-jquery/no-closest: [0]
-  no-jquery/no-constructor-attributes: [2]
-  no-jquery/no-contains: [2]
-  no-jquery/no-context-prop: [2]
-  no-jquery/no-css: [2]
-  no-jquery/no-data: [0]
-  no-jquery/no-deferred: [2]
-  no-jquery/no-delegate: [2]
-  no-jquery/no-each-collection: [0]
-  no-jquery/no-each-util: [0]
-  no-jquery/no-each: [0]
-  no-jquery/no-error-shorthand: [2]
-  no-jquery/no-error: [2]
-  no-jquery/no-escape-selector: [2]
-  no-jquery/no-event-shorthand: [2]
-  no-jquery/no-extend: [2]
-  no-jquery/no-fade: [2]
-  no-jquery/no-filter: [0]
-  no-jquery/no-find-collection: [0]
-  no-jquery/no-find-util: [2]
-  no-jquery/no-find: [0]
-  no-jquery/no-fx-interval: [2]
-  no-jquery/no-global-eval: [2]
-  no-jquery/no-global-selector: [0]
-  no-jquery/no-grep: [2]
-  no-jquery/no-has: [2]
-  no-jquery/no-hold-ready: [2]
-  no-jquery/no-html: [0]
-  no-jquery/no-in-array: [2]
-  no-jquery/no-is-array: [2]
-  no-jquery/no-is-empty-object: [2]
-  no-jquery/no-is-function: [2]
-  no-jquery/no-is-numeric: [2]
-  no-jquery/no-is-plain-object: [2]
-  no-jquery/no-is-window: [2]
-  no-jquery/no-is: [2]
-  no-jquery/no-jquery-constructor: [0]
-  no-jquery/no-live: [2]
-  no-jquery/no-load-shorthand: [2]
-  no-jquery/no-load: [2]
-  no-jquery/no-map-collection: [0]
-  no-jquery/no-map-util: [2]
-  no-jquery/no-map: [2]
-  no-jquery/no-merge: [2]
-  no-jquery/no-node-name: [2]
-  no-jquery/no-noop: [2]
-  no-jquery/no-now: [2]
-  no-jquery/no-on-ready: [2]
-  no-jquery/no-other-methods: [0]
-  no-jquery/no-other-utils: [2]
-  no-jquery/no-param: [2]
-  no-jquery/no-parent: [0]
-  no-jquery/no-parents: [2]
-  no-jquery/no-parse-html-literal: [2]
-  no-jquery/no-parse-html: [2]
-  no-jquery/no-parse-json: [2]
-  no-jquery/no-parse-xml: [2]
-  no-jquery/no-prop: [2]
-  no-jquery/no-proxy: [2]
-  no-jquery/no-ready-shorthand: [2]
-  no-jquery/no-ready: [2]
-  no-jquery/no-selector-prop: [2]
-  no-jquery/no-serialize: [2]
-  no-jquery/no-size: [2]
-  no-jquery/no-sizzle: [0]
-  no-jquery/no-slide: [2]
-  no-jquery/no-sub: [2]
-  no-jquery/no-support: [2]
-  no-jquery/no-text: [0]
-  no-jquery/no-trigger: [0]
-  no-jquery/no-trim: [2]
-  no-jquery/no-type: [2]
-  no-jquery/no-unique: [2]
-  no-jquery/no-unload-shorthand: [2]
-  no-jquery/no-val: [0]
-  no-jquery/no-visibility: [2]
-  no-jquery/no-when: [2]
-  no-jquery/no-wrap: [2]
-  no-jquery/variable-pattern: [2]
-  no-label-var: [2]
-  no-labels: [0] # handled by no-restricted-syntax
-  no-lone-blocks: [2]
-  no-lonely-if: [0]
-  no-loop-func: [0]
-  no-loss-of-precision: [2]
-  no-magic-numbers: [0]
-  no-misleading-character-class: [2]
-  no-multi-assign: [0]
-  no-multi-str: [2]
-  no-negated-condition: [0]
-  no-nested-ternary: [0]
-  no-new-func: [2]
-  no-new-native-nonconstructor: [2]
-  no-new-object: [2]
-  no-new-symbol: [2]
-  no-new-wrappers: [2]
-  no-new: [0]
-  no-nonoctal-decimal-escape: [2]
-  no-obj-calls: [2]
-  no-octal-escape: [2]
-  no-octal: [2]
-  no-param-reassign: [0]
-  no-plusplus: [0]
-  no-promise-executor-return: [0]
-  no-proto: [2]
-  no-prototype-builtins: [2]
-  no-redeclare: [2]
-  no-regex-spaces: [2]
-  no-restricted-exports: [0]
-  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top, __dirname, __filename]
-  no-restricted-imports: [0]
-  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression, {selector: "CallExpression[callee.name='fetch']", message: "use modules/fetch.js instead"}]
-  no-return-assign: [0]
-  no-script-url: [2]
-  no-self-assign: [2, {props: true}]
-  no-self-compare: [2]
-  no-sequences: [2]
-  no-setter-return: [2]
-  no-shadow-restricted-names: [2]
-  no-shadow: [0]
-  no-sparse-arrays: [2]
-  no-template-curly-in-string: [2]
-  no-ternary: [0]
-  no-this-before-super: [2]
-  no-throw-literal: [2]
-  no-undef-init: [2]
-  no-undef: [2, {typeof: true}]
-  no-undefined: [0]
-  no-underscore-dangle: [0]
-  no-unexpected-multiline: [2]
-  no-unmodified-loop-condition: [2]
-  no-unneeded-ternary: [2]
-  no-unreachable-loop: [2]
-  no-unreachable: [2]
-  no-unsafe-finally: [2]
-  no-unsafe-negation: [2]
-  no-unused-expressions: [2]
-  no-unused-labels: [2]
-  no-unused-private-class-members: [2]
-  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, caughtErrorsIgnorePattern: ^_, destructuredArrayIgnorePattern: ^_, ignoreRestSiblings: false}]
-  no-use-before-define: [2, {functions: false, classes: true, variables: true, allowNamedExports: true}]
-  no-use-extend-native/no-use-extend-native: [2]
-  no-useless-backreference: [2]
-  no-useless-call: [2]
-  no-useless-catch: [2]
-  no-useless-computed-key: [2]
-  no-useless-concat: [2]
-  no-useless-constructor: [2]
-  no-useless-escape: [2]
-  no-useless-rename: [2]
-  no-useless-return: [2]
-  no-var: [2]
-  no-void: [2]
-  no-warning-comments: [0]
-  no-with: [0] # handled by no-restricted-syntax
-  object-shorthand: [2, always]
-  one-var-declaration-per-line: [0]
-  one-var: [0]
-  operator-assignment: [2, always]
-  operator-linebreak: [2, after]
-  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
-  prefer-const: [2, {destructuring: all, ignoreReadBeforeAssign: true}]
-  prefer-destructuring: [0]
-  prefer-exponentiation-operator: [2]
-  prefer-named-capture-group: [0]
-  prefer-numeric-literals: [2]
-  prefer-object-has-own: [2]
-  prefer-object-spread: [2]
-  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
-  prefer-regex-literals: [2]
-  prefer-rest-params: [2]
-  prefer-spread: [2]
-  prefer-template: [2]
-  radix: [2, as-needed]
-  regexp/confusing-quantifier: [2]
-  regexp/control-character-escape: [2]
-  regexp/hexadecimal-escape: [0]
-  regexp/letter-case: [0]
-  regexp/match-any: [2]
-  regexp/negation: [2]
-  regexp/no-contradiction-with-assertion: [0]
-  regexp/no-control-character: [0]
-  regexp/no-dupe-characters-character-class: [2]
-  regexp/no-dupe-disjunctions: [2]
-  regexp/no-empty-alternative: [2]
-  regexp/no-empty-capturing-group: [2]
-  regexp/no-empty-character-class: [0]
-  regexp/no-empty-group: [2]
-  regexp/no-empty-lookarounds-assertion: [2]
-  regexp/no-empty-string-literal: [2]
-  regexp/no-escape-backspace: [2]
-  regexp/no-extra-lookaround-assertions: [0]
-  regexp/no-invalid-regexp: [2]
-  regexp/no-invisible-character: [2]
-  regexp/no-lazy-ends: [2]
-  regexp/no-legacy-features: [2]
-  regexp/no-misleading-capturing-group: [0]
-  regexp/no-misleading-unicode-character: [0]
-  regexp/no-missing-g-flag: [2]
-  regexp/no-non-standard-flag: [2]
-  regexp/no-obscure-range: [2]
-  regexp/no-octal: [2]
-  regexp/no-optional-assertion: [2]
-  regexp/no-potentially-useless-backreference: [2]
-  regexp/no-standalone-backslash: [2]
-  regexp/no-super-linear-backtracking: [0]
-  regexp/no-super-linear-move: [0]
-  regexp/no-trivially-nested-assertion: [2]
-  regexp/no-trivially-nested-quantifier: [2]
-  regexp/no-unused-capturing-group: [0]
-  regexp/no-useless-assertions: [2]
-  regexp/no-useless-backreference: [2]
-  regexp/no-useless-character-class: [2]
-  regexp/no-useless-dollar-replacements: [2]
-  regexp/no-useless-escape: [2]
-  regexp/no-useless-flag: [2]
-  regexp/no-useless-lazy: [2]
-  regexp/no-useless-non-capturing-group: [2]
-  regexp/no-useless-quantifier: [2]
-  regexp/no-useless-range: [2]
-  regexp/no-useless-set-operand: [2]
-  regexp/no-useless-string-literal: [2]
-  regexp/no-useless-two-nums-quantifier: [2]
-  regexp/no-zero-quantifier: [2]
-  regexp/optimal-lookaround-quantifier: [2]
-  regexp/optimal-quantifier-concatenation: [0]
-  regexp/prefer-character-class: [0]
-  regexp/prefer-d: [0]
-  regexp/prefer-escape-replacement-dollar-char: [0]
-  regexp/prefer-lookaround: [0]
-  regexp/prefer-named-backreference: [0]
-  regexp/prefer-named-capture-group: [0]
-  regexp/prefer-named-replacement: [0]
-  regexp/prefer-plus-quantifier: [2]
-  regexp/prefer-predefined-assertion: [2]
-  regexp/prefer-quantifier: [0]
-  regexp/prefer-question-quantifier: [2]
-  regexp/prefer-range: [2]
-  regexp/prefer-regexp-exec: [2]
-  regexp/prefer-regexp-test: [2]
-  regexp/prefer-result-array-groups: [0]
-  regexp/prefer-set-operation: [2]
-  regexp/prefer-star-quantifier: [2]
-  regexp/prefer-unicode-codepoint-escapes: [2]
-  regexp/prefer-w: [0]
-  regexp/require-unicode-regexp: [0]
-  regexp/simplify-set-operations: [2]
-  regexp/sort-alternatives: [0]
-  regexp/sort-character-class-elements: [0]
-  regexp/sort-flags: [0]
-  regexp/strict: [2]
-  regexp/unicode-escape: [0]
-  regexp/use-ignore-case: [0]
-  require-atomic-updates: [0]
-  require-await: [0]
-  require-unicode-regexp: [0]
-  require-yield: [2]
-  sonarjs/cognitive-complexity: [0]
-  sonarjs/elseif-without-else: [0]
-  sonarjs/max-switch-cases: [0]
-  sonarjs/no-all-duplicated-branches: [2]
-  sonarjs/no-collapsible-if: [0]
-  sonarjs/no-collection-size-mischeck: [2]
-  sonarjs/no-duplicate-string: [0]
-  sonarjs/no-duplicated-branches: [0]
-  sonarjs/no-element-overwrite: [2]
-  sonarjs/no-empty-collection: [2]
-  sonarjs/no-extra-arguments: [2]
-  sonarjs/no-gratuitous-expressions: [2]
-  sonarjs/no-identical-conditions: [2]
-  sonarjs/no-identical-expressions: [2]
-  sonarjs/no-identical-functions: [2, 5]
-  sonarjs/no-ignored-return: [2]
-  sonarjs/no-inverted-boolean-check: [2]
-  sonarjs/no-nested-switch: [0]
-  sonarjs/no-nested-template-literals: [0]
-  sonarjs/no-one-iteration-loop: [2]
-  sonarjs/no-redundant-boolean: [2]
-  sonarjs/no-redundant-jump: [2]
-  sonarjs/no-same-line-conditional: [2]
-  sonarjs/no-small-switch: [0]
-  sonarjs/no-unused-collection: [2]
-  sonarjs/no-use-of-empty-return-value: [2]
-  sonarjs/no-useless-catch: [2]
-  sonarjs/non-existent-operator: [2]
-  sonarjs/prefer-immediate-return: [0]
-  sonarjs/prefer-object-literal: [0]
-  sonarjs/prefer-single-boolean-return: [0]
-  sonarjs/prefer-while: [2]
-  sort-imports: [0]
-  sort-keys: [0]
-  sort-vars: [0]
-  strict: [0]
-  symbol-description: [2]
-  unicode-bom: [2, never]
-  unicorn/better-regex: [0]
-  unicorn/catch-error-name: [0]
-  unicorn/consistent-destructuring: [2]
-  unicorn/consistent-empty-array-spread: [2]
-  unicorn/consistent-function-scoping: [2]
-  unicorn/custom-error-definition: [0]
-  unicorn/empty-brace-spaces: [2]
-  unicorn/error-message: [0]
-  unicorn/escape-case: [0]
-  unicorn/expiring-todo-comments: [0]
-  unicorn/explicit-length-check: [0]
-  unicorn/filename-case: [0]
-  unicorn/import-index: [0]
-  unicorn/import-style: [0]
-  unicorn/new-for-builtins: [2]
-  unicorn/no-abusive-eslint-disable: [0]
-  unicorn/no-anonymous-default-export: [0]
-  unicorn/no-array-callback-reference: [0]
-  unicorn/no-array-for-each: [2]
-  unicorn/no-array-method-this-argument: [2]
-  unicorn/no-array-push-push: [2]
-  unicorn/no-array-reduce: [2]
-  unicorn/no-await-expression-member: [0]
-  unicorn/no-await-in-promise-methods: [2]
-  unicorn/no-console-spaces: [0]
-  unicorn/no-document-cookie: [2]
-  unicorn/no-empty-file: [2]
-  unicorn/no-for-loop: [0]
-  unicorn/no-hex-escape: [0]
-  unicorn/no-instanceof-array: [0]
-  unicorn/no-invalid-fetch-options: [2]
-  unicorn/no-invalid-remove-event-listener: [2]
-  unicorn/no-keyword-prefix: [0]
-  unicorn/no-length-as-slice-end: [2]
-  unicorn/no-lonely-if: [2]
-  unicorn/no-magic-array-flat-depth: [0]
-  unicorn/no-negated-condition: [0]
-  unicorn/no-negation-in-equality-check: [2]
-  unicorn/no-nested-ternary: [0]
-  unicorn/no-new-array: [0]
-  unicorn/no-new-buffer: [0]
-  unicorn/no-null: [0]
-  unicorn/no-object-as-default-parameter: [0]
-  unicorn/no-process-exit: [0]
-  unicorn/no-single-promise-in-promise-methods: [2]
-  unicorn/no-static-only-class: [2]
-  unicorn/no-thenable: [2]
-  unicorn/no-this-assignment: [2]
-  unicorn/no-typeof-undefined: [2]
-  unicorn/no-unnecessary-await: [2]
-  unicorn/no-unnecessary-polyfills: [2]
-  unicorn/no-unreadable-array-destructuring: [0]
-  unicorn/no-unreadable-iife: [2]
-  unicorn/no-unused-properties: [2]
-  unicorn/no-useless-fallback-in-spread: [2]
-  unicorn/no-useless-length-check: [2]
-  unicorn/no-useless-promise-resolve-reject: [2]
-  unicorn/no-useless-spread: [2]
-  unicorn/no-useless-switch-case: [2]
-  unicorn/no-useless-undefined: [0]
-  unicorn/no-zero-fractions: [2]
-  unicorn/number-literal-case: [0]
-  unicorn/numeric-separators-style: [0]
-  unicorn/prefer-add-event-listener: [2]
-  unicorn/prefer-array-find: [2]
-  unicorn/prefer-array-flat-map: [2]
-  unicorn/prefer-array-flat: [2]
-  unicorn/prefer-array-index-of: [2]
-  unicorn/prefer-array-some: [2]
-  unicorn/prefer-at: [0]
-  unicorn/prefer-blob-reading-methods: [2]
-  unicorn/prefer-code-point: [0]
-  unicorn/prefer-date-now: [2]
-  unicorn/prefer-default-parameters: [0]
-  unicorn/prefer-dom-node-append: [2]
-  unicorn/prefer-dom-node-dataset: [0]
-  unicorn/prefer-dom-node-remove: [2]
-  unicorn/prefer-dom-node-text-content: [2]
-  unicorn/prefer-event-target: [2]
-  unicorn/prefer-export-from: [0]
-  unicorn/prefer-includes: [2]
-  unicorn/prefer-json-parse-buffer: [0]
-  unicorn/prefer-keyboard-event-key: [2]
-  unicorn/prefer-logical-operator-over-ternary: [2]
-  unicorn/prefer-math-trunc: [2]
-  unicorn/prefer-modern-dom-apis: [0]
-  unicorn/prefer-modern-math-apis: [2]
-  unicorn/prefer-module: [2]
-  unicorn/prefer-native-coercion-functions: [2]
-  unicorn/prefer-negative-index: [2]
-  unicorn/prefer-node-protocol: [2]
-  unicorn/prefer-number-properties: [0]
-  unicorn/prefer-object-from-entries: [2]
-  unicorn/prefer-object-has-own: [0]
-  unicorn/prefer-optional-catch-binding: [2]
-  unicorn/prefer-prototype-methods: [0]
-  unicorn/prefer-query-selector: [0]
-  unicorn/prefer-reflect-apply: [0]
-  unicorn/prefer-regexp-test: [2]
-  unicorn/prefer-set-has: [0]
-  unicorn/prefer-set-size: [2]
-  unicorn/prefer-spread: [0]
-  unicorn/prefer-string-raw: [0]
-  unicorn/prefer-string-replace-all: [0]
-  unicorn/prefer-string-slice: [0]
-  unicorn/prefer-string-starts-ends-with: [2]
-  unicorn/prefer-string-trim-start-end: [2]
-  unicorn/prefer-structured-clone: [2]
-  unicorn/prefer-switch: [0]
-  unicorn/prefer-ternary: [0]
-  unicorn/prefer-text-content: [2]
-  unicorn/prefer-top-level-await: [0]
-  unicorn/prefer-type-error: [0]
-  unicorn/prevent-abbreviations: [0]
-  unicorn/relative-url-style: [2]
-  unicorn/require-array-join-separator: [2]
-  unicorn/require-number-to-fixed-digits-argument: [2]
-  unicorn/require-post-message-target-origin: [0]
-  unicorn/string-content: [0]
-  unicorn/switch-case-braces: [0]
-  unicorn/template-indent: [2]
-  unicorn/text-encoding-identifier-case: [0]
-  unicorn/throw-new-error: [2]
-  use-isnan: [2]
-  valid-typeof: [2, {requireStringLiterals: true}]
-  vars-on-top: [0]
-  wc/attach-shadow-constructor: [2]
-  wc/define-tag-after-class-definition: [0]
-  wc/expose-class-on-global: [0]
-  wc/file-name-matches-element: [2]
-  wc/guard-define-call: [0]
-  wc/guard-super-call: [2]
-  wc/max-elements-per-file: [0]
-  wc/no-child-traversal-in-attributechangedcallback: [2]
-  wc/no-child-traversal-in-connectedcallback: [2]
-  wc/no-closed-shadow-root: [2]
-  wc/no-constructor-attributes: [2]
-  wc/no-constructor-params: [2]
-  wc/no-constructor: [2]
-  wc/no-customized-built-in-elements: [2]
-  wc/no-exports-with-element: [0]
-  wc/no-invalid-element-name: [2]
-  wc/no-invalid-extends: [2]
-  wc/no-method-prefixed-with-on: [2]
-  wc/no-self-class: [2]
-  wc/no-typos: [2]
-  wc/require-listener-teardown: [2]
-  wc/tag-name-matches-class: [2]
-  yoda: [2, never]
--- a/.forgejo/issue_template/config.yml
+++ b/.forgejo/issue_template/config.yml
@ -1,7 +1,7 @@
 contact_links:
  - name: 🔓 Security Reports
    url: mailto:security@forgejo.org
-    about: "Please email <security@forgejo.org> (GPG: `A4676E79`) instead of opening a public issue."
+    about: "Please email <security@forgejo.org> (See https://forgejo.org/.well-known/security.txt)."
  - name: 💬 Matrix Chat Room
    url: https://matrix.to/#/#forgejo-chat:matrix.org
    about: Please ask questions and discuss configuration or deployment problems here.
--- a/.forgejo/testdata/build-release/Dockerfile
+++ b/.forgejo/testdata/build-release/Dockerfile
@ -1,4 +1,4 @@
-FROM code.forgejo.org/oci/alpine:3.20
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION=unkown
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.version="${RELEASE_VERSION}"
--- a/.forgejo/testdata/build-release/go.mod
+++ b/.forgejo/testdata/build-release/go.mod
@ -1,3 +1,3 @@
 module code.gitea.io/gitea

-go 1.23.2
+go 1.23.3
--- a/.forgejo/workflows-composite/apt-install-from/action.yaml
+++ b/.forgejo/workflows-composite/apt-install-from/action.yaml
@ -0,0 +1,29 @@
+inputs:
+  packages:
+    description: 'Packages to install'
+    required: true
+  release:
+    description: 'Release to install from'
+    default: testing
+
+runs:
+  using: "composite"
+  steps:
+    - name: setup apt package source
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        echo "deb http://deb.debian.org/debian/ ${RELEASE} main" > "/etc/apt/sources.list.d/${RELEASE}.list"
+      env:
+        RELEASE: ${{inputs.release}}
+    - name: install packages
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y ${PACKAGES}
+      env:
+        PACKAGES: ${{inputs.packages}}
+    - name: remove temporary package list to prevent using it in other steps
+      run: |
+        rm "/etc/apt/sources.list.d/${RELEASE}.list"
+        apt-get update -qq
+      env:
+        RELEASE: ${{inputs.release}}
--- a/.forgejo/workflows-composite/build-backend/action.yaml
+++ b/.forgejo/workflows-composite/build-backend/action.yaml
@ -0,0 +1,15 @@
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        su forgejo -c 'make deps-backend'
+    - uses: https://data.forgejo.org/actions/cache@v4
+      id: cache-backend
+      with:
+        path: ${{github.workspace}}/gitea
+        key: backend-build-${{ github.sha }}
+    - if: steps.cache-backend.outputs.cache-hit != 'true'
+      run: |
+        su forgejo -c 'make backend'
+      env:
+        TAGS: bindata
--- a/.forgejo/workflows-composite/setup-cache-go/action.yaml
+++ b/.forgejo/workflows-composite/setup-cache-go/action.yaml
@ -0,0 +1,61 @@
+# SPDX-License-Identifier: MIT
+name: 'Forgejo Actions to setup Go and cache dependencies'
+author: 'Forgejo authors'
+description: |
+  Wrap the setup-go with improved dependency caching.
+inputs:
+  username:
+    description: 'User for which to manage the dependency cache'
+    default: root
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Install zstd for faster caching"
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y zstd
+
+    - name: "Set up Go using setup-go"
+      uses: https://data.forgejo.org/actions/setup-go@v5
+      id: go-version
+      with:
+        go-version-file: "go.mod"
+        # do not cache dependencies, we do this manually
+        cache: false
+
+    - name: "Get go environment information"
+      id: go-environment
+      run: |
+        chmod 755 $HOME # ensure ${RUN_AS_USER} has permission when go is located in $HOME
+        export GOROOT="$(go env GOROOT)"
+        echo "modcache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOMODCACHE')" >> "$GITHUB_OUTPUT"
+        echo "cache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOCACHE')" >> "$GITHUB_OUTPUT"
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        GO_VERSION: ${{ steps.go-version.outputs.go-version }}
+
+    - name: "Create cache folders with correct permissions (for non-root users)"
+      if: inputs.username != 'root'
+      # when the cache is restored, only the permissions of the last part are restored
+      # so assuming that /home/user exists and we are restoring /home/user/go/pkg/mod,
+      # both folders will have the correct permissions, but
+      # /home/user/go and /home/user/go/pkg might be owned by root
+      run: |
+        su ${RUN_AS_USER} -c 'mkdir -p "${MODCACHE_DIR}" "${CACHE_DIR}"'
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        MODCACHE_DIR: ${{ steps.go-environment.outputs.modcache }}
+        CACHE_DIR: ${{ steps.go-environment.outputs.cache }}
+
+    - name: "Restore Go dependencies from cache or mark for later caching"
+      id: cache-deps
+      uses: https://data.forgejo.org/actions/cache@v4
+      with:
+        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
+        restore-keys: |
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
+        path: |
+          ${{ steps.go-environment.outputs.modcache }}
+          ${{ steps.go-environment.outputs.cache }}
--- a/.forgejo/workflows-composite/setup-env/action.yaml
+++ b/.forgejo/workflows-composite/setup-env/action.yaml
@ -0,0 +1,25 @@
+# TODO:
+# - [ ] prepare a forgejo ci image with the necessary tools and forgejo user
+runs:
+  using: "composite"
+  steps:
+    - name: setup user and permissions
+      run: |
+        git config --add safe.directory '*'
+        # ignore if the user already exists (like with the playwright image)
+        adduser --quiet --comment forgejo --disabled-password forgejo || true
+        chown -R forgejo:forgejo .
+
+    - uses: ./.forgejo/workflows-composite/setup-cache-go
+      with:
+        username: forgejo
+
+    - name: validate go version
+      run: |
+        set -ex
+        toolchain=$(grep -oP '(?<=toolchain ).+' go.mod)
+        version=$(go version | cut -d' ' -f3)
+        if dpkg --compare-versions ${version#go} lt ${toolchain#go}; then
+          echo "go version too low: $toolchain >= $version"
+          exit 1
+        fi
--- a/.forgejo/workflows/backport.yml
+++ b/.forgejo/workflows/backport.yml
@ -22,6 +22,8 @@
 #    `backport/v1.21` label on a merged pull request that can be backported
 #    without conflict.
 #
+name: issue-labels
+
 on:
  pull_request_target:
    types:
@ -31,21 +33,21 @@ on:
 jobs:
  backporting:
    if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      ( vars.ROLE == 'forgejo-coding' ) && (
        github.event.pull_request.merged
        &&
        contains(toJSON(github.event.pull_request.labels), 'backport/v')
      )
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://code.forgejo.org/actions/git-backporting@v4.8.0
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.4
        with:
          target-branch-pattern: "^backport/(?<target>(v.*))$"
          strategy: ort
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -22,13 +22,13 @@ on:

 jobs:
  release-simulation:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: self-hosted
+    if: vars.ROLE == 'forgejo-coding'
+    runs-on: lxc-bookworm
    steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4

      - id: forgejo
-        uses: https://code.forgejo.org/actions/setup-forgejo@v1
+        uses: https://data.forgejo.org/actions/setup-forgejo@v2.0.4
        with:
          user: root
          password: admin1234
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -14,6 +14,12 @@
 #  secrets.CASCADE_DESTINATION_TOKEN: <generated from code.forgejo.org/forgejo-ci> scope read:user, write:repository, write:issue
 #  vars.CASCADE_DESTINATION_DOER: forgejo-ci
 #
+#  vars.SKIP_END_TO_END: `true` or `false`
+#    It must be `false` (or absent) so https://code.forgejo.org/forgejo/end-to-end is run
+#    with the newly built release.
+#    It must be set to `true` when a release is missing, for instance because it was
+#    removed and failed to upload.
+#
 on:
  push:
    tags: 'v[0-9]+.[0-9]+.*'
@ -23,11 +29,11 @@ on:

 jobs:
  release:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
    # root is used for testing, allow it
    if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4
        with:
          fetch-depth: 0

@ -37,11 +43,11 @@ jobs:
          repository="${{ github.repository }}"
          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"

-      - uses: https://code.forgejo.org/actions/setup-node@v4
+      - uses: https://data.forgejo.org/actions/setup-node@v4
        with:
          node-version: 20

-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"

@ -87,7 +93,7 @@ jobs:

      - name: cache node_modules
        id: node
-        uses: https://code.forgejo.org/actions/cache@v4
+        uses: https://data.forgejo.org/actions/cache@v4
        with:
          path: |
            node_modules
@ -158,7 +164,7 @@ jobs:

      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -177,7 +183,7 @@ jobs:

      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -195,7 +201,7 @@ jobs:

      - name: end-to-end tests
        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://code.forgejo.org/actions/cascading-pr@v2
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
--- a/.forgejo/workflows/cascade-setup-end-to-end.yml
+++ b/.forgejo/workflows/cascade-setup-end-to-end.yml
@ -12,8 +12,10 @@
 #    whatever is in the default branch instead
 #
 #  - after it is merged, double check it works by setting the
-#    run-end-to-end-test on a pull request (any pull request will doe
+#    run-end-to-end-test on a pull request (any pull request will do)
 #
+name: issue-labels
+
 on:
  push:
    branches:
@ -23,42 +25,23 @@ on:
      - labeled

 jobs:
-  info:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: docker
-    container:
-      image: code.forgejo.org/oci/node:20-bookworm
-    steps:
-      - name: event
-        run: |
-          echo github.event.pull_request.head.repo.fork = ${{ github.event.pull_request.head.repo.fork }}
-          echo github.event.action = ${{ github.event.action }}
-          echo github.event.pull_request.merged = ${{ github.event.pull_request.merged }}
-          echo github.event.pull_request.labels.*.name
-          cat <<'EOF'
-          ${{ toJSON(github.event.pull_request.labels.*.name) }}
-          EOF
-          cat <<'EOF'
-          ${{ toJSON(github.event) }}
-          EOF
-
  cascade:
    if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      vars.ROLE == 'forgejo-coding' && (
        github.event_name == 'push' ||
        (
-          github.event.action == 'label_updated' && contains(github.event.pull_request.labels.*.name, 'run-end-to-end-tests')
+          github.event.action == 'label_updated' && github.event.label.name == 'run-end-to-end-tests'
        )
      )
    runs-on: docker
    container:
-      image: code.forgejo.org/oci/node:20-bookworm
+      image: data.forgejo.org/oci/node:20-bookworm
    steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4
        with:
          fetch-depth: '0'
          show-progress: 'false'
-      - uses: actions/cascading-pr@v2
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
--- a/.forgejo/workflows/e2e.yml
+++ b/.forgejo/workflows/e2e.yml
@ -1,37 +0,0 @@
-name: e2e
-
-on:
-  pull_request:
-    paths:
-      - Makefile
-      - playwright.config.js
-      - .forgejo/workflows/e2e.yml
-      - tests/e2e/**
-      - web_src/js/**
-      - web_src/css/form.css
-      - templates/webhook/shared-settings.tmpl
-      - templates/org/team/new.tmpl
-
-jobs:
-  test-e2e:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: docker
-    container:
-      image: 'code.forgejo.org/oci/playwright:latest'
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
-      - run: |
-          git config --add safe.directory '*'
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-frontend frontend deps-backend'
-      - run: |
-          su forgejo -c 'make backend'
-      - run: |
-          su forgejo -c 'make generate test-e2e-sqlite'
-        timeout-minutes: 40
-        env:
-          USE_REPO_TEST_DIR: 1
--- a/.forgejo/workflows/forgejo-integration-cleanup.yml
+++ b/.forgejo/workflows/forgejo-integration-cleanup.yml
@ -9,7 +9,7 @@ jobs:
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:

      - name: apt install curl jq
--- a/.forgejo/workflows/merge-requirements.yml
+++ b/.forgejo/workflows/merge-requirements.yml
@ -0,0 +1,45 @@
+# Copyright 2024 The Forgejo Authors
+# SPDX-License-Identifier: MIT
+
+name: requirements
+
+on:
+  pull_request:
+    types:
+      - labeled
+      - edited
+      - opened
+      - synchronize
+
+jobs:
+  merge-conditions:
+    if: vars.ROLE == 'forgejo-coding'
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+    steps:
+      - name: Debug output
+        run: |
+          cat <<'EOF'
+          ${{ toJSON(github) }}
+          EOF
+      - name: Missing test label
+        if: >
+          !(
+            contains(toJSON(github.event.pull_request.labels), 'test/present')
+            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
+            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
+          )
+        run: |
+          echo "Test label must be set to either 'present', 'not-needed' or 'manual'."
+          exit 1
+      - name: Missing manual test instructions
+        if: >
+          (
+            contains(toJSON(github.event.pull_request.labels), 'test/manual')
+            && !contains(toJSON(github.event.pull_request.body), '# Test')
+          )
+        run: |
+          echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"
+          echo "# Testing"
+          exit 1
--- a/.forgejo/workflows/milestone.yml
+++ b/.forgejo/workflows/milestone.yml
@ -0,0 +1,24 @@
+# Copyright 2024 The Forgejo Authors
+# SPDX-License-Identifier: MIT
+#
+name: milestone
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  set:
+    if: vars.ROLE == 'forgejo-coding' && github.event.pull_request.merged
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/ci:1'
+    steps:
+      - uses: https://data.forgejo.org/forgejo/set-milestone@v1.0.0
+        with:
+          forgejo: https://codeberg.org
+          repository: forgejo/forgejo
+          token: ${{ secrets.SET_MILESTONE_TOKEN }}
+          pr-number: ${{ github.event.pull_request.number }}
+          verbose: ${{ vars.SET_MILESTONE_VERBOSE }}
--- a/.forgejo/workflows/mirror.yml
+++ b/.forgejo/workflows/mirror.yml
@ -11,7 +11,7 @@ jobs:
    if: ${{ secrets.MIRROR_TOKEN != '' }}
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: git push {v*/,}forgejo
        run: |
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -36,20 +36,20 @@ on:

 jobs:
  publish:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
    if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != ''
    steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4

      - name: copy & sign
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v5
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.3.4
        with:
          from-forgejo: ${{ vars.FORGEJO }}
          to-forgejo: ${{ vars.FORGEJO }}
          from-owner: ${{ vars.FROM_OWNER }}
          to-owner: ${{ vars.TO_OWNER }}
          repo: ${{ vars.REPO }}
-          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#{ANCHOR}"
+          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/{VERSION}.md"
          ref-name: ${{ github.ref_name }}
          sha: ${{ github.sha }}
          from-token: ${{ secrets.TOKEN }}
@ -59,30 +59,28 @@ jobs:
          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
          verbose: ${{ vars.VERBOSE }}

-      - name: upgrade v*.next.forgejo.org
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          apt-get update -qq
-          apt-get -q install -y -qq curl
-          version="${{ github.ref_name }}"
-          version=${version##*v}
-          major=$(echo $version | sed -E -e 's/^([0-9]+).*/\1/')
-          # https://forgejo.org/docs/next/developer/infrastructure
-          curl -o /dev/null -sS https://v$major.next.forgejo.org/.well-known/wakeup-on-logs/forgejo-v$major
+      - name: get trigger mirror issue
+        id: mirror
+        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.3.0
+        with:
+          forgejo: https://code.forgejo.org
+          repository: forgejo/forgejo
+          labels: mirror-trigger

-      - name: set up go for the DNS update below
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/setup-go@v4
+      - name: trigger the mirror
+        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.3.0
        with:
-          go-version-file: "go.mod"
-      - name: update the _release.experimental DNS record
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/ovh-dns-update@v1
+          forgejo: https://code.forgejo.org
+          repository: forgejo/forgejo
+          token: ${{ secrets.LABEL_ISSUE_FORGEJO_MIRROR_TOKEN }}
+          numbers: ${{ steps.mirror.outputs.numbers }}
+          label-wait-if-exists: 3600
+          label: trigger
+
+      - name: upgrade v*.next.forgejo.org
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
        with:
-          subdomain: _release.experimental
-          domain: forgejo.com # there is a CNAME from .org to .com (for security reasons)
-          record-id: 5283602601
-          value: v=${{ github.ref_name }}
-          ovh-app-key: ${{ secrets.OVH_APP_KEY }}
-          ovh-app-secret: ${{ secrets.OVH_APP_SECRET }}
-          ovh-consumer-key: ${{ secrets.OVH_CON_KEY }}
+          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@code.forgejo.org/infrastructure/next-digest
+          ref_name: '${{ github.ref_name }}'
+          image: 'codeberg.org/forgejo-experimental/forgejo'
+          tag_suffix: '-rootless'
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@ -6,14 +6,14 @@ on:

 jobs:
  release-notes:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-')
+    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4

-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@ -1,3 +1,5 @@
+name: issue-labels
+
 on:
  pull_request_target:
    types:
@ -7,12 +9,12 @@ on:

 jobs:
  release-notes:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') && contains(github.event.pull_request.labels.*.name, 'worth a release-note') }}
+    if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4

      - name: event
        run: |
@ -23,7 +25,7 @@ jobs:
          ${{ toJSON(github.event) }}
          EOF

-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -8,7 +8,9 @@ name: renovate
 on:
  push:
    branches:
-      - 'renovate/**' # self-test updates
+      - renovate/** # self-test updates
+    paths:
+      - .forgejo/workflows/renovate.yml
  schedule:
    - cron: '0 0/2 * * *'
  workflow_dispatch:
@ -16,18 +18,21 @@ on:
 env:
  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
  RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
+  # and codeberg api returns such versions from `git describe --tags`
+  RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0

 jobs:
  renovate:
-    if: ${{ secrets.RENOVATE_TOKEN != '' }}
+    if: vars.ROLE == 'forgejo-coding' && secrets.RENOVATE_TOKEN != ''

    runs-on: docker
    container:
-      image: code.forgejo.org/forgejo-contrib/renovate:38.93.2
+      image: data.forgejo.org/renovate/renovate:39.185.0

    steps:
      - name: Load renovate repo cache
-        uses: https://code.forgejo.org/actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: https://data.forgejo.org/actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        with:
          path: |
            .tmp/cache/renovate/repository
@ -60,7 +65,7 @@ jobs:

      - name: Save renovate repo cache
        if: always() && env.RENOVATE_DRY_RUN != 'full'
-        uses: https://code.forgejo.org/actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        with:
          path: |
            .tmp/cache/renovate/repository
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -6,319 +6,270 @@ on:
    branches:
      - 'forgejo*'
      - 'v*/forgejo*'
+  workflow_dispatch:

 jobs:
  backend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
-      - run: make deps-backend deps-tools
-      - run: make --always-make -j$(nproc) lint-backend tidy-check swagger-check fmt-check swagger-validate # ensure the "go-licenses" make target runs
-      - run: |
-          make backend
-        env:
-          TAGS: bindata
-      - uses: actions/cache@v4
-        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make --always-make -j$(nproc) lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate' # ensure the "go-licenses" make target runs
+      - uses: ./.forgejo/workflows-composite/build-backend
  frontend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
      - run: make test-frontend-coverage
      - run: make frontend
+      - name: Install zstd for cache saving
+        # works around https://github.com/actions/cache/issues/1169, because the
+        # consuming job has zstd and doesn't restore the cache otherwise
+        run: |
+          apt-get update -qq
+          apt-get -q install -qq -y zstd
+      - name: "Cache frontend build for playwright testing"
+        uses: https://data.forgejo.org/actions/cache/save@v4
+        with:
+          path: ${{github.workspace}}/public/assets
+          key: frontend-build-${{ github.sha }}
  test-unit:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    services:
      elasticsearch:
-        image: docker.io/bitnami/elasticsearch:7
+        image: data.forgejo.org/oci/bitnami/elasticsearch:7
+        options: --tmpfs /bitnami/elasticsearch/data
        env:
          discovery.type: single-node
          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
      minio:
-        image: docker.io/bitnami/minio:2024.8.17
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        options: >-
-          --hostname gitea.minio
+          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
        env:
          MINIO_DOMAIN: minio
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
-      - run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get -q install -qq -y git
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
      - name: test release-notes-assistant.sh
        run: |
          apt-get -q install -qq -y jq
          ./release-notes-assistant.sh test_main
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - uses: actions/cache/restore@v4
-        id: cache-backend
-        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
-      - if: steps.cache-backend.outputs.cache-hit != 'true'
-        run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-backend test-check'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: 'true'
          TAGS: bindata
          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
-  test-remote-cacher:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+  test-e2e:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/playwright:latest'
+      options: --tmpfs /tmp:exec,noatime
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+        with:
+          fetch-depth: 20
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - name: "Restore frontend build"
+        uses: https://data.forgejo.org/actions/cache/restore@v4
+        id: cache-frontend
+        with:
+          path: ${{github.workspace}}/public/assets
+          key: frontend-build-${{ github.sha }}
+      - name: "Build frontend (if not cached)"
+        if: steps.cache-frontend.outputs.cache-hit != 'true'
+        run: |
+          su forgejo -c 'make deps-frontend frontend'
+      - uses: ./.forgejo/workflows-composite/build-backend
+      - name: Get changed files
+        id: changed-files
+        uses: https://data.forgejo.org/tj-actions/changed-files@v45
+        with:
+          separator: '\n'
+      - run: |
+          su forgejo -c 'make generate test-e2e-sqlite'
+        timeout-minutes: 120
+        env:
+          USE_REPO_TEST_DIR: 1
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          CHANGED_FILES: ${{steps.changed-files.outputs.all_changed_files}}
+      - name: Upload test artifacts on failure
+        if: failure()
+        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
+        with:
+          name: test-artifacts.zip
+          path: tests/e2e/test-artifacts/
+          retention-days: 3
+  test-remote-cacher:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
+    runs-on: docker
+    needs: [backend-checks, frontend-checks, test-unit]
+    container:
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
+    name: ${{ format('test-remote-cacher ({0})', matrix.cacher.name) }}
    strategy:
      matrix:
        cacher:
-          # redis
-          - image: docker.io/bitnami/redis:7.2
-            port: 6379
-          # redict
-          - image: registry.redict.io/redict:7.3.0-scratch
-            port: 6379
-          # valkey
-          - image: docker.io/bitnami/valkey:7.2
-            port: 6379
-          # garnet
-          - image: ghcr.io/microsoft/garnet-alpine:1.0.14
-            port: 6379
+          - name: redis
+            image: data.forgejo.org/oci/bitnami/redis:7.2
+            options: --tmpfs /bitnami/redis/data:noatime
+          - name: redict
+            image: registry.redict.io/redict:7.3.0-scratch
+            options: --tmpfs /data:noatime
+          - name: valkey
+            image: data.forgejo.org/oci/bitnami/valkey:7.2
+            options: --tmpfs /bitnami/redis/data:noatime
+          - name: garnet
+            image: ghcr.io/microsoft/garnet-alpine:1.0.14
+            options: --tmpfs /data:noatime
    services:
      cacher:
        image: ${{ matrix.cacher.image }}
        options: ${{ matrix.cacher.options }}
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
-      - run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get -q install -qq -y git
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - uses: actions/cache/restore@v4
-        id: cache-backend
+        uses: ./.forgejo/workflows-composite/apt-install-from
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
-      - if: steps.cache-backend.outputs.cache-hit != 'true'
-        run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+          packages: git
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-remote-cacher test-check'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: 'true'
          TAGS: bindata
          TEST_REDIS_SERVER: cacher:${{ matrix.cacher.port }}
  test-mysql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    services:
      mysql:
-        image: 'docker.io/bitnami/mysql:8.4'
+        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
        env:
          ALLOW_EMPTY_PASSWORD: yes
          MYSQL_DATABASE: testgitea
          #
          # See also https://codeberg.org/forgejo/forgejo/issues/976
          #
-          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000
+          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
+        options: --tmpfs /bitnami/mysql/data:noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - uses: actions/cache/restore@v4
-        id: cache-backend
+        uses: ./.forgejo/workflows-composite/apt-install-from
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
-      - if: steps.cache-backend.outputs.cache-hit != 'true'
-        run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-mysql-migration test-mysql'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          USE_REPO_TEST_DIR: 1
  test-pgsql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    services:
      minio:
-        image: docker.io/bitnami/minio:2024.8.17
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        env:
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
+        options: --tmpfs /bitnami/minio/data
      ldap:
-        image: docker.io/gitea/test-openldap:latest
+        image: data.forgejo.org/oci/test-openldap:latest
      pgsql:
-        image: 'code.forgejo.org/oci/postgres:15'
+        image: data.forgejo.org/oci/bitnami/postgresql:15
        env:
-          POSTGRES_DB: test
-          POSTGRES_PASSWORD: postgres
+          POSTGRESQL_DATABASE: test
+          POSTGRESQL_PASSWORD: postgres
+          POSTGRESQL_FSYNC: off
+          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
+        options: --tmpfs /bitnami/postgresql
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - uses: actions/cache/restore@v4
-        id: cache-backend
+        uses: ./.forgejo/workflows-composite/apt-install-from
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
-      - if: steps.cache-backend.outputs.cache-hit != 'true'
-        run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-pgsql-migration test-pgsql'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: true
          USE_REPO_TEST_DIR: 1
          TEST_LDAP: 1
  test-sqlite:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
      - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - uses: actions/cache/restore@v4
-        id: cache-backend
+        uses: ./.forgejo/workflows-composite/apt-install-from
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
-          key: backend-build-${{ github.sha }}
-      - if: steps.cache-backend.outputs.cache-hit != 'true'
-        run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: |
          su forgejo -c 'make test-sqlite-migration test-sqlite'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          TAGS: sqlite sqlite_unlock_notify
          RACE_ENABLED: true
          TEST_TAGS: sqlite sqlite_unlock_notify
          USE_REPO_TEST_DIR: 1
  security-check:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs:
      - test-sqlite
@ -327,11 +278,10 @@ jobs:
      - test-remote-cacher
      - test-unit
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
+      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
-      - run: make deps-backend deps-tools
-      - run: make security-check
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make security-check'
--- a/.gitignore
+++ b/.gitignore
@ -37,6 +37,7 @@ _testmain.go

 *coverage.out
 coverage.all
+coverage/
 cpu.out

 /modules/migration/bindata.go
@ -72,6 +73,7 @@ cpu.out
 /tests/e2e/reports
 /tests/e2e/test-artifacts
 /tests/e2e/test-snapshots
+/tests/e2e/.auth
 /tests/*.ini
 /tests/**/*.git/**/*.sample
 /node_modules
@ -115,6 +117,9 @@ prime/
 *_source.tar.bz2
 .DS_Store

+# Direnv configuration
+/.envrc
+
 # nix-direnv generated files
 .direnv/

--- a/.golangci.yml
+++ b/.golangci.yml
@ -19,12 +19,12 @@ linters:
    - revive
    - staticcheck
    - stylecheck
-    - tenv
    - testifylint
    - typecheck
    - unconvert
    - unused
    - unparam
+    - usetesting
    - wastedassign

 run:
@ -77,6 +77,8 @@ linters-settings:
      - name: unreachable-code
      - name: var-declaration
      - name: var-naming
+      - name: redefines-builtin-id
+        disabled: true
  gofumpt:
    extra-rules: true
  depguard:
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@ -10,7 +10,7 @@ branch-known:
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |

-  ## Draft release notes
+  ## Release notes
 comment: |
  <details>
  <summary>Where does that come from?</summary>
--- a/8
+++ b/8
@ -16,6 +16,9 @@ templates/.* @caesar @crystal @gusted
 ## the issue sidebar was touched by fnetx
 templates/repo/issue/view_content/sidebar.* @fnetx

+# Playwright tests
+tests/e2e/.* @fnetx
+
 # Files related to Go development.

 # The modules usually don't require much knowledge about Forgejo and could
@ -30,8 +33,9 @@ models/.* @gusted
 # for code that lives in here.
 routers/.* @gusted

-# Let new strings be checked by the translation team.
-options/locale/locale_en-US.ini @0ko
+# Let locale changes be checked by the translation team.
+options/locale/.* @0ko
+options/locale_next/.* @0ko

 # Personal interest
 .*/webhook.* @oliverpool
--- a/8
+++ b/8
@ -1,6 +1,6 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.23-alpine3.20 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env

 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}
@ -51,7 +51,7 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
              /go/src/code.gitea.io/gitea/environment-to-ini
 RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete

-FROM code.forgejo.org/oci/alpine:3.20
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
@ -98,7 +98,7 @@ ENV GITEA_CUSTOM=/data/gitea
 VOLUME ["/data"]

 ENTRYPOINT ["/usr/bin/entrypoint"]
-CMD ["/bin/s6-svscan", "/etc/s6"]
+CMD ["/usr/bin/s6-svscan", "/etc/s6"]

 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,6 +1,6 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx

-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.23-alpine3.20 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env

 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}
@ -49,7 +49,8 @@ RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
              /go/src/code.gitea.io/gitea/environment-to-ini
 RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete

-FROM code.forgejo.org/oci/alpine:3.20
+FROM data.forgejo.org/oci/alpine:3.21
+ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
      org.opencontainers.image.url="https://forgejo.org" \
@ -71,6 +72,7 @@ RUN apk --no-cache add \
    git \
    curl \
    gnupg \
+    openssh-client \
    && rm -rf /var/cache/apk/*

 RUN addgroup \
--- a/180
+++ b/180
@ -18,48 +18,49 @@ DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 IMPORT := code.gitea.io/gitea

-GO ?= go
+GO ?= $(shell go env GOROOT)/bin/go
 SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
 DIFF ?= diff --unified

+ifeq ($(USE_GOTESTSUM), yes)
+	GOTEST ?= gotestsum --
+	GOTESTCOMPILEDRUNPREFIX ?= gotestsum --raw-command -- go tool test2json -t
+	GOTESTCOMPILEDRUNSUFFIX ?= -test.v=test2json
+else
+	GOTEST ?= $(GO) test
+	GOTESTCOMPILEDRUNPREFIX ?=
+	GOTESTCOMPILEDRUNSUFFIX ?=
+endif
+
 XGO_VERSION := go-1.21.x

 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.0.3 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.2.0 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.7.0 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.6 # renovate: datasource=go
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
 MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.6.0 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.25.0 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.31.0 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.4.0 # renovate: datasource=go
-GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.16.2 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@38.93.2 # renovate: datasource=docker packageName=code.forgejo.org/forgejo-contrib/renovate
+GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.18.1 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@39.185.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+
+# https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
+DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

 ifeq ($(HAS_GO), yes)
 	CGO_EXTRA_CFLAGS := -DSQLITE_MAX_VARIABLE_NUMBER=32766
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif

-ifeq ($(GOOS),windows)
-	IS_WINDOWS := yes
-else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
-	ifeq ($(GOOS),)
-		IS_WINDOWS := yes
-	endif
-endif
-ifeq ($(IS_WINDOWS),yes)
-	GOFLAGS := -v -buildmode=exe
-	EXECUTABLE ?= gitea.exe
-else
-	GOFLAGS := -v
-	EXECUTABLE ?= gitea
-endif
+GOFLAGS := -v
+EXECUTABLE ?= gitea

 ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
 	SED_INPLACE := sed -i
@ -114,6 +115,11 @@ FORGEJO_VERSION_API ?= ${FORGEJO_VERSION}
 show-version-api:
 	@echo ${FORGEJO_VERSION_API}

+# Strip binaries by default to reduce size, allow overriding for debugging
+STRIP ?= 1
+ifeq ($(STRIP),1)
+	LDFLAGS := $(LDFLAGS) -s -w
+endif
 LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(FORGEJO_VERSION)" -X "main.Tags=$(TAGS)" -X "main.ForgejoVersion=$(FORGEJO_VERSION_API)"

 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64
@ -154,9 +160,8 @@ TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMAN
 GO_DIRS := build cmd models modules routers services tests
 WEB_DIRS := web_src/js web_src/css

-ESLINT_FILES := web_src/js tools *.js tests/e2e/*.js tests/e2e/shared/*.js
 STYLELINT_FILES := web_src/css web_src/js/components/*.vue
-SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github $(wildcard *.go *.js *.md *.yml *.yaml *.toml)
+SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github $(wildcard *.go *.js *.ts *.vue *.md *.yml *.yaml)

 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/options/bindata.go ! -path modules/public/bindata.go ! -path modules/templates/bindata.go)
@ -408,30 +413,30 @@ lint-frontend: lint-js lint-css
 lint-frontend-fix: lint-js-fix lint-css-fix

 .PHONY: lint-backend
-lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate
+lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale lint-disposable-emails

 .PHONY: lint-backend-fix
-lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig
+lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig lint-disposable-emails-fix

 .PHONY: lint-codespell
-lint-codespell:
-	codespell
+lint-codespell: deps-py
+	@poetry run codespell

 .PHONY: lint-codespell-fix
-lint-codespell-fix:
-	codespell -w
+lint-codespell-fix: deps-py
+	@poetry run codespell -w

 .PHONY: lint-codespell-fix-i
-lint-codespell-fix-i:
-	codespell -w -i 3 -C 2
+lint-codespell-fix-i: deps-py
+	@poetry run codespell -w -i 3 -C 2

 .PHONY: lint-js
 lint-js: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES)
+	npx eslint --color --max-warnings=0

 .PHONY: lint-js-fix
 lint-js-fix: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES) --fix
+	npx eslint --color --max-warnings=0 --fix

 .PHONY: lint-css
 lint-css: node_modules
@ -451,6 +456,10 @@ lint-renovate: node_modules
 	@if grep --quiet --extended-regexp -e '^( WARN:|ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
 	@rm .lint-renovate

+.PHONY: lint-locale
+lint-locale:
+	$(GO) run build/lint-locale.go
+
 .PHONY: lint-md
 lint-md: node_modules
 	npx markdownlint docs *.md
@ -477,13 +486,6 @@ lint-go-fix:
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS) --fix
 	$(RUN_DEADCODE) > .deadcode-out

-# workaround step for the lint-go-windows CI task because 'go run' can not
-# have distinct GOOS/GOARCH for its build and run steps
-.PHONY: lint-go-windows
-lint-go-windows:
-	@GOOS= GOARCH= $(GO) install $(GOLANGCI_LINT_PACKAGE)
-	golangci-lint run
-
 .PHONY: lint-go-vet
 lint-go-vet:
 	@echo "Running go vet..."
@ -498,6 +500,14 @@ lint-go-gopls:
 lint-editorconfig:
 	$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) templates .forgejo/workflows

+.PHONY: lint-disposable-emails
+lint-disposable-emails:
+	$(GO) run build/generate-disposable-email.go -check -r $(DISPOSABLE_EMAILS_SHA)
+
+.PHONY: lint-disposable-emails-fix
+lint-disposable-emails-fix:
+	$(GO) run build/generate-disposable-email.go -r $(DISPOSABLE_EMAILS_SHA)
+
 .PHONY: lint-templates
 lint-templates: .venv node_modules
 	@node tools/lint-templates-svg.js
@ -505,7 +515,7 @@ lint-templates: .venv node_modules

 .PHONY: lint-yaml
 lint-yaml: .venv
-	@poetry run yamllint .
+	@poetry run yamllint -s .

 .PHONY: security-check
 security-check:
@ -534,12 +544,12 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)

 .PHONY: test-remote-cacher
 test-remote-cacher:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)

 .PHONY: test-frontend
 test-frontend: node_modules
@ -564,7 +574,7 @@ test-check:
 .PHONY: test\#%
 test\#%:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)

 .PHONY: coverage
 coverage:
@ -575,7 +585,7 @@ coverage:
 .PHONY: unit-test-coverage
 unit-test-coverage:
 	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 .PHONY: tidy
 tidy:
@ -596,7 +606,7 @@ tidy-check: tidy
 go-licenses: $(GO_LICENSE_FILE)

 $(GO_LICENSE_FILE): go.mod go.sum
-	-$(shell $(GO) env GOROOT)/bin/go run $(GO_LICENSES_PACKAGE) save . --force --ignore code.gitea.io/gitea --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
+	-$(GO) run $(GO_LICENSES_PACKAGE) save . --force --ignore code.gitea.io/gitea --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
 	$(GO) run build/generate-go-licenses.go $(GO_LICENSE_TMP_DIR) $(GO_LICENSE_FILE)
 	@rm -rf $(GO_LICENSE_TMP_DIR)

@ -608,11 +618,11 @@ generate-ini-sqlite:

 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)

 .PHONY: test-sqlite-migration
 test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
@ -629,11 +639,11 @@ generate-ini-mysql:

 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)

 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test
@ -647,15 +657,16 @@ generate-ini-pgsql:
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini

 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)

 .PHONY: test-pgsql-migration
 test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test
@ -674,35 +685,34 @@ test-e2e: test-e2e-sqlite

 .PHONY: test-e2e-sqlite
 test-e2e-sqlite: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e

 .PHONY: test-e2e-sqlite\#%
 test-e2e-sqlite\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-sqlite-firefox\#%
 test-e2e-sqlite-firefox\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini PLAYWRIGHT_PROJECT=firefox ./e2e.sqlite.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini PLAYWRIGHT_PROJECT=firefox $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-mysql
 test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e

 .PHONY: test-e2e-mysql\#%
 test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-pgsql
 test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e

 .PHONY: test-e2e-pgsql\#%
 test-e2e-pgsql\#%: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*

 .PHONY: test-e2e-debugserver
 test-e2e-debugserver: e2e.sqlite.test generate-ini-sqlite
-	sed -i s/3003/3000/g tests/sqlite.ini
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestDebugserver -test.timeout 24h

 .PHONY: bench-sqlite
@ -726,73 +736,73 @@ integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sq
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out

 integrations.mysql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test

 integrations.pgsql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test

 integrations.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'

 integrations.cover.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test

 integrations.cover.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'

 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./migrations.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./migrations.sqlite.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)

 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done

 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done

 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done

 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 e2e.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test

 e2e.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test

 e2e.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'

 .PHONY: check
 check: test
@ -803,7 +813,7 @@ check: test

 .PHONY: install $(TAGS_PREREQ)
 install: $(wildcard *.go)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'

 .PHONY: build
 build: frontend backend
@ -831,13 +841,13 @@ merge-locales:
 	@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"

 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@

 forgejo: $(EXECUTABLE)
 	ln -f $(EXECUTABLE) forgejo

 static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)

 .PHONY: release
 release: frontend generate release-linux release-copy release-compress vendor release-sources release-check
@ -848,10 +858,6 @@ sources-tarbal: frontend generate vendor release-sources release-check
 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

-.PHONY: release-windows
-release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
-
 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out forgejo-$(VERSION) .
@ -896,7 +902,7 @@ release-docs: | $(DIST_DIRS) docs
 .PHONY: reproduce-build
 reproduce-build:
 # Start building the Dockerfile with the RELEASE_VERSION tag set. GOPROXY is set
-# for convience, because the default of the Dockerfile is `direct` which can be
+# for convenience, because the default of the Dockerfile is `direct` which can be
 # quite slow.
 	@docker build --build-arg="RELEASE_VERSION=$(RELEASE_VERSION)" --build-arg="GOPROXY=$(shell $(GO) env GOPROXY)" --tag "forgejo-reproducibility" .
 	@id=$$(docker create forgejo-reproducibility); \
--- a/README.md
+++ b/README.md
@ -1,4 +1,3 @@
-
 <div align="center">
    <img src="./assets/logo.svg" alt="" width="192" align="center" />
    <h1 align="center">Welcome to Forgejo</h1>
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -4,19 +4,31 @@ A minor or major Forgejo release is published every [three months](https://forge

 A [patch or minor release](https://semver.org/spec/v2.0.0.html) (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But [major releases](https://semver.org/spec/v2.0.0.html#spec-item-8) where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.

-The release notes of each release [are available in the corresponding milestone](https://codeberg.org/forgejo/forgejo/milestones), starting with [Forgejo 7.0.7](https://codeberg.org/forgejo/forgejo/milestone/7683) and [Forgejo 8.0.1](https://codeberg.org/forgejo/forgejo/milestone/7682).
+The release notes of each release [are available in the release-notes-published directory of this repository](release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
+
+## 9.0.2
+
+See the [Forgejo 9.0.2 release notes](release-notes-published/9.0.2.md).
+
+## 9.0.1
+
+See the [Forgejo 9.0.1 release notes](release-notes-published/9.0.1.md).
+
+## 9.0.0
+
+See the [Forgejo 9.0.0 release notes](release-notes-published/9.0.0.md).

 ## 8.0.3

-The Forgejo v8.0.3 release notes are [available in the v8.0.3 milestone](https://codeberg.org/forgejo/forgejo/milestone/8231).
+See the [Forgejo 8.0.3 release notes](release-notes-published/8.0.3.md).

 ## 8.0.2

-The Forgejo v8.0.2 release notes are [available in the v8.0.2 milestone](https://codeberg.org/forgejo/forgejo/milestone/7728).
+See the [Forgejo 8.0.2 release notes](release-notes-published/8.0.2.md).

 ## 8.0.1

-The Forgejo v8.0.1 release notes are [available in the v8.0.1 milestone](https://codeberg.org/forgejo/forgejo/milestone/7682).
+See the [Forgejo 8.0.1 release notes](release-notes-published/8.0.1.md).

 ## 8.0.0

@ -155,17 +167,25 @@ A [companion blog post](https://forgejo.org/2024-07-release-v8-0/) provides addi
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/2937): <!--number 2937 --><!--number--><!--description -->31 March updates<!--description-->
 <!--end release-notes-assistant-->

+## 7.0.11
+
+See the [Forgejo 7.0.11 release notes](release-notes-published/7.0.11.md).
+
+## 7.0.10
+
+See the [Forgejo 7.0.10 release notes](release-notes-published/7.0.10.md).
+
 ## 7.0.9

-The Forgejo v7.0.9 release notes are [available in the v7.0.9 milestone](https://codeberg.org/forgejo/forgejo/milestone/8232).
+See the [Forgejo 7.0.9 release notes](release-notes-published/7.0.9.md).

 ## 7.0.8

-The Forgejo v7.0.8 release notes are [available in the v7.0.8 milestone](https://codeberg.org/forgejo/forgejo/milestone/7729).
+See the [Forgejo 7.0.8 release notes](release-notes-published/7.0.8.md).

 ## 7.0.7

-The Forgejo v7.0.7 release notes are [available in the v7.0.7 milestone](https://codeberg.org/forgejo/forgejo/milestone/7683).
+See the [Forgejo 7.0.7 release notes](release-notes-published/7.0.7.md).

 ## 7.0.6

@ -1570,7 +1590,7 @@ this situation, [follow the instructions in the companion blog post](https://for

  The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

-  * [Fix links to pull request reviews sent via mail](https://codeberg.org/forgejo/forgejo/commit/88e179d5ef8ee41f71d068195685ff098b38ca31). The pull request link was correct but it did not go the the review and stayed at the beginning of the page
+  * [Fix links to pull request reviews sent via mail](https://codeberg.org/forgejo/forgejo/commit/88e179d5ef8ee41f71d068195685ff098b38ca31). The pull request link was correct but it did not go the review and stayed at the beginning of the page
  * [Recognize OGG as an audio format](https://codeberg.org/forgejo/forgejo/commit/622ec5c79f299c32ac2667a1aa7b4bf5d7c2d6cf)
  * [Consistently show the last time a cron job was run in the admin panel](https://codeberg.org/forgejo/forgejo/commit/5f769ef20)
  * [Fix NuGet registry v2 & v3 API search endpoints](https://codeberg.org/forgejo/forgejo/commit/471138829b0c24fe8c621dbb866ae8bb45ebc674)
@ -1589,7 +1609,7 @@ this situation, [follow the instructions in the companion blog post](https://for
  * [Fix pull request check list when there are more than 30](https://codeberg.org/forgejo/forgejo/commit/e226b9646)
  * [Fix attachment clipboard copy on insecure origin](https://codeberg.org/forgejo/forgejo/commit/12ac84c26)
  * [Fix the profile README rendering](https://codeberg.org/forgejo/forgejo/commit/84c3b60a4) that [was inconsistent with other markdown files renderings](https://codeberg.org/forgejo/forgejo/issues/833)
-  * [Fix API leaking the user email when the caller is not authentified](https://codeberg.org/forgejo/forgejo/commit/d89003cc1)
+  * [Fix API leaking the user email when the caller is not authenticated](https://codeberg.org/forgejo/forgejo/commit/d89003cc1)

 ## 1.20.2-0

@ -1647,7 +1667,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  The semantic version was updated to `5.0.0+0-gitea-1.20.1` because it contains breaking changes.
 - **Breaking:**
  - [Scoped access tokens](https://codeberg.org/forgejo/forgejo/commit/18de83b2a3fc120922096b7348d6375094ae1532) or (Personal Access Tokens), were refactored and although existing tokens are still valid, they may have a different scope than before. To ensure that no tokens have a larger scope than expected they must be removed and recreated.
-  - If your `app.ini` has one of the the following `[indexer].ISSUE_INDEXER_QUEUE_TYPE`, `[indexer].ISSUE_INDEXER_QUEUE_BATCH_NUMBER`, `[indexer].`, `[indexer].ISSUE_INDEXER_QUEUE_DIR`, `[indexer].ISSUE_INDEXER_QUEUE_CONN_STR`, `[indexer].UPDATE_BUFFER_LEN`, `[mailer].SEND_BUFFER_LEN`, `[repository].PULL_REQUEST_QUEUE_LENGTH` or `[repository].MIRROR_QUEUE_LENGTH`, Forgejo will abort immediately. Unless you know exactly what you're doing, you must comment them out so the default values are used.
+  - If your `app.ini` has one of the following `[indexer].ISSUE_INDEXER_QUEUE_TYPE`, `[indexer].ISSUE_INDEXER_QUEUE_BATCH_NUMBER`, `[indexer].`, `[indexer].ISSUE_INDEXER_QUEUE_DIR`, `[indexer].ISSUE_INDEXER_QUEUE_CONN_STR`, `[indexer].UPDATE_BUFFER_LEN`, `[mailer].SEND_BUFFER_LEN`, `[repository].PULL_REQUEST_QUEUE_LENGTH` or `[repository].MIRROR_QUEUE_LENGTH`, Forgejo will abort immediately. Unless you know exactly what you're doing, you must comment them out so the default values are used.
  - The `-p` option of `environment-to-ini` is [no longer supported](https://codeberg.org/forgejo/forgejo/commit/fa0b5b14c2faa6a5f76bb2e7bc9241a5e4354189)
  - The ".png" suffix for [user and organizations is now reserved](https://codeberg.org/forgejo/forgejo/commit/2b91841cd3e1213ff3e4ed4209d6a4be89c2fa79)
  - The section `[git.reflog]` is [now obsolete and its keys have been moved](https://codeberg.org/forgejo/forgejo/commit/2f149c5c9db97f20fbbc65e32d1f3133048b11a2) to the following replacements:
@ -1741,7 +1761,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  - [The repository migration can be canceled](https://codeberg.org/forgejo/forgejo/commit/f6e029e6c7849d4361abf7f1d749b5d528364ac4)
  - [Add button on the diff header to copy the file name](https://codeberg.org/forgejo/forgejo/commit/c5ede35124c8d5280219c24049bb0ad7da9f02ed)
  - [Add --quiet option to the dump CLI](https://codeberg.org/forgejo/forgejo/commit/cb1536471bcef4d78a3fe5cbd738b9f60fabbcc2)
-  - [Support searching for an issue with its number in the the list of issues](https://codeberg.org/forgejo/forgejo/commit/1144b1d129de530b2c07dfdfaf55de383cd82212)
+  - [Support searching for an issue with its number in the list of issues](https://codeberg.org/forgejo/forgejo/commit/1144b1d129de530b2c07dfdfaf55de383cd82212)
  - [Improve the list of notifications](https://codeberg.org/forgejo/forgejo/commit/f7ede92f82f7f3ec7bb31a1249f9524e5b728f34)
  - [When editing a file in the web UI, allow for a preview whenever possible](https://codeberg.org/forgejo/forgejo/commit/ac64c8297444ade63a2a364c4afb7e6c1de5a75f)
  - [Make release download URLs human readable](https://codeberg.org/forgejo/forgejo/commit/42919ccb7cd32ab67d0878baf2bac6cd007899a8)
@ -1778,7 +1798,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  - [Add API for gitignore templates](https://codeberg.org/forgejo/forgejo/commit/36a5d4c2f3b5670e5e921034cd5d25817534a6d4)
  - [Add API to upuload a file to an empty repository](https://codeberg.org/forgejo/forgejo/commit/cf465b472166ccf6d3e001e3043e4bf43e16e6b3)
  - [Allow for --not when listing the commits of a repo](https://codeberg.org/forgejo/forgejo/commit/f766b002938b5c81e343c81fda3c0669fa09809f)
-  - [Add `files` and `verification` parameters to improve performances when listing the commits of a a repo](https://codeberg.org/forgejo/forgejo/commit/1dd83dbb917d55bd253001646d6743f247a4d98b)
+  - [Add `files` and `verification` parameters to improve performances when listing the commits of a repo](https://codeberg.org/forgejo/forgejo/commit/1dd83dbb917d55bd253001646d6743f247a4d98b)
  - [Allow for listing a single commit in a repository](https://codeberg.org/forgejo/forgejo/commit/5930ab5fdf7a970fcca3cd50b44cf1cacb615a54)
  - [Create a branch directly from commit on the create branch API](https://codeberg.org/forgejo/forgejo/commit/cd9a13ebb47d32f46b38439a524e3b2e0c619490)
  - [Add API for Label templates](https://codeberg.org/forgejo/forgejo/commit/25dc1556cd70b567a4920beb002a0addfbfd6ef2)
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build.go
+++ b/build.go
@ -11,13 +11,4 @@ package main
 import (
 	// for embed
 	_ "github.com/shurcooL/vfsgen"
-
-	// for cover merge
-	_ "golang.org/x/tools/cover"
-
-	// for vet
-	_ "code.gitea.io/gitea-vet"
-
-	// for swagger
-	_ "github.com/go-swagger/go-swagger/cmd/swagger"
 )
--- a/build/generate-disposable-email.go
+++ b/build/generate-disposable-email.go
@ -0,0 +1,203 @@
+// Copyright 2024 James Hatfield
+// SPDX-License-Identifier: MIT
+
+//go:build ignore
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"crypto"
+	"flag"
+	"fmt"
+	"go/format"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+)
+
+const disposableEmailListURL string = "https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/%s/disposable_email_blocklist.conf"
+
+var (
+	gitRef *string = flag.String("r", "master", "Git reference of the domain list version")
+	outPat *string = flag.String("o", "modules/setting/disposable_email_domain_data.go", "Output path")
+	check  *bool   = flag.Bool("check", false, "Check if the current output file matches the current upstream list")
+)
+
+func main() {
+	flag.Parse()
+
+	if *check {
+		// read in the local copy of the domain list
+		local, err := get_local_file()
+		if err != nil {
+			log.Fatalf("File Read Error: %v", err)
+		}
+
+		// generate the remote copy of the domain list
+		remote, err := generate()
+		if err != nil {
+			log.Fatalf("Generation Error: %v", err)
+		}
+
+		// strip the comments from both (so we dont fail simply due to git ref difference)
+		local = strip_comments(local)
+		remote = strip_comments(remote)
+
+		// generate the hash of the local copy
+		local_sha, err := hash(local)
+		if err != nil {
+			log.Fatalf("Local Hash Generation Error: %v", err)
+		}
+
+		// generate the hash of the remote copy
+		remote_sha, err := hash(remote)
+		if err != nil {
+			log.Fatalf("Remote Hash Generation Error: %v", err)
+		}
+
+		// if the hashes dont match then the local copy needs to be updated
+		if local_sha != remote_sha {
+			log.Fatalf("Disposable email domain list needs to be updated!! \"make lint-disposable-emails-fix\"")
+		}
+	} else {
+		// generate the source code (array of domains)
+		res, err := generate()
+		if err != nil {
+			log.Fatalf("Generation Error: %v", err)
+		}
+
+		// write result to a file
+		err = os.WriteFile(*outPat, res, 0o644)
+		if err != nil {
+			log.Fatalf("File Write Error: %v", err)
+		}
+	}
+}
+
+func strip_comments(data []byte) []byte {
+	result := make([]byte, 0, len(data))
+
+	re := regexp.MustCompile(`^\W*//.*$`)
+
+	for _, line := range bytes.Split(data, []byte("\n")) {
+		if !re.Match(line) {
+			result = append(result, line...)
+		}
+	}
+
+	return result
+}
+
+func hash(data []byte) (string, error) {
+	var err error
+
+	hash := crypto.SHA3_256.New()
+
+	_, err = hash.Write(data)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%x", hash.Sum(nil)), err
+}
+
+func get_local_file() ([]byte, error) {
+	var err error
+
+	f, err := os.Open(*outPat)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, err
+}
+
+func get_remote() ([]string, error) {
+	var err error
+	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
+
+	// download the domain list
+	res, err := http.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// go through all entries (1 domain per line)
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+
+	var arrDomains []string
+	for scanner.Scan() {
+		line := scanner.Text()
+		arrDomains = append(arrDomains, line)
+	}
+
+	return arrDomains, err
+}
+
+func generate() ([]byte, error) {
+	var err error
+	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
+
+	// download the domains list
+	arrDomains, err := get_remote()
+	if err != nil {
+		return nil, err
+	}
+
+	// build the string in a readable way
+	var sb strings.Builder
+
+	_, err = sb.WriteString("[]string{\n")
+	if err != nil {
+		return nil, err
+	}
+
+	for _, item := range arrDomains {
+		_, err = sb.WriteString(fmt.Sprintf("\t%q,\n", item))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	_, err = sb.WriteString("}")
+	if err != nil {
+		return nil, err
+	}
+
+	// insert the values into file
+	final := fmt.Sprintf(hdr, url, sb.String())
+
+	return format.Source([]byte(final))
+}
+
+const hdr = `
+// Copyright 2024 James Hatfield
+// SPDX-License-Identifier: MIT
+//
+// Code generated by build/generate-disposable-email.go. DO NOT EDIT
+// Sourced from %s
+package setting
+
+import "sync"
+
+var DisposableEmailDomains = sync.OnceValue(func() []string {
+		return %s
+})
+`
--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@ -53,8 +53,6 @@ func (e Emoji) MarshalJSON() ([]byte, error) {
 }

 func main() {
-	var err error
-
 	flag.Parse()

 	// generate data
@ -83,8 +81,6 @@ var replacer = strings.NewReplacer(
 var emojiRE = regexp.MustCompile(`\{Emoji:"([^"]*)"`)

 func generate() ([]byte, error) {
-	var err error
-
 	// load gemoji data
 	res, err := http.Get(gemojiURL)
 	if err != nil {
--- a/build/gocovmerge.go
+++ b/build/gocovmerge.go
@ -1,118 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright (c) 2015, Wade Simmons
-// SPDX-License-Identifier: MIT
-
-// gocovmerge takes the results from multiple `go test -coverprofile` runs and
-// merges them into one profile
-
-//go:build ignore
-
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"os"
-	"sort"
-
-	"golang.org/x/tools/cover"
-)
-
-func mergeProfiles(p, merge *cover.Profile) {
-	if p.Mode != merge.Mode {
-		log.Fatalf("cannot merge profiles with different modes")
-	}
-	// Since the blocks are sorted, we can keep track of where the last block
-	// was inserted and only look at the blocks after that as targets for merge
-	startIndex := 0
-	for _, b := range merge.Blocks {
-		startIndex = mergeProfileBlock(p, b, startIndex)
-	}
-}
-
-func mergeProfileBlock(p *cover.Profile, pb cover.ProfileBlock, startIndex int) int {
-	sortFunc := func(i int) bool {
-		pi := p.Blocks[i+startIndex]
-		return pi.StartLine >= pb.StartLine && (pi.StartLine != pb.StartLine || pi.StartCol >= pb.StartCol)
-	}
-
-	i := 0
-	if sortFunc(i) != true {
-		i = sort.Search(len(p.Blocks)-startIndex, sortFunc)
-	}
-	i += startIndex
-	if i < len(p.Blocks) && p.Blocks[i].StartLine == pb.StartLine && p.Blocks[i].StartCol == pb.StartCol {
-		if p.Blocks[i].EndLine != pb.EndLine || p.Blocks[i].EndCol != pb.EndCol {
-			log.Fatalf("OVERLAP MERGE: %v %v %v", p.FileName, p.Blocks[i], pb)
-		}
-		switch p.Mode {
-		case "set":
-			p.Blocks[i].Count |= pb.Count
-		case "count", "atomic":
-			p.Blocks[i].Count += pb.Count
-		default:
-			log.Fatalf("unsupported covermode: '%s'", p.Mode)
-		}
-	} else {
-		if i > 0 {
-			pa := p.Blocks[i-1]
-			if pa.EndLine >= pb.EndLine && (pa.EndLine != pb.EndLine || pa.EndCol > pb.EndCol) {
-				log.Fatalf("OVERLAP BEFORE: %v %v %v", p.FileName, pa, pb)
-			}
-		}
-		if i < len(p.Blocks)-1 {
-			pa := p.Blocks[i+1]
-			if pa.StartLine <= pb.StartLine && (pa.StartLine != pb.StartLine || pa.StartCol < pb.StartCol) {
-				log.Fatalf("OVERLAP AFTER: %v %v %v", p.FileName, pa, pb)
-			}
-		}
-		p.Blocks = append(p.Blocks, cover.ProfileBlock{})
-		copy(p.Blocks[i+1:], p.Blocks[i:])
-		p.Blocks[i] = pb
-	}
-	return i + 1
-}
-
-func addProfile(profiles []*cover.Profile, p *cover.Profile) []*cover.Profile {
-	i := sort.Search(len(profiles), func(i int) bool { return profiles[i].FileName >= p.FileName })
-	if i < len(profiles) && profiles[i].FileName == p.FileName {
-		mergeProfiles(profiles[i], p)
-	} else {
-		profiles = append(profiles, nil)
-		copy(profiles[i+1:], profiles[i:])
-		profiles[i] = p
-	}
-	return profiles
-}
-
-func dumpProfiles(profiles []*cover.Profile, out io.Writer) {
-	if len(profiles) == 0 {
-		return
-	}
-	fmt.Fprintf(out, "mode: %s\n", profiles[0].Mode)
-	for _, p := range profiles {
-		for _, b := range p.Blocks {
-			fmt.Fprintf(out, "%s:%d.%d,%d.%d %d %d\n", p.FileName, b.StartLine, b.StartCol, b.EndLine, b.EndCol, b.NumStmt, b.Count)
-		}
-	}
-}
-
-func main() {
-	flag.Parse()
-
-	var merged []*cover.Profile
-
-	for _, file := range flag.Args() {
-		profiles, err := cover.ParseProfiles(file)
-		if err != nil {
-			log.Fatalf("failed to parse profile '%s': %v", file, err)
-		}
-		for _, p := range profiles {
-			merged = addProfile(merged, p)
-		}
-	}
-
-	dumpProfiles(merged, os.Stdout)
-}
--- a/build/lint-locale.go
+++ b/build/lint-locale.go
@ -0,0 +1,215 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//nolint:forbidigo
+package main
+
+import (
+	"encoding/json" //nolint:depguard
+	"fmt"
+	"html"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"slices"
+	"strings"
+
+	"github.com/microcosm-cc/bluemonday"
+	"github.com/sergi/go-diff/diffmatchpatch"
+	"gopkg.in/ini.v1" //nolint:depguard
+)
+
+var (
+	policy     *bluemonday.Policy
+	tagRemover *strings.Replacer
+	safeURL    = "https://TO-BE-REPLACED.COM"
+
+	// Matches href="", href="#", href="%s", href="#%s", href="%[1]s" and href="#%[1]s".
+	placeHolderRegex = regexp.MustCompile(`href="#?(%s|%\[\d\]s)?"`)
+
+	dmp = diffmatchpatch.New()
+)
+
+func initBlueMondayPolicy() {
+	policy = bluemonday.NewPolicy()
+
+	policy.RequireParseableURLs(true)
+	policy.AllowURLSchemes("https")
+
+	// Only allow safe URL on href.
+	// Only allow target="_blank".
+	// Only allow rel="nopener noreferrer", rel="noopener" and rel="noreferrer".
+	// Only allow placeholder on id and class.
+	policy.AllowAttrs("href").Matching(regexp.MustCompile("^" + regexp.QuoteMeta(safeURL) + "$")).OnElements("a")
+	policy.AllowAttrs("target").Matching(regexp.MustCompile("^_blank$")).OnElements("a")
+	policy.AllowAttrs("rel").Matching(regexp.MustCompile("^(noopener|noreferrer|noopener noreferrer)$")).OnElements("a")
+	policy.AllowAttrs("id", "class").Matching(regexp.MustCompile(`^%s|%\[\d\]s$`)).OnElements("a")
+
+	// Only allow positional placeholder as class.
+	positionalPlaceholderRe := regexp.MustCompile(`^%\[\d\]s$`)
+	policy.AllowAttrs("class").Matching(positionalPlaceholderRe).OnElements("strong")
+	policy.AllowAttrs("id").Matching(positionalPlaceholderRe).OnElements("code")
+
+	// Allowed elements with no attributes. Must be a recognized tagname.
+	policy.AllowElements("strong", "br", "b", "strike", "code", "i")
+
+	// TODO: Remove <c> in `actions.workflow.dispatch.trigger_found`.
+	policy.AllowNoAttrs().OnElements("c")
+}
+
+func initRemoveTags() {
+	oldnew := []string{}
+	for _, el := range []string{
+		"email@example.com", "correu@example.com", "epasts@domens.lv", "email@exemplo.com", "eposta@ornek.com", "email@példa.hu", "email@esempio.it",
+		"user", "utente", "lietotājs", "gebruiker", "usuário", "Benutzer", "Bruker", "bruger", "użytkownik",
+		"server", "servidor", "kiszolgáló", "serveris",
+		"label", "etichetta", "etiķete", "rótulo", "Label", "utilizador", "etiket", "iezīme", "etykieta",
+	} {
+		oldnew = append(oldnew, "<"+el+">", "REPLACED-TAG")
+	}
+
+	tagRemover = strings.NewReplacer(oldnew...)
+}
+
+func preprocessTranslationValue(value string) string {
+	// href should be a parsable URL, replace placeholder strings with a safe url.
+	value = placeHolderRegex.ReplaceAllString(value, `href="`+safeURL+`"`)
+
+	// Remove tags that aren't tags but will be parsed as tags. We already know they are safe and sound.
+	value = tagRemover.Replace(value)
+
+	return value
+}
+
+func checkValue(trKey, value string) []string {
+	keyValue := preprocessTranslationValue(value)
+
+	if html.UnescapeString(policy.Sanitize(keyValue)) == keyValue {
+		return nil
+	}
+
+	// Create a nice diff of the difference.
+	diffs := dmp.DiffMain(keyValue, html.UnescapeString(policy.Sanitize(keyValue)), false)
+	diffs = dmp.DiffCleanupSemantic(diffs)
+	diffs = dmp.DiffCleanupEfficiency(diffs)
+
+	return []string{trKey + ": " + dmp.DiffPrettyText(diffs)}
+}
+
+func checkLocaleContent(localeContent []byte) []string {
+	// Same configuration as Forgejo uses.
+	cfg := ini.Empty(ini.LoadOptions{
+		IgnoreContinuation: true,
+	})
+	cfg.NameMapper = ini.SnackCase
+
+	if err := cfg.Append(localeContent); err != nil {
+		panic(err)
+	}
+
+	errors := []string{}
+	for _, section := range cfg.Sections() {
+		for _, key := range section.Keys() {
+			var trKey string
+			if section.Name() == "" || section.Name() == "DEFAULT" || section.Name() == "common" {
+				trKey = key.Name()
+			} else {
+				trKey = section.Name() + "." + key.Name()
+			}
+
+			errors = append(errors, checkValue(trKey, key.Value())...)
+		}
+	}
+	return errors
+}
+
+func checkLocaleNextContent(data map[string]any, trKey ...string) []string {
+	errors := []string{}
+	for key, value := range data {
+		currentKey := key
+		if len(trKey) == 1 {
+			currentKey = trKey[0] + "." + key
+		}
+
+		switch value := value.(type) {
+		case string:
+			errors = append(errors, checkValue(currentKey, value)...)
+		case map[string]any:
+			errors = append(errors, checkLocaleNextContent(value, currentKey)...)
+		default:
+			panic(fmt.Sprintf("Unexpected type during linting locale next: %s - %T", currentKey, value))
+		}
+	}
+	return errors
+}
+
+func main() {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	localeDir := filepath.Join("options", "locale")
+	localeFiles, err := os.ReadDir(localeDir)
+	if err != nil {
+		panic(err)
+	}
+
+	// Safety check that we are not reading the wrong directory.
+	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".ini") }) {
+		fmt.Println("No locale files found")
+		os.Exit(1)
+	}
+
+	exitCode := 0
+	for _, localeFile := range localeFiles {
+		if !strings.HasSuffix(localeFile.Name(), ".ini") {
+			continue
+		}
+
+		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
+		if err != nil {
+			panic(err)
+		}
+
+		if err := checkLocaleContent(localeContent); len(err) > 0 {
+			fmt.Println(localeFile.Name())
+			fmt.Println(strings.Join(err, "\n"))
+			fmt.Println()
+			exitCode = 1
+		}
+	}
+
+	// Check the locale next.
+	localeDir = filepath.Join("options", "locale_next")
+	localeFiles, err = os.ReadDir(localeDir)
+	if err != nil {
+		panic(err)
+	}
+
+	// Safety check that we are not reading the wrong directory.
+	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".json") }) {
+		fmt.Println("No locale_next files found")
+		os.Exit(1)
+	}
+
+	for _, localeFile := range localeFiles {
+		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
+		if err != nil {
+			panic(err)
+		}
+
+		var localeData map[string]any
+		if err := json.Unmarshal(localeContent, &localeData); err != nil {
+			panic(err)
+		}
+
+		if err := checkLocaleNextContent(localeData); len(err) > 0 {
+			fmt.Println(localeFile.Name())
+			fmt.Println(strings.Join(err, "\n"))
+			fmt.Println()
+			exitCode = 1
+		}
+	}
+
+	os.Exit(exitCode)
+}
--- a/build/lint-locale_test.go
+++ b/build/lint-locale_test.go
@ -0,0 +1,94 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLocalizationPolicy(t *testing.T) {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	t.Run("Remove tags", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`hidden_comment_types_description = Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`)))
+
+		assert.EqualValues(t, []string{"key: \x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<not-an-allowed-key> <label>"`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<user@example.com>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<user@example.com> <email@example.com>"`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<tag>\x1b[0m REPLACED-TAG \x1b[31m</tag>\x1b[0m"}, checkLocaleContent([]byte(`key = "<tag> <email@example.com> </tag>"`)))
+	})
+
+	t.Run("Specific exception", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <c>workflow_dispatch</c> event trigger.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`pulls.title_desc_one = wants to merge %[1]d commit from <code>%[2]s</code> into <code id="%[4]s">%[3]s</code>`)))
+		assert.Empty(t, checkLocaleContent([]byte(`editor.commit_directly_to_this_branch = Commit directly to the <strong class="%[2]s">%[1]s</strong> branch.`)))
+
+		assert.EqualValues(t, []string{"workflow.dispatch.trigger_found: This workflow has a \x1b[31m<d>\x1b[0mworkflow_dispatch\x1b[31m</d>\x1b[0m event trigger."}, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <d>workflow_dispatch</d> event trigger.`)))
+		assert.EqualValues(t, []string{"key: <code\x1b[31m id=\"branch_targe\"\x1b[0m>%[3]s</code>"}, checkLocaleContent([]byte(`key = <code id="branch_targe">%[3]s</code>`)))
+		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"ui sh\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="ui sh" href="%[3]s">`)))
+		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"js-click-me\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="js-click-me" href="%[3]s">`)))
+		assert.EqualValues(t, []string{"key: <strong\x1b[31m class=\"branch-target\"\x1b[0m>%[1]s</strong>"}, checkLocaleContent([]byte(`key = <strong class="branch-target">%[1]s</strong>`)))
+	})
+
+	t.Run("General safe tags", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
+		assert.Empty(t, checkLocaleContent([]byte("teams.specific_repositories_helper = Members will only have access to repositories explicitly added to the team. Selecting this <strong>will not</strong> automatically remove repositories already added with <i>All repositories</i>.")))
+		assert.Empty(t, checkLocaleContent([]byte("sqlite_helper = File path for the SQLite3 database.<br>Enter an absolute path if you run Forgejo as a service.")))
+		assert.Empty(t, checkLocaleContent([]byte("hi_user_x = Hi <b>%s</b>,")))
+
+		assert.EqualValues(t, []string{"error404: The page you are trying to reach either <strong\x1b[31m title='aaa'\x1b[0m>does not exist</strong> or <strong>you are not authorized</strong> to view it."}, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong title='aaa'>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
+	})
+
+	t.Run("<a>", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`admin.new_user.text = Please <a href="%s">click here</a> to manage this user from the admin panel.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`access_token_desc = Selected token permissions limit authorization only to the corresponding <a href="%[1]s" target="_blank">API</a> routes. Read the <a href="%[2]s" target="_blank">documentation</a> for more information.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`webauthn_desc = Security keys are hardware devices containing cryptographic keys. They can be used for two-factor authentication. Security keys must support the <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a> standard.`)))
+		assert.Empty(t, checkLocaleContent([]byte("issues.closed_at = `closed this issue <a id=\"%[1]s\" href=\"#%[1]s\">%[2]s</a>`")))
+
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"javascript:alert('1')\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="javascript:alert('1')">`)))
+		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m download\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" download>`)))
+		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m target=\"_self\"\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" target="_self">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/%s">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/?q=%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/?q=%s">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s/open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s/open-redirect">`)))
+		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s?q=open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s?q=open-redirect">`)))
+	})
+
+	t.Run("Escaped HTML characters", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte("activity.git_stats_push_to_branch = `إلى %s و\"`")))
+
+		assert.EqualValues(t, []string{"key: و\x1b[31m&nbsp\x1b[0m\x1b[32m\u00a0\x1b[0m"}, checkLocaleContent([]byte(`key = و&nbsp;`)))
+	})
+}
+
+func TestNextLocalizationPolicy(t *testing.T) {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	t.Run("Nested locales", func(t *testing.T) {
+		assert.Empty(t, checkLocaleNextContent(map[string]any{
+			"settings": map[string]any{
+				"hidden_comment_types_description": `Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`,
+			},
+		}))
+
+		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent(map[string]any{
+			"settings": map[string]any{
+				"hidden_comment_types_description": `"<not-an-allowed-key> <label>"`,
+			},
+		}))
+	})
+
+	t.Run("Flat locales", func(t *testing.T) {
+		assert.Empty(t, checkLocaleNextContent(map[string]any{
+			"settings.hidden_comment_types_description": `Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`,
+		}))
+
+		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent(map[string]any{
+			"settings.hidden_comment_types_description": `"<not-an-allowed-key> <label>"`,
+		}))
+	})
+}
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -386,7 +386,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 	return a.createAuthSource(ctx, authSource)
 }

-// updateLdapBindDn updates a new LDAP (simple auth) authentication source.
+// updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
 func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -69,6 +69,10 @@ var microcmdUserCreate = &cli.Command{
 }

 func runCreateUser(c *cli.Context) error {
+	// this command highly depends on the many setting options (create org, visibility, etc.), so it must have a full setting load first
+	// duplicate setting loading should be safe at the moment, but it should be refactored & improved in the future.
+	setting.LoadSettings()
+
 	if err := argsSet(c, "email"); err != nil {
 		return err
 	}
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -133,12 +133,12 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 		&cli.BoolFlag{
 			Name:    "skip-repository",
 			Aliases: []string{"R"},
-			Usage:   "Skip the repository dumping",
+			Usage:   "Skip repositories",
 		},
 		&cli.BoolFlag{
 			Name:    "skip-log",
 			Aliases: []string{"L"},
-			Usage:   "Skip the log dumping",
+			Usage:   "Skip logs",
 		},
 		&cli.BoolFlag{
 			Name:  "skip-custom-dir",
@ -160,6 +160,10 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 			Name:  "skip-index",
 			Usage: "Skip bleve index data",
 		},
+		&cli.BoolFlag{
+			Name:  "skip-repo-archives",
+			Usage: "Skip repository archives",
+		},
 		&cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
@ -233,7 +237,7 @@ func runDump(ctx *cli.Context) error {
 	if file == nil {
 		file, err = os.Create(fileName)
 		if err != nil {
-			fatal("Unable to open %s: %v", fileName, err)
+			fatal("Failed to open %s: %v", fileName, err)
 		}
 	}
 	defer file.Close()
@ -250,7 +254,7 @@ func runDump(ctx *cli.Context) error {
 		iface, err = archiver.ByExtension(fileName)
 	}
 	if err != nil {
-		fatal("Unable to get archiver for extension: %v", err)
+		fatal("Failed to get archiver for extension: %v", err)
 	}

 	w, _ := iface.(archiver.Writer)
@ -260,7 +264,7 @@ func runDump(ctx *cli.Context) error {
 	defer w.Close()

 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
-		log.Info("Skip dumping local repositories")
+		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
 		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
@ -268,9 +272,9 @@ func runDump(ctx *cli.Context) error {
 		}

 		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-			log.Info("Skip dumping LFS data")
+			log.Info("Skipping LFS data")
 		} else if !setting.LFS.StartServer {
-			log.Info("LFS isn't enabled. Skip dumping LFS data")
+			log.Info("LFS not enabled - skipping")
 		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
 			info, err := object.Stat()
 			if err != nil {
@ -295,7 +299,7 @@ func runDump(ctx *cli.Context) error {
 	defer func() {
 		_ = dbDump.Close()
 		if err := util.Remove(dbDump.Name()); err != nil {
-			log.Warn("Unable to remove temporary file: %s: Error: %v", dbDump.Name(), err)
+			log.Warn("Failed to remove temporary file: %s: Error: %v", dbDump.Name(), err)
 		}
 	}()

@ -331,16 +335,16 @@ func runDump(ctx *cli.Context) error {
 					fatal("Failed to include custom: %v", err)
 				}
 			} else {
-				log.Info("Custom dir %s is inside data dir %s, skipped", setting.CustomPath, setting.AppDataPath)
+				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
 			}
 		} else {
-			log.Info("Custom dir %s doesn't exist, skipped", setting.CustomPath)
+			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
 		}
 	}

 	isExist, err := util.IsExist(setting.AppDataPath)
 	if err != nil {
-		log.Error("Unable to check if %s exists. Error: %v", setting.AppDataPath, err)
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
 	}
 	if isExist {
 		log.Info("Packing data directory...%s", setting.AppDataPath)
@ -355,10 +359,16 @@ func runDump(ctx *cli.Context) error {
 		}

 		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			log.Info("Skipping bleve index data")
 			excludes = append(excludes, setting.Indexer.RepoPath)
 			excludes = append(excludes, setting.Indexer.IssuePath)
 		}

+		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
+			log.Info("Skipping repository archives data")
+			excludes = append(excludes, setting.RepoArchive.Storage.Path)
+		}
+
 		excludes = append(excludes, setting.RepoRootPath)
 		excludes = append(excludes, setting.LFS.Storage.Path)
 		excludes = append(excludes, setting.Attachment.Storage.Path)
@ -371,7 +381,7 @@ func runDump(ctx *cli.Context) error {
 	}

 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skip dumping attachment data")
+		log.Info("Skipping attachment data")
 	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@ -384,9 +394,9 @@ func runDump(ctx *cli.Context) error {
 	}

 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skip dumping package data")
+		log.Info("Skipping package data")
 	} else if !setting.Packages.Enabled {
-		log.Info("Packages isn't enabled. Skip dumping package data")
+		log.Info("Package registry not enabled - skipping")
 	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@ -402,11 +412,11 @@ func runDump(ctx *cli.Context) error {
 	// ensuring that it's clear the dump is skipped whether the directory's initialized
 	// yet or not.
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skip dumping log files")
+		log.Info("Skipping log files")
 	} else {
 		isExist, err := util.IsExist(setting.Log.RootPath)
 		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", setting.Log.RootPath, err)
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
 			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
@ -456,7 +466,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		currentInsidePath := path.Join(insidePath, file.Name())

 		if util.SliceContainsString(excludeAbsPath, currentAbsPath) {
-			log.Debug("Skipping %q because matched an excluded path.", currentAbsPath)
+			log.Debug("Skipping %q (matched an excluded path)", currentAbsPath)
 			continue
 		}

--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -322,7 +322,8 @@ func runHookUpdate(c *cli.Context) error {
 		return fail(ctx, fmt.Sprintf("The deletion of %s is skipped as it's an internal reference.", refFullName), "")
 	}

-	return nil
+	// If the new comment isn't empty it means modification.
+	return fail(ctx, fmt.Sprintf("The modification of %s is skipped as it's an internal reference.", refFullName), "")
 }

 func runHookPostReceive(c *cli.Context) error {
--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@ -6,7 +6,6 @@ package cmd
 import (
 	"bufio"
 	"bytes"
-	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -42,7 +41,7 @@ func captureOutput(t *testing.T, stdFD *os.File) (finish func() (output string))
 }

 func TestPktLine(t *testing.T) {
-	ctx := context.Background()
+	ctx := t.Context()

 	t.Run("Read", func(t *testing.T) {
 		s := strings.NewReader("0000")
@ -180,8 +179,15 @@ func TestRunHookUpdate(t *testing.T) {
 	})

 	t.Run("Update of internal reference", func(t *testing.T) {
+		defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+		defer test.MockVariableValue(&setting.IsProd, false)()
+		finish := captureOutput(t, os.Stderr)
+
 		err := app.Run([]string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000001"})
-		require.NoError(t, err)
+		out := finish()
+		require.Error(t, err)
+
+		assert.Contains(t, out, "The modification of refs/pull/1/head is skipped as it's an internal reference.")
 	})

 	t.Run("Removal of branch", func(t *testing.T) {
--- a/cmd/main.go
+++ b/cmd/main.go
@ -206,6 +206,7 @@ func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmd
 	app.Commands = append(app.Commands, subCmdWithConfig...)
 	app.Commands = append(app.Commands, subCmdStandalone...)

+	setting.InitGiteaEnvVars()
 	return app
 }

--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -6,7 +6,6 @@ package cmd
 import (
 	"fmt"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@ -114,37 +113,17 @@ func TestCliCmd(t *testing.T) {
 		_, _ = fmt.Fprint(ctx.App.Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
 		return nil
 	})
-	var envBackup []string
-	for _, s := range os.Environ() {
-		if strings.HasPrefix(s, "GITEA_") && strings.Contains(s, "=") {
-			envBackup = append(envBackup, s)
-		}
-	}
-	clearGiteaEnv := func() {
-		for _, s := range os.Environ() {
-			if strings.HasPrefix(s, "GITEA_") {
-				_ = os.Unsetenv(s)
-			}
-		}
-	}
-	defer func() {
-		clearGiteaEnv()
-		for _, s := range envBackup {
-			k, v, _ := strings.Cut(s, "=")
-			_ = os.Setenv(k, v)
-		}
-	}()
-
 	for _, c := range cases {
-		clearGiteaEnv()
-		for k, v := range c.env {
-			_ = os.Setenv(k, v)
-		}
-		args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
-		r, err := runTestApp(app, args...)
-		require.NoError(t, err, c.cmd)
-		assert.NotEmpty(t, c.exp, c.cmd)
-		assert.Contains(t, r.Stdout, c.exp, c.cmd)
+		t.Run(c.cmd, func(t *testing.T) {
+			for k, v := range c.env {
+				t.Setenv(k, v)
+			}
+			args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
+			r, err := runTestApp(app, args...)
+			require.NoError(t, err, c.cmd)
+			assert.NotEmpty(t, c.exp, c.cmd)
+			assert.Contains(t, r.Stdout, c.exp, c.cmd)
+		})
 	}
 }

--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -18,7 +18,7 @@ import (
 var CmdMigrate = &cli.Command{
 	Name:        "migrate",
 	Usage:       "Migrate the database",
-	Description: "This is a command for migrating the database, so that you can run gitea admin user create before starting the server.",
+	Description: "This is a command for migrating the database, so that you can run 'forgejo admin user create' before starting the server.",
 	Action:      runMigrate,
 }

--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"context"
 	"io"
 	"os"
 	"strings"
@ -31,7 +30,7 @@ func createLocalStorage(t *testing.T) (storage.ObjectStorage, string) {
 	p := t.TempDir()

 	storage, err := storage.NewLocalStorage(
-		context.Background(),
+		t.Context(),
 		&setting.Storage{
 			Path: p,
 		})
@ -72,7 +71,7 @@ func TestMigratePackages(t *testing.T) {
 	assert.NotNil(t, v)
 	assert.NotNil(t, f)

-	ctx := context.Background()
+	ctx := t.Context()

 	dstStorage, p := createLocalStorage(t)

@ -91,7 +90,7 @@ func TestMigrateActionsArtifacts(t *testing.T) {

 	srcStorage, _ := createLocalStorage(t)
 	defer test.MockVariableValue(&storage.ActionsArtifacts, srcStorage)()
-	id := int64(0)
+	id := int64(42)

 	addArtifact := func(storagePath string, status actions.ArtifactStatus) {
 		id++
--- a/cmd/web.go
+++ b/cmd/web.go
@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"time"

 	_ "net/http/pprof" // Used for debugging if enabled and a web server is running

@ -115,6 +116,16 @@ func showWebStartupMessage(msg string) {
 	log.Info("* CustomPath: %s", setting.CustomPath)
 	log.Info("* ConfigFile: %s", setting.CustomConf)
 	log.Info("%s", msg) // show startup message
+
+	if setting.CORSConfig.Enabled {
+		log.Info("CORS Service Enabled")
+	}
+	if setting.DefaultUILocation != time.Local {
+		log.Info("Default UI Location is %v", setting.DefaultUILocation.String())
+	}
+	if setting.MailService != nil {
+		log.Info("Mail Service Enabled: RegisterEmailConfirm=%v, Service.EnableNotifyMail=%v", setting.Service.RegisterEmailConfirm, setting.Service.EnableNotifyMail)
+	}
 }

 func serveInstall(ctx *cli.Context) error {
@ -184,7 +195,7 @@ func serveInstalled(ctx *cli.Context) error {
 	publicFilesSet.Remove(".well-known")
 	publicFilesSet.Remove("assets")
 	publicFilesSet.Remove("robots.txt")
-	for _, fn := range publicFilesSet.Values() {
+	for fn := range publicFilesSet.Seq() {
 		log.Error("Found legacy public asset %q in CustomPath. Please move it to %s/public/assets/%s", fn, setting.CustomPath, fn)
 	}
 	if _, err := os.Stat(filepath.Join(setting.CustomPath, "robots.txt")); err == nil {
--- a/contrib/fixtures/fixture_generation.go
+++ b/contrib/fixtures/fixture_generation.go
@ -1,80 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//nolint:forbidigo
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/models/unittest"
-)
-
-// To generate derivative fixtures, execute the following from Gitea's repository base dir:
-// go run -tags 'sqlite sqlite_unlock_notify' contrib/fixtures/fixture_generation.go [fixture...]
-
-var (
-	generators = []struct {
-		gen  func(ctx context.Context) (string, error)
-		name string
-	}{
-		{
-			models.GetYamlFixturesAccess, "access",
-		},
-	}
-	fixturesDir string
-)
-
-func main() {
-	pathToGiteaRoot := "."
-	fixturesDir = filepath.Join(pathToGiteaRoot, "models", "fixtures")
-	if err := unittest.CreateTestEngine(unittest.FixturesOptions{
-		Dir: fixturesDir,
-	}); err != nil {
-		fmt.Printf("CreateTestEngine: %+v", err)
-		os.Exit(1)
-	}
-	if err := unittest.PrepareTestDatabase(); err != nil {
-		fmt.Printf("PrepareTestDatabase: %+v\n", err)
-		os.Exit(1)
-	}
-	ctx := context.Background()
-	if len(os.Args) == 0 {
-		for _, r := range os.Args {
-			if err := generate(ctx, r); err != nil {
-				fmt.Printf("generate '%s': %+v\n", r, err)
-				os.Exit(1)
-			}
-		}
-	} else {
-		for _, g := range generators {
-			if err := generate(ctx, g.name); err != nil {
-				fmt.Printf("generate '%s': %+v\n", g.name, err)
-				os.Exit(1)
-			}
-		}
-	}
-}
-
-func generate(ctx context.Context, name string) error {
-	for _, g := range generators {
-		if g.name == name {
-			data, err := g.gen(ctx)
-			if err != nil {
-				return err
-			}
-			path := filepath.Join(fixturesDir, name+".yml")
-			if err := os.WriteFile(path, []byte(data), 0o644); err != nil {
-				return fmt.Errorf("%s: %+v", path, err)
-			}
-			fmt.Printf("%s created.\n", path)
-			return nil
-		}
-	}
-
-	return fmt.Errorf("generator not found")
-}
--- a/contrib/ide/vscode/settings.json
+++ b/contrib/ide/vscode/settings.json
@ -1,4 +1,6 @@
 {
-    "go.buildTags": "sqlite,sqlite_unlock_notify",
-    "go.testFlags": ["-v"]
+  "go.buildTags": "sqlite,sqlite_unlock_notify",
+  "go.testFlags": ["-v"],
+  "go.lintTool": "golangci-lint",
+  "go.lintFlags": ["--fast"]
 }
--- a/contrib/legal/privacy.html.sample
+++ b/contrib/legal/privacy.html.sample
@ -7,11 +7,11 @@
 <body>
  <h1>Privacy Policy</h1>

-  <h4>Last updated: January 29, 2020</h4>
+  <h4>Last updated: December 19, 2024</h4>

  <h2>Who We Are?</h2>

-  <p>Your Gitea Instance</p>
+  <p>Your Forgejo Instance</p>

  <h2>What Personal Data We Collect?</h2>

@ -37,19 +37,19 @@

   <h3>With your Consent</h3>

-   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.com/development/oauth2-provider">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>
+   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://forgejo.org/docs/latest/user/oauth2-provider/">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Forgejo Instance to share your User Personal Information, such as when joining an Organization.</p>

   <h3>With Service Providers</h3>

-   <p>We share User Personal Information with a limited number of service providers who process it on our behalf to provide or improve our Service, and who have agreed to privacy restrictions similar to the ones in our Privacy Statement by signing data protection agreements or making similar commitments. Our service providers perform payment processing, customer support ticketing, network data transmission, security, and other similar services. While Your Gitea Instance processes all User Personal Information in the (country/state where Gitea is deployed), our service providers may process data outside of (country/state where Gitea is deployed), the United States or the European Union.</p>
+   <p>We share User Personal Information with a limited number of service providers who process it on our behalf to provide or improve our Service, and who have agreed to privacy restrictions similar to the ones in our Privacy Statement by signing data protection agreements or making similar commitments. Our service providers perform payment processing, customer support ticketing, network data transmission, security, and other similar services. While Your Forgejo Instance processes all User Personal Information in the (country/state where Forgejo is deployed), our service providers may process data outside of (country/state where Forgejo is deployed), the United States or the European Union.</p>

   <h3>For Security Purposes</h3>

-   <p>If you are a member of an Organization, Your Gitea Instance may share your username, Usage Information, and Device Information associated with that Organization with an owner and/or administrator of the Organization who has agreed to the Corporate Terms of Service or applicable customer agreements, to the extent that such information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
+   <p>If you are a member of an Organization, Your Forgejo Instance may share your username, Usage Information, and Device Information associated with that Organization with an owner and/or administrator of the Organization who has agreed to the Corporate Terms of Service or applicable customer agreements, to the extent that such information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>

   <h3>For Legal Disclosure</h3>

-   <p>Your Gitea Instance strives for transparency in complying with legal process and legal obligations. Unless prevented from doing so by law or court order, or in rare, exigent circumstances, we make a reasonable effort to notify users of any legally compelled or required disclosure of their information. Your Gitea Instance may disclose User Personal Information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third parties or the public at large.</p>
+   <p>Your Forgejo Instance strives for transparency in complying with legal process and legal obligations. Unless prevented from doing so by law or court order, or in rare, exigent circumstances, we make a reasonable effort to notify users of any legally compelled or required disclosure of their information. Your Forgejo Instance may disclose User Personal Information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third parties or the public at large.</p>

   <h3>Change in Control or Sale</h3>

@ -57,7 +57,7 @@

   <h3>Aggregate, Non-Personally Identifying Information</h3>

-   <p>We share certain aggregated, non-personally identifying information with others about how our users, collectively, use Your Gitea Instance, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the open source activity across Your Gitea Instance.</p>
+   <p>We share certain aggregated, non-personally identifying information with others about how our users, collectively, use Your Forgejo Instance, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the open source activity across Your Forgejo Instance.</p>

   <p>We <b>don't</b> sell your User Personal Information for monetary or other consideration. </p>

@ -67,34 +67,34 @@

  <ol>
   <li>We use your Registration Information to create your account, and to provide you the Service.</li>
-   <li>We use your User Personal Information, specifically your username, to identify you on Your Gitea Instance.</li>
+   <li>We use your User Personal Information, specifically your username, to identify you on Your Forgejo Instance.</li>
   <li>We use your Profile Information to fill out your Account profile and to share that profile with other users if you ask us to.</li>
   <li>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay.</li>
-   <li>We use User Personal Information and other data to make recommendations for you, such as to suggest projects you may want to follow or contribute to. We learn from your public behavior on Your Gitea Instance—such as the projects you star—to determine your coding interests, and we recommend similar projects. These recommendations are automated decisions, but they have no legal impact on your rights.</li>
-   <li>We use Usage Information and Device Information to better understand how our Users use Your Gitea Instance and to improve our Website and Service.</li>
-   <li>We may use your User Personal Information if it is necessary for security purposes or to investigate possible fraud or attempts to harm Your Gitea Instance or our Users.</li>
+   <li>We use User Personal Information and other data to make recommendations for you, such as to suggest projects you may want to follow or contribute to. We learn from your public behavior on Your Forgejo Instance—such as the projects you star—to determine your coding interests, and we recommend similar projects. These recommendations are automated decisions, but they have no legal impact on your rights.</li>
+   <li>We use Usage Information and Device Information to better understand how our Users use Your Forgejo Instance and to improve our Website and Service.</li>
+   <li>We may use your User Personal Information if it is necessary for security purposes or to investigate possible fraud or attempts to harm Your Forgejo Instance or our Users.</li>
   <li>We may use your User Personal Information to comply with our legal obligations, protect our intellectual property, and enforce our Terms of Service.</li>

   <li>We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first. You can always see what information we have, how we're using it, and what permissions you have given us in your user profile.</li>
  </ol>

-  <h2>How Your Gitea Instance Secures Your Information?</h2>
+  <h2>How Your Forgejo Instance Secures Your Information?</h2>

-  <p>Your Gitea Instance takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.</p>
+  <p>Your Forgejo Instance takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.</p>

  <p>To the extent above, we enforce a written security information program, which:</p>

  <ul>
    <li>aligns with industry recognized frameworks;</li>
    <li>includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of our Users' data;</li>
-    <li>is appropriate to the nature, size, and complexity of Your Gitea Instance’s business operations;</li>
+    <li>is appropriate to the nature, size, and complexity of Your Forgejo Instance’s business operations;</li>
    <li>includes incident response and data breach notification processes; and</li>
-    <li>complies with applicable information security-related laws and regulations in the geographic regions where Your Gitea Instance does business.</li>
+    <li>complies with applicable information security-related laws and regulations in the geographic regions where Your Forgejo Instance does business.</li>
  </ul>

  <p>In the event of a data breach that affects your User Personal Information, we will act promptly to mitigate the impact of a breach and notify any affected Users without undue delay.</p>

-  <p>Transmission of data on Your Gitea Instance is encrypted using SSH, HTTPS (TLS), and git repository content is encrypted at rest. We host Your Gitea Instance at our hosting partner, which they provide data centers with high level of physical and network security.</p>
+  <p>Transmission of data on Your Forgejo Instance is encrypted using SSH, HTTPS (TLS), and git repository content is encrypted at rest. We host Your Forgejo Instance at our hosting partner, which they provide data centers with high level of physical and network security.</p>

  <p><b>Disclaimer:</b> No method of transmission, or method of electronic storage, is 100% secure, therefore, we cannot guarantee absolute security.</p>

@ -102,13 +102,13 @@

   <h3>Cookies</h3>

-   <p>We uses cookies to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of Your Gitea Instance. For security purposes, we use cookies to identify a device. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use our services.</p>
+   <p>We uses cookies to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of Your Forgejo Instance. For security purposes, we use cookies to identify a device. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use our services.</p>

   <h3>Tracking and Analytics</h3>

-   <p>Out of the box, Gitea doesn't use third-party analytics. In case when we opt in to their usage, we do that to help us evaluate our Users' use of Your Gitea Instance, compile statistical reports on activity, and improve our content and Website performance. We only use these third-party analytics providers on certain areas of our Website, and all of them have signed data protection agreements with us that limit the type of User Personal Information they can collect and the purpose for which they can process the information. In addition, we may also deploy internal analytics software to provide similar functionality.</p>
+   <p>Out of the box, Forgejo doesn't use third-party analytics. In case when we opt in to their usage, we do that to help us evaluate our Users' use of Your Forgejo Instance, compile statistical reports on activity, and improve our content and Website performance. We only use these third-party analytics providers on certain areas of our Website, and all of them have signed data protection agreements with us that limit the type of User Personal Information they can collect and the purpose for which they can process the information. In addition, we may also deploy internal analytics software to provide similar functionality.</p>

-   <p>Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Your Gitea Instance responds to browser DNT signals and follows the <a href="https://www.w3.org/TR/tracking-dnt/">W3C standard for responding to DNT signals</a>. If you have not enabled DNT on a browser that supports it, cookies on some parts of our Website will track your online browsing activity on other online services over time, though we do not permit third parties other than our analytics and service providers to track Your Gitea Instance Users' activity over time on Your Gitea Instance.</p>
+   <p>Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Your Forgejo Instance responds to browser DNT signals and follows the <a href="https://www.w3.org/TR/tracking-dnt/">W3C standard for responding to DNT signals</a>. If you have not enabled DNT on a browser that supports it, cookies on some parts of our Website will track your online browsing activity on other online services over time, though we do not permit third parties other than our analytics and service providers to track Your Forgejo Instance Users' activity over time on Your Forgejo Instance.</p>

  <h2>Repository Contents</h2>

@ -118,19 +118,19 @@

  <h2>Public Information</h2>

-  <p>Many of our services and feature are public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service, such as by viewing your profile or repositories or pulling data via our API. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations or archives, to compile public-facing Your Gitea Instance information. Other third parties, such as data brokers, have been known to scrape Your Gitea Instance and compile data as well.</p>
+  <p>Many of our services and feature are public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service, such as by viewing your profile or repositories or pulling data via our API. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations or archives, to compile public-facing Your Forgejo Instance information. Other third parties, such as data brokers, have been known to scrape Your Forgejo Instance and compile data as well.</p>

-  <p>Your User Personal Information associated with your content could be gathered by third parties in these compilations of Your Gitea Instance data. If you do not want your User Personal Information to appear in third parties’ compilations of Your Gitea Instance data, please do not make your User Personal Information publicly available and be sure to configure your email address to be private in your user profile and in your git commit settings.</p>
+  <p>Your User Personal Information associated with your content could be gathered by third parties in these compilations of Your Forgejo Instance data. If you do not want your User Personal Information to appear in third parties’ compilations of Your Forgejo Instance data, please do not make your User Personal Information publicly available and be sure to configure your email address to be private in your user profile and in your git commit settings.</p>

-  <p>If you would like to compile Your Gitea Instance data, you must comply with our Terms of Service regarding scraping and privacy, and you may only use any public-facing User Personal Information you gather for the purpose for which our user authorized it. For example, where a Your Gitea Instance user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for commercial advertising. We expect you to reasonably secure any User Personal Information you have gathered from Your Gitea Instance, and to respond promptly to complaints, removal requests, and "do not contact" requests from Your Gitea Instance or Your Gitea Instance users.</p>
+  <p>If you would like to compile Your Forgejo Instance data, you must comply with our Terms of Service regarding scraping and privacy, and you may only use any public-facing User Personal Information you gather for the purpose for which our user authorized it. For example, where a Your Forgejo Instance user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for commercial advertising. We expect you to reasonably secure any User Personal Information you have gathered from Your Forgejo Instance, and to respond promptly to complaints, removal requests, and "do not contact" requests from Your Forgejo Instance or Your Forgejo Instance users.</p>

-  <p>In similar fashion, projects on Your Gitea Instance may include publicly available User Personal Information collected as part of the collaborative events.</p>
+  <p>In similar fashion, projects on Your Forgejo Instance may include publicly available User Personal Information collected as part of the collaborative events.</p>

  <h2>Organizations</h2>

  <p>If you collaborate on or become a member of an Organization, then its Account owners may receive your User Personal Information. When you accept an invitation to an Organization, you will be notified of the types of information owners may be able to see. If you accept an invitation to an Organization with a verified domain, then the owners of that Organization will be able to see your full email address(es) within that Organization's verified domain(s).</p>

-  <p>Please note, Your Gitea Instance may share your username, Usage Information, and Device Information with the owner of the Organization you are a member of, to the extent that your User Personal Information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
+  <p>Please note, Your Forgejo Instance may share your username, Usage Information, and Device Information with the owner of the Organization you are a member of, to the extent that your User Personal Information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>

  <p>If you collaborate with or become a member of an Account that has agreed to a Data Protection Addendum (DPA) to this Privacy Policy, then that DPA governs in the event of conflicts between this Privacy Policy and DPA with respect to your activity in the Account.</p>

@ -138,17 +138,17 @@

  <h2>How You Can Access and Control the Information We Collect?</h2>

-  <p>If you're already a Your Gitea Instance user, you may access, update, alter, or delete your basic user information by editing your user profile. You can control the information we collect about you by limiting what information is in your profile, or by keeping your information current.</p>
+  <p>If you're already a Your Forgejo Instance user, you may access, update, alter, or delete your basic user information by editing your user profile. You can control the information we collect about you by limiting what information is in your profile, or by keeping your information current.</p>

-  <p>If Your Gitea Instance processes information about you, such as information receives from third parties, and you do not have an account, then you may, subject to applicable law, access, update, alter, delete, or object to the processing of your personal information by contacting our support.</p>
+  <p>If Your Forgejo Instance processes information about you, such as information receives from third parties, and you do not have an account, then you may, subject to applicable law, access, update, alter, delete, or object to the processing of your personal information by contacting our support.</p>

   <h3>Data Portability</h3>

-   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>
+   <p>As a Your Forgejo Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>

   <h3>Data Retention and Deletion of Data</h3>

-   <p>In general, Your Gitea Instance retains User Personal Information for as long as your account is active, or as needed to provide you service.</p>
+   <p>In general, Your Forgejo Instance retains User Personal Information for as long as your account is active, or as needed to provide you service.</p>

   <p>If you would like to cancel your account or delete your User Personal Information, you may do so in your user profile. We retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 90 days of your request. Feel free to contact our support to request erasure of the data we process on the basis of consent within 30 days.</p>

@ -158,14 +158,14 @@

  <h2>Our Global Privacy Practices</h2>

-  <p>We store and process the information that we collect in the (country/state where Gitea is deployed) in accordance with this Privacy Statement though our service providers may store and process data outside the (country/state where Gitea is deployed). However, we understand that we have Users from different countries and regions with different privacy expectations, and we try to meet those needs even when the (country/state where Gitea is deployed) does not have the same privacy framework as other countries.</p>
+  <p>We store and process the information that we collect in the (country/state where Forgejo is deployed) in accordance with this Privacy Statement though our service providers may store and process data outside the (country/state where Forgejo is deployed). However, we understand that we have Users from different countries and regions with different privacy expectations, and we try to meet those needs even when the (country/state where Forgejo is deployed) does not have the same privacy framework as other countries.</p>

  <p>We provide a high standard of privacy protection—as described in this Privacy Statement—to all our users around the world, regardless of their country of origin or location, and we are proud of the levels of notice, choice, accountability, security, data integrity, access, and recourse we provide. We work hard to comply with the applicable data privacy laws wherever we do business, working with our Data Protection Officer as part of a cross-functional team that oversees our privacy compliance efforts. Additionally, if our vendors or affiliates have access to User Personal Information, they must sign agreements that require them to comply with our privacy policies and with applicable data privacy laws.</p>

  <p>In particular:</p>

  <ul>
-   <li>Your Gitea Instance provides clear methods of unambiguous, informed, specific, and freely given consent at the time of data collection, when we collect your User Personal Information using consent as a basis.</li>
+   <li>Your Forgejo Instance provides clear methods of unambiguous, informed, specific, and freely given consent at the time of data collection, when we collect your User Personal Information using consent as a basis.</li>
   <li>We collect only the minimum amount of User Personal Information necessary for our purposes, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.</li>
   <li>We offer you simple methods of accessing, altering, or deleting the User Personal Information we have collected, where legally permitted.</li>
   <li>We provide our Users notice, choice, accountability, security, and access regarding their User Personal Information, and we limit the purpose for processing it. We also provide our Users a method of recourse and enforcement. These are the Privacy Shield Principles, but they are also just good practices.</li>
@ -173,21 +173,21 @@

  <h2>How We Communicate with You?</h2>

-  <p>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay. For example, if you contact our support with a request, we respond to you via email. You have a lot of control over how your email address is used and shared on and through Your Gitea instance. You may manage your communication preferences in your user profile.</p>
+  <p>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay. For example, if you contact our support with a request, we respond to you via email. You have a lot of control over how your email address is used and shared on and through Your Forgejo instance. You may manage your communication preferences in your user profile.</p>

  <p>By design, the Git version control system associates many actions with a User's email address, such as commit messages. We are not able to change many aspects of the Git system. If you would like your email address to remain private, even when you’re commenting on public repositories, you can create a private email address in your user profile. You should also update your local Git configuration to use your private email address. This will not change how we contact you, but it will affect how others see you.</p>

-  <p>Depending on your email settings, Your Gitea instance may occasionally send notification emails about changes in a repository you’re watching, new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, based on your choices and in accordance with applicable laws and regulations. There's an “unsubscribe” link located at the bottom of each of the marketing emails we send you. Note that you can opt out of any communications with us, except the important ones (like from our support and system emails).</p>
+  <p>Depending on your email settings, Your Forgejo instance may occasionally send notification emails about changes in a repository you’re watching, new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, based on your choices and in accordance with applicable laws and regulations. There's an “unsubscribe” link located at the bottom of each of the marketing emails we send you. Note that you can opt out of any communications with us, except the important ones (like from our support and system emails).</p>

  <p>Our emails may contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email.</p>

  <h2>Changes to this Privacy Policy</h2>

-  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>
+  <p>Although most changes are likely to be minor, Your Forgejo Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>

  <h2>Contact</h2>

-  <p>If you have any concerns about privacy, please contact us at <a href="mailto:privacy@your-gitea-instance">privacy@your-gitea-instance</a>. We will respond promptly, within 45 days.</p>
+  <p>If you have any concerns about privacy, please contact us at <a href="mailto:privacy@your-forgejo-instance">privacy@your-forgejo-instance</a>. We will respond promptly, within 45 days.</p>

  <h2>COPYING</h2>

--- a/contrib/legal/tos.html.sample
+++ b/contrib/legal/tos.html.sample
@ -7,26 +7,26 @@
 <body>
  <h1>Terms of Service</h1>

-  <h4>Last updated: January 29, 2020</h4>
+  <h4>Last updated: December 19, 2024</h4>

-  <p>Thank you for choosing Your Gitea Instance! Before you use it, please read this Terms of Service agreement carefully, which contains important contract between us and our users.</p>
+  <p>Thank you for choosing Your Forgejo Instance! Before you use it, please read this Terms of Service agreement carefully, which contains important contract between us and our users.</p>

  <h2>Definitions</h2>

   <ol>
-    <li>An "Account" represents your legal relationship with Your Gitea Instance. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on Your Gitea Instance. “Organizations” are shared workspaces that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.</li>
+    <li>An "Account" represents your legal relationship with Your Forgejo Instance. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on Your Forgejo Instance. “Organizations” are shared workspaces that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.</li>

    <li>The "Agreement" collectively refers to all terms, conditions, and notices referenced or contained in this document and other operating rules, policies (including Privacy Policy) and procedures that we may publish from time to time on this Website.</li>

    <li>“Content” refers to content featured or displayed through the Website, including without limitation code, text, data, articles, images, photographs, graphics, software, applications, packages, designs, features, and other materials that are available on the Website or otherwise available through the Service. "Content" also includes Services. “User-Generated Content” is Content, written or otherwise, created or uploaded by our Users. "Your Content" is Content that you create or own.</li>

-    <li>"Your Gitea Instance", "We", and "Us" refers to Your Gitea Instance, as well as our affiliates, directors, subsidiaries, contractors, licensors, officers, agents, and employees.</li>
+    <li>"Your Forgejo Instance", "We", and "Us" refers to Your Forgejo Instance, as well as our affiliates, directors, subsidiaries, contractors, licensors, officers, agents, and employees.</li>

-    <li>The "Service" refers to applications/software, products, and services provided by Your Gitea Instance.</li>
+    <li>The "Service" refers to applications/software, products, and services provided by Your Forgejo Instance.</li>

    <li>The "User", "You", and "Your" refers to individual person or institution (organizations or company) that has visited or using the Service; that have access or use any part of the Account; or that directs to use the Account to perform its function. Please note that additional terms may apply for Accounts related to business or government.</li>

-    <li>The "Website" refers to Your Gitea Instance's website at <a href="https://your-gitea-instance">your-gitea-instance</a>, including its subdomains and other websites owned by Your Gitea Instance.</li>
+    <li>The "Website" refers to Your Forgejo Instance's website at <a href="https://your-forgejo-instance">your-forgejo-instance</a>, including its subdomains and other websites owned by Your Forgejo Instance.</li>
   </ol>

  <h2>Account Terms</h2>
@ -48,7 +48,7 @@
  <ul>
   <li>You must be a human to create an Account. Accounts registered by "bots" or other automated methods are not permitted. We do permit machine accounts:</li>
   <li>A machine account is an Account set up by an individual human who accepts the Terms on behalf of the Account, provides a valid email address, and is responsible for its actions. A machine account is used exclusively for performing automated tasks. Multiple users may direct the actions of a machine account, but the owner of the Account is ultimately responsible for the machine's actions.</li>
-   <li>You must be age 13 or older. If we learn of any User under that age, we will immediately terminate that User's Account. Different countries may have different minimum age; in such cases you are responsible for complying with your country's regulation. By using Your Gitea Instance, you agree to comply with <a href="https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule">COPPA</a> and/or similar law in your country.</li>
+   <li>You must be age 13 or older. If we learn of any User under that age, we will immediately terminate that User's Account. Different countries may have different minimum age; in such cases you are responsible for complying with your country's regulation. By using Your Forgejo Instance, you agree to comply with <a href="https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule">COPPA</a> and/or similar law in your country.</li>
  </ul>

   <h3>User Account Security</h3>
@ -57,7 +57,7 @@

   <h3>Additional Terms</h3>

-   <p>In some situations, third parties' terms may apply to your use of Your Gitea Instance. For example, you may be a member of an organization on Your Gitea Instance with its own terms or license agreements; you may download an application that integrates with Your Gitea Instance; or you may use Your Gitea Instance to authenticate to another service. Please be aware that while these Terms are our full agreement with you, other parties' terms govern their relationships with you.</p>
+   <p>In some situations, third parties' terms may apply to your use of Your Forgejo Instance. For example, you may be a member of an organization on Your Forgejo Instance with its own terms or license agreements; you may download an application that integrates with Your Forgejo Instance; or you may use Your Forgejo Instance to authenticate to another service. Please be aware that while these Terms are our full agreement with you, other parties' terms govern their relationships with you.</p>

  <h2>Acceptable Use</h2>

@ -73,19 +73,19 @@
    <li>
     <p>You retain ownership of and responsibility for Your Content. If you're posting anything you did not create yourself or do not own the rights to, you agree that you are responsible for any Content you post; that you will only submit Content that you have the right to post; and that you will fully comply with any third party licenses relating to Content you post.</p>

-     <p>Because of above, we need you to grant us -- and other Your Gitea Instance users -- certain legal permissions, listed below in this section. If you upload Content that already comes with a license granting Your Gitea Instance the permissions we need to run our Service, no additional license is required. You understand that you will not receive any payment for any of the rights granted below. The licenses you grant to us will end when you remove Your Content from our servers, unless other Users have forked it.</p>
+     <p>Because of above, we need you to grant us -- and other Your Forgejo Instance users -- certain legal permissions, listed below in this section. If you upload Content that already comes with a license granting Your Forgejo Instance the permissions we need to run our Service, no additional license is required. You understand that you will not receive any payment for any of the rights granted below. The licenses you grant to us will end when you remove Your Content from our servers, unless other Users have forked it.</p>
    </li>

    <li>
     <p>We need the legal right to do things like host Your Content, publish it, and share it. You grant us and our legal successors the right to store, parse, and display Your Content, and make incidental copies as necessary to render the Website and provide the Service. This includes the right to do things like copy it to our database and make backups; show it to you and other users; parse it into a search index or otherwise analyze it on our servers; share it with other users; and perform it, in case Your Content is something like music or video.</p>

-     <p>This license, however, doesn't grant Your Gitea Instance the right to sell Your Content or otherwise distribute or use it outside of our provision of the Service.</p>
+     <p>This license, however, doesn't grant Your Forgejo Instance the right to sell Your Content or otherwise distribute or use it outside of our provision of the Service.</p>
    </li>

    <li>
     <p>Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).</p>

-     <p>If you set your pages and repositories to be viewed publicly, you grant each User of Your Gitea Instance a nonexclusive, worldwide license to use, display, and perform Your Content through the Your Gitea Instance Service and to reproduce Your Content solely on Your Gitea Instance as permitted through Your Gitea Instance's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other Your Gitea Instance Users.</p>
+     <p>If you set your pages and repositories to be viewed publicly, you grant each User of Your Forgejo Instance a nonexclusive, worldwide license to use, display, and perform Your Content through the Your Forgejo Instance Service and to reproduce Your Content solely on Your Forgejo Instance as permitted through Your Forgejo Instance's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other Your Forgejo Instance Users.</p>
    </li>

    <li>
@ -97,7 +97,7 @@
    <li>
     <p>You retain all moral rights to Your Content that you upload, publish, or submit to any part of the Service, including the rights of integrity and attribution. However, you waive these rights and agree not to assert them against us, to enable us to reasonably exercise the rights granted above, but not otherwise.</p>

-     <p>To the extent this agreement is not enforceable by applicable law, you grant Your Gitea Instance the rights we need to use Your Content without attribution and to make reasonable adaptations of Your Content as necessary to render the Website and provide the Service.</p>
+     <p>To the extent this agreement is not enforceable by applicable law, you grant Your Forgejo Instance the rights we need to use Your Content without attribution and to make reasonable adaptations of Your Content as necessary to render the Website and provide the Service.</p>
    </li>
   </ol>

@ -106,27 +106,27 @@
   <ol>
    <li>Some Accounts may have private repositories, which allow the User to control access to Content.</li>

-    <li>Your Gitea Instance considers the contents of private repositories to be confidential to you. Your Gitea Instance will protect the contents of private repositories from unauthorized use, access, or disclosure in the same manner that we would use to protect our own confidential information of a similar nature and in no event with less than a reasonable degree of care.</li>
+    <li>Your Forgejo Instance considers the contents of private repositories to be confidential to you. Your Forgejo Instance will protect the contents of private repositories from unauthorized use, access, or disclosure in the same manner that we would use to protect our own confidential information of a similar nature and in no event with less than a reasonable degree of care.</li>

    <li>
-     <p>Your Gitea Instance employees may only access the content of your private repositories in the following situations:</p>
+     <p>Your Forgejo Instance employees may only access the content of your private repositories in the following situations:</p>

     <ul>
-      <li>With your consent and knowledge, for support reasons. If Your Gitea Instance accesses a private repository for support reasons, we will only do so with the owner’s consent and knowledge.</li>
-      <li>When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of Your Gitea Instance's systems and Service.</li>
+      <li>With your consent and knowledge, for support reasons. If Your Forgejo Instance accesses a private repository for support reasons, we will only do so with the owner’s consent and knowledge.</li>
+      <li>When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of Your Forgejo Instance's systems and Service.</li>
     </ul>
    </li>

-    <li>You may choose to enable additional access to your private repositories. For example: You may enable various Your Gitea Instance services or features that require additional rights to Your Content in private repositories. These rights may vary depending on the service or feature, but Your Gitea Instance will continue to treat your private repository Content as confidential. If those services or features require rights in addition to those we need to provide the Your Gitea Instance Service, we will provide an explanation of those rights.</li>
+    <li>You may choose to enable additional access to your private repositories. For example: You may enable various Your Forgejo Instance services or features that require additional rights to Your Content in private repositories. These rights may vary depending on the service or feature, but Your Forgejo Instance will continue to treat your private repository Content as confidential. If those services or features require rights in addition to those we need to provide the Your Forgejo Instance Service, we will provide an explanation of those rights.</li>
   </ol>

  <h2>Copyright Infringement and DMCA Policy</h2>

-  <p>If you are copyright owner and believe that content on our website violates your copyright, please contact us at <a href="mailto:copyright@your-gitea-instance">copyright@your-gitea-instance</a>. Please note that before sending a takedown notice, consider legal uses (such as fair use and licensed use); and legal consequences for sending false notices.</p>
+  <p>If you are copyright owner and believe that content on our website violates your copyright, please contact us at <a href="mailto:copyright@your-forgejo-instance">copyright@your-forgejo-instance</a>. Please note that before sending a takedown notice, consider legal uses (such as fair use and licensed use); and legal consequences for sending false notices.</p>

  <h2>Intellectual Properties and COPYING</h2>

-  <p>Your Gitea Instance and our licensors, vendors, agents, and/or our content providers retain ownership of all intellectual property rights of any kind related to the Website and Service. We reserve all rights that are not expressly granted to you under this Agreement or by law. The look and feel of the Website and Service is copyright © Your Gitea Instance. All rights reserved.</p>
+  <p>Your Forgejo Instance and our licensors, vendors, agents, and/or our content providers retain ownership of all intellectual property rights of any kind related to the Website and Service. We reserve all rights that are not expressly granted to you under this Agreement or by law. The look and feel of the Website and Service is copyright © Your Forgejo Instance. All rights reserved.</p>

  <p>If you'd like to use our trademarks, you must follow all of our trademark guidelines.</p>

@ -134,13 +134,13 @@

  <h2>API Terms</h2>

-  <p>Abuse or excessively frequent requests to Your Gitea Instance via the API may result in the temporary or permanent suspension of your Account's access to the API. Your Gitea Instance, in our sole discretion, will determine abuse or excessive usage of the API. We will make a reasonable attempt to warn you via email prior to suspension.</p>
+  <p>Abuse or excessively frequent requests to Your Forgejo Instance via the API may result in the temporary or permanent suspension of your Account's access to the API. Your Forgejo Instance, in our sole discretion, will determine abuse or excessive usage of the API. We will make a reasonable attempt to warn you via email prior to suspension.</p>

-  <p>You may not share API tokens to exceed Your Gitea Instance's rate limitations.</p>
+  <p>You may not share API tokens to exceed Your Forgejo Instance's rate limitations.</p>

-  <p>You may not use the API to download data or Content from Your Gitea Instance for spamming purposes, including for the purposes of selling Your Gitea Instance users' personal information, such as to recruiters, headhunters, and job boards.</p>
+  <p>You may not use the API to download data or Content from Your Forgejo Instance for spamming purposes, including for the purposes of selling Your Forgejo Instance users' personal information, such as to recruiters, headhunters, and job boards.</p>

-  <p>All use of the Your Gitea Instance API is subject to these Terms of Service and the Your Gitea Instance Privacy Statement.</p>
+  <p>All use of the Your Forgejo Instance API is subject to these Terms of Service and the Your Forgejo Instance Privacy Statement.</p>

  <p>However, we may provide subscription-based access to our API for Users who need high-throughput access or reselling our Service.</p>

@ -149,7 +149,7 @@

   <h3>Account Cancellation</h3>

-   <p>It is your responsibility to properly cancel your Account with Your Gitea Instance. You can cancel your Account at any time by going into your Settings in the global navigation bar at the top of the screen. The Account screen provides a simple, no questions asked cancellation link. We are not able to cancel Accounts in response to an email or phone request.</p>
+   <p>It is your responsibility to properly cancel your Account with Your Forgejo Instance. You can cancel your Account at any time by going into your Settings in the global navigation bar at the top of the screen. The Account screen provides a simple, no questions asked cancellation link. We are not able to cancel Accounts in response to an email or phone request.</p>

   <h3>Upon Cancellation</h3>

@ -161,7 +161,7 @@

   <h3>We May Terminate</h3>

-   <p>Your Gitea Instance has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. Your Gitea Instance reserves the right to refuse service to anyone for any reason at any time.</p>
+   <p>Your Forgejo Instance has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. Your Forgejo Instance reserves the right to refuse service to anyone for any reason at any time.</p>

   <h3>Survival</h3>

@ -175,7 +175,7 @@

   <h3>Legal Notices to Us Must Be in Writing</h3>

-   <p>Communications made through email or Your Gitea Instance Support's messaging system will not constitute legal notice to Your Gitea Instance or any of its officers, employees, agents or representatives in any situation where notice to Your Gitea Instance is required by contract or any law or regulation. Legal notice to Your Gitea Instance must be in writing and served on Your Gitea Instance's legal agent.</p>
+   <p>Communications made through email or Your Forgejo Instance Support's messaging system will not constitute legal notice to Your Forgejo Instance or any of its officers, employees, agents or representatives in any situation where notice to Your Forgejo Instance is required by contract or any law or regulation. Legal notice to Your Forgejo Instance must be in writing and served on Your Forgejo Instance's legal agent.</p>

   <h3>No Phone Support</h3>

@ -183,9 +183,9 @@

  <h2>Disclaimer of Warranties</h2>

-  <p>Your Gitea Instance provides the Website and the Service “as is” and “as available,” without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Website and the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.</p>
+  <p>Your Forgejo Instance provides the Website and the Service “as is” and “as available,” without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Website and the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.</p>

-  <p>Your Gitea Instance does not warrant that the Service will meet your requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. You assume full responsibility and risk of loss resulting from your downloading and/or use of files, information, content or other material obtained from the Service.</p>
+  <p>Your Forgejo Instance does not warrant that the Service will meet your requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. You assume full responsibility and risk of loss resulting from your downloading and/or use of files, information, content or other material obtained from the Service.</p>

  <h2>Limitation of Liability</h2>

@ -212,9 +212,9 @@

  <h2>Release and Indemnification</h2>

-  <p>If you have a dispute with one or more Users, you agree to release Your Gitea Instance from any and all claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.</p>
+  <p>If you have a dispute with one or more Users, you agree to release Your Forgejo Instance from any and all claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.</p>

-  <p>You agree to indemnify us, defend us, and hold us harmless from and against any and all claims, liabilities, and expenses, including attorneys’ fees, arising out of your use of the Website and the Service, including but not limited to your violation of this Agreement, provided that Your Gitea Instance (1) promptly gives you written notice of the claim, demand, suit or proceeding; (2) gives you sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that you may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases Your Gitea Instance of all liability); and (3) provides to you all reasonable assistance, at your expense.</p>
+  <p>You agree to indemnify us, defend us, and hold us harmless from and against any and all claims, liabilities, and expenses, including attorneys’ fees, arising out of your use of the Website and the Service, including but not limited to your violation of this Agreement, provided that Your Forgejo Instance (1) promptly gives you written notice of the claim, demand, suit or proceeding; (2) gives you sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that you may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases Your Forgejo Instance of all liability); and (3) provides to you all reasonable assistance, at your expense.</p>

  <h2>Changes to These Terms</h2>

@ -224,22 +224,22 @@

   <h3>Governing Law</h3>

-   <p>Except to the extent applicable law provides otherwise, this Agreement between you and us and any access to or use of the Website or the Service are governed by (national laws of country/state where Gitea is deployed) and (regional laws of locality where Gitea is deployed), without regard to conflict of law provisions. You and Your Gitea Instance agree to submit to the exclusive jurisdiction and venue of the courts located in (locality where Gitea is deployed).</p>
+   <p>Except to the extent applicable law provides otherwise, this Agreement between you and us and any access to or use of the Website or the Service are governed by (national laws of country/state where Forgejo is deployed) and (regional laws of locality where Forgejo is deployed), without regard to conflict of law provisions. You and Your Forgejo Instance agree to submit to the exclusive jurisdiction and venue of the courts located in (locality where Forgejo is deployed).</p>

   <h3>Non-Assignability</h3>

-   <p>Your Gitea Instance may assign or delegate these Terms of Service and/or our Privacy Policy in whole or in part, to any person or entity at any time with or without your consent, including the license granted in <i>User-Generated Content</i>. You may not assign or delegate any rights or obligations under the Terms of Service or Privacy Statement without our prior written consent, and any unauthorized assignment and delegation by you is void.</p>
+   <p>Your Forgejo Instance may assign or delegate these Terms of Service and/or our Privacy Policy in whole or in part, to any person or entity at any time with or without your consent, including the license granted in <i>User-Generated Content</i>. You may not assign or delegate any rights or obligations under the Terms of Service or Privacy Statement without our prior written consent, and any unauthorized assignment and delegation by you is void.</p>

   <h3>Severablity, No Waiver, and Survival</h3>

-   <p>If any part of this Agreement is held invalid or unenforceable, that portion of the Agreement will be construed to reflect the parties’ original intent. The remaining portions will remain in full force and effect. Any failure on the part of Your Gitea Instance to enforce any provision of this Agreement will not be considered a waiver of our right to enforce such provision. Our rights under this Agreement will survive any termination of this Agreement.</p>
+   <p>If any part of this Agreement is held invalid or unenforceable, that portion of the Agreement will be construed to reflect the parties’ original intent. The remaining portions will remain in full force and effect. Any failure on the part of Your Forgejo Instance to enforce any provision of this Agreement will not be considered a waiver of our right to enforce such provision. Our rights under this Agreement will survive any termination of this Agreement.</p>

   <h3>Amendments and Complete Agreement</h3>

-   <p>This Agreement may only be modified by a written amendment signed by an authorized representative of Your Gitea Instance, or by the posting by Your Gitea Instance of a revised version in accordance with <i>Changes to These Terms</i>. These Terms of Service, together with the Your Gitea Instance Privacy Policy, represent the complete and exclusive statement of the agreement between you and us. This Agreement supersedes any proposal or prior agreement oral or written, and any other communications between you and Your Gitea Instance relating to the subject matter of these terms including any confidentiality or nondisclosure agreements.</p>
+   <p>This Agreement may only be modified by a written amendment signed by an authorized representative of Your Forgejo Instance, or by the posting by Your Forgejo Instance of a revised version in accordance with <i>Changes to These Terms</i>. These Terms of Service, together with the Your Forgejo Instance Privacy Policy, represent the complete and exclusive statement of the agreement between you and us. This Agreement supersedes any proposal or prior agreement oral or written, and any other communications between you and Your Forgejo Instance relating to the subject matter of these terms including any confidentiality or nondisclosure agreements.</p>

   <h3>Contact</h3>

-   <p>If you have questions about these Terms of Service, you can <a href="mailto:support@your-gitea-instance">contact our support</a>.</p>
+   <p>If you have questions about these Terms of Service, you can <a href="mailto:support@your-forgejo-instance">contact our support</a>.</p>
 </body>
 </html>
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -328,6 +328,10 @@ RUN_USER = ; git
 ;; Maximum number of locks returned per page
 ;LFS_LOCKS_PAGING_NUM = 50
 ;;
+;; When clients make lfs batch requests, reject them if there are more pointers than this number
+;; zero means 'unlimited'
+;LFS_MAX_BATCH_SIZE = 0
+;;
 ;; Allow graceful restarts using SIGHUP to fork
 ;ALLOW_GRACEFUL_RESTARTS = true
 ;;
@ -349,16 +353,25 @@ RUN_USER = ; git
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
+;; Database to use. Either "sqlite3", "mySQL" or "postgres".
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; SQLite Configuration
+;;
+DB_TYPE = sqlite3
+;PATH= ; defaults to data/forgejo.db
+;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; MySQL Configuration
 ;;
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
-NAME = gitea
-USER = root
+;DB_TYPE = mysql
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;NAME = gitea
+;USER = root
 ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
 ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
@ -377,26 +390,6 @@ USER = root
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; SQLite Configuration
-;;
-;DB_TYPE = sqlite3
-;PATH= ; defaults to data/forgejo.db
-;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
-;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
-;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; MSSQL Configuration
-;;
-;DB_TYPE = mssql
-;HOST = 172.17.0.2:1433
-;NAME = gitea
-;USER = SA
-;PASSWD = MwantsaSecurePassword1
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
-;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
 ;; Other settings
 ;;
 ;; For iterate buffer, default is 50
@ -908,6 +901,9 @@ LEVEL = Info
 ;; Show Registration button
 ;SHOW_REGISTRATION_BUTTON = true
 ;;
+;; Whether to allow internal signin
+; ENABLE_INTERNAL_SIGNIN = true
+;;
 ;; Show milestones dashboard page - a view of all the user's milestones
 ;SHOW_MILESTONES_DASHBOARD_PAGE = true
 ;;
@ -925,6 +921,24 @@ LEVEL = Info
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https

+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[service.explore]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Only allow signed in users to view the explore pages.
+;REQUIRE_SIGNIN_VIEW = false
+;;
+;; Disable the users explore page.
+;DISABLE_USERS_PAGE = false
+;;
+;; Disable the organizations explore page.
+;DISABLE_ORGANIZATIONS_PAGE = false
+;;
+;; Disable the code explore page.
+;DISABLE_CODE_PAGE = false
+;;

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1927,7 +1941,7 @@ LEVEL = Info
 ;ENABLED = true
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-;ALLOWED_TYPES = .cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
+;ALLOWED_TYPES = .avif,.cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.webp,.xls,.xlsx,.zip
 ;;
 ;; Max size of each file. Defaults to 2048MB
 ;MAX_SIZE = 2048
@ -1965,7 +1979,7 @@ LEVEL = Info
 ;; Url lookup for the minio bucket only available when STORAGE_TYPE is `minio`
 ;; Available values: auto, dns, path
 ;; If empty, it behaves the same as "auto" was set
-;MINIO_BUCKET_LOOKUP = 
+;MINIO_BUCKET_LOOKUP =
 ;;
 ;; Minio location to create bucket only available when STORAGE_TYPE is `minio`
 ;MINIO_LOCATION = us-east-1
@ -2296,7 +2310,7 @@ LEVEL = Info

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Delete all old actions from database
+;; Delete all old activities from database
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[cron.delete_old_actions]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2393,8 +2407,8 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; The first locale will be used as the default if user browser's language doesn't match any locale in the list.
-;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN
-;NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം
+;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,nds,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg,it-IT,fi-FI,fil,eo,tr-TR,cs-CZ,sl,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID
+;NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Plattdüütsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2654,6 +2668,16 @@ LEVEL = Info
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = lfs/

+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; settings for Gitea's LFS client (eg: mirroring an upstream lfs endpoint)
+;;
+;[lfs_client]
+;; Limit the number of pointers in each batch request to this number
+;BATCH_SIZE = 20
+;; Limit the number of concurrent upload/download operations within a batch
+;BATCH_OPERATION_CONCURRENCY = 8
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; settings for packages, will override storage setting
@ -2688,7 +2712,7 @@ LEVEL = Info
 ;; Url lookup for the minio bucket only available when STORAGE_TYPE is `minio`
 ;; Available values: auto, dns, path
 ;; If empty, it behaves the same as "auto" was set
-;MINIO_BUCKET_LOOKUP = 
+;MINIO_BUCKET_LOOKUP =
 ;;
 ;; Minio location to create bucket only available when STORAGE_TYPE is `minio`
 ;MINIO_LOCATION = us-east-1
--- a/docker/root/usr/bin/entrypoint
+++ b/docker/root/usr/bin/entrypoint
@ -37,5 +37,5 @@ done
 if [ $# -gt 0 ]; then
    exec "$@"
 else
-    exec /bin/s6-svscan /etc/s6
+    exec /usr/bin/s6-svscan /etc/s6
 fi
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
--- a/flake.lock
+++ b/flake.lock
@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1720542800,
-        "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=",
+        "lastModified": 1733392399,
+        "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "feb2849fdeb70028c70d73b848214b00d324a497",
+        "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -3,14 +3,15 @@
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };
-  outputs =
-    { nixpkgs, flake-utils, ... }:
+  outputs = {
+    nixpkgs,
+    flake-utils,
+    ...
+  }:
    flake-utils.lib.eachDefaultSystem (
-      system:
-      let
+      system: let
        pkgs = nixpkgs.legacyPackages.${system};
-      in
-      {
+      in {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            # generic
@ -29,9 +30,10 @@
            poetry

            # backend
-            go_1_22
            gofumpt
            sqlite
+            go
+            gopls
          ];
        };
      }
--- a/go.mod
+++ b/go.mod
@ -1,31 +1,33 @@
 module code.gitea.io/gitea

-go 1.23.2
+go 1.24
+
+toolchain go1.24.1

 require (
-	code.forgejo.org/f3/gof3/v3 v3.7.0
+	code.forgejo.org/f3/gof3/v3 v3.10.4
 	code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251
+	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/go-chi/cache v0.0.0-20240912103640-dcb08fba860d
-	code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5
-	code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2
+	code.forgejo.org/go-chi/binding v1.0.0
+	code.forgejo.org/go-chi/cache v1.0.0
+	code.forgejo.org/go-chi/captcha v1.0.1
+	code.forgejo.org/go-chi/session v1.0.1
 	code.gitea.io/actions-proto-go v0.4.0
-	code.gitea.io/gitea-vet v0.2.3
-	code.gitea.io/sdk/gitea v0.17.1
+	code.gitea.io/sdk/gitea v0.20.0
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
 	connectrpc.com/connect v1.17.0
-	gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed
-	gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4
+	github.com/42wim/httpsig v1.2.2
 	github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
-	github.com/ProtonMail/go-crypto v1.0.0
-	github.com/PuerkitoBio/goquery v1.10.0
+	github.com/ProtonMail/go-crypto v1.1.6
+	github.com/PuerkitoBio/goquery v1.10.2
 	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2
-	github.com/alecthomas/chroma/v2 v2.14.0
+	github.com/alecthomas/chroma/v2 v2.15.0
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
-	github.com/blevesearch/bleve/v2 v2.4.2
-	github.com/buildkite/terminal-to-html/v3 v3.16.2
-	github.com/caddyserver/certmagic v0.21.0
+	github.com/blevesearch/bleve/v2 v2.4.4
+	github.com/buildkite/terminal-to-html/v3 v3.16.6
+	github.com/caddyserver/certmagic v0.22.0
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
@ -34,82 +36,80 @@ require (
 	github.com/editorconfig/editorconfig-core-go/v2 v2.6.2
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
-	github.com/fsnotify/fsnotify v1.7.0
-	github.com/gliderlabs/ssh v0.3.7
+	github.com/fsnotify/fsnotify v1.8.0
+	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
 	github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73
-	github.com/go-chi/chi/v5 v5.1.0
+	github.com/go-chi/chi/v5 v5.2.0
 	github.com/go-chi/cors v1.2.1
 	github.com/go-co-op/gocron v1.37.0
-	github.com/go-enry/go-enry/v2 v2.8.9
-	github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/go-enry/go-enry/v2 v2.9.2
+	github.com/go-git/go-git/v5 v5.13.2
 	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/go-openapi/spec v0.20.14
 	github.com/go-sql-driver/mysql v1.8.1
-	github.com/go-swagger/go-swagger v0.30.5
-	github.com/go-testfixtures/testfixtures/v3 v3.12.0
+	github.com/go-testfixtures/testfixtures/v3 v3.14.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v64 v64.0.0
-	github.com/google/pprof v0.0.0-20240528025155-186aa0362fba
+	github.com/google/pprof v0.0.0-20241017200806-017d972448fc
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
-	github.com/gorilla/sessions v1.2.2
-	github.com/h2non/gock v1.2.0
-	github.com/hashicorp/go-version v1.6.0
+	github.com/gorilla/sessions v1.4.0
+	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
 	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056
-	github.com/jhillyerd/enmime v1.3.0
+	github.com/jhillyerd/enmime/v2 v2.1.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.17.9
-	github.com/klauspost/cpuid/v2 v2.2.8
+	github.com/klauspost/compress v1.17.11
+	github.com/klauspost/cpuid/v2 v2.2.10
 	github.com/lib/pq v1.10.9
 	github.com/markbates/goth v1.80.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.22
-	github.com/meilisearch/meilisearch-go v0.28.0
+	github.com/mattn/go-sqlite3 v1.14.24
+	github.com/meilisearch/meilisearch-go v0.31.0
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/minio/minio-go/v7 v7.0.77
+	github.com/minio/minio-go/v7 v7.0.85
 	github.com/msteinert/pam v1.2.0
 	github.com/nektos/act v0.2.52
 	github.com/niklasfasching/go-org v1.7.0
 	github.com/olivere/elastic/v7 v7.0.32
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/pquerna/otp v1.4.0
-	github.com/prometheus/client_golang v1.18.0
-	github.com/quasoft/websspi v1.1.2
-	github.com/redis/go-redis/v9 v9.6.1
+	github.com/prometheus/client_golang v1.21.1
+	github.com/redis/go-redis/v9 v9.7.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
 	github.com/sassoftware/go-rpmutils v0.4.0
-	github.com/sergi/go-diff v1.3.1
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/ulikunitz/xz v0.5.12
-	github.com/urfave/cli/v2 v2.27.4
+	github.com/urfave/cli/v2 v2.27.6
 	github.com/valyala/fastjson v1.6.4
-	github.com/xanzy/go-gitlab v0.109.0
 	github.com/yohcop/openid-go v1.0.1
-	github.com/yuin/goldmark v1.7.4
+	github.com/yuin/goldmark v1.7.8
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
+	gitlab.com/gitlab-org/api/client-go v0.123.0
 	go.uber.org/mock v0.4.0
-	golang.org/x/crypto v0.27.0
-	golang.org/x/image v0.20.0
-	golang.org/x/net v0.29.0
-	golang.org/x/oauth2 v0.23.0
-	golang.org/x/sys v0.25.0
-	golang.org/x/text v0.18.0
-	golang.org/x/tools v0.25.0
-	google.golang.org/grpc v1.66.2
-	google.golang.org/protobuf v1.34.2
+	golang.org/x/crypto v0.36.0
+	golang.org/x/image v0.25.0
+	golang.org/x/net v0.37.0
+	golang.org/x/oauth2 v0.28.0
+	golang.org/x/sync v0.12.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/text v0.23.0
+	google.golang.org/grpc v1.71.0
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1
@ -119,32 +119,36 @@ require (
 )

 require (
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	cloud.google.com/go v0.116.0 // indirect
+	cloud.google.com/go/auth v0.9.9 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.2.1 // indirect
+	cloud.google.com/go/longrunning v0.6.1 // indirect
+	cloud.google.com/go/monitoring v1.21.1 // indirect
+	cloud.google.com/go/spanner v1.73.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
-	github.com/ClickHouse/ch-go v0.61.5 // indirect
-	github.com/ClickHouse/clickhouse-go/v2 v2.26.0 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
-	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/RoaringBitmap/roaring v1.9.3 // indirect
-	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/andybalholm/cascadia v1.3.2 // indirect
+	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.1.10 // indirect
+	github.com/blevesearch/bleve_index_api v1.1.12 // indirect
 	github.com/blevesearch/geo v0.1.20 // indirect
-	github.com/blevesearch/go-faiss v1.0.20 // indirect
+	github.com/blevesearch/go-faiss v1.0.24 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.2.15 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.2.16 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
@ -153,146 +157,136 @@ require (
 	github.com/blevesearch/zapx/v12 v12.3.10 // indirect
 	github.com/blevesearch/zapx/v13 v13.3.10 // indirect
 	github.com/blevesearch/zapx/v14 v14.3.10 // indirect
-	github.com/blevesearch/zapx/v15 v15.3.13 // indirect
-	github.com/blevesearch/zapx/v16 v16.1.5 // indirect
+	github.com/blevesearch/zapx/v15 v15.3.16 // indirect
+	github.com/blevesearch/zapx/v16 v16.1.9-0.20241217210638-a0519e7caf3b // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 // indirect
-	github.com/caddyserver/zerossl v0.1.2 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/dlclark/regexp2 v1.11.0 // indirect
+	github.com/dlclark/regexp2 v1.11.4 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
-	github.com/go-faster/city v1.0.1 // indirect
-	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-openapi/analysis v0.22.2 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/inflect v0.19.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.26.2 // indirect
-	github.com/go-openapi/spec v0.20.14 // indirect
-	github.com/go-openapi/strfmt v0.22.0 // indirect
 	github.com/go-openapi/swag v0.22.7 // indirect
-	github.com/go-openapi/validate v0.22.6 // indirect
 	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/golang/geo v0.0.0-20230421003525-6adc56603217 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
+	github.com/googleapis/go-sql-spanner v1.7.4 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
-	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jessevdk/go-flags v1.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/libdns/libdns v0.2.2 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/libdns/libdns v0.2.3 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/mholt/acmez/v2 v2.0.1 // indirect
-	github.com/miekg/dns v1.1.59 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mholt/acmez/v3 v3.1.0 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/paulmach/orb v0.11.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rhysd/actionlint v1.6.27 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	github.com/zeebo/blake3 v0.2.3 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
 	go.etcd.io/bbolt v1.3.9 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	go.opentelemetry.io/otel v1.26.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
-	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/api v0.203.0 // indirect
+	google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

 replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1

 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0

-replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.21.3
+replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.23.1

 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1
+
+replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616
+
+replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
--- a/go.sum
+++ b/go.sum
--- a/models/actions/run.go
+++ b/models/actions/run.go
@ -37,6 +37,7 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	ScheduleID        int64
 	Ref               string `xorm:"index"` // the commit/tag/… that caused the run
+	IsRefDeleted      bool   `xorm:"-"`
 	CommitSHA         string
 	IsForkPullRequest bool                         // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
 	NeedApproval      bool                         // may need approval if it's a fork pull request
@ -146,7 +147,11 @@ func (run *ActionRun) GetPushEventPayload() (*api.PushPayload, error) {
 }

 func (run *ActionRun) GetPullRequestEventPayload() (*api.PullRequestPayload, error) {
-	if run.Event == webhook_module.HookEventPullRequest || run.Event == webhook_module.HookEventPullRequestSync {
+	if run.Event == webhook_module.HookEventPullRequest ||
+		run.Event == webhook_module.HookEventPullRequestSync ||
+		run.Event == webhook_module.HookEventPullRequestAssign ||
+		run.Event == webhook_module.HookEventPullRequestMilestone ||
+		run.Event == webhook_module.HookEventPullRequestLabel {
 		var payload api.PullRequestPayload
 		if err := json.Unmarshal([]byte(run.EventPayload), &payload); err != nil {
 			return nil, err
@ -250,6 +255,7 @@ func CancelPreviousJobs(ctx context.Context, repoID int64, ref, workflowID strin
 }

 // InsertRun inserts a run
+// The title will be cut off at 255 characters if it's longer than 255 characters.
 func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWorkflow) error {
 	ctx, commiter, err := db.TxContext(ctx)
 	if err != nil {
@ -262,6 +268,7 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork
 		return err
 	}
 	run.Index = index
+	run.Title, _ = util.SplitStringAtByteN(run.Title, 255)

 	if err := db.Insert(ctx, run); err != nil {
 		return err
@ -387,6 +394,7 @@ func UpdateRun(ctx context.Context, run *ActionRun, cols ...string) error {
 	if len(cols) > 0 {
 		sess.Cols(cols...)
 	}
+	run.Title, _ = util.SplitStringAtByteN(run.Title, 255)
 	affected, err := sess.Update(run)
 	if err != nil {
 		return err
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@ -10,6 +10,7 @@ import (
 	"time"

 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"

@ -71,6 +72,15 @@ func (job *ActionRunJob) LoadAttributes(ctx context.Context) error {
 	return job.Run.LoadAttributes(ctx)
 }

+func (job *ActionRunJob) ItRunsOn(labels []string) bool {
+	if len(labels) == 0 || len(job.RunsOn) == 0 {
+		return false
+	}
+	labelSet := make(container.Set[string])
+	labelSet.AddMultiple(labels...)
+	return labelSet.IsSubset(job.RunsOn)
+}
+
 func GetRunJobByID(ctx context.Context, id int64) (*ActionRunJob, error) {
 	var job ActionRunJob
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&job)
@ -137,7 +147,7 @@ func UpdateRunJob(ctx context.Context, job *ActionRunJob, cond builder.Cond, col
 		if err != nil {
 			return 0, err
 		}
-		run.Status = aggregateJobStatus(jobs)
+		run.Status = AggregateJobStatus(jobs)
 		if run.Started.IsZero() && run.Status.IsRunning() {
 			run.Started = timeutil.TimeStampNow()
 		}
@ -152,29 +162,35 @@ func UpdateRunJob(ctx context.Context, job *ActionRunJob, cond builder.Cond, col
 	return affected, nil
 }

-func aggregateJobStatus(jobs []*ActionRunJob) Status {
-	allDone := true
-	allWaiting := true
-	hasFailure := false
+func AggregateJobStatus(jobs []*ActionRunJob) Status {
+	allSuccessOrSkipped := len(jobs) != 0
+	allSkipped := len(jobs) != 0
+	var hasFailure, hasCancelled, hasWaiting, hasRunning, hasBlocked bool
 	for _, job := range jobs {
-		if !job.Status.IsDone() {
-			allDone = false
-		}
-		if job.Status != StatusWaiting && !job.Status.IsDone() {
-			allWaiting = false
-		}
-		if job.Status == StatusFailure || job.Status == StatusCancelled {
-			hasFailure = true
-		}
+		allSuccessOrSkipped = allSuccessOrSkipped && (job.Status == StatusSuccess || job.Status == StatusSkipped)
+		allSkipped = allSkipped && job.Status == StatusSkipped
+		hasFailure = hasFailure || job.Status == StatusFailure
+		hasCancelled = hasCancelled || job.Status == StatusCancelled
+		hasWaiting = hasWaiting || job.Status == StatusWaiting
+		hasRunning = hasRunning || job.Status == StatusRunning
+		hasBlocked = hasBlocked || job.Status == StatusBlocked
 	}
-	if allDone {
-		if hasFailure {
-			return StatusFailure
-		}
+	switch {
+	case allSkipped:
+		return StatusSkipped
+	case allSuccessOrSkipped:
 		return StatusSuccess
-	}
-	if allWaiting {
+	case hasCancelled:
+		return StatusCancelled
+	case hasFailure:
+		return StatusFailure
+	case hasRunning:
+		return StatusRunning
+	case hasWaiting:
 		return StatusWaiting
+	case hasBlocked:
+		return StatusBlocked
+	default:
+		return StatusUnknown // it shouldn't happen
 	}
-	return StatusRunning
 }
--- a/models/actions/run_job_status_test.go
+++ b/models/actions/run_job_status_test.go
@ -0,0 +1,85 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAggregateJobStatus(t *testing.T) {
+	testStatuses := func(expected Status, statuses []Status) {
+		t.Helper()
+		var jobs []*ActionRunJob
+		for _, v := range statuses {
+			jobs = append(jobs, &ActionRunJob{Status: v})
+		}
+		actual := AggregateJobStatus(jobs)
+		if !assert.Equal(t, expected, actual) {
+			var statusStrings []string
+			for _, s := range statuses {
+				statusStrings = append(statusStrings, s.String())
+			}
+			t.Errorf("AggregateJobStatus(%v) = %v, want %v", statusStrings, statusNames[actual], statusNames[expected])
+		}
+	}
+
+	cases := []struct {
+		statuses []Status
+		expected Status
+	}{
+		// unknown cases, maybe it shouldn't happen in real world
+		{[]Status{}, StatusUnknown},
+		{[]Status{StatusUnknown, StatusSuccess}, StatusUnknown},
+		{[]Status{StatusUnknown, StatusSkipped}, StatusUnknown},
+		{[]Status{StatusUnknown, StatusFailure}, StatusFailure},
+		{[]Status{StatusUnknown, StatusCancelled}, StatusCancelled},
+		{[]Status{StatusUnknown, StatusWaiting}, StatusWaiting},
+		{[]Status{StatusUnknown, StatusRunning}, StatusRunning},
+		{[]Status{StatusUnknown, StatusBlocked}, StatusBlocked},
+
+		// success with other status
+		{[]Status{StatusSuccess}, StatusSuccess},
+		{[]Status{StatusSuccess, StatusSkipped}, StatusSuccess}, // skipped doesn't affect success
+		{[]Status{StatusSuccess, StatusFailure}, StatusFailure},
+		{[]Status{StatusSuccess, StatusCancelled}, StatusCancelled},
+		{[]Status{StatusSuccess, StatusWaiting}, StatusWaiting},
+		{[]Status{StatusSuccess, StatusRunning}, StatusRunning},
+		{[]Status{StatusSuccess, StatusBlocked}, StatusBlocked},
+
+		// any cancelled, then cancelled
+		{[]Status{StatusCancelled}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusSuccess}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusSkipped}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusFailure}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusWaiting}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusRunning}, StatusCancelled},
+		{[]Status{StatusCancelled, StatusBlocked}, StatusCancelled},
+
+		// failure with other status, fail fast
+		// Should "running" win? Maybe no: old code does make "running" win, but GitHub does fail fast.
+		{[]Status{StatusFailure}, StatusFailure},
+		{[]Status{StatusFailure, StatusSuccess}, StatusFailure},
+		{[]Status{StatusFailure, StatusSkipped}, StatusFailure},
+		{[]Status{StatusFailure, StatusCancelled}, StatusCancelled},
+		{[]Status{StatusFailure, StatusWaiting}, StatusFailure},
+		{[]Status{StatusFailure, StatusRunning}, StatusFailure},
+		{[]Status{StatusFailure, StatusBlocked}, StatusFailure},
+
+		// skipped with other status
+		// TODO: need to clarify whether a PR with "skipped" job status is considered as "mergeable" or not.
+		{[]Status{StatusSkipped}, StatusSkipped},
+		{[]Status{StatusSkipped, StatusSuccess}, StatusSuccess},
+		{[]Status{StatusSkipped, StatusFailure}, StatusFailure},
+		{[]Status{StatusSkipped, StatusCancelled}, StatusCancelled},
+		{[]Status{StatusSkipped, StatusWaiting}, StatusWaiting},
+		{[]Status{StatusSkipped, StatusRunning}, StatusRunning},
+		{[]Status{StatusSkipped, StatusBlocked}, StatusBlocked},
+	}
+
+	for _, c := range cases {
+		testStatuses(c.expected, c.statuses)
+	}
+}
--- a/models/actions/run_job_test.go
+++ b/models/actions/run_job_test.go
@ -0,0 +1,29 @@
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionRunJob_ItRunsOn(t *testing.T) {
+	actionJob := ActionRunJob{RunsOn: []string{"ubuntu"}}
+	agentLabels := []string{"ubuntu", "node-20"}
+
+	assert.True(t, actionJob.ItRunsOn(agentLabels))
+	assert.False(t, actionJob.ItRunsOn([]string{}))
+
+	actionJob.RunsOn = append(actionJob.RunsOn, "node-20")
+
+	assert.True(t, actionJob.ItRunsOn(agentLabels))
+
+	agentLabels = []string{"ubuntu"}
+
+	assert.False(t, actionJob.ItRunsOn(agentLabels))
+
+	actionJob.RunsOn = []string{}
+
+	assert.False(t, actionJob.ItRunsOn(agentLabels))
+}
--- a/models/actions/run_list.go
+++ b/models/actions/run_list.go
@ -10,6 +10,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/translation"
 	webhook_module "code.gitea.io/gitea/modules/webhook"

 	"xorm.io/builder"
@ -112,14 +113,14 @@ type StatusInfo struct {
 }

 // GetStatusInfoList returns a slice of StatusInfo
-func GetStatusInfoList(ctx context.Context) []StatusInfo {
+func GetStatusInfoList(ctx context.Context, lang translation.Locale) []StatusInfo {
 	// same as those in aggregateJobStatus
 	allStatus := []Status{StatusSuccess, StatusFailure, StatusWaiting, StatusRunning}
 	statusInfoList := make([]StatusInfo, 0, 4)
 	for _, s := range allStatus {
 		statusInfoList = append(statusInfoList, StatusInfo{
 			Status:          int(s),
-			DisplayedStatus: s.String(),
+			DisplayedStatus: s.LocaleString(lang),
 		})
 	}
 	return statusInfoList
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@ -271,6 +271,7 @@ func GetRunnerByID(ctx context.Context, id int64) (*ActionRunner, error) {
 // UpdateRunner updates runner's information.
 func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 	e := db.GetEngine(ctx)
+	r.Name, _ = util.SplitStringAtByteN(r.Name, 255)
 	var err error
 	if len(cols) == 0 {
 		_, err = e.ID(r.ID).AllCols().Update(r)
@ -281,27 +282,22 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 }

 // DeleteRunner deletes a runner by given ID.
-func DeleteRunner(ctx context.Context, id int64) error {
-	runner, err := GetRunnerByID(ctx, id)
-	if err != nil {
-		return err
-	}
-
+func DeleteRunner(ctx context.Context, r *ActionRunner) error {
 	// Replace the UUID, which was either based on the secret's first 16 bytes or an UUIDv4,
 	// with a sequence of 8 0xff bytes followed by the little-endian version of the record's
 	// identifier. This will prevent the deleted record's identifier from colliding with any
 	// new record.
 	b := make([]byte, 8)
-	binary.LittleEndian.PutUint64(b, uint64(id))
-	runner.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
+	binary.LittleEndian.PutUint64(b, uint64(r.ID))
+	r.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
 		b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7])

-	err = UpdateRunner(ctx, runner, "UUID")
+	err := UpdateRunner(ctx, r, "UUID")
 	if err != nil {
 		return err
 	}

-	_, err = db.DeleteByID[ActionRunner](ctx, id)
+	_, err = db.DeleteByID[ActionRunner](ctx, r.ID)
 	return err
 }

@ -312,6 +308,7 @@ func CreateRunner(ctx context.Context, t *ActionRunner) error {
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		t.OwnerID = 0
 	}
+	t.Name, _ = util.SplitStringAtByteN(t.Name, 255)
 	return db.Insert(ctx, t)
 }

--- a/models/actions/runner_test.go
+++ b/models/actions/runner_test.go
@ -34,7 +34,7 @@ func TestDeleteRunner(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	before := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})

-	err := DeleteRunner(db.DefaultContext, recordID)
+	err := DeleteRunner(db.DefaultContext, &ActionRunner{ID: recordID})
 	require.NoError(t, err)

 	var after ActionRunner
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@ -12,7 +12,10 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
+
+	"xorm.io/builder"
 )

 // ActionSchedule represents a schedule of a workflow file
@ -67,6 +70,7 @@ func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {

 	// Loop through each schedule row
 	for _, row := range rows {
+		row.Title, _ = util.SplitStringAtByteN(row.Title, 255)
 		// Create new schedule row
 		if err = db.Insert(ctx, row); err != nil {
 			return err
@ -138,3 +142,25 @@ func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository, ca
 	}
 	return nil
 }
+
+type FindScheduleOptions struct {
+	db.ListOptions
+	RepoID  int64
+	OwnerID int64
+}
+
+func (opts FindScheduleOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+
+	return cond
+}
+
+func (opts FindScheduleOptions) ToOrders() string {
+	return "`id` DESC"
+}
--- a/models/actions/schedule_list.go
+++ b/models/actions/schedule_list.go
@ -1,83 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package actions
-
-import (
-	"context"
-
-	"code.gitea.io/gitea/models/db"
-	repo_model "code.gitea.io/gitea/models/repo"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/container"
-
-	"xorm.io/builder"
-)
-
-type ScheduleList []*ActionSchedule
-
-// GetUserIDs returns a slice of user's id
-func (schedules ScheduleList) GetUserIDs() []int64 {
-	return container.FilterSlice(schedules, func(schedule *ActionSchedule) (int64, bool) {
-		return schedule.TriggerUserID, true
-	})
-}
-
-func (schedules ScheduleList) GetRepoIDs() []int64 {
-	return container.FilterSlice(schedules, func(schedule *ActionSchedule) (int64, bool) {
-		return schedule.RepoID, true
-	})
-}
-
-func (schedules ScheduleList) LoadTriggerUser(ctx context.Context) error {
-	userIDs := schedules.GetUserIDs()
-	users := make(map[int64]*user_model.User, len(userIDs))
-	if err := db.GetEngine(ctx).In("id", userIDs).Find(&users); err != nil {
-		return err
-	}
-	for _, schedule := range schedules {
-		if schedule.TriggerUserID == user_model.ActionsUserID {
-			schedule.TriggerUser = user_model.NewActionsUser()
-		} else {
-			schedule.TriggerUser = users[schedule.TriggerUserID]
-			if schedule.TriggerUser == nil {
-				schedule.TriggerUser = user_model.NewGhostUser()
-			}
-		}
-	}
-	return nil
-}
-
-func (schedules ScheduleList) LoadRepos(ctx context.Context) error {
-	repoIDs := schedules.GetRepoIDs()
-	repos, err := repo_model.GetRepositoriesMapByIDs(ctx, repoIDs)
-	if err != nil {
-		return err
-	}
-	for _, schedule := range schedules {
-		schedule.Repo = repos[schedule.RepoID]
-	}
-	return nil
-}
-
-type FindScheduleOptions struct {
-	db.ListOptions
-	RepoID  int64
-	OwnerID int64
-}
-
-func (opts FindScheduleOptions) ToConds() builder.Cond {
-	cond := builder.NewCond()
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
-	if opts.OwnerID > 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-
-	return cond
-}
-
-func (opts FindScheduleOptions) ToOrders() string {
-	return "`id` DESC"
-}
--- a/models/actions/task.go
+++ b/models/actions/task.go
@ -12,7 +12,6 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unit"
-	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
@ -245,7 +244,7 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
 	var job *ActionRunJob
 	log.Trace("runner labels: %v", runner.AgentLabels)
 	for _, v := range jobs {
-		if isSubset(runner.AgentLabels, v.RunsOn) {
+		if v.ItRunsOn(runner.AgentLabels) {
 			job = v
 			break
 		}
@ -341,7 +340,7 @@ func UpdateTask(ctx context.Context, task *ActionTask, cols ...string) error {
 // UpdateTaskByState updates the task by the state.
 // It will always update the task if the state is not final, even there is no change.
 // So it will update ActionTask.Updated to avoid the task being judged as a zombie task.
-func UpdateTaskByState(ctx context.Context, state *runnerv1.TaskState) (*ActionTask, error) {
+func UpdateTaskByState(ctx context.Context, runnerID int64, state *runnerv1.TaskState) (*ActionTask, error) {
 	stepStates := map[int64]*runnerv1.StepState{}
 	for _, v := range state.Steps {
 		stepStates[v.Id] = v
@ -360,6 +359,8 @@ func UpdateTaskByState(ctx context.Context, state *runnerv1.TaskState) (*ActionT
 		return nil, err
 	} else if !has {
 		return nil, util.ErrNotExist
+	} else if runnerID != task.RunnerID {
+		return nil, fmt.Errorf("invalid runner for task")
 	}

 	if task.Status.IsDone() {
@ -480,20 +481,6 @@ func FindOldTasksToExpire(ctx context.Context, olderThan timeutil.TimeStamp, lim
 		Find(&tasks)
 }

-func isSubset(set, subset []string) bool {
-	m := make(container.Set[string], len(set))
-	for _, v := range set {
-		m.Add(v)
-	}
-
-	for _, v := range subset {
-		if !m.Contains(v) {
-			return false
-		}
-	}
-	return true
-}
-
 func convertTimestamp(timestamp *timestamppb.Timestamp) timeutil.TimeStamp {
 	if timestamp.GetSeconds() == 0 && timestamp.GetNanos() == 0 {
 		return timeutil.TimeStamp(0)
--- a/models/actions/task_list.go
+++ b/models/actions/task_list.go
@ -50,7 +50,7 @@ type FindTaskOptions struct {
 	RepoID        int64
 	OwnerID       int64
 	CommitSHA     string
-	Status        Status
+	Status        []Status
 	UpdatedBefore timeutil.TimeStamp
 	StartedBefore timeutil.TimeStamp
 	RunnerID      int64
@ -67,8 +67,8 @@ func (opts FindTaskOptions) ToConds() builder.Cond {
 	if opts.CommitSHA != "" {
 		cond = cond.And(builder.Eq{"commit_sha": opts.CommitSHA})
 	}
-	if opts.Status > StatusUnknown {
-		cond = cond.And(builder.Eq{"status": opts.Status})
+	if opts.Status != nil {
+		cond = cond.And(builder.In("status", opts.Status))
 	}
 	if opts.UpdatedBefore > 0 {
 		cond = cond.And(builder.Lt{"updated": opts.UpdatedBefore})
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@ -86,7 +86,7 @@ func FindVariables(ctx context.Context, opts FindVariablesOpts) ([]*ActionVariab
 }

 func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
-	count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
+	count, err := db.GetEngine(ctx).ID(variable.ID).Where("owner_id = ? AND repo_id = ?", variable.OwnerID, variable.RepoID).Cols("name", "data").
 		Update(&ActionVariable{
 			Name: variable.Name,
 			Data: variable.Data,
@ -94,11 +94,9 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error)
 	return count != 0, err
 }

-func DeleteVariable(ctx context.Context, id int64) error {
-	if _, err := db.DeleteByID[ActionVariable](ctx, id); err != nil {
-		return err
-	}
-	return nil
+func DeleteVariable(ctx context.Context, variableID, ownerID, repoID int64) (bool, error) {
+	count, err := db.GetEngine(ctx).Table("action_variable").Where("id = ? AND owner_id = ? AND repo_id = ?", variableID, ownerID, repoID).Delete()
+	return count != 0, err
 }

 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
--- a/models/activities/action.go
+++ b/models/activities/action.go
@ -250,6 +250,9 @@ func (a *Action) GetActDisplayNameTitle(ctx context.Context) string {
 // GetRepoUserName returns the name of the action repository owner.
 func (a *Action) GetRepoUserName(ctx context.Context) string {
 	a.loadRepo(ctx)
+	if a.Repo == nil {
+		return "(non-existing-repo)"
+	}
 	return a.Repo.OwnerName
 }

@ -262,6 +265,9 @@ func (a *Action) ShortRepoUserName(ctx context.Context) string {
 // GetRepoName returns the name of the action repository.
 func (a *Action) GetRepoName(ctx context.Context) string {
 	a.loadRepo(ctx)
+	if a.Repo == nil {
+		return "(non-existing-repo)"
+	}
 	return a.Repo.Name
 }

--- a/models/activities/main_test.go
+++ b/models/activities/main_test.go
@ -10,6 +10,7 @@ import (

 	_ "code.gitea.io/gitea/models"
 	_ "code.gitea.io/gitea/models/actions"
+	_ "code.gitea.io/gitea/models/forgefed"
 )

 func TestMain(m *testing.M) {
--- a/models/activities/user_heatmap_test.go
+++ b/models/activities/user_heatmap_test.go
@ -96,6 +96,6 @@ func TestGetUserHeatmapDataByUser(t *testing.T) {
 		// Test JSON rendering
 		jsonData, err := json.Marshal(heatmap)
 		require.NoError(t, err)
-		assert.Equal(t, tc.JSONResult, string(jsonData))
+		assert.JSONEq(t, tc.JSONResult, string(jsonData))
 	}
 }
--- a/models/admin/task.go
+++ b/models/admin/task.go
@ -44,7 +44,7 @@ func init() {
 // TranslatableMessage represents JSON struct that can be translated with a Locale
 type TranslatableMessage struct {
 	Format string
-	Args   []any `json:"omitempty"`
+	Args   []any `json:",omitempty"`
 }

 // LoadRepo loads repository of the task
--- a/models/asymkey/error.go
+++ b/models/asymkey/error.go
@ -192,28 +192,6 @@ func (err ErrGPGKeyIDAlreadyUsed) Unwrap() error {
 	return util.ErrAlreadyExist
 }

-// ErrGPGKeyAccessDenied represents a "GPGKeyAccessDenied" kind of Error.
-type ErrGPGKeyAccessDenied struct {
-	UserID int64
-	KeyID  int64
-}
-
-// IsErrGPGKeyAccessDenied checks if an error is a ErrGPGKeyAccessDenied.
-func IsErrGPGKeyAccessDenied(err error) bool {
-	_, ok := err.(ErrGPGKeyAccessDenied)
-	return ok
-}
-
-// Error pretty-prints an error of type ErrGPGKeyAccessDenied.
-func (err ErrGPGKeyAccessDenied) Error() string {
-	return fmt.Sprintf("user does not have access to the key [user_id: %d, key_id: %d]",
-		err.UserID, err.KeyID)
-}
-
-func (err ErrGPGKeyAccessDenied) Unwrap() error {
-	return util.ErrPermissionDenied
-}
-
 // ErrKeyAccessDenied represents a "KeyAccessDenied" kind of error.
 type ErrKeyAccessDenied struct {
 	UserID int64
--- a/models/asymkey/ssh_key_authorized_keys.go
+++ b/models/asymkey/ssh_key_authorized_keys.go
@ -87,19 +87,16 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 	}
 	defer f.Close()

-	// Note: chmod command does not support in Windows.
-	if !setting.IsWindows {
-		fi, err := f.Stat()
-		if err != nil {
-			return err
-		}
+	fi, err := f.Stat()
+	if err != nil {
+		return err
+	}

-		// .ssh directory should have mode 700, and authorized_keys file should have mode 600.
-		if fi.Mode().Perm() > 0o600 {
-			log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String())
-			if err = f.Chmod(0o600); err != nil {
-				return err
-			}
+	// .ssh directory should have mode 700, and authorized_keys file should have mode 600.
+	if fi.Mode().Perm() > 0o600 {
+		log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String())
+		if err = f.Chmod(0o600); err != nil {
+			return err
 		}
 	}

--- a/models/asymkey/ssh_key_deploy.go
+++ b/models/asymkey/ssh_key_deploy.go
@ -105,14 +105,6 @@ func addDeployKey(ctx context.Context, keyID, repoID int64, name, fingerprint st
 	return key, db.Insert(ctx, key)
 }

-// HasDeployKey returns true if public key is a deploy key of given repository.
-func HasDeployKey(ctx context.Context, keyID, repoID int64) bool {
-	has, _ := db.GetEngine(ctx).
-		Where("key_id = ? AND repo_id = ?", keyID, repoID).
-		Get(new(DeployKey))
-	return has
-}
-
 // AddDeployKey add new deploy key to database and authorized_keys file.
 func AddDeployKey(ctx context.Context, repoID int64, name, content string, readOnly bool) (*DeployKey, error) {
 	fingerprint, err := CalcFingerprint(content)
--- a/models/asymkey/ssh_key_parse.go
+++ b/models/asymkey/ssh_key_parse.go
@ -219,8 +219,13 @@ func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
 		return "", 0, fmt.Errorf("ParsePublicKey: %w", err)
 	}

+	pkeyType := pkey.Type()
+	if certPkey, ok := pkey.(*ssh.Certificate); ok {
+		pkeyType = certPkey.Key.Type()
+	}
+
 	// The ssh library can parse the key, so next we find out what key exactly we have.
-	switch pkey.Type() {
+	switch pkeyType {
 	case ssh.KeyAlgoDSA:
 		rawPub := struct {
 			Name       string
--- a/models/asymkey/ssh_key_test.go
+++ b/models/asymkey/ssh_key_test.go
@ -35,6 +35,7 @@ func Test_SSHParsePublicKey(t *testing.T) {
 		{"ecdsa-384", false, "ecdsa", 384, "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBINmioV+XRX1Fm9Qk2ehHXJ2tfVxW30ypUWZw670Zyq5GQfBAH6xjygRsJ5wWsHXBsGYgFUXIHvMKVAG1tpw7s6ax9oA+dJOJ7tj+vhn8joFqT+sg3LYHgZkHrfqryRasQ== nocomment"},
 		{"ecdsa-sk", true, "ecdsa-sk", 256, "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGXEEzWmm1dxb+57RoK5KVCL0w2eNv9cqJX2AGGVlkFsVDhOXHzsadS3LTK4VlEbbrDMJdoti9yM8vclA8IeRacAAAAEc3NoOg== nocomment"},
 		{"ed25519-sk", true, "ed25519-sk", 256, "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7kM1R02+4ertDKGKEDcKG0s+2vyDDcIvceJ0Gqv5f1AAAABHNzaDo= nocomment"},
+		{"ed25519-cert-v01", true, "ed25519", 256, "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAlIAPlEj0mYQzQo8Ks0Nm/Ct8ceNkyJSf4DLuF5l7+5AAAAIEuWAoaBo2tT29/oMNnoDfdAPRCIdM2RGapKUhY4nDfLRgPQwfnRoc0AAAABAAAAcHZhdWx0LW9pZGMtNmRhYjdiZDgtNDg5YS00MDFkLTg3ZmItNjdjNTlhMDZkZDkxLTNjNTk2M2YyMGRmMDM3MDkyMzc1YmNiYmNiNzkxY2EyZWIxM2I0NGZhMzc2NTcwMWI0MjMwODU0MWFmNjhkNTgAAAALAAAAB2Zvcmdlam8AAAAAZ6/RUQAAAABn115vAAAAAAAAAAAAAAAAAAACFwAAAAdzc2gtcnNhAAAAAwEAAQAAAgEAySnM/TvD117GyKgOgMatDB2t+fCHORFaWVmH5SaadAzNJ2DfDAauRSLfnim1xdgAOMTzsPEEHH47zyYMjE85o2AiJxrfUBMw3O/7AbNc6+HyLr/txH4+vD9tWQknKnpVWM+3Z9wiHDcOdKRoXCmFZKJH1vxs16GNWjwbrfNiimv7Oi0fadgvTDKX603gpLTuVDXqs9eQFLCONptei86JYBAJqaHvg51k8YUCKt9WFqKAj7BJUWmrDvhv5VFMOsnZieJjqxkoxnpsQNlXfPzxK0vIpJofbYfWwscv/g9WZypHwO1ZR2PqzKm99YrSdr8w5256l0f44vsF0NSP0N7bDQEfYYnRGj8zWTYCBFD+uYF7AxIeaRUpZoTQO8MvCHOLMIDinNgEeCUvNA2v9zHl4BGq+PQjzUKAgJiKj0MZeiCDAmQ22g83ggQlB6BOrBb1fNa/S1cmTbGHQ2oAN358aqkmHVCBhPOyA2Rf65D2M2vzDlUdOsNDUIWAHk7GbwSNGDgcYfTWqtR5fTzp2MJovMh1dDUDXjOvojbhzjJtSy9+rzUYIv18aXdOitzVBgPMWdeVCZFZv4OKF+5MiqxQvedUvfiSjsdxZWLxyT1CJ88G3MzxNMS/Djm86T8h/Oa55bdvFtqpsLfvpIqq0pnXq1V/vF2j1MWwRB5z5Xh/HtEAAAIUAAAADHJzYS1zaGEyLTI1NgAAAgB2I2gzqemQl8/ETxtakALlm/2BpUcbhADcFWuoH6BCPnWHuTSwf3OayM6KXv1PQfL3YFRoi9Afrp8kVFL6DePsmKH+0BUEMz71sZ7v1ty7pwfzibItGnpTbQXhzbEiNYAFoz77rl7oaXF7pV6JNZhj3DVAB5gVA2oN5KRNVxijz+6uyuFJEw1HIl1C7GworvGwZcN7BThTEh3i72/Vntejy9Z8uGVjSFjS0rjRo2oXK1LKN0rVt66p3TmCWHouLkVnOTk0qrhLGlL2HVyo24OYHbkAAObD9b6aMDYlmluk6NsaiTKsSTsvMrbIbjtFQlh7nNyoPhZ0VMwaT1l10pDQ5uxWWZjKGIkz4xM1ZfpBszjJNPo+ivYQnTSjj9LwkbLAT9a/5LawSj80TGcLEMO+0eyPdJsP0wYmOVRFAZeRiBgwb3HrzcF6Wqr8icj1EjYkKSy9YFHGTnFBGknpdh3HGwghRXrCUwAnSM76db9pv4/qowT8LthtJ3dY5Epe0OJ1Tqm+q8bkGH4gB+7uqLSqM5pIHSKLp7lfHQBt1J6xa7H2saiweaWjU+QGTgQ2Lg+uUC5DXJrmm60CeFJ4BoGhUenDlgijbQpjH/l6330PbwefgjWtUK/pqaEA4lCoPyvJ+eF2DbYfPiAIBAFQnhVJJae4AH+XoCt29nb2j30ztg== nocomment"},
 	}

 	for _, tc := range testCases {
--- a/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
+++ b/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
@ -23,3 +23,11 @@
  redirect_uris: '["http://127.0.0.1", "https://127.0.0.1"]'
  created_unix: 1712358091
  updated_unix: 1712358091
+-
+  id: 1003
+  uid: 0
+  name: "Global Auth source that should be kept"
+  client_id: "2f3467c1-7b3b-463d-ab04-2ae2b2712826"
+  redirect_uris: '["http://example.com/globalapp", "https://example.com/globalapp"]'
+  created_unix: 1732387292
+  updated_unix: 1732387292
--- a/models/auth/access_token.go
+++ b/models/auth/access_token.go
@ -98,6 +98,15 @@ func init() {

 // NewAccessToken creates new access token.
 func NewAccessToken(ctx context.Context, t *AccessToken) error {
+	err := generateAccessToken(t)
+	if err != nil {
+		return err
+	}
+	_, err = db.GetEngine(ctx).Insert(t)
+	return err
+}
+
+func generateAccessToken(t *AccessToken) error {
 	salt, err := util.CryptoRandomString(10)
 	if err != nil {
 		return err
@ -110,8 +119,7 @@ func NewAccessToken(ctx context.Context, t *AccessToken) error {
 	t.Token = hex.EncodeToString(token)
 	t.TokenHash = HashToken(t.Token, t.TokenSalt)
 	t.TokenLastEight = t.Token[len(t.Token)-8:]
-	_, err = db.GetEngine(ctx).Insert(t)
-	return err
+	return nil
 }

 // DisplayPublicOnly whether to display this as a public-only token.
@ -234,3 +242,25 @@ func DeleteAccessTokenByID(ctx context.Context, id, userID int64) error {
 	}
 	return nil
 }
+
+// RegenerateAccessTokenByID regenerates access token by given ID.
+// It regenerates token and salt, as well as updates the creation time.
+func RegenerateAccessTokenByID(ctx context.Context, id, userID int64) (*AccessToken, error) {
+	t := &AccessToken{}
+	found, err := db.GetEngine(ctx).Where("id = ? AND uid = ?", id, userID).Get(t)
+	if err != nil {
+		return nil, err
+	} else if !found {
+		return nil, ErrAccessTokenNotExist{}
+	}
+
+	err = generateAccessToken(t)
+	if err != nil {
+		return nil, err
+	}
+
+	// Reset the creation time, token is unused
+	t.UpdatedUnix = timeutil.TimeStampNow()
+
+	return t, UpdateAccessToken(ctx, t)
+}
--- a/models/auth/access_token_test.go
+++ b/models/auth/access_token_test.go
@ -131,3 +131,28 @@ func TestDeleteAccessTokenByID(t *testing.T) {
 	require.Error(t, err)
 	assert.True(t, auth_model.IsErrAccessTokenNotExist(err))
 }
+
+func TestRegenerateAccessTokenByID(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	token, err := auth_model.GetAccessTokenBySHA(db.DefaultContext, "4c6f36e6cf498e2a448662f915d932c09c5a146c")
+	require.NoError(t, err)
+
+	newToken, err := auth_model.RegenerateAccessTokenByID(db.DefaultContext, token.ID, 1)
+	require.NoError(t, err)
+	unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: token.ID, UID: token.UID, TokenHash: token.TokenHash})
+	newToken = &auth_model.AccessToken{
+		ID:        newToken.ID,
+		UID:       newToken.UID,
+		TokenHash: newToken.TokenHash,
+	}
+	unittest.AssertExistsAndLoadBean(t, newToken)
+
+	// Token has been recreated, new salt and hash, but should retain the same ID, UID, Name and Scope
+	assert.Equal(t, token.ID, newToken.ID)
+	assert.NotEqual(t, token.TokenHash, newToken.TokenHash)
+	assert.NotEqual(t, token.TokenSalt, newToken.TokenSalt)
+	assert.Equal(t, token.UID, newToken.UID)
+	assert.Equal(t, token.Name, newToken.Name)
+	assert.Equal(t, token.Scope, newToken.Scope)
+}
--- a/models/auth/auth_token.go
+++ b/models/auth/auth_token.go
@ -15,12 +15,31 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )

+type AuthorizationPurpose string
+
+var (
+	// Used to store long term authorization tokens.
+	LongTermAuthorization AuthorizationPurpose = "long_term_authorization"
+
+	// Used to activate a user account.
+	UserActivation AuthorizationPurpose = "user_activation"
+
+	// Used to reset the password.
+	PasswordReset AuthorizationPurpose = "password_reset"
+)
+
+// Used to activate the specified email address for a user.
+func EmailActivation(email string) AuthorizationPurpose {
+	return AuthorizationPurpose("email_activation:" + email)
+}
+
 // AuthorizationToken represents a authorization token to a user.
 type AuthorizationToken struct {
 	ID              int64  `xorm:"pk autoincr"`
 	UID             int64  `xorm:"INDEX"`
 	LookupKey       string `xorm:"INDEX UNIQUE"`
 	HashedValidator string
+	Purpose         AuthorizationPurpose `xorm:"NOT NULL DEFAULT 'long_term_authorization'"`
 	Expiry          timeutil.TimeStamp
 }

@ -41,7 +60,7 @@ func (authToken *AuthorizationToken) IsExpired() bool {
 // GenerateAuthToken generates a new authentication token for the given user.
 // It returns the lookup key and validator values that should be passed to the
 // user via a long-term cookie.
-func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeStamp) (lookupKey, validator string, err error) {
+func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeStamp, purpose AuthorizationPurpose) (lookupKey, validator string, err error) {
 	// Request 64 random bytes. The first 32 bytes will be used for the lookupKey
 	// and the other 32 bytes will be used for the validator.
 	rBytes, err := util.CryptoRandomBytes(64)
@ -56,14 +75,15 @@ func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeSt
 		Expiry:          expiry,
 		LookupKey:       lookupKey,
 		HashedValidator: HashValidator(rBytes[32:]),
+		Purpose:         purpose,
 	})
 	return lookupKey, validator, err
 }

 // FindAuthToken will find a authorization token via the lookup key.
-func FindAuthToken(ctx context.Context, lookupKey string) (*AuthorizationToken, error) {
+func FindAuthToken(ctx context.Context, lookupKey string, purpose AuthorizationPurpose) (*AuthorizationToken, error) {
 	var authToken AuthorizationToken
-	has, err := db.GetEngine(ctx).Where("lookup_key = ?", lookupKey).Get(&authToken)
+	has, err := db.GetEngine(ctx).Where("lookup_key = ? AND purpose = ?", lookupKey, purpose).Get(&authToken)
 	if err != nil {
 		return nil, err
 	} else if !has {
--- a/models/auth/main_test.go
+++ b/models/auth/main_test.go
@ -12,6 +12,7 @@ import (
 	_ "code.gitea.io/gitea/models/actions"
 	_ "code.gitea.io/gitea/models/activities"
 	_ "code.gitea.io/gitea/models/auth"
+	_ "code.gitea.io/gitea/models/forgefed"
 	_ "code.gitea.io/gitea/models/perm/access"
 )

--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@ -657,6 +657,7 @@ func CountOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		Table("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs())).
 		Select("COUNT(`oauth2_application`.`id`)").
 		Count()
@ -668,6 +669,7 @@ func DeleteOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		From("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs()))

 	b := builder.Delete(builder.In("id", subQuery)).From("`oauth2_application`")
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@ -296,4 +296,5 @@ func TestOrphanedOAuth2Applications(t *testing.T) {
 	require.NoError(t, err)
 	assert.EqualValues(t, 0, count)
 	unittest.AssertExistsIf(t, false, &auth_model.OAuth2Application{ID: 1002})
+	unittest.AssertExistsIf(t, true, &auth_model.OAuth2Application{ID: 1003})
 }
--- a/models/auth/source.go
+++ b/models/auth/source.go
@ -32,7 +32,7 @@ const (
 	PAM         // 4
 	DLDAP       // 5
 	OAuth2      // 6
-	SSPI        // 7
+	_           // 7 (was SSPI)
 	Remote      // 8
 )

@ -53,7 +53,6 @@ var Names = map[Type]string{
 	SMTP:   "SMTP",
 	PAM:    "PAM",
 	OAuth2: "OAuth2",
-	SSPI:   "SPNEGO with SSPI",
 	Remote: "Remote",
 }

@ -178,11 +177,6 @@ func (source *Source) IsOAuth2() bool {
 	return source.Type == OAuth2
 }

-// IsSSPI returns true of this source is of the SSPI type.
-func (source *Source) IsSSPI() bool {
-	return source.Type == SSPI
-}
-
 func (source *Source) IsRemote() bool {
 	return source.Type == Remote
 }
@ -216,7 +210,7 @@ func CreateSource(ctx context.Context, source *Source) error {
 		return ErrSourceAlreadyExist{source.Name}
 	}
 	// Synchronization is only available with LDAP for now
-	if !source.IsLDAP() && !source.IsOAuth2() {
+	if !source.IsLDAP() {
 		source.IsSyncEnabled = false
 	}

@ -265,20 +259,6 @@ func (opts FindSourcesOptions) ToConds() builder.Cond {
 	return conds
 }

-// IsSSPIEnabled returns true if there is at least one activated login
-// source of type LoginSSPI
-func IsSSPIEnabled(ctx context.Context) bool {
-	exist, err := db.Exist[Source](ctx, FindSourcesOptions{
-		IsActive:  optional.Some(true),
-		LoginType: SSPI,
-	}.ToConds())
-	if err != nil {
-		log.Error("IsSSPIEnabled: failed to query active SSPI sources: %v", err)
-		return false
-	}
-	return exist
-}
-
 // GetSourceByID returns login source by given ID.
 func GetSourceByID(ctx context.Context, id int64) (*Source, error) {
 	source := new(Source)
@ -299,17 +279,6 @@ func GetSourceByID(ctx context.Context, id int64) (*Source, error) {
 	return source, nil
 }

-func GetSourceByName(ctx context.Context, name string) (*Source, error) {
-	source := &Source{}
-	has, err := db.GetEngine(ctx).Where("name = ?", name).Get(source)
-	if err != nil {
-		return nil, err
-	} else if !has {
-		return nil, ErrSourceNotExist{}
-	}
-	return source, nil
-}
-
 // UpdateSource updates a Source record in DB.
 func UpdateSource(ctx context.Context, source *Source) error {
 	var originalSource *Source
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@ -5,17 +5,14 @@ package auth

 import (
 	"context"
-	"crypto/md5"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/base32"
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"

 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/secret"
-	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/keying"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"

@ -49,9 +46,9 @@ func (err ErrTwoFactorNotEnrolled) Unwrap() error {

 // TwoFactor represents a two-factor authentication token.
 type TwoFactor struct {
-	ID               int64 `xorm:"pk autoincr"`
-	UID              int64 `xorm:"UNIQUE"`
-	Secret           string
+	ID               int64  `xorm:"pk autoincr"`
+	UID              int64  `xorm:"UNIQUE"`
+	Secret           []byte `xorm:"BLOB"`
 	ScratchSalt      string
 	ScratchHash      string
 	LastUsedPasscode string             `xorm:"VARCHAR(10)"`
@ -92,39 +89,35 @@ func (t *TwoFactor) VerifyScratchToken(token string) bool {
 	return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1
 }

-func (t *TwoFactor) getEncryptionKey() []byte {
-	k := md5.Sum([]byte(setting.SecretKey))
-	return k[:]
-}
-
 // SetSecret sets the 2FA secret.
-func (t *TwoFactor) SetSecret(secretString string) error {
-	secretBytes, err := secret.AesEncrypt(t.getEncryptionKey(), []byte(secretString))
-	if err != nil {
-		return err
-	}
-	t.Secret = base64.StdEncoding.EncodeToString(secretBytes)
-	return nil
+func (t *TwoFactor) SetSecret(secretString string) {
+	key := keying.DeriveKey(keying.ContextTOTP)
+	t.Secret = key.Encrypt([]byte(secretString), keying.ColumnAndID("secret", t.ID))
 }

 // ValidateTOTP validates the provided passcode.
 func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
-	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
+	key := keying.DeriveKey(keying.ContextTOTP)
+	secret, err := key.Decrypt(t.Secret, keying.ColumnAndID("secret", t.ID))
 	if err != nil {
 		return false, err
 	}
-	secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
-	if err != nil {
-		return false, err
-	}
-	secretStr := string(secretBytes)
-	return totp.Validate(passcode, secretStr), nil
+	return totp.Validate(passcode, string(secret)), nil
 }

 // NewTwoFactor creates a new two-factor authentication token.
-func NewTwoFactor(ctx context.Context, t *TwoFactor) error {
-	_, err := db.GetEngine(ctx).Insert(t)
-	return err
+func NewTwoFactor(ctx context.Context, t *TwoFactor, secret string) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		sess := db.GetEngine(ctx)
+		_, err := sess.Insert(t)
+		if err != nil {
+			return err
+		}
+
+		t.SetSecret(secret)
+		_, err = sess.Cols("secret").ID(t.ID).Update(t)
+		return err
+	})
 }

 // UpdateTwoFactor updates a two-factor authentication token.
--- a/models/auth/webauthn.go
+++ b/models/auth/webauthn.go
@ -52,10 +52,10 @@ type WebAuthnCredential struct {
 	AAGUID          []byte
 	SignCount       uint32 `xorm:"BIGINT"`
 	CloneWarning    bool
-	BackupEligible  bool `XORM:"NOT NULL DEFAULT false"`
-	BackupState     bool `XORM:"NOT NULL DEFAULT false"`
+	BackupEligible  bool `xorm:"NOT NULL DEFAULT false"`
+	BackupState     bool `xorm:"NOT NULL DEFAULT false"`
 	// If legacy is set to true, backup_eligible and backup_state isn't set.
-	Legacy      bool               `XORM:"NOT NULL DEFAULT true"`
+	Legacy      bool               `xorm:"NOT NULL DEFAULT true"`
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
--- a/models/db/context_committer_test.go
+++ b/models/db/context_committer_test.go
@ -4,7 +4,7 @@
 package db // it's not db_test, because this file is for testing the private type halfCommitter

 import (
-	"fmt"
+	"errors"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -80,7 +80,7 @@ func Test_halfCommitter(t *testing.T) {
 		testWithCommitter(mockCommitter, func(committer Committer) error {
 			defer committer.Close()
 			if true {
-				return fmt.Errorf("error")
+				return errors.New("error")
 			}
 			return committer.Commit()
 		})
@ -94,7 +94,7 @@ func Test_halfCommitter(t *testing.T) {
 		testWithCommitter(mockCommitter, func(committer Committer) error {
 			committer.Close()
 			committer.Commit()
-			return fmt.Errorf("error")
+			return errors.New("error")
 		})

 		mockCommitter.Assert(t)
--- a/models/db/engine.go
+++ b/models/db/engine.go
@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"reflect"
+	"runtime/trace"
 	"strings"
 	"time"

@ -163,6 +164,8 @@ func InitEngine(ctx context.Context) error {
 		Logger: errorLogger,
 	})

+	xormEngine.AddHook(&TracingHook{})
+
 	SetDefaultEngine(ctx, xormEngine)
 	return nil
 }
@ -318,6 +321,25 @@ func SetLogSQL(ctx context.Context, on bool) {
 	}
 }

+type TracingHook struct{}
+
+var _ contexts.Hook = &TracingHook{}
+
+type sqlTask struct{}
+
+func (TracingHook) BeforeProcess(c *contexts.ContextHook) (context.Context, error) {
+	ctx, task := trace.NewTask(c.Ctx, "sql")
+	ctx = context.WithValue(ctx, sqlTask{}, task)
+	trace.Log(ctx, "query", c.SQL)
+	trace.Logf(ctx, "args", "%v", c.Args)
+	return ctx, nil
+}
+
+func (TracingHook) AfterProcess(c *contexts.ContextHook) error {
+	c.Ctx.Value(sqlTask{}).(*trace.Task).End()
+	return nil
+}
+
 type SlowQueryHook struct {
 	Treshold time.Duration
 	Logger   log.Logger
--- a/models/error.go
+++ b/models/error.go
@ -151,25 +151,6 @@ func (err *ErrInvalidCloneAddr) Unwrap() error {
 	return util.ErrInvalidArgument
 }

-// ErrUpdateTaskNotExist represents a "UpdateTaskNotExist" kind of error.
-type ErrUpdateTaskNotExist struct {
-	UUID string
-}
-
-// IsErrUpdateTaskNotExist checks if an error is a ErrUpdateTaskNotExist.
-func IsErrUpdateTaskNotExist(err error) bool {
-	_, ok := err.(ErrUpdateTaskNotExist)
-	return ok
-}
-
-func (err ErrUpdateTaskNotExist) Error() string {
-	return fmt.Sprintf("update task does not exist [uuid: %s]", err.UUID)
-}
-
-func (err ErrUpdateTaskNotExist) Unwrap() error {
-	return util.ErrNotExist
-}
-
 // ErrInvalidTagName represents a "InvalidTagName" kind of error.
 type ErrInvalidTagName struct {
 	TagName string
--- a/models/fixture_generation.go
+++ b/models/fixture_generation.go
@ -1,50 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package models
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"code.gitea.io/gitea/models/db"
-	access_model "code.gitea.io/gitea/models/perm/access"
-	repo_model "code.gitea.io/gitea/models/repo"
-)
-
-// GetYamlFixturesAccess returns a string containing the contents
-// for the access table, as recalculated using repo.RecalculateAccesses()
-func GetYamlFixturesAccess(ctx context.Context) (string, error) {
-	repos := make([]*repo_model.Repository, 0, 50)
-	if err := db.GetEngine(ctx).Find(&repos); err != nil {
-		return "", err
-	}
-
-	for _, repo := range repos {
-		repo.MustOwner(ctx)
-		if err := access_model.RecalculateAccesses(ctx, repo); err != nil {
-			return "", err
-		}
-	}
-
-	var b strings.Builder
-
-	accesses := make([]*access_model.Access, 0, 200)
-	if err := db.GetEngine(ctx).OrderBy("user_id, repo_id").Find(&accesses); err != nil {
-		return "", err
-	}
-
-	for i, a := range accesses {
-		fmt.Fprintf(&b, "-\n")
-		fmt.Fprintf(&b, "  id: %d\n", i+1)
-		fmt.Fprintf(&b, "  user_id: %d\n", a.UserID)
-		fmt.Fprintf(&b, "  repo_id: %d\n", a.RepoID)
-		fmt.Fprintf(&b, "  mode: %d\n", a.Mode)
-		if i < len(accesses)-1 {
-			fmt.Fprintf(&b, "\n")
-		}
-	}
-
-	return b.String(), nil
-}
--- a/models/fixture_test.go
+++ b/models/fixture_test.go
@ -1,36 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package models
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/unittest"
-	"code.gitea.io/gitea/modules/util"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFixtureGeneration(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	test := func(ctx context.Context, gen func(ctx context.Context) (string, error), name string) {
-		expected, err := gen(ctx)
-		require.NoError(t, err)
-
-		p := filepath.Join(unittest.FixturesDir(), name+".yml")
-		bytes, err := os.ReadFile(p)
-		require.NoError(t, err)
-
-		data := string(util.NormalizeEOL(bytes))
-		assert.EqualValues(t, expected, data, "Differences detected for %s", p)
-	}
-
-	test(db.DefaultContext, GetYamlFixturesAccess, "access")
-}
--- a/models/fixtures/PrivateIssueProjects/project.yml
+++ b/models/fixtures/PrivateIssueProjects/project.yml
@ -0,0 +1,23 @@
+-
+  id: 1001
+  title: Org project that contains private and public issues
+  owner_id: 3
+  repo_id: 0
+  is_closed: false
+  creator_id: 2
+  board_type: 1
+  type: 3
+  created_unix: 1738000000
+  updated_unix: 1738000000
+
+-
+  id: 1002
+  title: User project that contains private and public issues
+  owner_id: 2
+  repo_id: 0
+  is_closed: false
+  creator_id: 2
+  board_type: 1
+  type: 1
+  created_unix: 1738000000
+  updated_unix: 1738000000
--- a/Show more
+++ b/Show more