chore(ui): always use primary button color inside modals (#7161 )

Followup to https://codeberg.org/forgejo/forgejo/pulls/3002 Related to https://codeberg.org/forgejo/forgejo/pulls/6126 This deimplements `ModalButtonColors`. Nowhere in the UI except for one devtest page modal dialogs paint this button any other color and we don't want new UIs to do that. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7161 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Update module google.golang.org/grpc to v1.71.0 (forgejo) (#7158 )
2025-03-09 16:02:06 +01:00 · 2025-03-09 07:45:58 +00:00 · 2025-03-08 15:28:58 +00:00 · 2025-03-08 14:52:32 +00:00 · 2025-03-08 14:42:14 +00:00 · 2025-03-08 14:19:36 +00:00
1586 changed files with 74827 additions and 26481 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -10,26 +10,10 @@ code.gitea.io/gitea/cmd/forgejo
 	ContextSetStdin
 code.gitea.io/gitea/models
 	IsErrUpdateTaskNotExist
 	ErrUpdateTaskNotExist.Error
 	ErrUpdateTaskNotExist.Unwrap
 	IsErrSHANotFound
 	IsErrMergeDivergingFastForwardOnly
 	GetYamlFixturesAccess
 code.gitea.io/gitea/models/actions
 	ScheduleList.GetUserIDs
 	ScheduleList.GetRepoIDs
 	ScheduleList.LoadTriggerUser
 	ScheduleList.LoadRepos
 code.gitea.io/gitea/models/asymkey
 	ErrGPGKeyAccessDenied.Error
 	ErrGPGKeyAccessDenied.Unwrap
 	HasDeployKey
 code.gitea.io/gitea/models/auth
 	GetSourceByName
 	WebAuthnCredentials
 code.gitea.io/gitea/models/db
@ -55,43 +39,24 @@ code.gitea.io/gitea/models/git
 code.gitea.io/gitea/models/issues
 	IsErrUnknownDependencyType
 	ErrNewIssueInsert.Error
 	IsErrIssueWasClosed
 	ChangeMilestoneStatus
 code.gitea.io/gitea/models/organization
 	GetTeamNamesByID
 	UpdateTeamUnits
 	SearchMembersOptions.ToConds
 	UsersInTeamsCount
 code.gitea.io/gitea/models/perm/access
 	GetRepoWriters
 code.gitea.io/gitea/models/project
 	UpdateColumnSorting
 	ChangeProjectStatus
 code.gitea.io/gitea/models/repo
 	DeleteAttachmentsByIssue
 	FindReposMapByIDs
 	IsErrTopicNotExist
 	ErrTopicNotExist.Error
 	ErrTopicNotExist.Unwrap
 	GetTopicByName
 	WatchRepoMode
 code.gitea.io/gitea/models/user
 	ErrUserInactive.Error
 	ErrUserInactive.Unwrap
 	IsErrExternalLoginUserAlreadyExist
 	IsErrExternalLoginUserNotExist
 	NewFederatedUser
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
 	GetUserEmailsByNames
 	GetUserNamesByIDs
 code.gitea.io/gitea/modules/activitypub
 	NewContext
@ -115,9 +80,6 @@ code.gitea.io/gitea/modules/cache
 	WithNoCacheContext
 	RemoveContextData
 code.gitea.io/gitea/modules/charset
 	BreakWriter.Write
 code.gitea.io/gitea/modules/emoji
 	ReplaceCodes
@ -125,6 +87,9 @@ code.gitea.io/gitea/modules/eventsource
 	Event.String
 code.gitea.io/gitea/modules/forgefed
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
 	GetItemByType
 	JSONUnmarshalerFn
 	NotEmpty
@ -137,18 +102,9 @@ code.gitea.io/gitea/modules/git
 	AddChangesWithArgs
 	CommitChanges
 	CommitChangesWithArgs
 	IsErrExecTimeout
 	ErrExecTimeout.Error
 	ErrUnsupportedVersion.Error
 	SetUpdateHook
 	openRepositoryWithDefaultContext
 	IsTagExist
 	ToEntryMode
 	LimitedReaderCloser.Read
 	LimitedReaderCloser.Close
 code.gitea.io/gitea/modules/gitgraph
 	Parser.Reset
 code.gitea.io/gitea/modules/gitrepo
 	GetBranchCommitID
@ -173,6 +129,9 @@ code.gitea.io/gitea/modules/json
 	StdJSON.NewDecoder
 	StdJSON.Indent
 code.gitea.io/gitea/modules/log
 	NewEventWriterBuffer
 code.gitea.io/gitea/modules/markup
 	GetRendererByType
 	RenderString
@ -183,16 +142,8 @@ code.gitea.io/gitea/modules/markup/console
 	RenderString
 code.gitea.io/gitea/modules/markup/markdown
 	IsDetails
 	IsSummary
 	IsTaskCheckBoxListItem
 	IsIcon
 	RenderRawString
 code.gitea.io/gitea/modules/markup/markdown/math
 	WithInlineDollarParser
 	WithBlockDollarParser
 code.gitea.io/gitea/modules/markup/mdstripper
 	stripRenderer.AddOptions
 	StripMarkdown
@ -200,9 +151,6 @@ code.gitea.io/gitea/modules/markup/mdstripper
 code.gitea.io/gitea/modules/markup/orgmode
 	RenderString
 code.gitea.io/gitea/modules/private
 	ActionsRunnerRegister
 code.gitea.io/gitea/modules/process
 	Manager.ExecTimeout
@ -225,14 +173,6 @@ code.gitea.io/gitea/modules/setting
 	GitConfigType.GetOption
 	InitLoggersForTest
 code.gitea.io/gitea/modules/storage
 	ErrInvalidConfiguration.Error
 	IsErrInvalidConfiguration
 code.gitea.io/gitea/modules/structs
 	ParseCreateHook
 	ParsePushHook
 code.gitea.io/gitea/modules/sync
 	StatusTable.Start
 	StatusTable.IsRunning
@ -247,9 +187,13 @@ code.gitea.io/gitea/modules/translation
 	MockLocale.TrString
 	MockLocale.Tr
 	MockLocale.TrN
 	MockLocale.TrPluralString
 	MockLocale.TrSize
 	MockLocale.PrettyNumber
 code.gitea.io/gitea/modules/util
 	OptionalArg
 code.gitea.io/gitea/modules/util/filebuffer
 	CreateFromReader
@ -260,9 +204,6 @@ code.gitea.io/gitea/modules/web
 	RouteMock
 	RouteMockReset
 code.gitea.io/gitea/modules/web/middleware
 	DeleteLocaleCookie
 code.gitea.io/gitea/modules/zstd
 	NewWriter
 	Writer.Write
@ -277,26 +218,14 @@ code.gitea.io/gitea/routers/web/org
 code.gitea.io/gitea/services/context
 	GetPrivateContext
 code.gitea.io/gitea/services/convert
 	ToSecret
 code.gitea.io/gitea/services/forms
 	DeadlineForm.Validate
 code.gitea.io/gitea/services/pull
 	IsCommitStatusContextSuccess
 code.gitea.io/gitea/services/repository
 	IsErrForkAlreadyExist
 code.gitea.io/gitea/services/repository/archiver
 	ArchiveRepository
 code.gitea.io/gitea/services/repository/files
 	ContentType.String
-	GetFileResponseFromCommit
+
-	TemporaryUploadRepository.GetLastCommit
+code.gitea.io/gitea/services/repository/gitgraph
-	TemporaryUploadRepository.GetLastCommitByRef
+	Parser.Reset
 code.gitea.io/gitea/services/webhook
 	NewNotifier
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -6,7 +6,7 @@
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
    },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.1": {},
+    "ghcr.io/devcontainers/features/git-lfs:1.2.3": {},
    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
    "ghcr.io/devcontainers/features/python:1": {
      "version": "3.12"
--- a/.dockerignore
+++ b/.dockerignore
@ -34,6 +34,7 @@ _testmain.go
 *coverage.out
 coverage.all
 coverage/
 cpu.out
 /modules/migration/bindata.go
--- a/.envrc.example
+++ b/.envrc.example
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -1,803 +0,0 @@
 root: true
 reportUnusedDisableDirectives: true
 ignorePatterns:
  - /web_src/js/vendor
  - /web_src/fomantic
  - /public/assets/js
 parserOptions:
  sourceType: module
  ecmaVersion: latest
 plugins:
  - "@eslint-community/eslint-plugin-eslint-comments"
  - "@stylistic/eslint-plugin-js"
  - "@vitest"
  - eslint-plugin-array-func
  - eslint-plugin-github
  - eslint-plugin-i
  - eslint-plugin-no-jquery
  - eslint-plugin-no-use-extend-native
  - eslint-plugin-regexp
  - eslint-plugin-sonarjs
  - eslint-plugin-unicorn
  - eslint-plugin-vitest-globals
  - eslint-plugin-wc
 env:
  es2024: true
  node: true
 overrides:
  - files: ["web_src/**/*"]
    globals:
      __webpack_public_path__: true
      process: false # https://github.com/webpack/webpack/issues/15833
  - files: ["web_src/**/*", "docs/**/*"]
    env:
      browser: true
      node: false
  - files: ["web_src/**/*worker.*"]
    env:
      worker: true
    rules:
      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
  - files: ["*.config.*"]
    rules:
      i/no-unused-modules: [0]
  - files: ["**/*.test.*", "web_src/js/test/setup.js"]
    env:
      vitest-globals/env: true
    rules:
      "@vitest/consistent-test-filename": [0]
      "@vitest/consistent-test-it": [0]
      "@vitest/expect-expect": [0]
      "@vitest/max-expects": [0]
      "@vitest/max-nested-describe": [0]
      "@vitest/no-alias-methods": [0]
      "@vitest/no-commented-out-tests": [0]
      "@vitest/no-conditional-expect": [0]
      "@vitest/no-conditional-in-test": [0]
      "@vitest/no-conditional-tests": [0]
      "@vitest/no-disabled-tests": [0]
      "@vitest/no-done-callback": [0]
      "@vitest/no-duplicate-hooks": [0]
      "@vitest/no-focused-tests": [0]
      "@vitest/no-hooks": [0]
      "@vitest/no-identical-title": [2]
      "@vitest/no-interpolation-in-snapshots": [0]
      "@vitest/no-large-snapshots": [0]
      "@vitest/no-mocks-import": [0]
      "@vitest/no-restricted-matchers": [0]
      "@vitest/no-restricted-vi-methods": [0]
      "@vitest/no-standalone-expect": [0]
      "@vitest/no-test-prefixes": [0]
      "@vitest/no-test-return-statement": [0]
      "@vitest/prefer-called-with": [0]
      "@vitest/prefer-comparison-matcher": [0]
      "@vitest/prefer-each": [0]
      "@vitest/prefer-equality-matcher": [0]
      "@vitest/prefer-expect-resolves": [0]
      "@vitest/prefer-hooks-in-order": [0]
      "@vitest/prefer-hooks-on-top": [2]
      "@vitest/prefer-lowercase-title": [0]
      "@vitest/prefer-mock-promise-shorthand": [0]
      "@vitest/prefer-snapshot-hint": [0]
      "@vitest/prefer-spy-on": [0]
      "@vitest/prefer-strict-equal": [0]
      "@vitest/prefer-to-be": [0]
      "@vitest/prefer-to-be-falsy": [0]
      "@vitest/prefer-to-be-object": [0]
      "@vitest/prefer-to-be-truthy": [0]
      "@vitest/prefer-to-contain": [0]
      "@vitest/prefer-to-have-length": [0]
      "@vitest/prefer-todo": [0]
      "@vitest/require-hook": [0]
      "@vitest/require-to-throw-message": [0]
      "@vitest/require-top-level-describe": [0]
      "@vitest/valid-describe-callback": [2]
      "@vitest/valid-expect": [2]
      "@vitest/valid-title": [2]
  - files: ["web_src/js/modules/fetch.js", "web_src/js/standalone/**/*"]
    rules:
      no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression]
 rules:
  "@eslint-community/eslint-comments/disable-enable-pair": [2]
  "@eslint-community/eslint-comments/no-aggregating-enable": [2]
  "@eslint-community/eslint-comments/no-duplicate-disable": [2]
  "@eslint-community/eslint-comments/no-restricted-disable": [0]
  "@eslint-community/eslint-comments/no-unlimited-disable": [2]
  "@eslint-community/eslint-comments/no-unused-disable": [2]
  "@eslint-community/eslint-comments/no-unused-enable": [2]
  "@eslint-community/eslint-comments/no-use": [0]
  "@eslint-community/eslint-comments/require-description": [0]
  "@stylistic/js/array-bracket-newline": [0]
  "@stylistic/js/array-bracket-spacing": [2, never]
  "@stylistic/js/array-element-newline": [0]
  "@stylistic/js/arrow-parens": [2, always]
  "@stylistic/js/arrow-spacing": [2, {before: true, after: true}]
  "@stylistic/js/block-spacing": [0]
  "@stylistic/js/brace-style": [2, 1tbs, {allowSingleLine: true}]
  "@stylistic/js/comma-dangle": [2, always-multiline]
  "@stylistic/js/comma-spacing": [2, {before: false, after: true}]
  "@stylistic/js/comma-style": [2, last]
  "@stylistic/js/computed-property-spacing": [2, never]
  "@stylistic/js/dot-location": [2, property]
  "@stylistic/js/eol-last": [2]
  "@stylistic/js/function-call-spacing": [2, never]
  "@stylistic/js/function-call-argument-newline": [0]
  "@stylistic/js/function-paren-newline": [0]
  "@stylistic/js/generator-star-spacing": [0]
  "@stylistic/js/implicit-arrow-linebreak": [0]
  "@stylistic/js/indent": [2, 2, {ignoreComments: true, SwitchCase: 1}]
  "@stylistic/js/key-spacing": [2]
  "@stylistic/js/keyword-spacing": [2]
  "@stylistic/js/linebreak-style": [2, unix]
  "@stylistic/js/lines-around-comment": [0]
  "@stylistic/js/lines-between-class-members": [0]
  "@stylistic/js/max-len": [0]
  "@stylistic/js/max-statements-per-line": [0]
  "@stylistic/js/multiline-ternary": [0]
  "@stylistic/js/new-parens": [2]
  "@stylistic/js/newline-per-chained-call": [0]
  "@stylistic/js/no-confusing-arrow": [0]
  "@stylistic/js/no-extra-parens": [0]
  "@stylistic/js/no-extra-semi": [2]
  "@stylistic/js/no-floating-decimal": [0]
  "@stylistic/js/no-mixed-operators": [0]
  "@stylistic/js/no-mixed-spaces-and-tabs": [2]
  "@stylistic/js/no-multi-spaces": [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
  "@stylistic/js/no-multiple-empty-lines": [2, {max: 1, maxEOF: 0, maxBOF: 0}]
  "@stylistic/js/no-tabs": [2]
  "@stylistic/js/no-trailing-spaces": [2]
  "@stylistic/js/no-whitespace-before-property": [2]
  "@stylistic/js/nonblock-statement-body-position": [2]
  "@stylistic/js/object-curly-newline": [0]
  "@stylistic/js/object-curly-spacing": [2, never]
  "@stylistic/js/object-property-newline": [0]
  "@stylistic/js/one-var-declaration-per-line": [0]
  "@stylistic/js/operator-linebreak": [2, after]
  "@stylistic/js/padded-blocks": [2, never]
  "@stylistic/js/padding-line-between-statements": [0]
  "@stylistic/js/quote-props": [0]
  "@stylistic/js/quotes": [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
  "@stylistic/js/rest-spread-spacing": [2, never]
  "@stylistic/js/semi": [2, always, {omitLastInOneLineBlock: true}]
  "@stylistic/js/semi-spacing": [2, {before: false, after: true}]
  "@stylistic/js/semi-style": [2, last]
  "@stylistic/js/space-before-blocks": [2, always]
  "@stylistic/js/space-before-function-paren": [2, {anonymous: ignore, named: never, asyncArrow: always}]
  "@stylistic/js/space-in-parens": [2, never]
  "@stylistic/js/space-infix-ops": [2]
  "@stylistic/js/space-unary-ops": [2]
  "@stylistic/js/spaced-comment": [2, always]
  "@stylistic/js/switch-colon-spacing": [2]
  "@stylistic/js/template-curly-spacing": [2, never]
  "@stylistic/js/template-tag-spacing": [2, never]
  "@stylistic/js/wrap-iife": [2, inside]
  "@stylistic/js/wrap-regex": [0]
  "@stylistic/js/yield-star-spacing": [2, after]
  accessor-pairs: [2]
  array-callback-return: [2, {checkForEach: true}]
  array-func/avoid-reverse: [2]
  array-func/from-map: [2]
  array-func/no-unnecessary-this-arg: [2]
  array-func/prefer-array-from: [2]
  array-func/prefer-flat-map: [0] # handled by unicorn/prefer-array-flat-map
  array-func/prefer-flat: [0] # handled by unicorn/prefer-array-flat
  arrow-body-style: [0]
  block-scoped-var: [2]
  camelcase: [0]
  capitalized-comments: [0]
  class-methods-use-this: [0]
  complexity: [0]
  consistent-return: [0]
  consistent-this: [0]
  constructor-super: [2]
  curly: [0]
  default-case-last: [2]
  default-case: [0]
  default-param-last: [0]
  dot-notation: [0]
  eqeqeq: [2]
  for-direction: [2]
  func-name-matching: [2]
  func-names: [0]
  func-style: [0]
  getter-return: [2]
  github/a11y-aria-label-is-well-formatted: [0]
  github/a11y-no-title-attribute: [0]
  github/a11y-no-visually-hidden-interactive-element: [0]
  github/a11y-role-supports-aria-props: [0]
  github/a11y-svg-has-accessible-name: [0]
  github/array-foreach: [0]
  github/async-currenttarget: [2]
  github/async-preventdefault: [2]
  github/authenticity-token: [0]
  github/get-attribute: [0]
  github/js-class-name: [0]
  github/no-blur: [0]
  github/no-d-none: [0]
  github/no-dataset: [2]
  github/no-dynamic-script-tag: [2]
  github/no-implicit-buggy-globals: [2]
  github/no-inner-html: [0]
  github/no-innerText: [2]
  github/no-then: [2]
  github/no-useless-passive: [2]
  github/prefer-observers: [2]
  github/require-passive-events: [2]
  github/unescaped-html-literal: [0]
  grouped-accessor-pairs: [2]
  guard-for-in: [0]
  id-blacklist: [0]
  id-length: [0]
  id-match: [0]
  i/consistent-type-specifier-style: [0]
  i/default: [0]
  i/dynamic-import-chunkname: [0]
  i/export: [2]
  i/exports-last: [0]
  i/extensions: [2, always, {ignorePackages: true}]
  i/first: [2]
  i/group-exports: [0]
  i/max-dependencies: [0]
  i/named: [2]
  i/namespace: [0]
  i/newline-after-import: [0]
  i/no-absolute-path: [0]
  i/no-amd: [2]
  i/no-anonymous-default-export: [0]
  i/no-commonjs: [2]
  i/no-cycle: [2, {ignoreExternal: true, maxDepth: 1}]
  i/no-default-export: [0]
  i/no-deprecated: [0]
  i/no-dynamic-require: [0]
  i/no-empty-named-blocks: [2]
  i/no-extraneous-dependencies: [2]
  i/no-import-module-exports: [0]
  i/no-internal-modules: [0]
  i/no-mutable-exports: [0]
  i/no-named-as-default-member: [0]
  i/no-named-as-default: [2]
  i/no-named-default: [0]
  i/no-named-export: [0]
  i/no-namespace: [0]
  i/no-nodejs-modules: [0]
  i/no-relative-packages: [0]
  i/no-relative-parent-imports: [0]
  i/no-restricted-paths: [0]
  i/no-self-import: [2]
  i/no-unassigned-import: [0]
  i/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$", ^vitest/]}]
  i/no-unused-modules: [2, {unusedExports: true}]
  i/no-useless-path-segments: [2, {commonjs: true}]
  i/no-webpack-loader-syntax: [2]
  i/order: [0]
  i/prefer-default-export: [0]
  i/unambiguous: [0]
  init-declarations: [0]
  line-comment-position: [0]
  logical-assignment-operators: [0]
  max-classes-per-file: [0]
  max-depth: [0]
  max-lines-per-function: [0]
  max-lines: [0]
  max-nested-callbacks: [0]
  max-params: [0]
  max-statements: [0]
  multiline-comment-style: [2, separate-lines]
  new-cap: [0]
  no-alert: [0]
  no-array-constructor: [2]
  no-async-promise-executor: [0]
  no-await-in-loop: [0]
  no-bitwise: [0]
  no-buffer-constructor: [0]
  no-caller: [2]
  no-case-declarations: [2]
  no-class-assign: [2]
  no-compare-neg-zero: [2]
  no-cond-assign: [2, except-parens]
  no-console: [1, {allow: [debug, info, warn, error]}]
  no-const-assign: [2]
  no-constant-binary-expression: [2]
  no-constant-condition: [0]
  no-constructor-return: [2]
  no-continue: [0]
  no-control-regex: [0]
  no-debugger: [1]
  no-delete-var: [2]
  no-div-regex: [0]
  no-dupe-args: [2]
  no-dupe-class-members: [2]
  no-dupe-else-if: [2]
  no-dupe-keys: [2]
  no-duplicate-case: [2]
  no-duplicate-imports: [2]
  no-else-return: [2]
  no-empty-character-class: [2]
  no-empty-function: [0]
  no-empty-pattern: [2]
  no-empty-static-block: [2]
  no-empty: [2, {allowEmptyCatch: true}]
  no-eq-null: [2]
  no-eval: [2]
  no-ex-assign: [2]
  no-extend-native: [2]
  no-extra-bind: [2]
  no-extra-boolean-cast: [2]
  no-extra-label: [0]
  no-fallthrough: [2]
  no-func-assign: [2]
  no-global-assign: [2]
  no-implicit-coercion: [2]
  no-implicit-globals: [0]
  no-implied-eval: [2]
  no-import-assign: [2]
  no-inline-comments: [0]
  no-inner-declarations: [2]
  no-invalid-regexp: [2]
  no-invalid-this: [0]
  no-irregular-whitespace: [2]
  no-iterator: [2]
  no-jquery/no-ajax-events: [2]
  no-jquery/no-ajax: [2]
  no-jquery/no-and-self: [2]
  no-jquery/no-animate-toggle: [2]
  no-jquery/no-animate: [2]
  no-jquery/no-append-html: [2]
  no-jquery/no-attr: [2]
  no-jquery/no-bind: [2]
  no-jquery/no-box-model: [2]
  no-jquery/no-browser: [2]
  no-jquery/no-camel-case: [2]
  no-jquery/no-class-state: [2]
  no-jquery/no-class: [0]
  no-jquery/no-clone: [2]
  no-jquery/no-closest: [0]
  no-jquery/no-constructor-attributes: [2]
  no-jquery/no-contains: [2]
  no-jquery/no-context-prop: [2]
  no-jquery/no-css: [2]
  no-jquery/no-data: [0]
  no-jquery/no-deferred: [2]
  no-jquery/no-delegate: [2]
  no-jquery/no-each-collection: [0]
  no-jquery/no-each-util: [0]
  no-jquery/no-each: [0]
  no-jquery/no-error-shorthand: [2]
  no-jquery/no-error: [2]
  no-jquery/no-escape-selector: [2]
  no-jquery/no-event-shorthand: [2]
  no-jquery/no-extend: [2]
  no-jquery/no-fade: [2]
  no-jquery/no-filter: [0]
  no-jquery/no-find-collection: [0]
  no-jquery/no-find-util: [2]
  no-jquery/no-find: [0]
  no-jquery/no-fx-interval: [2]
  no-jquery/no-global-eval: [2]
  no-jquery/no-global-selector: [0]
  no-jquery/no-grep: [2]
  no-jquery/no-has: [2]
  no-jquery/no-hold-ready: [2]
  no-jquery/no-html: [0]
  no-jquery/no-in-array: [2]
  no-jquery/no-is-array: [2]
  no-jquery/no-is-empty-object: [2]
  no-jquery/no-is-function: [2]
  no-jquery/no-is-numeric: [2]
  no-jquery/no-is-plain-object: [2]
  no-jquery/no-is-window: [2]
  no-jquery/no-is: [2]
  no-jquery/no-jquery-constructor: [0]
  no-jquery/no-live: [2]
  no-jquery/no-load-shorthand: [2]
  no-jquery/no-load: [2]
  no-jquery/no-map-collection: [0]
  no-jquery/no-map-util: [2]
  no-jquery/no-map: [2]
  no-jquery/no-merge: [2]
  no-jquery/no-node-name: [2]
  no-jquery/no-noop: [2]
  no-jquery/no-now: [2]
  no-jquery/no-on-ready: [2]
  no-jquery/no-other-methods: [0]
  no-jquery/no-other-utils: [2]
  no-jquery/no-param: [2]
  no-jquery/no-parent: [0]
  no-jquery/no-parents: [2]
  no-jquery/no-parse-html-literal: [2]
  no-jquery/no-parse-html: [2]
  no-jquery/no-parse-json: [2]
  no-jquery/no-parse-xml: [2]
  no-jquery/no-prop: [2]
  no-jquery/no-proxy: [2]
  no-jquery/no-ready-shorthand: [2]
  no-jquery/no-ready: [2]
  no-jquery/no-selector-prop: [2]
  no-jquery/no-serialize: [2]
  no-jquery/no-size: [2]
  no-jquery/no-sizzle: [0]
  no-jquery/no-slide: [2]
  no-jquery/no-sub: [2]
  no-jquery/no-support: [2]
  no-jquery/no-text: [0]
  no-jquery/no-trigger: [0]
  no-jquery/no-trim: [2]
  no-jquery/no-type: [2]
  no-jquery/no-unique: [2]
  no-jquery/no-unload-shorthand: [2]
  no-jquery/no-val: [0]
  no-jquery/no-visibility: [2]
  no-jquery/no-when: [2]
  no-jquery/no-wrap: [2]
  no-jquery/variable-pattern: [2]
  no-label-var: [2]
  no-labels: [0] # handled by no-restricted-syntax
  no-lone-blocks: [2]
  no-lonely-if: [0]
  no-loop-func: [0]
  no-loss-of-precision: [2]
  no-magic-numbers: [0]
  no-misleading-character-class: [2]
  no-multi-assign: [0]
  no-multi-str: [2]
  no-negated-condition: [0]
  no-nested-ternary: [0]
  no-new-func: [2]
  no-new-native-nonconstructor: [2]
  no-new-object: [2]
  no-new-symbol: [2]
  no-new-wrappers: [2]
  no-new: [0]
  no-nonoctal-decimal-escape: [2]
  no-obj-calls: [2]
  no-octal-escape: [2]
  no-octal: [2]
  no-param-reassign: [0]
  no-plusplus: [0]
  no-promise-executor-return: [0]
  no-proto: [2]
  no-prototype-builtins: [2]
  no-redeclare: [2]
  no-regex-spaces: [2]
  no-restricted-exports: [0]
  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top, __dirname, __filename]
  no-restricted-imports: [0]
  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression, {selector: "CallExpression[callee.name='fetch']", message: "use modules/fetch.js instead"}]
  no-return-assign: [0]
  no-script-url: [2]
  no-self-assign: [2, {props: true}]
  no-self-compare: [2]
  no-sequences: [2]
  no-setter-return: [2]
  no-shadow-restricted-names: [2]
  no-shadow: [0]
  no-sparse-arrays: [2]
  no-template-curly-in-string: [2]
  no-ternary: [0]
  no-this-before-super: [2]
  no-throw-literal: [2]
  no-undef-init: [2]
  no-undef: [2, {typeof: true}]
  no-undefined: [0]
  no-underscore-dangle: [0]
  no-unexpected-multiline: [2]
  no-unmodified-loop-condition: [2]
  no-unneeded-ternary: [2]
  no-unreachable-loop: [2]
  no-unreachable: [2]
  no-unsafe-finally: [2]
  no-unsafe-negation: [2]
  no-unused-expressions: [2]
  no-unused-labels: [2]
  no-unused-private-class-members: [2]
  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, caughtErrorsIgnorePattern: ^_, destructuredArrayIgnorePattern: ^_, ignoreRestSiblings: false}]
  no-use-before-define: [2, {functions: false, classes: true, variables: true, allowNamedExports: true}]
  no-use-extend-native/no-use-extend-native: [2]
  no-useless-backreference: [2]
  no-useless-call: [2]
  no-useless-catch: [2]
  no-useless-computed-key: [2]
  no-useless-concat: [2]
  no-useless-constructor: [2]
  no-useless-escape: [2]
  no-useless-rename: [2]
  no-useless-return: [2]
  no-var: [2]
  no-void: [2]
  no-warning-comments: [0]
  no-with: [0] # handled by no-restricted-syntax
  object-shorthand: [2, always]
  one-var-declaration-per-line: [0]
  one-var: [0]
  operator-assignment: [2, always]
  operator-linebreak: [2, after]
  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
  prefer-const: [2, {destructuring: all, ignoreReadBeforeAssign: true}]
  prefer-destructuring: [0]
  prefer-exponentiation-operator: [2]
  prefer-named-capture-group: [0]
  prefer-numeric-literals: [2]
  prefer-object-has-own: [2]
  prefer-object-spread: [2]
  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
  prefer-regex-literals: [2]
  prefer-rest-params: [2]
  prefer-spread: [2]
  prefer-template: [2]
  radix: [2, as-needed]
  regexp/confusing-quantifier: [2]
  regexp/control-character-escape: [2]
  regexp/hexadecimal-escape: [0]
  regexp/letter-case: [0]
  regexp/match-any: [2]
  regexp/negation: [2]
  regexp/no-contradiction-with-assertion: [0]
  regexp/no-control-character: [0]
  regexp/no-dupe-characters-character-class: [2]
  regexp/no-dupe-disjunctions: [2]
  regexp/no-empty-alternative: [2]
  regexp/no-empty-capturing-group: [2]
  regexp/no-empty-character-class: [0]
  regexp/no-empty-group: [2]
  regexp/no-empty-lookarounds-assertion: [2]
  regexp/no-empty-string-literal: [2]
  regexp/no-escape-backspace: [2]
  regexp/no-extra-lookaround-assertions: [0]
  regexp/no-invalid-regexp: [2]
  regexp/no-invisible-character: [2]
  regexp/no-lazy-ends: [2]
  regexp/no-legacy-features: [2]
  regexp/no-misleading-capturing-group: [0]
  regexp/no-misleading-unicode-character: [0]
  regexp/no-missing-g-flag: [2]
  regexp/no-non-standard-flag: [2]
  regexp/no-obscure-range: [2]
  regexp/no-octal: [2]
  regexp/no-optional-assertion: [2]
  regexp/no-potentially-useless-backreference: [2]
  regexp/no-standalone-backslash: [2]
  regexp/no-super-linear-backtracking: [0]
  regexp/no-super-linear-move: [0]
  regexp/no-trivially-nested-assertion: [2]
  regexp/no-trivially-nested-quantifier: [2]
  regexp/no-unused-capturing-group: [0]
  regexp/no-useless-assertions: [2]
  regexp/no-useless-backreference: [2]
  regexp/no-useless-character-class: [2]
  regexp/no-useless-dollar-replacements: [2]
  regexp/no-useless-escape: [2]
  regexp/no-useless-flag: [2]
  regexp/no-useless-lazy: [2]
  regexp/no-useless-non-capturing-group: [2]
  regexp/no-useless-quantifier: [2]
  regexp/no-useless-range: [2]
  regexp/no-useless-set-operand: [2]
  regexp/no-useless-string-literal: [2]
  regexp/no-useless-two-nums-quantifier: [2]
  regexp/no-zero-quantifier: [2]
  regexp/optimal-lookaround-quantifier: [2]
  regexp/optimal-quantifier-concatenation: [0]
  regexp/prefer-character-class: [0]
  regexp/prefer-d: [0]
  regexp/prefer-escape-replacement-dollar-char: [0]
  regexp/prefer-lookaround: [0]
  regexp/prefer-named-backreference: [0]
  regexp/prefer-named-capture-group: [0]
  regexp/prefer-named-replacement: [0]
  regexp/prefer-plus-quantifier: [2]
  regexp/prefer-predefined-assertion: [2]
  regexp/prefer-quantifier: [0]
  regexp/prefer-question-quantifier: [2]
  regexp/prefer-range: [2]
  regexp/prefer-regexp-exec: [2]
  regexp/prefer-regexp-test: [2]
  regexp/prefer-result-array-groups: [0]
  regexp/prefer-set-operation: [2]
  regexp/prefer-star-quantifier: [2]
  regexp/prefer-unicode-codepoint-escapes: [2]
  regexp/prefer-w: [0]
  regexp/require-unicode-regexp: [0]
  regexp/simplify-set-operations: [2]
  regexp/sort-alternatives: [0]
  regexp/sort-character-class-elements: [0]
  regexp/sort-flags: [0]
  regexp/strict: [2]
  regexp/unicode-escape: [0]
  regexp/use-ignore-case: [0]
  require-atomic-updates: [0]
  require-await: [0]
  require-unicode-regexp: [0]
  require-yield: [2]
  sonarjs/cognitive-complexity: [0]
  sonarjs/elseif-without-else: [0]
  sonarjs/max-switch-cases: [0]
  sonarjs/no-all-duplicated-branches: [2]
  sonarjs/no-collapsible-if: [0]
  sonarjs/no-collection-size-mischeck: [2]
  sonarjs/no-duplicate-string: [0]
  sonarjs/no-duplicated-branches: [0]
  sonarjs/no-element-overwrite: [2]
  sonarjs/no-empty-collection: [2]
  sonarjs/no-extra-arguments: [2]
  sonarjs/no-gratuitous-expressions: [2]
  sonarjs/no-identical-conditions: [2]
  sonarjs/no-identical-expressions: [2]
  sonarjs/no-identical-functions: [2, 5]
  sonarjs/no-ignored-return: [2]
  sonarjs/no-inverted-boolean-check: [2]
  sonarjs/no-nested-switch: [0]
  sonarjs/no-nested-template-literals: [0]
  sonarjs/no-one-iteration-loop: [2]
  sonarjs/no-redundant-boolean: [2]
  sonarjs/no-redundant-jump: [2]
  sonarjs/no-same-line-conditional: [2]
  sonarjs/no-small-switch: [0]
  sonarjs/no-unused-collection: [2]
  sonarjs/no-use-of-empty-return-value: [2]
  sonarjs/no-useless-catch: [2]
  sonarjs/non-existent-operator: [2]
  sonarjs/prefer-immediate-return: [0]
  sonarjs/prefer-object-literal: [0]
  sonarjs/prefer-single-boolean-return: [0]
  sonarjs/prefer-while: [2]
  sort-imports: [0]
  sort-keys: [0]
  sort-vars: [0]
  strict: [0]
  symbol-description: [2]
  unicode-bom: [2, never]
  unicorn/better-regex: [0]
  unicorn/catch-error-name: [0]
  unicorn/consistent-destructuring: [2]
  unicorn/consistent-empty-array-spread: [2]
  unicorn/consistent-function-scoping: [2]
  unicorn/custom-error-definition: [0]
  unicorn/empty-brace-spaces: [2]
  unicorn/error-message: [0]
  unicorn/escape-case: [0]
  unicorn/expiring-todo-comments: [0]
  unicorn/explicit-length-check: [0]
  unicorn/filename-case: [0]
  unicorn/import-index: [0]
  unicorn/import-style: [0]
  unicorn/new-for-builtins: [2]
  unicorn/no-abusive-eslint-disable: [0]
  unicorn/no-anonymous-default-export: [0]
  unicorn/no-array-callback-reference: [0]
  unicorn/no-array-for-each: [2]
  unicorn/no-array-method-this-argument: [2]
  unicorn/no-array-push-push: [2]
  unicorn/no-array-reduce: [2]
  unicorn/no-await-expression-member: [0]
  unicorn/no-await-in-promise-methods: [2]
  unicorn/no-console-spaces: [0]
  unicorn/no-document-cookie: [2]
  unicorn/no-empty-file: [2]
  unicorn/no-for-loop: [0]
  unicorn/no-hex-escape: [0]
  unicorn/no-instanceof-array: [0]
  unicorn/no-invalid-fetch-options: [2]
  unicorn/no-invalid-remove-event-listener: [2]
  unicorn/no-keyword-prefix: [0]
  unicorn/no-length-as-slice-end: [2]
  unicorn/no-lonely-if: [2]
  unicorn/no-magic-array-flat-depth: [0]
  unicorn/no-negated-condition: [0]
  unicorn/no-negation-in-equality-check: [2]
  unicorn/no-nested-ternary: [0]
  unicorn/no-new-array: [0]
  unicorn/no-new-buffer: [0]
  unicorn/no-null: [0]
  unicorn/no-object-as-default-parameter: [0]
  unicorn/no-process-exit: [0]
  unicorn/no-single-promise-in-promise-methods: [2]
  unicorn/no-static-only-class: [2]
  unicorn/no-thenable: [2]
  unicorn/no-this-assignment: [2]
  unicorn/no-typeof-undefined: [2]
  unicorn/no-unnecessary-await: [2]
  unicorn/no-unnecessary-polyfills: [2]
  unicorn/no-unreadable-array-destructuring: [0]
  unicorn/no-unreadable-iife: [2]
  unicorn/no-unused-properties: [2]
  unicorn/no-useless-fallback-in-spread: [2]
  unicorn/no-useless-length-check: [2]
  unicorn/no-useless-promise-resolve-reject: [2]
  unicorn/no-useless-spread: [2]
  unicorn/no-useless-switch-case: [2]
  unicorn/no-useless-undefined: [0]
  unicorn/no-zero-fractions: [2]
  unicorn/number-literal-case: [0]
  unicorn/numeric-separators-style: [0]
  unicorn/prefer-add-event-listener: [2]
  unicorn/prefer-array-find: [2]
  unicorn/prefer-array-flat-map: [2]
  unicorn/prefer-array-flat: [2]
  unicorn/prefer-array-index-of: [2]
  unicorn/prefer-array-some: [2]
  unicorn/prefer-at: [0]
  unicorn/prefer-blob-reading-methods: [2]
  unicorn/prefer-code-point: [0]
  unicorn/prefer-date-now: [2]
  unicorn/prefer-default-parameters: [0]
  unicorn/prefer-dom-node-append: [2]
  unicorn/prefer-dom-node-dataset: [0]
  unicorn/prefer-dom-node-remove: [2]
  unicorn/prefer-dom-node-text-content: [2]
  unicorn/prefer-event-target: [2]
  unicorn/prefer-export-from: [0]
  unicorn/prefer-includes: [2]
  unicorn/prefer-json-parse-buffer: [0]
  unicorn/prefer-keyboard-event-key: [2]
  unicorn/prefer-logical-operator-over-ternary: [2]
  unicorn/prefer-math-trunc: [2]
  unicorn/prefer-modern-dom-apis: [0]
  unicorn/prefer-modern-math-apis: [2]
  unicorn/prefer-module: [2]
  unicorn/prefer-native-coercion-functions: [2]
  unicorn/prefer-negative-index: [2]
  unicorn/prefer-node-protocol: [2]
  unicorn/prefer-number-properties: [0]
  unicorn/prefer-object-from-entries: [2]
  unicorn/prefer-object-has-own: [0]
  unicorn/prefer-optional-catch-binding: [2]
  unicorn/prefer-prototype-methods: [0]
  unicorn/prefer-query-selector: [0]
  unicorn/prefer-reflect-apply: [0]
  unicorn/prefer-regexp-test: [2]
  unicorn/prefer-set-has: [0]
  unicorn/prefer-set-size: [2]
  unicorn/prefer-spread: [0]
  unicorn/prefer-string-raw: [0]
  unicorn/prefer-string-replace-all: [0]
  unicorn/prefer-string-slice: [0]
  unicorn/prefer-string-starts-ends-with: [2]
  unicorn/prefer-string-trim-start-end: [2]
  unicorn/prefer-structured-clone: [2]
  unicorn/prefer-switch: [0]
  unicorn/prefer-ternary: [0]
  unicorn/prefer-text-content: [2]
  unicorn/prefer-top-level-await: [0]
  unicorn/prefer-type-error: [0]
  unicorn/prevent-abbreviations: [0]
  unicorn/relative-url-style: [2]
  unicorn/require-array-join-separator: [2]
  unicorn/require-number-to-fixed-digits-argument: [2]
  unicorn/require-post-message-target-origin: [0]
  unicorn/string-content: [0]
  unicorn/switch-case-braces: [0]
  unicorn/template-indent: [2]
  unicorn/text-encoding-identifier-case: [0]
  unicorn/throw-new-error: [2]
  use-isnan: [2]
  valid-typeof: [2, {requireStringLiterals: true}]
  vars-on-top: [0]
  wc/attach-shadow-constructor: [2]
  wc/define-tag-after-class-definition: [0]
  wc/expose-class-on-global: [0]
  wc/file-name-matches-element: [2]
  wc/guard-define-call: [0]
  wc/guard-super-call: [2]
  wc/max-elements-per-file: [0]
  wc/no-child-traversal-in-attributechangedcallback: [2]
  wc/no-child-traversal-in-connectedcallback: [2]
  wc/no-closed-shadow-root: [2]
  wc/no-constructor-attributes: [2]
  wc/no-constructor-params: [2]
  wc/no-constructor: [2]
  wc/no-customized-built-in-elements: [2]
  wc/no-exports-with-element: [0]
  wc/no-invalid-element-name: [2]
  wc/no-invalid-extends: [2]
  wc/no-method-prefixed-with-on: [2]
  wc/no-self-class: [2]
  wc/no-typos: [2]
  wc/require-listener-teardown: [2]
  wc/tag-name-matches-class: [2]
  yoda: [2, never]
--- a/.forgejo/issue_template/config.yml
+++ b/.forgejo/issue_template/config.yml
@ -1,7 +1,7 @@
 contact_links:
  - name: 🔓 Security Reports
    url: mailto:security@forgejo.org
-    about: "Please email <security@forgejo.org> (GPG: `A4676E79`) instead of opening a public issue."
+    about: "Please email <security@forgejo.org> (See https://forgejo.org/.well-known/security.txt)."
  - name: 💬 Matrix Chat Room
    url: https://matrix.to/#/#forgejo-chat:matrix.org
    about: Please ask questions and discuss configuration or deployment problems here.
--- a/.forgejo/testdata/build-release/Dockerfile
+++ b/.forgejo/testdata/build-release/Dockerfile
@ -1,6 +1,6 @@
-FROM code.forgejo.org/oci/alpine:3.20
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION=unkown
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.version="${RELEASE_VERSION}"
 RUN mkdir -p /app/gitea
-RUN ( echo '#!/bin/sh' ; echo "echo forgejo v$RELEASE_VERSION" ) > /app/gitea/forgejo-cli ; chmod +x /app/gitea/forgejo-cli
+RUN ( echo '#!/bin/sh' ; echo "echo forgejo v$RELEASE_VERSION" ) > /app/gitea/gitea ; chmod +x /app/gitea/gitea
--- a/.forgejo/testdata/build-release/go.mod
+++ b/.forgejo/testdata/build-release/go.mod
@ -1,3 +1,3 @@
 module code.gitea.io/gitea
-go 1.23.1
+go 1.23.3
--- a/.forgejo/workflows-composite/apt-install-from/action.yaml
+++ b/.forgejo/workflows-composite/apt-install-from/action.yaml
@ -0,0 +1,29 @@
 inputs:
  packages:
    description: 'Packages to install'
    required: true
  release:
    description: 'Release to install from'
    default: testing
 runs:
  using: "composite"
  steps:
    - name: setup apt package source
      run: |
        export DEBIAN_FRONTEND=noninteractive
        echo "deb http://deb.debian.org/debian/ ${RELEASE} main" > "/etc/apt/sources.list.d/${RELEASE}.list"
      env:
        RELEASE: ${{inputs.release}}
    - name: install packages
      run: |
        apt-get update -qq
        apt-get -q install -qq -y ${PACKAGES}
      env:
        PACKAGES: ${{inputs.packages}}
    - name: remove temporary package list to prevent using it in other steps
      run: |
        rm "/etc/apt/sources.list.d/${RELEASE}.list"
        apt-get update -qq
      env:
        RELEASE: ${{inputs.release}}
--- a/.forgejo/workflows-composite/build-backend/action.yaml
+++ b/.forgejo/workflows-composite/build-backend/action.yaml
@ -0,0 +1,15 @@
 runs:
  using: "composite"
  steps:
    - run: |
        su forgejo -c 'make deps-backend'
    - uses: https://data.forgejo.org/actions/cache@v4
      id: cache-backend
      with:
        path: ${{github.workspace}}/gitea
        key: backend-build-${{ github.sha }}
    - if: steps.cache-backend.outputs.cache-hit != 'true'
      run: |
        su forgejo -c 'make backend'
      env:
        TAGS: bindata
--- a/.forgejo/workflows-composite/setup-cache-go/action.yaml
+++ b/.forgejo/workflows-composite/setup-cache-go/action.yaml
@ -0,0 +1,61 @@
 # SPDX-License-Identifier: MIT
 name: 'Forgejo Actions to setup Go and cache dependencies'
 author: 'Forgejo authors'
 description: |
  Wrap the setup-go with improved dependency caching.
 inputs:
  username:
    description: 'User for which to manage the dependency cache'
    default: root
 runs:
  using: "composite"
  steps:
    - name: "Install zstd for faster caching"
      run: |
        apt-get update -qq
        apt-get -q install -qq -y zstd
    - name: "Set up Go using setup-go"
      uses: https://data.forgejo.org/actions/setup-go@v5
      id: go-version
      with:
        go-version-file: "go.mod"
        # do not cache dependencies, we do this manually
        cache: false
    - name: "Get go environment information"
      id: go-environment
      run: |
        chmod 755 $HOME # ensure ${RUN_AS_USER} has permission when go is located in $HOME
        export GOROOT="$(go env GOROOT)"
        echo "modcache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOMODCACHE')" >> "$GITHUB_OUTPUT"
        echo "cache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOCACHE')" >> "$GITHUB_OUTPUT"
      env:
        RUN_AS_USER: ${{ inputs.username }}
        GO_VERSION: ${{ steps.go-version.outputs.go-version }}
    - name: "Create cache folders with correct permissions (for non-root users)"
      if: inputs.username != 'root'
      # when the cache is restored, only the permissions of the last part are restored
      # so assuming that /home/user exists and we are restoring /home/user/go/pkg/mod,
      # both folders will have the correct permissions, but
      # /home/user/go and /home/user/go/pkg might be owned by root
      run: |
        su ${RUN_AS_USER} -c 'mkdir -p "${MODCACHE_DIR}" "${CACHE_DIR}"'
      env:
        RUN_AS_USER: ${{ inputs.username }}
        MODCACHE_DIR: ${{ steps.go-environment.outputs.modcache }}
        CACHE_DIR: ${{ steps.go-environment.outputs.cache }}
    - name: "Restore Go dependencies from cache or mark for later caching"
      id: cache-deps
      uses: https://data.forgejo.org/actions/cache@v4
      with:
        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
        restore-keys: |
          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
        path: |
          ${{ steps.go-environment.outputs.modcache }}
          ${{ steps.go-environment.outputs.cache }}
--- a/.forgejo/workflows-composite/setup-env/action.yaml
+++ b/.forgejo/workflows-composite/setup-env/action.yaml
@ -0,0 +1,25 @@
 # TODO:
 # - [ ] prepare a forgejo ci image with the necessary tools and forgejo user
 runs:
  using: "composite"
  steps:
    - name: setup user and permissions
      run: |
        git config --add safe.directory '*'
        # ignore if the user already exists (like with the playwright image)
        adduser --quiet --comment forgejo --disabled-password forgejo || true
        chown -R forgejo:forgejo .
    - uses: ./.forgejo/workflows-composite/setup-cache-go
      with:
        username: forgejo
    - name: validate go version
      run: |
        set -ex
        toolchain=$(grep -oP '(?<=toolchain ).+' go.mod)
        version=$(go version | cut -d' ' -f3)
        if dpkg --compare-versions ${version#go} lt ${toolchain#go}; then
          echo "go version too low: $toolchain >= $version"
          exit 1
        fi
--- a/.forgejo/workflows/backport.yml
+++ b/.forgejo/workflows/backport.yml
@ -22,6 +22,8 @@
 #    `backport/v1.21` label on a merged pull request that can be backported
 #    without conflict.
 #
 name: issue-labels
 on:
  pull_request_target:
    types:
@ -31,21 +33,21 @@ on:
 jobs:
  backporting:
    if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      ( vars.ROLE == 'forgejo-coding' ) && (
        github.event.pull_request.merged
        &&
        contains(toJSON(github.event.pull_request.labels), 'backport/v')
      )
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://code.forgejo.org/actions/git-backporting@v4.8.0
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.4
        with:
          target-branch-pattern: "^backport/(?<target>(v.*))$"
          strategy: ort
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -22,13 +22,13 @@ on:
 jobs:
  release-simulation:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding'
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
    steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
      - id: forgejo
-        uses: https://code.forgejo.org/actions/setup-forgejo@v1
+        uses: https://data.forgejo.org/actions/setup-forgejo@v2.0.4
        with:
          user: root
          password: admin1234
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -14,6 +14,12 @@
 #  secrets.CASCADE_DESTINATION_TOKEN: <generated from code.forgejo.org/forgejo-ci> scope read:user, write:repository, write:issue
 #  vars.CASCADE_DESTINATION_DOER: forgejo-ci
 #
 #  vars.SKIP_END_TO_END: `true` or `false`
 #    It must be `false` (or absent) so https://code.forgejo.org/forgejo/end-to-end is run
 #    with the newly built release.
 #    It must be set to `true` when a release is missing, for instance because it was
 #    removed and failed to upload.
 #
 on:
  push:
    tags: 'v[0-9]+.[0-9]+.*'
@ -23,11 +29,11 @@ on:
 jobs:
  release:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
    # root is used for testing, allow it
    if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
        with:
          fetch-depth: 0
@ -37,11 +43,11 @@ jobs:
          repository="${{ github.repository }}"
          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
-      - uses: https://code.forgejo.org/actions/setup-node@v3
+      - uses: https://data.forgejo.org/actions/setup-node@v4
        with:
          node-version: 20
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"
@ -87,7 +93,7 @@ jobs:
      - name: cache node_modules
        id: node
-        uses: https://code.forgejo.org/actions/cache@v3
+        uses: https://data.forgejo.org/actions/cache@v4
        with:
          path: |
            node_modules
@ -158,7 +164,7 @@ jobs:
      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -170,14 +176,14 @@ jobs:
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          release-notes: "${{ steps.release-notes.outputs.value }}"
          binary-name: forgejo
-          binary-path: /app/gitea/forgejo-cli
+          binary-path: /app/gitea/gitea
          override: "${{ steps.release-info.outputs.override }}"
          verify-labels: "maintainer=contact@forgejo.org,org.opencontainers.image.version=${{ steps.release-info.outputs.version }}"
          verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}
      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@ -194,8 +200,8 @@ jobs:
          verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}
      - name: end-to-end tests
-        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' }}
+        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://code.forgejo.org/actions/cascading-pr@v2
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
--- a/.forgejo/workflows/cascade-setup-end-to-end.yml
+++ b/.forgejo/workflows/cascade-setup-end-to-end.yml
@ -12,8 +12,10 @@
 #    whatever is in the default branch instead
 #
 #  - after it is merged, double check it works by setting the
-#    run-end-to-end-test on a pull request (any pull request will doe
+#    run-end-to-end-test on a pull request (any pull request will do)
 #
 name: issue-labels
 on:
  push:
    branches:
@ -23,42 +25,23 @@ on:
      - labeled
 jobs:
  info:
    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
    runs-on: docker
    container:
      image: code.forgejo.org/oci/node:20-bookworm
    steps:
      - name: event
        run: |
          echo github.event.pull_request.head.repo.fork = ${{ github.event.pull_request.head.repo.fork }}
          echo github.event.action = ${{ github.event.action }}
          echo github.event.pull_request.merged = ${{ github.event.pull_request.merged }}
          echo github.event.pull_request.labels.*.name
          cat <<'EOF'
          ${{ toJSON(github.event.pull_request.labels.*.name) }}
          EOF
          cat <<'EOF'
          ${{ toJSON(github.event) }}
          EOF
  cascade:
    if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      vars.ROLE == 'forgejo-coding' && (
        github.event_name == 'push' ||
        (
-          github.event.action == 'label_updated' && contains(github.event.pull_request.labels.*.name, 'run-end-to-end-tests')
+          github.event.action == 'label_updated' && github.event.label.name == 'run-end-to-end-tests'
        )
      )
    runs-on: docker
    container:
-      image: code.forgejo.org/oci/node:20-bookworm
+      image: data.forgejo.org/oci/node:20-bookworm
    steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4
        with:
          fetch-depth: '0'
          show-progress: 'false'
-      - uses: actions/cascading-pr@v2
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
--- a/.forgejo/workflows/e2e.yml
+++ b/.forgejo/workflows/e2e.yml
@ -1,37 +0,0 @@
 name: e2e
 on:
  pull_request:
    paths:
      - Makefile
      - playwright.config.js
      - .forgejo/workflows/e2e.yml
      - tests/e2e/**
      - web_src/js/**
      - web_src/css/form.css
      - templates/webhook/shared-settings.tmpl
      - templates/org/team/new.tmpl
 jobs:
  test-e2e:
    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
    runs-on: docker
    container:
      image: 'code.forgejo.org/oci/playwright:latest'
    steps:
      - uses: https://code.forgejo.org/actions/checkout@v4
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
          go-version-file: "go.mod"
      - run: |
          git config --add safe.directory '*'
          chown -R forgejo:forgejo .
      - run: |
          su forgejo -c 'make deps-frontend frontend deps-backend'
      - run: |
          su forgejo -c 'make backend'
      - run: |
          su forgejo -c 'make generate test-e2e-sqlite'
        timeout-minutes: 40
        env:
          USE_REPO_TEST_DIR: 1
--- a/.forgejo/workflows/forgejo-integration-cleanup.yml
+++ b/.forgejo/workflows/forgejo-integration-cleanup.yml
@ -9,7 +9,7 @@ jobs:
    if: vars.ROLE == 'forgejo-integration'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: apt install curl jq
--- a/.forgejo/workflows/merge-requirements.yml
+++ b/.forgejo/workflows/merge-requirements.yml
@ -0,0 +1,45 @@
 # Copyright 2024 The Forgejo Authors
 # SPDX-License-Identifier: MIT
 name: requirements
 on:
  pull_request:
    types:
      - labeled
      - edited
      - opened
      - synchronize
 jobs:
  merge-conditions:
    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: Debug output
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
      - name: Missing test label
        if: >
          !(
            contains(toJSON(github.event.pull_request.labels), 'test/present')
            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
          )
        run: |
          echo "Test label must be set to either 'present', 'not-needed' or 'manual'."
          exit 1
      - name: Missing manual test instructions
        if: >
          (
            contains(toJSON(github.event.pull_request.labels), 'test/manual')
            && !contains(toJSON(github.event.pull_request.body), '# Test')
          )
        run: |
          echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"
          echo "# Testing"
          exit 1
--- a/.forgejo/workflows/milestone.yml
+++ b/.forgejo/workflows/milestone.yml
@ -0,0 +1,24 @@
 # Copyright 2024 The Forgejo Authors
 # SPDX-License-Identifier: MIT
 #
 name: milestone
 on:
  pull_request_target:
    types:
      - closed
 jobs:
  set:
    if: vars.ROLE == 'forgejo-coding' && github.event.pull_request.merged
    runs-on: docker
    container:
      image: 'data.forgejo.org/oci/ci:1'
    steps:
      - uses: https://data.forgejo.org/forgejo/set-milestone@v1.0.0
        with:
          forgejo: https://codeberg.org
          repository: forgejo/forgejo
          token: ${{ secrets.SET_MILESTONE_TOKEN }}
          pr-number: ${{ github.event.pull_request.number }}
          verbose: ${{ vars.SET_MILESTONE_VERBOSE }}
--- a/.forgejo/workflows/mirror.yml
+++ b/.forgejo/workflows/mirror.yml
@ -11,7 +11,7 @@ jobs:
    if: ${{ secrets.MIRROR_TOKEN != '' }}
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
      - name: git push {v*/,}forgejo
        run: |
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -36,20 +36,20 @@ on:
 jobs:
  publish:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
    if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != ''
    steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
      - name: copy & sign
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v5
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.3.4
        with:
          from-forgejo: ${{ vars.FORGEJO }}
          to-forgejo: ${{ vars.FORGEJO }}
          from-owner: ${{ vars.FROM_OWNER }}
          to-owner: ${{ vars.TO_OWNER }}
          repo: ${{ vars.REPO }}
-          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#{ANCHOR}"
+          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/{VERSION}.md"
          ref-name: ${{ github.ref_name }}
          sha: ${{ github.sha }}
          from-token: ${{ secrets.TOKEN }}
@ -59,30 +59,28 @@ jobs:
          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
          verbose: ${{ vars.VERBOSE }}
-      - name: upgrade v*.next.forgejo.org
+      - name: get trigger mirror issue
-        run: |
+        id: mirror
-          export DEBIAN_FRONTEND=noninteractive
+        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.3.0
-          apt-get update -qq
+        with:
-          apt-get -q install -y -qq curl
+          forgejo: https://code.forgejo.org
-          version="${{ github.ref_name }}"
+          repository: forgejo/forgejo
-          version=${version##*v}
+          labels: mirror-trigger
          major=$(echo $version | sed -E -e 's/^([0-9]+).*/\1/')
          # https://forgejo.org/docs/next/developer/infrastructure
          curl -o /dev/null -sS https://v$major.next.forgejo.org/.well-known/wakeup-on-logs/forgejo-v$major
-      - name: set up go for the DNS update below
+      - name: trigger the mirror
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
+        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.3.0
        uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          forgejo: https://code.forgejo.org
-      - name: update the _release.experimental DNS record
+          repository: forgejo/forgejo
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
+          token: ${{ secrets.LABEL_ISSUE_FORGEJO_MIRROR_TOKEN }}
-        uses: https://code.forgejo.org/actions/ovh-dns-update@v1
+          numbers: ${{ steps.mirror.outputs.numbers }}
          label-wait-if-exists: 3600
          label: trigger
      - name: upgrade v*.next.forgejo.org
        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
        with:
-          subdomain: _release.experimental
+          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@code.forgejo.org/infrastructure/next-digest
-          domain: forgejo.com # there is a CNAME from .org to .com (for security reasons)
+          ref_name: '${{ github.ref_name }}'
-          record-id: 5283602601
+          image: 'codeberg.org/forgejo-experimental/forgejo'
-          value: v=${{ github.ref_name }}
+          tag_suffix: '-rootless'
          ovh-app-key: ${{ secrets.OVH_APP_KEY }}
          ovh-app-secret: ${{ secrets.OVH_APP_SECRET }}
          ovh-consumer-key: ${{ secrets.OVH_CON_KEY }}
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@ -6,14 +6,14 @@ on:
 jobs:
  release-notes:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-')
+    if: vars.ROLE == 'forgejo-coding'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@ -1,3 +1,5 @@
 name: issue-labels
 on:
  pull_request_target:
    types:
@ -7,12 +9,12 @@ on:
 jobs:
  release-notes:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') && contains(github.event.pull_request.labels.*.name, 'worth a release-note') }}
+    if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
      - name: event
        run: |
@ -23,7 +25,7 @@ jobs:
          ${{ toJSON(github.event) }}
          EOF
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -8,7 +8,9 @@ name: renovate
 on:
  push:
    branches:
-      - 'renovate/**' # self-test updates
+      - renovate/** # self-test updates
    paths:
      - .forgejo/workflows/renovate.yml
  schedule:
    - cron: '0 0/2 * * *'
  workflow_dispatch:
@ -16,18 +18,21 @@ on:
 env:
  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
  RENOVATE_REPOSITORIES: ${{ github.repository }}
  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
  # and codeberg api returns such versions from `git describe --tags`
  RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0
 jobs:
  renovate:
-    if: ${{ secrets.RENOVATE_TOKEN != '' }}
+    if: vars.ROLE == 'forgejo-coding' && secrets.RENOVATE_TOKEN != ''
    runs-on: docker
    container:
-      image: code.forgejo.org/forgejo-contrib/renovate:38.93.2
+      image: data.forgejo.org/renovate/renovate:39.185.0
    steps:
      - name: Load renovate repo cache
-        uses: https://code.forgejo.org/actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: https://data.forgejo.org/actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        with:
          path: |
            .tmp/cache/renovate/repository
@ -60,7 +65,7 @@ jobs:
      - name: Save renovate repo cache
        if: always() && env.RENOVATE_DRY_RUN != 'full'
-        uses: https://code.forgejo.org/actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        with:
          path: |
            .tmp/cache/renovate/repository
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -6,319 +6,270 @@ on:
    branches:
      - 'forgejo*'
      - 'v*/forgejo*'
  workflow_dispatch:
 jobs:
  backend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    steps:
      - name: event info
        run: |
          cat <<'EOF'
          ${{ toJSON(github) }}
          EOF
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
-        with:
+      - run: su forgejo -c 'make deps-backend deps-tools'
-          go-version-file: "go.mod"
+      - run: su forgejo -c 'make --always-make -j$(nproc) lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate' # ensure the "go-licenses" make target runs
-      - run: make deps-backend deps-tools
+      - uses: ./.forgejo/workflows-composite/build-backend
      - run: make --always-make -j$(nproc) lint-backend tidy-check swagger-check fmt-check swagger-validate # ensure the "go-licenses" make target runs
      - run: |
          make backend
        env:
          TAGS: bindata
      - uses: actions/cache@v4
        with:
          path: '/workspace/forgejo/forgejo/gitea'
          key: backend-build-${{ github.sha }}
  frontend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
      - run: make test-frontend-coverage
      - run: make frontend
      - name: Install zstd for cache saving
        # works around https://github.com/actions/cache/issues/1169, because the
        # consuming job has zstd and doesn't restore the cache otherwise
        run: |
          apt-get update -qq
          apt-get -q install -qq -y zstd
      - name: "Cache frontend build for playwright testing"
        uses: https://data.forgejo.org/actions/cache/save@v4
        with:
          path: ${{github.workspace}}/public/assets
          key: frontend-build-${{ github.sha }}
  test-unit:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    services:
      elasticsearch:
-        image: docker.io/bitnami/elasticsearch:7
+        image: data.forgejo.org/oci/bitnami/elasticsearch:7
        options: --tmpfs /bitnami/elasticsearch/data
        env:
          discovery.type: single-node
          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
      minio:
-        image: docker.io/bitnami/minio:2024.8.17
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        options: >-
-          --hostname gitea.minio
+          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
        env:
          MINIO_DOMAIN: minio
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
        with:
          go-version-file: "go.mod"
      - run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
          chown -R forgejo:forgejo .
      - name: install git >= 2.42
-        run: |
+        uses: ./.forgejo/workflows-composite/apt-install-from
-          export DEBIAN_FRONTEND=noninteractive
+        with:
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
+          packages: git
          apt-get update -qq
          apt-get -q install -qq -y git
          rm /etc/apt/sources.list.d/testing.list
          apt-get update -qq
      - name: test release-notes-assistant.sh
        run: |
          apt-get -q install -qq -y jq
          ./release-notes-assistant.sh test_main
-      - run: |
+      - uses: ./.forgejo/workflows-composite/build-backend
          su forgejo -c 'make deps-backend'
      - uses: actions/cache/restore@v4
        id: cache-backend
        with:
          path: '/workspace/forgejo/forgejo/gitea'
          key: backend-build-${{ github.sha }}
      - if: steps.cache-backend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make backend'
        env:
          TAGS: bindata
      - run: |
          su forgejo -c 'make test-backend test-check'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: 'true'
          TAGS: bindata
          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
-  test-remote-cacher:
+  test-e2e:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/playwright:latest'
      options: --tmpfs /tmp:exec,noatime
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v4
        with:
          fetch-depth: 20
      - uses: ./.forgejo/workflows-composite/setup-env
      - name: "Restore frontend build"
        uses: https://data.forgejo.org/actions/cache/restore@v4
        id: cache-frontend
        with:
          path: ${{github.workspace}}/public/assets
          key: frontend-build-${{ github.sha }}
      - name: "Build frontend (if not cached)"
        if: steps.cache-frontend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make deps-frontend frontend'
      - uses: ./.forgejo/workflows-composite/build-backend
      - name: Get changed files
        id: changed-files
        uses: https://data.forgejo.org/tj-actions/changed-files@v45
        with:
          separator: '\n'
      - run: |
          su forgejo -c 'make generate test-e2e-sqlite'
        timeout-minutes: 120
        env:
          USE_REPO_TEST_DIR: 1
          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
          CHANGED_FILES: ${{steps.changed-files.outputs.all_changed_files}}
      - name: Upload test artifacts on failure
        if: failure()
        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
        with:
          name: test-artifacts.zip
          path: tests/e2e/test-artifacts/
          retention-days: 3
  test-remote-cacher:
    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks, test-unit]
    container:
      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    name: ${{ format('test-remote-cacher ({0})', matrix.cacher.name) }}
    strategy:
      matrix:
        cacher:
-          # redis
+          - name: redis
-          - image: docker.io/bitnami/redis:7.2
+            image: data.forgejo.org/oci/bitnami/redis:7.2
-            port: 6379
+            options: --tmpfs /bitnami/redis/data:noatime
-          # redict
+          - name: redict
-          - image: registry.redict.io/redict:7.3.0-scratch
+            image: registry.redict.io/redict:7.3.0-scratch
-            port: 6379
+            options: --tmpfs /data:noatime
-          # valkey
+          - name: valkey
-          - image: docker.io/bitnami/valkey:7.2
+            image: data.forgejo.org/oci/bitnami/valkey:7.2
-            port: 6379
+            options: --tmpfs /bitnami/redis/data:noatime
-          # garnet
+          - name: garnet
-          - image: ghcr.io/microsoft/garnet-alpine:1.0.14
+            image: ghcr.io/microsoft/garnet-alpine:1.0.14
-            port: 6379
+            options: --tmpfs /data:noatime
    services:
      cacher:
        image: ${{ matrix.cacher.image }}
        options: ${{ matrix.cacher.options }}
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
        with:
          go-version-file: "go.mod"
      - run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
          chown -R forgejo:forgejo .
      - name: install git >= 2.42
-        run: |
+        uses: ./.forgejo/workflows-composite/apt-install-from
          export DEBIAN_FRONTEND=noninteractive
          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
          apt-get update -qq
          apt-get -q install -qq -y git
          rm /etc/apt/sources.list.d/testing.list
          apt-get update -qq
      - run: |
          su forgejo -c 'make deps-backend'
      - uses: actions/cache/restore@v4
        id: cache-backend
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
+          packages: git
-          key: backend-build-${{ github.sha }}
+      - uses: ./.forgejo/workflows-composite/build-backend
      - if: steps.cache-backend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make backend'
        env:
          TAGS: bindata
      - run: |
          su forgejo -c 'make test-remote-cacher test-check'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: 'true'
          TAGS: bindata
          TEST_REDIS_SERVER: cacher:${{ matrix.cacher.port }}
  test-mysql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    services:
      mysql:
-        image: 'docker.io/bitnami/mysql:8.4'
+        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
        env:
          ALLOW_EMPTY_PASSWORD: yes
          MYSQL_DATABASE: testgitea
          #
          # See also https://codeberg.org/forgejo/forgejo/issues/976
          #
-          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000
+          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
        options: --tmpfs /bitnami/mysql/data:noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
        with:
          go-version-file: "go.mod"
      - name: install dependencies & git >= 2.42
-        run: |
+        uses: ./.forgejo/workflows-composite/apt-install-from
          export DEBIAN_FRONTEND=noninteractive
          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
          apt-get update -qq
          apt-get install --no-install-recommends -qq -y git git-lfs
          rm /etc/apt/sources.list.d/testing.list
          apt-get update -qq
      - name: setup user and permissions
        run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
          chown -R forgejo:forgejo .
      - run: |
          su forgejo -c 'make deps-backend'
      - uses: actions/cache/restore@v4
        id: cache-backend
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
+          packages: git git-lfs
-          key: backend-build-${{ github.sha }}
+      - uses: ./.forgejo/workflows-composite/build-backend
      - if: steps.cache-backend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make backend'
        env:
          TAGS: bindata
      - run: |
          su forgejo -c 'make test-mysql-migration test-mysql'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          USE_REPO_TEST_DIR: 1
  test-pgsql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    services:
      minio:
-        image: docker.io/bitnami/minio:2024.8.17
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
        env:
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
        options: --tmpfs /bitnami/minio/data
      ldap:
-        image: docker.io/gitea/test-openldap:latest
+        image: data.forgejo.org/oci/test-openldap:latest
      pgsql:
-        image: 'code.forgejo.org/oci/postgres:15'
+        image: data.forgejo.org/oci/bitnami/postgresql:15
        env:
-          POSTGRES_DB: test
+          POSTGRESQL_DATABASE: test
-          POSTGRES_PASSWORD: postgres
+          POSTGRESQL_PASSWORD: postgres
          POSTGRESQL_FSYNC: off
          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
        options: --tmpfs /bitnami/postgresql
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
        with:
          go-version-file: "go.mod"
      - name: install dependencies & git >= 2.42
-        run: |
+        uses: ./.forgejo/workflows-composite/apt-install-from
          export DEBIAN_FRONTEND=noninteractive
          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
          apt-get update -qq
          apt-get install --no-install-recommends -qq -y git git-lfs
          rm /etc/apt/sources.list.d/testing.list
          apt-get update -qq
      - name: setup user and permissions
        run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
          chown -R forgejo:forgejo .
      - run: |
          su forgejo -c 'make deps-backend'
      - uses: actions/cache/restore@v4
        id: cache-backend
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
+          packages: git git-lfs
-          key: backend-build-${{ github.sha }}
+      - uses: ./.forgejo/workflows-composite/build-backend
      - if: steps.cache-backend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make backend'
        env:
          TAGS: bindata
      - run: |
          su forgejo -c 'make test-pgsql-migration test-pgsql'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          RACE_ENABLED: true
          USE_REPO_TEST_DIR: 1
          TEST_LDAP: 1
  test-sqlite:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs: [backend-checks, frontend-checks]
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
        with:
          go-version-file: "go.mod"
      - name: install dependencies & git >= 2.42
-        run: |
+        uses: ./.forgejo/workflows-composite/apt-install-from
          export DEBIAN_FRONTEND=noninteractive
          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
          apt-get update -qq
          apt-get install --no-install-recommends -qq -y git git-lfs
          rm /etc/apt/sources.list.d/testing.list
          apt-get update -qq
      - name: setup user and permissions
        run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
          chown -R forgejo:forgejo .
      - run: |
          su forgejo -c 'make deps-backend'
      - uses: actions/cache/restore@v4
        id: cache-backend
        with:
-          path: '/workspace/forgejo/forgejo/gitea'
+          packages: git git-lfs
-          key: backend-build-${{ github.sha }}
+      - uses: ./.forgejo/workflows-composite/build-backend
      - if: steps.cache-backend.outputs.cache-hit != 'true'
        run: |
          su forgejo -c 'make backend'
        env:
          TAGS: bindata sqlite sqlite_unlock_notify
      - run: |
          su forgejo -c 'make test-sqlite-migration test-sqlite'
-        timeout-minutes: 50
+        timeout-minutes: 120
        env:
          TAGS: sqlite sqlite_unlock_notify
          RACE_ENABLED: true
          TEST_TAGS: sqlite sqlite_unlock_notify
          USE_REPO_TEST_DIR: 1
  security-check:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
    runs-on: docker
    needs:
      - test-sqlite
@ -327,11 +278,10 @@ jobs:
      - test-remote-cacher
      - test-unit
    container:
-      image: 'code.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:20-bookworm'
      options: --tmpfs /tmp:exec,noatime
    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
-        with:
+      - run: su forgejo -c 'make deps-backend deps-tools'
-          go-version-file: "go.mod"
+      - run: su forgejo -c 'make security-check'
      - run: make deps-backend deps-tools
      - run: make security-check
--- a/.gitignore
+++ b/.gitignore
@ -37,6 +37,7 @@ _testmain.go
 *coverage.out
 coverage.all
 coverage/
 cpu.out
 /modules/migration/bindata.go
@ -72,6 +73,7 @@ cpu.out
 /tests/e2e/reports
 /tests/e2e/test-artifacts
 /tests/e2e/test-snapshots
 /tests/e2e/.auth
 /tests/*.ini
 /tests/**/*.git/**/*.sample
 /node_modules
@ -115,6 +117,9 @@ prime/
 *_source.tar.bz2
 .DS_Store
 # Direnv configuration
 /.envrc
 # nix-direnv generated files
 .direnv/
--- a/.golangci.yml
+++ b/.golangci.yml
@ -19,12 +19,12 @@ linters:
    - revive
    - staticcheck
    - stylecheck
    - tenv
    - testifylint
    - typecheck
    - unconvert
    - unused
    - unparam
    - usetesting
    - wastedassign
 run:
@ -77,6 +77,8 @@ linters-settings:
      - name: unreachable-code
      - name: var-declaration
      - name: var-naming
      - name: redefines-builtin-id
        disabled: true
  gofumpt:
    extra-rules: true
  depguard:
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@ -10,7 +10,7 @@ branch-known:
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |
-  ## Draft release notes
+  ## Release notes
 comment: |
  <details>
  <summary>Where does that come from?</summary>
--- a/8
+++ b/8
@ -16,6 +16,9 @@ templates/.* @caesar @crystal @gusted
 ## the issue sidebar was touched by fnetx
 templates/repo/issue/view_content/sidebar.* @fnetx
 # Playwright tests
 tests/e2e/.* @fnetx
 # Files related to Go development.
 # The modules usually don't require much knowledge about Forgejo and could
@ -30,8 +33,9 @@ models/.* @gusted
 # for code that lives in here.
 routers/.* @gusted
-# Let new strings be checked by the translation team.
+# Let locale changes be checked by the translation team.
-options/locale/locale_en-US.ini @0ko
+options/locale/.* @0ko
 options/locale_next/.* @0ko
 # Personal interest
 .*/webhook.* @oliverpool
--- a/10
+++ b/10
@ -1,6 +1,6 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.23-alpine3.20 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}
@ -51,7 +51,7 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
              /go/src/code.gitea.io/gitea/environment-to-ini
 RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
-FROM code.forgejo.org/oci/golang:1.23-alpine3.20
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
@ -98,11 +98,11 @@ ENV GITEA_CUSTOM=/data/gitea
 VOLUME ["/data"]
 ENTRYPOINT ["/usr/bin/entrypoint"]
-CMD ["/bin/s6-svscan", "/etc/s6"]
+CMD ["/usr/bin/s6-svscan", "/etc/s6"]
 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-RUN ln /app/gitea/gitea /app/gitea/forgejo-cli
+RUN ln -s /app/gitea/gitea /app/gitea/forgejo-cli
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,6 +1,6 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.23-alpine3.20 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}
@ -49,7 +49,8 @@ RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
              /go/src/code.gitea.io/gitea/environment-to-ini
 RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
-FROM code.forgejo.org/oci/golang:1.23-alpine3.20
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
      org.opencontainers.image.authors="Forgejo" \
      org.opencontainers.image.url="https://forgejo.org" \
@ -71,6 +72,7 @@ RUN apk --no-cache add \
    git \
    curl \
    gnupg \
    openssh-client \
    && rm -rf /var/cache/apk/*
 RUN addgroup \
@ -90,7 +92,7 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-RUN ln /app/gitea/gitea /app/gitea/forgejo-cli
+RUN ln -s /app/gitea/gitea /app/gitea/forgejo-cli
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
--- a/176
+++ b/176
@ -18,48 +18,49 @@ DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 IMPORT := code.gitea.io/gitea
-GO ?= go
+GO ?= $(shell go env GOROOT)/bin/go
 SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
 DIFF ?= diff --unified
 ifeq ($(USE_GOTESTSUM), yes)
 	GOTEST ?= gotestsum --
 	GOTESTCOMPILEDRUNPREFIX ?= gotestsum --raw-command -- go tool test2json -t
 	GOTESTCOMPILEDRUNSUFFIX ?= -test.v=test2json
 else
 	GOTEST ?= $(GO) test
 	GOTESTCOMPILEDRUNPREFIX ?=
 	GOTESTCOMPILEDRUNSUFFIX ?=
 endif
 XGO_VERSION := go-1.21.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.0.3 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.2.0 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.7.0 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.6 # renovate: datasource=go
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
 MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.6.0 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.25.0 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.31.0 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.4.0 # renovate: datasource=go
-GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.16.2 # renovate: datasource=go
+GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.18.1 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@38.93.2 # renovate: datasource=docker packageName=code.forgejo.org/forgejo-contrib/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@39.185.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
 ifeq ($(HAS_GO), yes)
 	CGO_EXTRA_CFLAGS := -DSQLITE_MAX_VARIABLE_NUMBER=32766
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif
 ifeq ($(GOOS),windows)
 	IS_WINDOWS := yes
 else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
 	ifeq ($(GOOS),)
 		IS_WINDOWS := yes
 	endif
 endif
 ifeq ($(IS_WINDOWS),yes)
 	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 else
 GOFLAGS := -v
 EXECUTABLE ?= gitea
 endif
 ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
 	SED_INPLACE := sed -i
@ -114,6 +115,11 @@ FORGEJO_VERSION_API ?= ${FORGEJO_VERSION}
 show-version-api:
 	@echo ${FORGEJO_VERSION_API}
 # Strip binaries by default to reduce size, allow overriding for debugging
 STRIP ?= 1
 ifeq ($(STRIP),1)
 	LDFLAGS := $(LDFLAGS) -s -w
 endif
 LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(FORGEJO_VERSION)" -X "main.Tags=$(TAGS)" -X "main.ForgejoVersion=$(FORGEJO_VERSION_API)"
 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64
@ -154,9 +160,8 @@ TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMAN
 GO_DIRS := build cmd models modules routers services tests
 WEB_DIRS := web_src/js web_src/css
 ESLINT_FILES := web_src/js tools *.js tests/e2e/*.js tests/e2e/shared/*.js
 STYLELINT_FILES := web_src/css web_src/js/components/*.vue
-SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github $(wildcard *.go *.js *.md *.yml *.yaml *.toml)
+SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github $(wildcard *.go *.js *.ts *.vue *.md *.yml *.yaml)
 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/options/bindata.go ! -path modules/public/bindata.go ! -path modules/templates/bindata.go)
@ -408,30 +413,30 @@ lint-frontend: lint-js lint-css
 lint-frontend-fix: lint-js-fix lint-css-fix
 .PHONY: lint-backend
-lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate
+lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale lint-disposable-emails
 .PHONY: lint-backend-fix
-lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig
+lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig lint-disposable-emails-fix
 .PHONY: lint-codespell
-lint-codespell:
+lint-codespell: deps-py
-	codespell
+	@poetry run codespell
 .PHONY: lint-codespell-fix
-lint-codespell-fix:
+lint-codespell-fix: deps-py
-	codespell -w
+	@poetry run codespell -w
 .PHONY: lint-codespell-fix-i
-lint-codespell-fix-i:
+lint-codespell-fix-i: deps-py
-	codespell -w -i 3 -C 2
+	@poetry run codespell -w -i 3 -C 2
 .PHONY: lint-js
 lint-js: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES)
+	npx eslint --color --max-warnings=0
 .PHONY: lint-js-fix
 lint-js-fix: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES) --fix
+	npx eslint --color --max-warnings=0 --fix
 .PHONY: lint-css
 lint-css: node_modules
@ -451,6 +456,10 @@ lint-renovate: node_modules
 	@if grep --quiet --extended-regexp -e '^( WARN:|ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
 	@rm .lint-renovate
 .PHONY: lint-locale
 lint-locale:
 	$(GO) run build/lint-locale.go
 .PHONY: lint-md
 lint-md: node_modules
 	npx markdownlint docs *.md
@ -477,13 +486,6 @@ lint-go-fix:
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS) --fix
 	$(RUN_DEADCODE) > .deadcode-out
 # workaround step for the lint-go-windows CI task because 'go run' can not
 # have distinct GOOS/GOARCH for its build and run steps
 .PHONY: lint-go-windows
 lint-go-windows:
 	@GOOS= GOARCH= $(GO) install $(GOLANGCI_LINT_PACKAGE)
 	golangci-lint run
 .PHONY: lint-go-vet
 lint-go-vet:
 	@echo "Running go vet..."
@ -498,6 +500,14 @@ lint-go-gopls:
 lint-editorconfig:
 	$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) templates .forgejo/workflows
 .PHONY: lint-disposable-emails
 lint-disposable-emails:
 	$(GO) run build/generate-disposable-email.go -check -r $(DISPOSABLE_EMAILS_SHA)
 .PHONY: lint-disposable-emails-fix
 lint-disposable-emails-fix:
 	$(GO) run build/generate-disposable-email.go -r $(DISPOSABLE_EMAILS_SHA)
 .PHONY: lint-templates
 lint-templates: .venv node_modules
 	@node tools/lint-templates-svg.js
@ -505,7 +515,7 @@ lint-templates: .venv node_modules
 .PHONY: lint-yaml
 lint-yaml: .venv
-	@poetry run yamllint .
+	@poetry run yamllint -s .
 .PHONY: security-check
 security-check:
@ -534,12 +544,12 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
 .PHONY: test-remote-cacher
 test-remote-cacher:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
 .PHONY: test-frontend
 test-frontend: node_modules
@ -564,7 +574,7 @@ test-check:
 .PHONY: test\#%
 test\#%:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
 .PHONY: coverage
 coverage:
@ -575,7 +585,7 @@ coverage:
 .PHONY: unit-test-coverage
 unit-test-coverage:
 	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
 .PHONY: tidy
 tidy:
@ -596,7 +606,7 @@ tidy-check: tidy
 go-licenses: $(GO_LICENSE_FILE)
 $(GO_LICENSE_FILE): go.mod go.sum
-	-$(shell $(GO) env GOROOT)/bin/go run $(GO_LICENSES_PACKAGE) save . --force --ignore code.gitea.io/gitea --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
+	-$(GO) run $(GO_LICENSES_PACKAGE) save . --force --ignore code.gitea.io/gitea --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
 	$(GO) run build/generate-go-licenses.go $(GO_LICENSE_TMP_DIR) $(GO_LICENSE_FILE)
 	@rm -rf $(GO_LICENSE_TMP_DIR)
@ -608,11 +618,11 @@ generate-ini-sqlite:
 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 .PHONY: test-sqlite-migration
 test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
@ -629,11 +639,11 @@ generate-ini-mysql:
 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test
@ -647,15 +657,16 @@ generate-ini-pgsql:
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini
 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 .PHONY: test-pgsql-migration
 test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test
@ -674,35 +685,34 @@ test-e2e: test-e2e-sqlite
 .PHONY: test-e2e-sqlite
 test-e2e-sqlite: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 .PHONY: test-e2e-sqlite\#%
 test-e2e-sqlite\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 .PHONY: test-e2e-sqlite-firefox\#%
 test-e2e-sqlite-firefox\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini PLAYWRIGHT_PROJECT=firefox ./e2e.sqlite.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini PLAYWRIGHT_PROJECT=firefox $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 .PHONY: test-e2e-mysql
 test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 .PHONY: test-e2e-mysql\#%
 test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 .PHONY: test-e2e-pgsql
 test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 .PHONY: test-e2e-pgsql\#%
 test-e2e-pgsql\#%: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 .PHONY: test-e2e-debugserver
 test-e2e-debugserver: e2e.sqlite.test generate-ini-sqlite
 	sed -i s/3003/3000/g tests/sqlite.ini
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestDebugserver -test.timeout 24h
 .PHONY: bench-sqlite
@ -726,73 +736,73 @@ integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sq
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
 integrations.mysql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
 integrations.pgsql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test
 integrations.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
 integrations.cover.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
 integrations.cover.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./migrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)
 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done
 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 e2e.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
 e2e.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
 e2e.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
 .PHONY: check
 check: test
@ -803,7 +813,7 @@ check: test
 .PHONY: install $(TAGS_PREREQ)
 install: $(wildcard *.go)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'
 .PHONY: build
 build: frontend backend
@ -831,13 +841,13 @@ merge-locales:
 	@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@
 forgejo: $(EXECUTABLE)
 	ln -f $(EXECUTABLE) forgejo
 static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
 .PHONY: release
 release: frontend generate release-linux release-copy release-compress vendor release-sources release-check
@ -848,10 +858,6 @@ sources-tarbal: frontend generate vendor release-sources release-check
 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)
 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out forgejo-$(VERSION) .
@ -896,7 +902,7 @@ release-docs: | $(DIST_DIRS) docs
 .PHONY: reproduce-build
 reproduce-build:
 # Start building the Dockerfile with the RELEASE_VERSION tag set. GOPROXY is set
-# for convience, because the default of the Dockerfile is `direct` which can be
+# for convenience, because the default of the Dockerfile is `direct` which can be
 # quite slow.
 	@docker build --build-arg="RELEASE_VERSION=$(RELEASE_VERSION)" --build-arg="GOPROXY=$(shell $(GO) env GOPROXY)" --tag "forgejo-reproducibility" .
 	@id=$$(docker create forgejo-reproducibility); \
--- a/README.md
+++ b/README.md
@ -1,4 +1,3 @@
 <div align="center">
    <img src="./assets/logo.svg" alt="" width="192" align="center" />
    <h1 align="center">Welcome to Forgejo</h1>
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -4,19 +4,31 @@ A minor or major Forgejo release is published every [three months](https://forge
 A [patch or minor release](https://semver.org/spec/v2.0.0.html) (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But [major releases](https://semver.org/spec/v2.0.0.html#spec-item-8) where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.
-The release notes of each release [are available in the corresponding milestone](https://codeberg.org/forgejo/forgejo/milestones), starting with [Forgejo 7.0.7](https://codeberg.org/forgejo/forgejo/milestone/7683) and [Forgejo 8.0.1](https://codeberg.org/forgejo/forgejo/milestone/7682).
+The release notes of each release [are available in the release-notes-published directory of this repository](release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
 ## 9.0.2
 See the [Forgejo 9.0.2 release notes](release-notes-published/9.0.2.md).
 ## 9.0.1
 See the [Forgejo 9.0.1 release notes](release-notes-published/9.0.1.md).
 ## 9.0.0
 See the [Forgejo 9.0.0 release notes](release-notes-published/9.0.0.md).
 ## 8.0.3
-The Forgejo v8.0.3 release notes are [available in the v8.0.3 milestone](https://codeberg.org/forgejo/forgejo/milestone/8231).
+See the [Forgejo 8.0.3 release notes](release-notes-published/8.0.3.md).
 ## 8.0.2
-The Forgejo v8.0.2 release notes are [available in the v8.0.2 milestone](https://codeberg.org/forgejo/forgejo/milestone/7728).
+See the [Forgejo 8.0.2 release notes](release-notes-published/8.0.2.md).
 ## 8.0.1
-The Forgejo v8.0.1 release notes are [available in the v8.0.1 milestone](https://codeberg.org/forgejo/forgejo/milestone/7682).
+See the [Forgejo 8.0.1 release notes](release-notes-published/8.0.1.md).
 ## 8.0.0
@ -155,17 +167,25 @@ A [companion blog post](https://forgejo.org/2024-07-release-v8-0/) provides addi
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/2937): <!--number 2937 --><!--number--><!--description -->31 March updates<!--description-->
 <!--end release-notes-assistant-->
 ## 7.0.11
 See the [Forgejo 7.0.11 release notes](release-notes-published/7.0.11.md).
 ## 7.0.10
 See the [Forgejo 7.0.10 release notes](release-notes-published/7.0.10.md).
 ## 7.0.9
-The Forgejo v7.0.9 release notes are [available in the v7.0.9 milestone](https://codeberg.org/forgejo/forgejo/milestone/8232).
+See the [Forgejo 7.0.9 release notes](release-notes-published/7.0.9.md).
 ## 7.0.8
-The Forgejo v7.0.8 release notes are [available in the v7.0.8 milestone](https://codeberg.org/forgejo/forgejo/milestone/7729).
+See the [Forgejo 7.0.8 release notes](release-notes-published/7.0.8.md).
 ## 7.0.7
-The Forgejo v7.0.7 release notes are [available in the v7.0.7 milestone](https://codeberg.org/forgejo/forgejo/milestone/7683).
+See the [Forgejo 7.0.7 release notes](release-notes-published/7.0.7.md).
 ## 7.0.6
@ -1570,7 +1590,7 @@ this situation, [follow the instructions in the companion blog post](https://for
  The most prominent ones are described here, others can be found in the list of commits included in the release as described above.
-  * [Fix links to pull request reviews sent via mail](https://codeberg.org/forgejo/forgejo/commit/88e179d5ef8ee41f71d068195685ff098b38ca31). The pull request link was correct but it did not go the the review and stayed at the beginning of the page
+  * [Fix links to pull request reviews sent via mail](https://codeberg.org/forgejo/forgejo/commit/88e179d5ef8ee41f71d068195685ff098b38ca31). The pull request link was correct but it did not go the review and stayed at the beginning of the page
  * [Recognize OGG as an audio format](https://codeberg.org/forgejo/forgejo/commit/622ec5c79f299c32ac2667a1aa7b4bf5d7c2d6cf)
  * [Consistently show the last time a cron job was run in the admin panel](https://codeberg.org/forgejo/forgejo/commit/5f769ef20)
  * [Fix NuGet registry v2 & v3 API search endpoints](https://codeberg.org/forgejo/forgejo/commit/471138829b0c24fe8c621dbb866ae8bb45ebc674)
@ -1589,7 +1609,7 @@ this situation, [follow the instructions in the companion blog post](https://for
  * [Fix pull request check list when there are more than 30](https://codeberg.org/forgejo/forgejo/commit/e226b9646)
  * [Fix attachment clipboard copy on insecure origin](https://codeberg.org/forgejo/forgejo/commit/12ac84c26)
  * [Fix the profile README rendering](https://codeberg.org/forgejo/forgejo/commit/84c3b60a4) that [was inconsistent with other markdown files renderings](https://codeberg.org/forgejo/forgejo/issues/833)
-  * [Fix API leaking the user email when the caller is not authentified](https://codeberg.org/forgejo/forgejo/commit/d89003cc1)
+  * [Fix API leaking the user email when the caller is not authenticated](https://codeberg.org/forgejo/forgejo/commit/d89003cc1)
 ## 1.20.2-0
@ -1647,7 +1667,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  The semantic version was updated to `5.0.0+0-gitea-1.20.1` because it contains breaking changes.
 - **Breaking:**
  - [Scoped access tokens](https://codeberg.org/forgejo/forgejo/commit/18de83b2a3fc120922096b7348d6375094ae1532) or (Personal Access Tokens), were refactored and although existing tokens are still valid, they may have a different scope than before. To ensure that no tokens have a larger scope than expected they must be removed and recreated.
-  - If your `app.ini` has one of the the following `[indexer].ISSUE_INDEXER_QUEUE_TYPE`, `[indexer].ISSUE_INDEXER_QUEUE_BATCH_NUMBER`, `[indexer].`, `[indexer].ISSUE_INDEXER_QUEUE_DIR`, `[indexer].ISSUE_INDEXER_QUEUE_CONN_STR`, `[indexer].UPDATE_BUFFER_LEN`, `[mailer].SEND_BUFFER_LEN`, `[repository].PULL_REQUEST_QUEUE_LENGTH` or `[repository].MIRROR_QUEUE_LENGTH`, Forgejo will abort immediately. Unless you know exactly what you're doing, you must comment them out so the default values are used.
+  - If your `app.ini` has one of the following `[indexer].ISSUE_INDEXER_QUEUE_TYPE`, `[indexer].ISSUE_INDEXER_QUEUE_BATCH_NUMBER`, `[indexer].`, `[indexer].ISSUE_INDEXER_QUEUE_DIR`, `[indexer].ISSUE_INDEXER_QUEUE_CONN_STR`, `[indexer].UPDATE_BUFFER_LEN`, `[mailer].SEND_BUFFER_LEN`, `[repository].PULL_REQUEST_QUEUE_LENGTH` or `[repository].MIRROR_QUEUE_LENGTH`, Forgejo will abort immediately. Unless you know exactly what you're doing, you must comment them out so the default values are used.
  - The `-p` option of `environment-to-ini` is [no longer supported](https://codeberg.org/forgejo/forgejo/commit/fa0b5b14c2faa6a5f76bb2e7bc9241a5e4354189)
  - The ".png" suffix for [user and organizations is now reserved](https://codeberg.org/forgejo/forgejo/commit/2b91841cd3e1213ff3e4ed4209d6a4be89c2fa79)
  - The section `[git.reflog]` is [now obsolete and its keys have been moved](https://codeberg.org/forgejo/forgejo/commit/2f149c5c9db97f20fbbc65e32d1f3133048b11a2) to the following replacements:
@ -1741,7 +1761,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  - [The repository migration can be canceled](https://codeberg.org/forgejo/forgejo/commit/f6e029e6c7849d4361abf7f1d749b5d528364ac4)
  - [Add button on the diff header to copy the file name](https://codeberg.org/forgejo/forgejo/commit/c5ede35124c8d5280219c24049bb0ad7da9f02ed)
  - [Add --quiet option to the dump CLI](https://codeberg.org/forgejo/forgejo/commit/cb1536471bcef4d78a3fe5cbd738b9f60fabbcc2)
-  - [Support searching for an issue with its number in the the list of issues](https://codeberg.org/forgejo/forgejo/commit/1144b1d129de530b2c07dfdfaf55de383cd82212)
+  - [Support searching for an issue with its number in the list of issues](https://codeberg.org/forgejo/forgejo/commit/1144b1d129de530b2c07dfdfaf55de383cd82212)
  - [Improve the list of notifications](https://codeberg.org/forgejo/forgejo/commit/f7ede92f82f7f3ec7bb31a1249f9524e5b728f34)
  - [When editing a file in the web UI, allow for a preview whenever possible](https://codeberg.org/forgejo/forgejo/commit/ac64c8297444ade63a2a364c4afb7e6c1de5a75f)
  - [Make release download URLs human readable](https://codeberg.org/forgejo/forgejo/commit/42919ccb7cd32ab67d0878baf2bac6cd007899a8)
@ -1778,7 +1798,7 @@ $ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/fo
  - [Add API for gitignore templates](https://codeberg.org/forgejo/forgejo/commit/36a5d4c2f3b5670e5e921034cd5d25817534a6d4)
  - [Add API to upuload a file to an empty repository](https://codeberg.org/forgejo/forgejo/commit/cf465b472166ccf6d3e001e3043e4bf43e16e6b3)
  - [Allow for --not when listing the commits of a repo](https://codeberg.org/forgejo/forgejo/commit/f766b002938b5c81e343c81fda3c0669fa09809f)
-  - [Add `files` and `verification` parameters to improve performances when listing the commits of a a repo](https://codeberg.org/forgejo/forgejo/commit/1dd83dbb917d55bd253001646d6743f247a4d98b)
+  - [Add `files` and `verification` parameters to improve performances when listing the commits of a repo](https://codeberg.org/forgejo/forgejo/commit/1dd83dbb917d55bd253001646d6743f247a4d98b)
  - [Allow for listing a single commit in a repository](https://codeberg.org/forgejo/forgejo/commit/5930ab5fdf7a970fcca3cd50b44cf1cacb615a54)
  - [Create a branch directly from commit on the create branch API](https://codeberg.org/forgejo/forgejo/commit/cd9a13ebb47d32f46b38439a524e3b2e0c619490)
  - [Add API for Label templates](https://codeberg.org/forgejo/forgejo/commit/25dc1556cd70b567a4920beb002a0addfbfd6ef2)
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build.go
+++ b/build.go
@ -11,13 +11,4 @@ package main
 import (
 	// for embed
 	_ "github.com/shurcooL/vfsgen"
 	// for cover merge
 	_ "golang.org/x/tools/cover"
 	// for vet
 	_ "code.gitea.io/gitea-vet"
 	// for swagger
 	_ "github.com/go-swagger/go-swagger/cmd/swagger"
 )
--- a/build/generate-disposable-email.go
+++ b/build/generate-disposable-email.go
@ -0,0 +1,203 @@
 // Copyright 2024 James Hatfield
 // SPDX-License-Identifier: MIT
 //go:build ignore
 package main
 import (
 	"bufio"
 	"bytes"
 	"crypto"
 	"flag"
 	"fmt"
 	"go/format"
 	"io"
 	"log"
 	"net/http"
 	"os"
 	"regexp"
 	"strings"
 )
 const disposableEmailListURL string = "https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/%s/disposable_email_blocklist.conf"
 var (
 	gitRef *string = flag.String("r", "master", "Git reference of the domain list version")
 	outPat *string = flag.String("o", "modules/setting/disposable_email_domain_data.go", "Output path")
 	check  *bool   = flag.Bool("check", false, "Check if the current output file matches the current upstream list")
 )
 func main() {
 	flag.Parse()
 	if *check {
 		// read in the local copy of the domain list
 		local, err := get_local_file()
 		if err != nil {
 			log.Fatalf("File Read Error: %v", err)
 		}
 		// generate the remote copy of the domain list
 		remote, err := generate()
 		if err != nil {
 			log.Fatalf("Generation Error: %v", err)
 		}
 		// strip the comments from both (so we dont fail simply due to git ref difference)
 		local = strip_comments(local)
 		remote = strip_comments(remote)
 		// generate the hash of the local copy
 		local_sha, err := hash(local)
 		if err != nil {
 			log.Fatalf("Local Hash Generation Error: %v", err)
 		}
 		// generate the hash of the remote copy
 		remote_sha, err := hash(remote)
 		if err != nil {
 			log.Fatalf("Remote Hash Generation Error: %v", err)
 		}
 		// if the hashes dont match then the local copy needs to be updated
 		if local_sha != remote_sha {
 			log.Fatalf("Disposable email domain list needs to be updated!! \"make lint-disposable-emails-fix\"")
 		}
 	} else {
 		// generate the source code (array of domains)
 		res, err := generate()
 		if err != nil {
 			log.Fatalf("Generation Error: %v", err)
 		}
 		// write result to a file
 		err = os.WriteFile(*outPat, res, 0o644)
 		if err != nil {
 			log.Fatalf("File Write Error: %v", err)
 		}
 	}
 }
 func strip_comments(data []byte) []byte {
 	result := make([]byte, 0, len(data))
 	re := regexp.MustCompile(`^\W*//.*$`)
 	for _, line := range bytes.Split(data, []byte("\n")) {
 		if !re.Match(line) {
 			result = append(result, line...)
 		}
 	}
 	return result
 }
 func hash(data []byte) (string, error) {
 	var err error
 	hash := crypto.SHA3_256.New()
 	_, err = hash.Write(data)
 	if err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", hash.Sum(nil)), err
 }
 func get_local_file() ([]byte, error) {
 	var err error
 	f, err := os.Open(*outPat)
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	data, err := io.ReadAll(f)
 	if err != nil {
 		return nil, err
 	}
 	return data, err
 }
 func get_remote() ([]string, error) {
 	var err error
 	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
 	// download the domain list
 	res, err := http.Get(url)
 	if err != nil {
 		return nil, err
 	}
 	defer res.Body.Close()
 	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
 	// go through all entries (1 domain per line)
 	scanner := bufio.NewScanner(bytes.NewReader(body))
 	var arrDomains []string
 	for scanner.Scan() {
 		line := scanner.Text()
 		arrDomains = append(arrDomains, line)
 	}
 	return arrDomains, err
 }
 func generate() ([]byte, error) {
 	var err error
 	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
 	// download the domains list
 	arrDomains, err := get_remote()
 	if err != nil {
 		return nil, err
 	}
 	// build the string in a readable way
 	var sb strings.Builder
 	_, err = sb.WriteString("[]string{\n")
 	if err != nil {
 		return nil, err
 	}
 	for _, item := range arrDomains {
 		_, err = sb.WriteString(fmt.Sprintf("\t%q,\n", item))
 		if err != nil {
 			return nil, err
 		}
 	}
 	_, err = sb.WriteString("}")
 	if err != nil {
 		return nil, err
 	}
 	// insert the values into file
 	final := fmt.Sprintf(hdr, url, sb.String())
 	return format.Source([]byte(final))
 }
 const hdr = `
 // Copyright 2024 James Hatfield
 // SPDX-License-Identifier: MIT
 //
 // Code generated by build/generate-disposable-email.go. DO NOT EDIT
 // Sourced from %s
 package setting
 import "sync"
 var DisposableEmailDomains = sync.OnceValue(func() []string {
 		return %s
 })
 `
--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@ -53,8 +53,6 @@ func (e Emoji) MarshalJSON() ([]byte, error) {
 }
 func main() {
 	var err error
 	flag.Parse()
 	// generate data
@ -83,8 +81,6 @@ var replacer = strings.NewReplacer(
 var emojiRE = regexp.MustCompile(`\{Emoji:"([^"]*)"`)
 func generate() ([]byte, error) {
 	var err error
 	// load gemoji data
 	res, err := http.Get(gemojiURL)
 	if err != nil {
--- a/build/gocovmerge.go
+++ b/build/gocovmerge.go
@ -1,118 +0,0 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Copyright (c) 2015, Wade Simmons
 // SPDX-License-Identifier: MIT
 // gocovmerge takes the results from multiple `go test -coverprofile` runs and
 // merges them into one profile
 //go:build ignore
 package main
 import (
 	"flag"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"sort"
 	"golang.org/x/tools/cover"
 )
 func mergeProfiles(p, merge *cover.Profile) {
 	if p.Mode != merge.Mode {
 		log.Fatalf("cannot merge profiles with different modes")
 	}
 	// Since the blocks are sorted, we can keep track of where the last block
 	// was inserted and only look at the blocks after that as targets for merge
 	startIndex := 0
 	for _, b := range merge.Blocks {
 		startIndex = mergeProfileBlock(p, b, startIndex)
 	}
 }
 func mergeProfileBlock(p *cover.Profile, pb cover.ProfileBlock, startIndex int) int {
 	sortFunc := func(i int) bool {
 		pi := p.Blocks[i+startIndex]
 		return pi.StartLine >= pb.StartLine && (pi.StartLine != pb.StartLine || pi.StartCol >= pb.StartCol)
 	}
 	i := 0
 	if sortFunc(i) != true {
 		i = sort.Search(len(p.Blocks)-startIndex, sortFunc)
 	}
 	i += startIndex
 	if i < len(p.Blocks) && p.Blocks[i].StartLine == pb.StartLine && p.Blocks[i].StartCol == pb.StartCol {
 		if p.Blocks[i].EndLine != pb.EndLine || p.Blocks[i].EndCol != pb.EndCol {
 			log.Fatalf("OVERLAP MERGE: %v %v %v", p.FileName, p.Blocks[i], pb)
 		}
 		switch p.Mode {
 		case "set":
 			p.Blocks[i].Count |= pb.Count
 		case "count", "atomic":
 			p.Blocks[i].Count += pb.Count
 		default:
 			log.Fatalf("unsupported covermode: '%s'", p.Mode)
 		}
 	} else {
 		if i > 0 {
 			pa := p.Blocks[i-1]
 			if pa.EndLine >= pb.EndLine && (pa.EndLine != pb.EndLine || pa.EndCol > pb.EndCol) {
 				log.Fatalf("OVERLAP BEFORE: %v %v %v", p.FileName, pa, pb)
 			}
 		}
 		if i < len(p.Blocks)-1 {
 			pa := p.Blocks[i+1]
 			if pa.StartLine <= pb.StartLine && (pa.StartLine != pb.StartLine || pa.StartCol < pb.StartCol) {
 				log.Fatalf("OVERLAP AFTER: %v %v %v", p.FileName, pa, pb)
 			}
 		}
 		p.Blocks = append(p.Blocks, cover.ProfileBlock{})
 		copy(p.Blocks[i+1:], p.Blocks[i:])
 		p.Blocks[i] = pb
 	}
 	return i + 1
 }
 func addProfile(profiles []*cover.Profile, p *cover.Profile) []*cover.Profile {
 	i := sort.Search(len(profiles), func(i int) bool { return profiles[i].FileName >= p.FileName })
 	if i < len(profiles) && profiles[i].FileName == p.FileName {
 		mergeProfiles(profiles[i], p)
 	} else {
 		profiles = append(profiles, nil)
 		copy(profiles[i+1:], profiles[i:])
 		profiles[i] = p
 	}
 	return profiles
 }
 func dumpProfiles(profiles []*cover.Profile, out io.Writer) {
 	if len(profiles) == 0 {
 		return
 	}
 	fmt.Fprintf(out, "mode: %s\n", profiles[0].Mode)
 	for _, p := range profiles {
 		for _, b := range p.Blocks {
 			fmt.Fprintf(out, "%s:%d.%d,%d.%d %d %d\n", p.FileName, b.StartLine, b.StartCol, b.EndLine, b.EndCol, b.NumStmt, b.Count)
 		}
 	}
 }
 func main() {
 	flag.Parse()
 	var merged []*cover.Profile
 	for _, file := range flag.Args() {
 		profiles, err := cover.ParseProfiles(file)
 		if err != nil {
 			log.Fatalf("failed to parse profile '%s': %v", file, err)
 		}
 		for _, p := range profiles {
 			merged = addProfile(merged, p)
 		}
 	}
 	dumpProfiles(merged, os.Stdout)
 }
--- a/build/lint-locale.go
+++ b/build/lint-locale.go
@ -0,0 +1,215 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 //nolint:forbidigo
 package main
 import (
 	"encoding/json" //nolint:depguard
 	"fmt"
 	"html"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"regexp"
 	"slices"
 	"strings"
 	"github.com/microcosm-cc/bluemonday"
 	"github.com/sergi/go-diff/diffmatchpatch"
 	"gopkg.in/ini.v1" //nolint:depguard
 )
 var (
 	policy     *bluemonday.Policy
 	tagRemover *strings.Replacer
 	safeURL    = "https://TO-BE-REPLACED.COM"
 	// Matches href="", href="#", href="%s", href="#%s", href="%[1]s" and href="#%[1]s".
 	placeHolderRegex = regexp.MustCompile(`href="#?(%s|%\[\d\]s)?"`)
 	dmp = diffmatchpatch.New()
 )
 func initBlueMondayPolicy() {
 	policy = bluemonday.NewPolicy()
 	policy.RequireParseableURLs(true)
 	policy.AllowURLSchemes("https")
 	// Only allow safe URL on href.
 	// Only allow target="_blank".
 	// Only allow rel="nopener noreferrer", rel="noopener" and rel="noreferrer".
 	// Only allow placeholder on id and class.
 	policy.AllowAttrs("href").Matching(regexp.MustCompile("^" + regexp.QuoteMeta(safeURL) + "$")).OnElements("a")
 	policy.AllowAttrs("target").Matching(regexp.MustCompile("^_blank$")).OnElements("a")
 	policy.AllowAttrs("rel").Matching(regexp.MustCompile("^(noopener|noreferrer|noopener noreferrer)$")).OnElements("a")
 	policy.AllowAttrs("id", "class").Matching(regexp.MustCompile(`^%s|%\[\d\]s$`)).OnElements("a")
 	// Only allow positional placeholder as class.
 	positionalPlaceholderRe := regexp.MustCompile(`^%\[\d\]s$`)
 	policy.AllowAttrs("class").Matching(positionalPlaceholderRe).OnElements("strong")
 	policy.AllowAttrs("id").Matching(positionalPlaceholderRe).OnElements("code")
 	// Allowed elements with no attributes. Must be a recognized tagname.
 	policy.AllowElements("strong", "br", "b", "strike", "code", "i")
 	// TODO: Remove <c> in `actions.workflow.dispatch.trigger_found`.
 	policy.AllowNoAttrs().OnElements("c")
 }
 func initRemoveTags() {
 	oldnew := []string{}
 	for _, el := range []string{
 		"email@example.com", "correu@example.com", "epasts@domens.lv", "email@exemplo.com", "eposta@ornek.com", "email@példa.hu", "email@esempio.it",
 		"user", "utente", "lietotājs", "gebruiker", "usuário", "Benutzer", "Bruker", "bruger", "użytkownik",
 		"server", "servidor", "kiszolgáló", "serveris",
 		"label", "etichetta", "etiķete", "rótulo", "Label", "utilizador", "etiket", "iezīme", "etykieta",
 	} {
 		oldnew = append(oldnew, "<"+el+">", "REPLACED-TAG")
 	}
 	tagRemover = strings.NewReplacer(oldnew...)
 }
 func preprocessTranslationValue(value string) string {
 	// href should be a parsable URL, replace placeholder strings with a safe url.
 	value = placeHolderRegex.ReplaceAllString(value, `href="`+safeURL+`"`)
 	// Remove tags that aren't tags but will be parsed as tags. We already know they are safe and sound.
 	value = tagRemover.Replace(value)
 	return value
 }
 func checkValue(trKey, value string) []string {
 	keyValue := preprocessTranslationValue(value)
 	if html.UnescapeString(policy.Sanitize(keyValue)) == keyValue {
 		return nil
 	}
 	// Create a nice diff of the difference.
 	diffs := dmp.DiffMain(keyValue, html.UnescapeString(policy.Sanitize(keyValue)), false)
 	diffs = dmp.DiffCleanupSemantic(diffs)
 	diffs = dmp.DiffCleanupEfficiency(diffs)
 	return []string{trKey + ": " + dmp.DiffPrettyText(diffs)}
 }
 func checkLocaleContent(localeContent []byte) []string {
 	// Same configuration as Forgejo uses.
 	cfg := ini.Empty(ini.LoadOptions{
 		IgnoreContinuation: true,
 	})
 	cfg.NameMapper = ini.SnackCase
 	if err := cfg.Append(localeContent); err != nil {
 		panic(err)
 	}
 	errors := []string{}
 	for _, section := range cfg.Sections() {
 		for _, key := range section.Keys() {
 			var trKey string
 			if section.Name() == "" || section.Name() == "DEFAULT" || section.Name() == "common" {
 				trKey = key.Name()
 			} else {
 				trKey = section.Name() + "." + key.Name()
 			}
 			errors = append(errors, checkValue(trKey, key.Value())...)
 		}
 	}
 	return errors
 }
 func checkLocaleNextContent(data map[string]any, trKey ...string) []string {
 	errors := []string{}
 	for key, value := range data {
 		currentKey := key
 		if len(trKey) == 1 {
 			currentKey = trKey[0] + "." + key
 		}
 		switch value := value.(type) {
 		case string:
 			errors = append(errors, checkValue(currentKey, value)...)
 		case map[string]any:
 			errors = append(errors, checkLocaleNextContent(value, currentKey)...)
 		default:
 			panic(fmt.Sprintf("Unexpected type during linting locale next: %s - %T", currentKey, value))
 		}
 	}
 	return errors
 }
 func main() {
 	initBlueMondayPolicy()
 	initRemoveTags()
 	localeDir := filepath.Join("options", "locale")
 	localeFiles, err := os.ReadDir(localeDir)
 	if err != nil {
 		panic(err)
 	}
 	// Safety check that we are not reading the wrong directory.
 	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".ini") }) {
 		fmt.Println("No locale files found")
 		os.Exit(1)
 	}
 	exitCode := 0
 	for _, localeFile := range localeFiles {
 		if !strings.HasSuffix(localeFile.Name(), ".ini") {
 			continue
 		}
 		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
 		if err != nil {
 			panic(err)
 		}
 		if err := checkLocaleContent(localeContent); len(err) > 0 {
 			fmt.Println(localeFile.Name())
 			fmt.Println(strings.Join(err, "\n"))
 			fmt.Println()
 			exitCode = 1
 		}
 	}
 	// Check the locale next.
 	localeDir = filepath.Join("options", "locale_next")
 	localeFiles, err = os.ReadDir(localeDir)
 	if err != nil {
 		panic(err)
 	}
 	// Safety check that we are not reading the wrong directory.
 	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".json") }) {
 		fmt.Println("No locale_next files found")
 		os.Exit(1)
 	}
 	for _, localeFile := range localeFiles {
 		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
 		if err != nil {
 			panic(err)
 		}
 		var localeData map[string]any
 		if err := json.Unmarshal(localeContent, &localeData); err != nil {
 			panic(err)
 		}
 		if err := checkLocaleNextContent(localeData); len(err) > 0 {
 			fmt.Println(localeFile.Name())
 			fmt.Println(strings.Join(err, "\n"))
 			fmt.Println()
 			exitCode = 1
 		}
 	}
 	os.Exit(exitCode)
 }
--- a/build/lint-locale_test.go
+++ b/build/lint-locale_test.go
@ -0,0 +1,94 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package main
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestLocalizationPolicy(t *testing.T) {
 	initBlueMondayPolicy()
 	initRemoveTags()
 	t.Run("Remove tags", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`hidden_comment_types_description = Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<not-an-allowed-key> <label>"`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<user@example.com>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<user@example.com> <email@example.com>"`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<tag>\x1b[0m REPLACED-TAG \x1b[31m</tag>\x1b[0m"}, checkLocaleContent([]byte(`key = "<tag> <email@example.com> </tag>"`)))
 	})
 	t.Run("Specific exception", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <c>workflow_dispatch</c> event trigger.`)))
 		assert.Empty(t, checkLocaleContent([]byte(`pulls.title_desc_one = wants to merge %[1]d commit from <code>%[2]s</code> into <code id="%[4]s">%[3]s</code>`)))
 		assert.Empty(t, checkLocaleContent([]byte(`editor.commit_directly_to_this_branch = Commit directly to the <strong class="%[2]s">%[1]s</strong> branch.`)))
 		assert.EqualValues(t, []string{"workflow.dispatch.trigger_found: This workflow has a \x1b[31m<d>\x1b[0mworkflow_dispatch\x1b[31m</d>\x1b[0m event trigger."}, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <d>workflow_dispatch</d> event trigger.`)))
 		assert.EqualValues(t, []string{"key: <code\x1b[31m id=\"branch_targe\"\x1b[0m>%[3]s</code>"}, checkLocaleContent([]byte(`key = <code id="branch_targe">%[3]s</code>`)))
 		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"ui sh\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="ui sh" href="%[3]s">`)))
 		assert.EqualValues(t, []string{"key: <a\x1b[31m class=\"js-click-me\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="js-click-me" href="%[3]s">`)))
 		assert.EqualValues(t, []string{"key: <strong\x1b[31m class=\"branch-target\"\x1b[0m>%[1]s</strong>"}, checkLocaleContent([]byte(`key = <strong class="branch-target">%[1]s</strong>`)))
 	})
 	t.Run("General safe tags", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
 		assert.Empty(t, checkLocaleContent([]byte("teams.specific_repositories_helper = Members will only have access to repositories explicitly added to the team. Selecting this <strong>will not</strong> automatically remove repositories already added with <i>All repositories</i>.")))
 		assert.Empty(t, checkLocaleContent([]byte("sqlite_helper = File path for the SQLite3 database.<br>Enter an absolute path if you run Forgejo as a service.")))
 		assert.Empty(t, checkLocaleContent([]byte("hi_user_x = Hi <b>%s</b>,")))
 		assert.EqualValues(t, []string{"error404: The page you are trying to reach either <strong\x1b[31m title='aaa'\x1b[0m>does not exist</strong> or <strong>you are not authorized</strong> to view it."}, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong title='aaa'>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
 	})
 	t.Run("<a>", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte(`admin.new_user.text = Please <a href="%s">click here</a> to manage this user from the admin panel.`)))
 		assert.Empty(t, checkLocaleContent([]byte(`access_token_desc = Selected token permissions limit authorization only to the corresponding <a href="%[1]s" target="_blank">API</a> routes. Read the <a href="%[2]s" target="_blank">documentation</a> for more information.`)))
 		assert.Empty(t, checkLocaleContent([]byte(`webauthn_desc = Security keys are hardware devices containing cryptographic keys. They can be used for two-factor authentication. Security keys must support the <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a> standard.`)))
 		assert.Empty(t, checkLocaleContent([]byte("issues.closed_at = `closed this issue <a id=\"%[1]s\" href=\"#%[1]s\">%[2]s</a>`")))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com">`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"javascript:alert('1')\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="javascript:alert('1')">`)))
 		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m download\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" download>`)))
 		assert.EqualValues(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m target=\"_self\"\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" target="_self">`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/%s">`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"https://example.com/?q=%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/?q=%s">`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s/open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s/open-redirect">`)))
 		assert.EqualValues(t, []string{"key: \x1b[31m<a href=\"%s?q=open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s?q=open-redirect">`)))
 	})
 	t.Run("Escaped HTML characters", func(t *testing.T) {
 		assert.Empty(t, checkLocaleContent([]byte("activity.git_stats_push_to_branch = `إلى %s و\"`")))
 		assert.EqualValues(t, []string{"key: و\x1b[31m&nbsp\x1b[0m\x1b[32m\u00a0\x1b[0m"}, checkLocaleContent([]byte(`key = و&nbsp;`)))
 	})
 }
 func TestNextLocalizationPolicy(t *testing.T) {
 	initBlueMondayPolicy()
 	initRemoveTags()
 	t.Run("Nested locales", func(t *testing.T) {
 		assert.Empty(t, checkLocaleNextContent(map[string]any{
 			"settings": map[string]any{
 				"hidden_comment_types_description": `Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`,
 			},
 		}))
 		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent(map[string]any{
 			"settings": map[string]any{
 				"hidden_comment_types_description": `"<not-an-allowed-key> <label>"`,
 			},
 		}))
 	})
 	t.Run("Flat locales", func(t *testing.T) {
 		assert.Empty(t, checkLocaleNextContent(map[string]any{
 			"settings.hidden_comment_types_description": `Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`,
 		}))
 		assert.EqualValues(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent(map[string]any{
 			"settings.hidden_comment_types_description": `"<not-an-allowed-key> <label>"`,
 		}))
 	})
 }
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -386,7 +386,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 	return a.createAuthSource(ctx, authSource)
 }
-// updateLdapBindDn updates a new LDAP (simple auth) authentication source.
+// updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
 func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -69,6 +69,10 @@ var microcmdUserCreate = &cli.Command{
 }
 func runCreateUser(c *cli.Context) error {
 	// this command highly depends on the many setting options (create org, visibility, etc.), so it must have a full setting load first
 	// duplicate setting loading should be safe at the moment, but it should be refactored & improved in the future.
 	setting.LoadSettings()
 	if err := argsSet(c, "email"); err != nil {
 		return err
 	}
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -133,12 +133,12 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 		&cli.BoolFlag{
 			Name:    "skip-repository",
 			Aliases: []string{"R"},
-			Usage:   "Skip the repository dumping",
+			Usage:   "Skip repositories",
 		},
 		&cli.BoolFlag{
 			Name:    "skip-log",
 			Aliases: []string{"L"},
-			Usage:   "Skip the log dumping",
+			Usage:   "Skip logs",
 		},
 		&cli.BoolFlag{
 			Name:  "skip-custom-dir",
@ -160,6 +160,10 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 			Name:  "skip-index",
 			Usage: "Skip bleve index data",
 		},
 		&cli.BoolFlag{
 			Name:  "skip-repo-archives",
 			Usage: "Skip repository archives",
 		},
 		&cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
@ -233,7 +237,7 @@ func runDump(ctx *cli.Context) error {
 	if file == nil {
 		file, err = os.Create(fileName)
 		if err != nil {
-			fatal("Unable to open %s: %v", fileName, err)
+			fatal("Failed to open %s: %v", fileName, err)
 		}
 	}
 	defer file.Close()
@ -250,7 +254,7 @@ func runDump(ctx *cli.Context) error {
 		iface, err = archiver.ByExtension(fileName)
 	}
 	if err != nil {
-		fatal("Unable to get archiver for extension: %v", err)
+		fatal("Failed to get archiver for extension: %v", err)
 	}
 	w, _ := iface.(archiver.Writer)
@ -260,7 +264,7 @@ func runDump(ctx *cli.Context) error {
 	defer w.Close()
 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
-		log.Info("Skip dumping local repositories")
+		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
 		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
@ -268,9 +272,9 @@ func runDump(ctx *cli.Context) error {
 		}
 		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-			log.Info("Skip dumping LFS data")
+			log.Info("Skipping LFS data")
 		} else if !setting.LFS.StartServer {
-			log.Info("LFS isn't enabled. Skip dumping LFS data")
+			log.Info("LFS not enabled - skipping")
 		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
 			info, err := object.Stat()
 			if err != nil {
@ -295,7 +299,7 @@ func runDump(ctx *cli.Context) error {
 	defer func() {
 		_ = dbDump.Close()
 		if err := util.Remove(dbDump.Name()); err != nil {
-			log.Warn("Unable to remove temporary file: %s: Error: %v", dbDump.Name(), err)
+			log.Warn("Failed to remove temporary file: %s: Error: %v", dbDump.Name(), err)
 		}
 	}()
@ -331,16 +335,16 @@ func runDump(ctx *cli.Context) error {
 					fatal("Failed to include custom: %v", err)
 				}
 			} else {
-				log.Info("Custom dir %s is inside data dir %s, skipped", setting.CustomPath, setting.AppDataPath)
+				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
 			}
 		} else {
-			log.Info("Custom dir %s doesn't exist, skipped", setting.CustomPath)
+			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
 		}
 	}
 	isExist, err := util.IsExist(setting.AppDataPath)
 	if err != nil {
-		log.Error("Unable to check if %s exists. Error: %v", setting.AppDataPath, err)
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
 	}
 	if isExist {
 		log.Info("Packing data directory...%s", setting.AppDataPath)
@ -355,10 +359,16 @@ func runDump(ctx *cli.Context) error {
 		}
 		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
 			log.Info("Skipping bleve index data")
 			excludes = append(excludes, setting.Indexer.RepoPath)
 			excludes = append(excludes, setting.Indexer.IssuePath)
 		}
 		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
 			log.Info("Skipping repository archives data")
 			excludes = append(excludes, setting.RepoArchive.Storage.Path)
 		}
 		excludes = append(excludes, setting.RepoRootPath)
 		excludes = append(excludes, setting.LFS.Storage.Path)
 		excludes = append(excludes, setting.Attachment.Storage.Path)
@ -371,7 +381,7 @@ func runDump(ctx *cli.Context) error {
 	}
 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skip dumping attachment data")
+		log.Info("Skipping attachment data")
 	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@ -384,9 +394,9 @@ func runDump(ctx *cli.Context) error {
 	}
 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skip dumping package data")
+		log.Info("Skipping package data")
 	} else if !setting.Packages.Enabled {
-		log.Info("Packages isn't enabled. Skip dumping package data")
+		log.Info("Package registry not enabled - skipping")
 	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@ -402,11 +412,11 @@ func runDump(ctx *cli.Context) error {
 	// ensuring that it's clear the dump is skipped whether the directory's initialized
 	// yet or not.
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skip dumping log files")
+		log.Info("Skipping log files")
 	} else {
 		isExist, err := util.IsExist(setting.Log.RootPath)
 		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", setting.Log.RootPath, err)
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
 			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
@ -456,7 +466,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		currentInsidePath := path.Join(insidePath, file.Name())
 		if util.SliceContainsString(excludeAbsPath, currentAbsPath) {
-			log.Debug("Skipping %q because matched an excluded path.", currentAbsPath)
+			log.Debug("Skipping %q (matched an excluded path)", currentAbsPath)
 			continue
 		}
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -322,7 +322,8 @@ func runHookUpdate(c *cli.Context) error {
 		return fail(ctx, fmt.Sprintf("The deletion of %s is skipped as it's an internal reference.", refFullName), "")
 	}
-	return nil
+	// If the new comment isn't empty it means modification.
 	return fail(ctx, fmt.Sprintf("The modification of %s is skipped as it's an internal reference.", refFullName), "")
 }
 func runHookPostReceive(c *cli.Context) error {
--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@ -6,7 +6,6 @@ package cmd
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -42,7 +41,7 @@ func captureOutput(t *testing.T, stdFD *os.File) (finish func() (output string))
 }
 func TestPktLine(t *testing.T) {
-	ctx := context.Background()
+	ctx := t.Context()
 	t.Run("Read", func(t *testing.T) {
 		s := strings.NewReader("0000")
@ -180,8 +179,15 @@ func TestRunHookUpdate(t *testing.T) {
 	})
 	t.Run("Update of internal reference", func(t *testing.T) {
 		defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 		defer test.MockVariableValue(&setting.IsProd, false)()
 		finish := captureOutput(t, os.Stderr)
 		err := app.Run([]string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000001"})
-		require.NoError(t, err)
+		out := finish()
 		require.Error(t, err)
 		assert.Contains(t, out, "The modification of refs/pull/1/head is skipped as it's an internal reference.")
 	})
 	t.Run("Removal of branch", func(t *testing.T) {
--- a/cmd/main.go
+++ b/cmd/main.go
@ -206,6 +206,7 @@ func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmd
 	app.Commands = append(app.Commands, subCmdWithConfig...)
 	app.Commands = append(app.Commands, subCmdStandalone...)
 	setting.InitGiteaEnvVars()
 	return app
 }
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -6,7 +6,6 @@ package cmd
 import (
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@ -114,37 +113,17 @@ func TestCliCmd(t *testing.T) {
 		_, _ = fmt.Fprint(ctx.App.Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
 		return nil
 	})
 	var envBackup []string
 	for _, s := range os.Environ() {
 		if strings.HasPrefix(s, "GITEA_") && strings.Contains(s, "=") {
 			envBackup = append(envBackup, s)
 		}
 	}
 	clearGiteaEnv := func() {
 		for _, s := range os.Environ() {
 			if strings.HasPrefix(s, "GITEA_") {
 				_ = os.Unsetenv(s)
 			}
 		}
 	}
 	defer func() {
 		clearGiteaEnv()
 		for _, s := range envBackup {
 			k, v, _ := strings.Cut(s, "=")
 			_ = os.Setenv(k, v)
 		}
 	}()
 	for _, c := range cases {
-		clearGiteaEnv()
+		t.Run(c.cmd, func(t *testing.T) {
 			for k, v := range c.env {
-			_ = os.Setenv(k, v)
+				t.Setenv(k, v)
 			}
 			args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
 			r, err := runTestApp(app, args...)
 			require.NoError(t, err, c.cmd)
 			assert.NotEmpty(t, c.exp, c.cmd)
 			assert.Contains(t, r.Stdout, c.exp, c.cmd)
 		})
 	}
 }
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -18,7 +18,7 @@ import (
 var CmdMigrate = &cli.Command{
 	Name:        "migrate",
 	Usage:       "Migrate the database",
-	Description: "This is a command for migrating the database, so that you can run gitea admin user create before starting the server.",
+	Description: "This is a command for migrating the database, so that you can run 'forgejo admin user create' before starting the server.",
 	Action:      runMigrate,
 }
--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -4,7 +4,6 @@
 package cmd
 import (
 	"context"
 	"io"
 	"os"
 	"strings"
@ -31,7 +30,7 @@ func createLocalStorage(t *testing.T) (storage.ObjectStorage, string) {
 	p := t.TempDir()
 	storage, err := storage.NewLocalStorage(
-		context.Background(),
+		t.Context(),
 		&setting.Storage{
 			Path: p,
 		})
@ -72,7 +71,7 @@ func TestMigratePackages(t *testing.T) {
 	assert.NotNil(t, v)
 	assert.NotNil(t, f)
-	ctx := context.Background()
+	ctx := t.Context()
 	dstStorage, p := createLocalStorage(t)
@ -91,7 +90,7 @@ func TestMigrateActionsArtifacts(t *testing.T) {
 	srcStorage, _ := createLocalStorage(t)
 	defer test.MockVariableValue(&storage.ActionsArtifacts, srcStorage)()
-	id := int64(0)
+	id := int64(42)
 	addArtifact := func(storagePath string, status actions.ArtifactStatus) {
 		id++
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -147,6 +147,12 @@ func runServ(c *cli.Context) error {
 		return nil
 	}
 	defer func() {
 		if err := recover(); err != nil {
 			_ = fail(ctx, "Internal Server Error", "Panic: %v\n%s", err, log.Stack(2))
 		}
 	}()
 	keys := strings.Split(c.Args().First(), "-")
 	if len(keys) != 2 || keys[0] != "key" {
 		return fail(ctx, "Key ID format error", "Invalid key argument: %s", c.Args().First())
@ -193,10 +199,7 @@ func runServ(c *cli.Context) error {
 	}
 	verb := words[0]
-	repoPath := words[1]
+	repoPath := strings.TrimPrefix(words[1], "/")
 	if repoPath[0] == '/' {
 		repoPath = repoPath[1:]
 	}
 	var lfsVerb string
 	if verb == lfsAuthenticateVerb {
--- a/cmd/web.go
+++ b/cmd/web.go
@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
 	_ "net/http/pprof" // Used for debugging if enabled and a web server is running
@ -115,6 +116,16 @@ func showWebStartupMessage(msg string) {
 	log.Info("* CustomPath: %s", setting.CustomPath)
 	log.Info("* ConfigFile: %s", setting.CustomConf)
 	log.Info("%s", msg) // show startup message
 	if setting.CORSConfig.Enabled {
 		log.Info("CORS Service Enabled")
 	}
 	if setting.DefaultUILocation != time.Local {
 		log.Info("Default UI Location is %v", setting.DefaultUILocation.String())
 	}
 	if setting.MailService != nil {
 		log.Info("Mail Service Enabled: RegisterEmailConfirm=%v, Service.EnableNotifyMail=%v", setting.Service.RegisterEmailConfirm, setting.Service.EnableNotifyMail)
 	}
 }
 func serveInstall(ctx *cli.Context) error {
@ -184,7 +195,7 @@ func serveInstalled(ctx *cli.Context) error {
 	publicFilesSet.Remove(".well-known")
 	publicFilesSet.Remove("assets")
 	publicFilesSet.Remove("robots.txt")
-	for _, fn := range publicFilesSet.Values() {
+	for fn := range publicFilesSet.Seq() {
 		log.Error("Found legacy public asset %q in CustomPath. Please move it to %s/public/assets/%s", fn, setting.CustomPath, fn)
 	}
 	if _, err := os.Stat(filepath.Join(setting.CustomPath, "robots.txt")); err == nil {
--- a/contrib/fixtures/fixture_generation.go
+++ b/contrib/fixtures/fixture_generation.go
@ -1,80 +0,0 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 //nolint:forbidigo
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"path/filepath"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/unittest"
 )
 // To generate derivative fixtures, execute the following from Gitea's repository base dir:
 // go run -tags 'sqlite sqlite_unlock_notify' contrib/fixtures/fixture_generation.go [fixture...]
 var (
 	generators = []struct {
 		gen  func(ctx context.Context) (string, error)
 		name string
 	}{
 		{
 			models.GetYamlFixturesAccess, "access",
 		},
 	}
 	fixturesDir string
 )
 func main() {
 	pathToGiteaRoot := "."
 	fixturesDir = filepath.Join(pathToGiteaRoot, "models", "fixtures")
 	if err := unittest.CreateTestEngine(unittest.FixturesOptions{
 		Dir: fixturesDir,
 	}); err != nil {
 		fmt.Printf("CreateTestEngine: %+v", err)
 		os.Exit(1)
 	}
 	if err := unittest.PrepareTestDatabase(); err != nil {
 		fmt.Printf("PrepareTestDatabase: %+v\n", err)
 		os.Exit(1)
 	}
 	ctx := context.Background()
 	if len(os.Args) == 0 {
 		for _, r := range os.Args {
 			if err := generate(ctx, r); err != nil {
 				fmt.Printf("generate '%s': %+v\n", r, err)
 				os.Exit(1)
 			}
 		}
 	} else {
 		for _, g := range generators {
 			if err := generate(ctx, g.name); err != nil {
 				fmt.Printf("generate '%s': %+v\n", g.name, err)
 				os.Exit(1)
 			}
 		}
 	}
 }
 func generate(ctx context.Context, name string) error {
 	for _, g := range generators {
 		if g.name == name {
 			data, err := g.gen(ctx)
 			if err != nil {
 				return err
 			}
 			path := filepath.Join(fixturesDir, name+".yml")
 			if err := os.WriteFile(path, []byte(data), 0o644); err != nil {
 				return fmt.Errorf("%s: %+v", path, err)
 			}
 			fmt.Printf("%s created.\n", path)
 			return nil
 		}
 	}
 	return fmt.Errorf("generator not found")
 }
--- a/contrib/ide/vscode/settings.json
+++ b/contrib/ide/vscode/settings.json
@ -1,4 +1,6 @@
 {
  "go.buildTags": "sqlite,sqlite_unlock_notify",
-    "go.testFlags": ["-v"]
+  "go.testFlags": ["-v"],
  "go.lintTool": "golangci-lint",
  "go.lintFlags": ["--fast"]
 }
--- a/contrib/legal/privacy.html.sample
+++ b/contrib/legal/privacy.html.sample
@ -7,11 +7,11 @@
 <body>
  <h1>Privacy Policy</h1>
-  <h4>Last updated: January 29, 2020</h4>
+  <h4>Last updated: December 19, 2024</h4>
  <h2>Who We Are?</h2>
-  <p>Your Gitea Instance</p>
+  <p>Your Forgejo Instance</p>
  <h2>What Personal Data We Collect?</h2>
@ -37,19 +37,19 @@
   <h3>With your Consent</h3>
-   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.com/development/oauth2-provider">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>
+   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://forgejo.org/docs/latest/user/oauth2-provider/">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Forgejo Instance to share your User Personal Information, such as when joining an Organization.</p>
   <h3>With Service Providers</h3>
-   <p>We share User Personal Information with a limited number of service providers who process it on our behalf to provide or improve our Service, and who have agreed to privacy restrictions similar to the ones in our Privacy Statement by signing data protection agreements or making similar commitments. Our service providers perform payment processing, customer support ticketing, network data transmission, security, and other similar services. While Your Gitea Instance processes all User Personal Information in the (country/state where Gitea is deployed), our service providers may process data outside of (country/state where Gitea is deployed), the United States or the European Union.</p>
+   <p>We share User Personal Information with a limited number of service providers who process it on our behalf to provide or improve our Service, and who have agreed to privacy restrictions similar to the ones in our Privacy Statement by signing data protection agreements or making similar commitments. Our service providers perform payment processing, customer support ticketing, network data transmission, security, and other similar services. While Your Forgejo Instance processes all User Personal Information in the (country/state where Forgejo is deployed), our service providers may process data outside of (country/state where Forgejo is deployed), the United States or the European Union.</p>
   <h3>For Security Purposes</h3>
-   <p>If you are a member of an Organization, Your Gitea Instance may share your username, Usage Information, and Device Information associated with that Organization with an owner and/or administrator of the Organization who has agreed to the Corporate Terms of Service or applicable customer agreements, to the extent that such information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
+   <p>If you are a member of an Organization, Your Forgejo Instance may share your username, Usage Information, and Device Information associated with that Organization with an owner and/or administrator of the Organization who has agreed to the Corporate Terms of Service or applicable customer agreements, to the extent that such information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
   <h3>For Legal Disclosure</h3>
-   <p>Your Gitea Instance strives for transparency in complying with legal process and legal obligations. Unless prevented from doing so by law or court order, or in rare, exigent circumstances, we make a reasonable effort to notify users of any legally compelled or required disclosure of their information. Your Gitea Instance may disclose User Personal Information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third parties or the public at large.</p>
+   <p>Your Forgejo Instance strives for transparency in complying with legal process and legal obligations. Unless prevented from doing so by law or court order, or in rare, exigent circumstances, we make a reasonable effort to notify users of any legally compelled or required disclosure of their information. Your Forgejo Instance may disclose User Personal Information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third parties or the public at large.</p>
   <h3>Change in Control or Sale</h3>
@ -57,7 +57,7 @@
   <h3>Aggregate, Non-Personally Identifying Information</h3>
-   <p>We share certain aggregated, non-personally identifying information with others about how our users, collectively, use Your Gitea Instance, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the open source activity across Your Gitea Instance.</p>
+   <p>We share certain aggregated, non-personally identifying information with others about how our users, collectively, use Your Forgejo Instance, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the open source activity across Your Forgejo Instance.</p>
   <p>We <b>don't</b> sell your User Personal Information for monetary or other consideration. </p>
@ -67,34 +67,34 @@
  <ol>
   <li>We use your Registration Information to create your account, and to provide you the Service.</li>
-   <li>We use your User Personal Information, specifically your username, to identify you on Your Gitea Instance.</li>
+   <li>We use your User Personal Information, specifically your username, to identify you on Your Forgejo Instance.</li>
   <li>We use your Profile Information to fill out your Account profile and to share that profile with other users if you ask us to.</li>
   <li>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay.</li>
-   <li>We use User Personal Information and other data to make recommendations for you, such as to suggest projects you may want to follow or contribute to. We learn from your public behavior on Your Gitea Instance—such as the projects you star—to determine your coding interests, and we recommend similar projects. These recommendations are automated decisions, but they have no legal impact on your rights.</li>
+   <li>We use User Personal Information and other data to make recommendations for you, such as to suggest projects you may want to follow or contribute to. We learn from your public behavior on Your Forgejo Instance—such as the projects you star—to determine your coding interests, and we recommend similar projects. These recommendations are automated decisions, but they have no legal impact on your rights.</li>
-   <li>We use Usage Information and Device Information to better understand how our Users use Your Gitea Instance and to improve our Website and Service.</li>
+   <li>We use Usage Information and Device Information to better understand how our Users use Your Forgejo Instance and to improve our Website and Service.</li>
-   <li>We may use your User Personal Information if it is necessary for security purposes or to investigate possible fraud or attempts to harm Your Gitea Instance or our Users.</li>
+   <li>We may use your User Personal Information if it is necessary for security purposes or to investigate possible fraud or attempts to harm Your Forgejo Instance or our Users.</li>
   <li>We may use your User Personal Information to comply with our legal obligations, protect our intellectual property, and enforce our Terms of Service.</li>
   <li>We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first. You can always see what information we have, how we're using it, and what permissions you have given us in your user profile.</li>
  </ol>
-  <h2>How Your Gitea Instance Secures Your Information?</h2>
+  <h2>How Your Forgejo Instance Secures Your Information?</h2>
-  <p>Your Gitea Instance takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.</p>
+  <p>Your Forgejo Instance takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.</p>
  <p>To the extent above, we enforce a written security information program, which:</p>
  <ul>
    <li>aligns with industry recognized frameworks;</li>
    <li>includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of our Users' data;</li>
-    <li>is appropriate to the nature, size, and complexity of Your Gitea Instance’s business operations;</li>
+    <li>is appropriate to the nature, size, and complexity of Your Forgejo Instance’s business operations;</li>
    <li>includes incident response and data breach notification processes; and</li>
-    <li>complies with applicable information security-related laws and regulations in the geographic regions where Your Gitea Instance does business.</li>
+    <li>complies with applicable information security-related laws and regulations in the geographic regions where Your Forgejo Instance does business.</li>
  </ul>
  <p>In the event of a data breach that affects your User Personal Information, we will act promptly to mitigate the impact of a breach and notify any affected Users without undue delay.</p>
-  <p>Transmission of data on Your Gitea Instance is encrypted using SSH, HTTPS (TLS), and git repository content is encrypted at rest. We host Your Gitea Instance at our hosting partner, which they provide data centers with high level of physical and network security.</p>
+  <p>Transmission of data on Your Forgejo Instance is encrypted using SSH, HTTPS (TLS), and git repository content is encrypted at rest. We host Your Forgejo Instance at our hosting partner, which they provide data centers with high level of physical and network security.</p>
  <p><b>Disclaimer:</b> No method of transmission, or method of electronic storage, is 100% secure, therefore, we cannot guarantee absolute security.</p>
@ -102,13 +102,13 @@
   <h3>Cookies</h3>
-   <p>We uses cookies to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of Your Gitea Instance. For security purposes, we use cookies to identify a device. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use our services.</p>
+   <p>We uses cookies to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of Your Forgejo Instance. For security purposes, we use cookies to identify a device. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use our services.</p>
   <h3>Tracking and Analytics</h3>
-   <p>Out of the box, Gitea doesn't use third-party analytics. In case when we opt in to their usage, we do that to help us evaluate our Users' use of Your Gitea Instance, compile statistical reports on activity, and improve our content and Website performance. We only use these third-party analytics providers on certain areas of our Website, and all of them have signed data protection agreements with us that limit the type of User Personal Information they can collect and the purpose for which they can process the information. In addition, we may also deploy internal analytics software to provide similar functionality.</p>
+   <p>Out of the box, Forgejo doesn't use third-party analytics. In case when we opt in to their usage, we do that to help us evaluate our Users' use of Your Forgejo Instance, compile statistical reports on activity, and improve our content and Website performance. We only use these third-party analytics providers on certain areas of our Website, and all of them have signed data protection agreements with us that limit the type of User Personal Information they can collect and the purpose for which they can process the information. In addition, we may also deploy internal analytics software to provide similar functionality.</p>
-   <p>Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Your Gitea Instance responds to browser DNT signals and follows the <a href="https://www.w3.org/TR/tracking-dnt/">W3C standard for responding to DNT signals</a>. If you have not enabled DNT on a browser that supports it, cookies on some parts of our Website will track your online browsing activity on other online services over time, though we do not permit third parties other than our analytics and service providers to track Your Gitea Instance Users' activity over time on Your Gitea Instance.</p>
+   <p>Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Your Forgejo Instance responds to browser DNT signals and follows the <a href="https://www.w3.org/TR/tracking-dnt/">W3C standard for responding to DNT signals</a>. If you have not enabled DNT on a browser that supports it, cookies on some parts of our Website will track your online browsing activity on other online services over time, though we do not permit third parties other than our analytics and service providers to track Your Forgejo Instance Users' activity over time on Your Forgejo Instance.</p>
  <h2>Repository Contents</h2>
@ -118,19 +118,19 @@
  <h2>Public Information</h2>
-  <p>Many of our services and feature are public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service, such as by viewing your profile or repositories or pulling data via our API. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations or archives, to compile public-facing Your Gitea Instance information. Other third parties, such as data brokers, have been known to scrape Your Gitea Instance and compile data as well.</p>
+  <p>Many of our services and feature are public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service, such as by viewing your profile or repositories or pulling data via our API. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations or archives, to compile public-facing Your Forgejo Instance information. Other third parties, such as data brokers, have been known to scrape Your Forgejo Instance and compile data as well.</p>
-  <p>Your User Personal Information associated with your content could be gathered by third parties in these compilations of Your Gitea Instance data. If you do not want your User Personal Information to appear in third parties’ compilations of Your Gitea Instance data, please do not make your User Personal Information publicly available and be sure to configure your email address to be private in your user profile and in your git commit settings.</p>
+  <p>Your User Personal Information associated with your content could be gathered by third parties in these compilations of Your Forgejo Instance data. If you do not want your User Personal Information to appear in third parties’ compilations of Your Forgejo Instance data, please do not make your User Personal Information publicly available and be sure to configure your email address to be private in your user profile and in your git commit settings.</p>
-  <p>If you would like to compile Your Gitea Instance data, you must comply with our Terms of Service regarding scraping and privacy, and you may only use any public-facing User Personal Information you gather for the purpose for which our user authorized it. For example, where a Your Gitea Instance user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for commercial advertising. We expect you to reasonably secure any User Personal Information you have gathered from Your Gitea Instance, and to respond promptly to complaints, removal requests, and "do not contact" requests from Your Gitea Instance or Your Gitea Instance users.</p>
+  <p>If you would like to compile Your Forgejo Instance data, you must comply with our Terms of Service regarding scraping and privacy, and you may only use any public-facing User Personal Information you gather for the purpose for which our user authorized it. For example, where a Your Forgejo Instance user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for commercial advertising. We expect you to reasonably secure any User Personal Information you have gathered from Your Forgejo Instance, and to respond promptly to complaints, removal requests, and "do not contact" requests from Your Forgejo Instance or Your Forgejo Instance users.</p>
-  <p>In similar fashion, projects on Your Gitea Instance may include publicly available User Personal Information collected as part of the collaborative events.</p>
+  <p>In similar fashion, projects on Your Forgejo Instance may include publicly available User Personal Information collected as part of the collaborative events.</p>
  <h2>Organizations</h2>
  <p>If you collaborate on or become a member of an Organization, then its Account owners may receive your User Personal Information. When you accept an invitation to an Organization, you will be notified of the types of information owners may be able to see. If you accept an invitation to an Organization with a verified domain, then the owners of that Organization will be able to see your full email address(es) within that Organization's verified domain(s).</p>
-  <p>Please note, Your Gitea Instance may share your username, Usage Information, and Device Information with the owner of the Organization you are a member of, to the extent that your User Personal Information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
+  <p>Please note, Your Forgejo Instance may share your username, Usage Information, and Device Information with the owner of the Organization you are a member of, to the extent that your User Personal Information is provided only to investigate or respond to a security incident that affects or compromises the security of that particular Organization.</p>
  <p>If you collaborate with or become a member of an Account that has agreed to a Data Protection Addendum (DPA) to this Privacy Policy, then that DPA governs in the event of conflicts between this Privacy Policy and DPA with respect to your activity in the Account.</p>
@ -138,17 +138,17 @@
  <h2>How You Can Access and Control the Information We Collect?</h2>
-  <p>If you're already a Your Gitea Instance user, you may access, update, alter, or delete your basic user information by editing your user profile. You can control the information we collect about you by limiting what information is in your profile, or by keeping your information current.</p>
+  <p>If you're already a Your Forgejo Instance user, you may access, update, alter, or delete your basic user information by editing your user profile. You can control the information we collect about you by limiting what information is in your profile, or by keeping your information current.</p>
-  <p>If Your Gitea Instance processes information about you, such as information receives from third parties, and you do not have an account, then you may, subject to applicable law, access, update, alter, delete, or object to the processing of your personal information by contacting our support.</p>
+  <p>If Your Forgejo Instance processes information about you, such as information receives from third parties, and you do not have an account, then you may, subject to applicable law, access, update, alter, delete, or object to the processing of your personal information by contacting our support.</p>
   <h3>Data Portability</h3>
-   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>
+   <p>As a Your Forgejo Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>
   <h3>Data Retention and Deletion of Data</h3>
-   <p>In general, Your Gitea Instance retains User Personal Information for as long as your account is active, or as needed to provide you service.</p>
+   <p>In general, Your Forgejo Instance retains User Personal Information for as long as your account is active, or as needed to provide you service.</p>
   <p>If you would like to cancel your account or delete your User Personal Information, you may do so in your user profile. We retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 90 days of your request. Feel free to contact our support to request erasure of the data we process on the basis of consent within 30 days.</p>
@ -158,14 +158,14 @@
  <h2>Our Global Privacy Practices</h2>
-  <p>We store and process the information that we collect in the (country/state where Gitea is deployed) in accordance with this Privacy Statement though our service providers may store and process data outside the (country/state where Gitea is deployed). However, we understand that we have Users from different countries and regions with different privacy expectations, and we try to meet those needs even when the (country/state where Gitea is deployed) does not have the same privacy framework as other countries.</p>
+  <p>We store and process the information that we collect in the (country/state where Forgejo is deployed) in accordance with this Privacy Statement though our service providers may store and process data outside the (country/state where Forgejo is deployed). However, we understand that we have Users from different countries and regions with different privacy expectations, and we try to meet those needs even when the (country/state where Forgejo is deployed) does not have the same privacy framework as other countries.</p>
  <p>We provide a high standard of privacy protection—as described in this Privacy Statement—to all our users around the world, regardless of their country of origin or location, and we are proud of the levels of notice, choice, accountability, security, data integrity, access, and recourse we provide. We work hard to comply with the applicable data privacy laws wherever we do business, working with our Data Protection Officer as part of a cross-functional team that oversees our privacy compliance efforts. Additionally, if our vendors or affiliates have access to User Personal Information, they must sign agreements that require them to comply with our privacy policies and with applicable data privacy laws.</p>
  <p>In particular:</p>
  <ul>
-   <li>Your Gitea Instance provides clear methods of unambiguous, informed, specific, and freely given consent at the time of data collection, when we collect your User Personal Information using consent as a basis.</li>
+   <li>Your Forgejo Instance provides clear methods of unambiguous, informed, specific, and freely given consent at the time of data collection, when we collect your User Personal Information using consent as a basis.</li>
   <li>We collect only the minimum amount of User Personal Information necessary for our purposes, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.</li>
   <li>We offer you simple methods of accessing, altering, or deleting the User Personal Information we have collected, where legally permitted.</li>
   <li>We provide our Users notice, choice, accountability, security, and access regarding their User Personal Information, and we limit the purpose for processing it. We also provide our Users a method of recourse and enforcement. These are the Privacy Shield Principles, but they are also just good practices.</li>
@ -173,21 +173,21 @@
  <h2>How We Communicate with You?</h2>
-  <p>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay. For example, if you contact our support with a request, we respond to you via email. You have a lot of control over how your email address is used and shared on and through Your Gitea instance. You may manage your communication preferences in your user profile.</p>
+  <p>We use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay. For example, if you contact our support with a request, we respond to you via email. You have a lot of control over how your email address is used and shared on and through Your Forgejo instance. You may manage your communication preferences in your user profile.</p>
  <p>By design, the Git version control system associates many actions with a User's email address, such as commit messages. We are not able to change many aspects of the Git system. If you would like your email address to remain private, even when you’re commenting on public repositories, you can create a private email address in your user profile. You should also update your local Git configuration to use your private email address. This will not change how we contact you, but it will affect how others see you.</p>
-  <p>Depending on your email settings, Your Gitea instance may occasionally send notification emails about changes in a repository you’re watching, new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, based on your choices and in accordance with applicable laws and regulations. There's an “unsubscribe” link located at the bottom of each of the marketing emails we send you. Note that you can opt out of any communications with us, except the important ones (like from our support and system emails).</p>
+  <p>Depending on your email settings, Your Forgejo instance may occasionally send notification emails about changes in a repository you’re watching, new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, based on your choices and in accordance with applicable laws and regulations. There's an “unsubscribe” link located at the bottom of each of the marketing emails we send you. Note that you can opt out of any communications with us, except the important ones (like from our support and system emails).</p>
  <p>Our emails may contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email.</p>
  <h2>Changes to this Privacy Policy</h2>
-  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>
+  <p>Although most changes are likely to be minor, Your Forgejo Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>
  <h2>Contact</h2>
-  <p>If you have any concerns about privacy, please contact us at <a href="mailto:privacy@your-gitea-instance">privacy@your-gitea-instance</a>. We will respond promptly, within 45 days.</p>
+  <p>If you have any concerns about privacy, please contact us at <a href="mailto:privacy@your-forgejo-instance">privacy@your-forgejo-instance</a>. We will respond promptly, within 45 days.</p>
  <h2>COPYING</h2>
--- a/contrib/legal/tos.html.sample
+++ b/contrib/legal/tos.html.sample
@ -7,26 +7,26 @@
 <body>
  <h1>Terms of Service</h1>
-  <h4>Last updated: January 29, 2020</h4>
+  <h4>Last updated: December 19, 2024</h4>
-  <p>Thank you for choosing Your Gitea Instance! Before you use it, please read this Terms of Service agreement carefully, which contains important contract between us and our users.</p>
+  <p>Thank you for choosing Your Forgejo Instance! Before you use it, please read this Terms of Service agreement carefully, which contains important contract between us and our users.</p>
  <h2>Definitions</h2>
   <ol>
-    <li>An "Account" represents your legal relationship with Your Gitea Instance. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on Your Gitea Instance. “Organizations” are shared workspaces that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.</li>
+    <li>An "Account" represents your legal relationship with Your Forgejo Instance. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on Your Forgejo Instance. “Organizations” are shared workspaces that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.</li>
    <li>The "Agreement" collectively refers to all terms, conditions, and notices referenced or contained in this document and other operating rules, policies (including Privacy Policy) and procedures that we may publish from time to time on this Website.</li>
    <li>“Content” refers to content featured or displayed through the Website, including without limitation code, text, data, articles, images, photographs, graphics, software, applications, packages, designs, features, and other materials that are available on the Website or otherwise available through the Service. "Content" also includes Services. “User-Generated Content” is Content, written or otherwise, created or uploaded by our Users. "Your Content" is Content that you create or own.</li>
-    <li>"Your Gitea Instance", "We", and "Us" refers to Your Gitea Instance, as well as our affiliates, directors, subsidiaries, contractors, licensors, officers, agents, and employees.</li>
+    <li>"Your Forgejo Instance", "We", and "Us" refers to Your Forgejo Instance, as well as our affiliates, directors, subsidiaries, contractors, licensors, officers, agents, and employees.</li>
-    <li>The "Service" refers to applications/software, products, and services provided by Your Gitea Instance.</li>
+    <li>The "Service" refers to applications/software, products, and services provided by Your Forgejo Instance.</li>
    <li>The "User", "You", and "Your" refers to individual person or institution (organizations or company) that has visited or using the Service; that have access or use any part of the Account; or that directs to use the Account to perform its function. Please note that additional terms may apply for Accounts related to business or government.</li>
-    <li>The "Website" refers to Your Gitea Instance's website at <a href="https://your-gitea-instance">your-gitea-instance</a>, including its subdomains and other websites owned by Your Gitea Instance.</li>
+    <li>The "Website" refers to Your Forgejo Instance's website at <a href="https://your-forgejo-instance">your-forgejo-instance</a>, including its subdomains and other websites owned by Your Forgejo Instance.</li>
   </ol>
  <h2>Account Terms</h2>
@ -48,7 +48,7 @@
  <ul>
   <li>You must be a human to create an Account. Accounts registered by "bots" or other automated methods are not permitted. We do permit machine accounts:</li>
   <li>A machine account is an Account set up by an individual human who accepts the Terms on behalf of the Account, provides a valid email address, and is responsible for its actions. A machine account is used exclusively for performing automated tasks. Multiple users may direct the actions of a machine account, but the owner of the Account is ultimately responsible for the machine's actions.</li>
-   <li>You must be age 13 or older. If we learn of any User under that age, we will immediately terminate that User's Account. Different countries may have different minimum age; in such cases you are responsible for complying with your country's regulation. By using Your Gitea Instance, you agree to comply with <a href="https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule">COPPA</a> and/or similar law in your country.</li>
+   <li>You must be age 13 or older. If we learn of any User under that age, we will immediately terminate that User's Account. Different countries may have different minimum age; in such cases you are responsible for complying with your country's regulation. By using Your Forgejo Instance, you agree to comply with <a href="https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule">COPPA</a> and/or similar law in your country.</li>
  </ul>
   <h3>User Account Security</h3>
@ -57,7 +57,7 @@
   <h3>Additional Terms</h3>
-   <p>In some situations, third parties' terms may apply to your use of Your Gitea Instance. For example, you may be a member of an organization on Your Gitea Instance with its own terms or license agreements; you may download an application that integrates with Your Gitea Instance; or you may use Your Gitea Instance to authenticate to another service. Please be aware that while these Terms are our full agreement with you, other parties' terms govern their relationships with you.</p>
+   <p>In some situations, third parties' terms may apply to your use of Your Forgejo Instance. For example, you may be a member of an organization on Your Forgejo Instance with its own terms or license agreements; you may download an application that integrates with Your Forgejo Instance; or you may use Your Forgejo Instance to authenticate to another service. Please be aware that while these Terms are our full agreement with you, other parties' terms govern their relationships with you.</p>
  <h2>Acceptable Use</h2>
@ -73,19 +73,19 @@
    <li>
     <p>You retain ownership of and responsibility for Your Content. If you're posting anything you did not create yourself or do not own the rights to, you agree that you are responsible for any Content you post; that you will only submit Content that you have the right to post; and that you will fully comply with any third party licenses relating to Content you post.</p>
-     <p>Because of above, we need you to grant us -- and other Your Gitea Instance users -- certain legal permissions, listed below in this section. If you upload Content that already comes with a license granting Your Gitea Instance the permissions we need to run our Service, no additional license is required. You understand that you will not receive any payment for any of the rights granted below. The licenses you grant to us will end when you remove Your Content from our servers, unless other Users have forked it.</p>
+     <p>Because of above, we need you to grant us -- and other Your Forgejo Instance users -- certain legal permissions, listed below in this section. If you upload Content that already comes with a license granting Your Forgejo Instance the permissions we need to run our Service, no additional license is required. You understand that you will not receive any payment for any of the rights granted below. The licenses you grant to us will end when you remove Your Content from our servers, unless other Users have forked it.</p>
    </li>
    <li>
     <p>We need the legal right to do things like host Your Content, publish it, and share it. You grant us and our legal successors the right to store, parse, and display Your Content, and make incidental copies as necessary to render the Website and provide the Service. This includes the right to do things like copy it to our database and make backups; show it to you and other users; parse it into a search index or otherwise analyze it on our servers; share it with other users; and perform it, in case Your Content is something like music or video.</p>
-     <p>This license, however, doesn't grant Your Gitea Instance the right to sell Your Content or otherwise distribute or use it outside of our provision of the Service.</p>
+     <p>This license, however, doesn't grant Your Forgejo Instance the right to sell Your Content or otherwise distribute or use it outside of our provision of the Service.</p>
    </li>
    <li>
     <p>Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).</p>
-     <p>If you set your pages and repositories to be viewed publicly, you grant each User of Your Gitea Instance a nonexclusive, worldwide license to use, display, and perform Your Content through the Your Gitea Instance Service and to reproduce Your Content solely on Your Gitea Instance as permitted through Your Gitea Instance's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other Your Gitea Instance Users.</p>
+     <p>If you set your pages and repositories to be viewed publicly, you grant each User of Your Forgejo Instance a nonexclusive, worldwide license to use, display, and perform Your Content through the Your Forgejo Instance Service and to reproduce Your Content solely on Your Forgejo Instance as permitted through Your Forgejo Instance's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other Your Forgejo Instance Users.</p>
    </li>
    <li>
@ -97,7 +97,7 @@
    <li>
     <p>You retain all moral rights to Your Content that you upload, publish, or submit to any part of the Service, including the rights of integrity and attribution. However, you waive these rights and agree not to assert them against us, to enable us to reasonably exercise the rights granted above, but not otherwise.</p>
-     <p>To the extent this agreement is not enforceable by applicable law, you grant Your Gitea Instance the rights we need to use Your Content without attribution and to make reasonable adaptations of Your Content as necessary to render the Website and provide the Service.</p>
+     <p>To the extent this agreement is not enforceable by applicable law, you grant Your Forgejo Instance the rights we need to use Your Content without attribution and to make reasonable adaptations of Your Content as necessary to render the Website and provide the Service.</p>
    </li>
   </ol>
@ -106,27 +106,27 @@
   <ol>
    <li>Some Accounts may have private repositories, which allow the User to control access to Content.</li>
-    <li>Your Gitea Instance considers the contents of private repositories to be confidential to you. Your Gitea Instance will protect the contents of private repositories from unauthorized use, access, or disclosure in the same manner that we would use to protect our own confidential information of a similar nature and in no event with less than a reasonable degree of care.</li>
+    <li>Your Forgejo Instance considers the contents of private repositories to be confidential to you. Your Forgejo Instance will protect the contents of private repositories from unauthorized use, access, or disclosure in the same manner that we would use to protect our own confidential information of a similar nature and in no event with less than a reasonable degree of care.</li>
    <li>
-     <p>Your Gitea Instance employees may only access the content of your private repositories in the following situations:</p>
+     <p>Your Forgejo Instance employees may only access the content of your private repositories in the following situations:</p>
     <ul>
-      <li>With your consent and knowledge, for support reasons. If Your Gitea Instance accesses a private repository for support reasons, we will only do so with the owner’s consent and knowledge.</li>
+      <li>With your consent and knowledge, for support reasons. If Your Forgejo Instance accesses a private repository for support reasons, we will only do so with the owner’s consent and knowledge.</li>
-      <li>When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of Your Gitea Instance's systems and Service.</li>
+      <li>When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of Your Forgejo Instance's systems and Service.</li>
     </ul>
    </li>
-    <li>You may choose to enable additional access to your private repositories. For example: You may enable various Your Gitea Instance services or features that require additional rights to Your Content in private repositories. These rights may vary depending on the service or feature, but Your Gitea Instance will continue to treat your private repository Content as confidential. If those services or features require rights in addition to those we need to provide the Your Gitea Instance Service, we will provide an explanation of those rights.</li>
+    <li>You may choose to enable additional access to your private repositories. For example: You may enable various Your Forgejo Instance services or features that require additional rights to Your Content in private repositories. These rights may vary depending on the service or feature, but Your Forgejo Instance will continue to treat your private repository Content as confidential. If those services or features require rights in addition to those we need to provide the Your Forgejo Instance Service, we will provide an explanation of those rights.</li>
   </ol>
  <h2>Copyright Infringement and DMCA Policy</h2>
-  <p>If you are copyright owner and believe that content on our website violates your copyright, please contact us at <a href="mailto:copyright@your-gitea-instance">copyright@your-gitea-instance</a>. Please note that before sending a takedown notice, consider legal uses (such as fair use and licensed use); and legal consequences for sending false notices.</p>
+  <p>If you are copyright owner and believe that content on our website violates your copyright, please contact us at <a href="mailto:copyright@your-forgejo-instance">copyright@your-forgejo-instance</a>. Please note that before sending a takedown notice, consider legal uses (such as fair use and licensed use); and legal consequences for sending false notices.</p>
  <h2>Intellectual Properties and COPYING</h2>
-  <p>Your Gitea Instance and our licensors, vendors, agents, and/or our content providers retain ownership of all intellectual property rights of any kind related to the Website and Service. We reserve all rights that are not expressly granted to you under this Agreement or by law. The look and feel of the Website and Service is copyright © Your Gitea Instance. All rights reserved.</p>
+  <p>Your Forgejo Instance and our licensors, vendors, agents, and/or our content providers retain ownership of all intellectual property rights of any kind related to the Website and Service. We reserve all rights that are not expressly granted to you under this Agreement or by law. The look and feel of the Website and Service is copyright © Your Forgejo Instance. All rights reserved.</p>
  <p>If you'd like to use our trademarks, you must follow all of our trademark guidelines.</p>
@ -134,13 +134,13 @@
  <h2>API Terms</h2>
-  <p>Abuse or excessively frequent requests to Your Gitea Instance via the API may result in the temporary or permanent suspension of your Account's access to the API. Your Gitea Instance, in our sole discretion, will determine abuse or excessive usage of the API. We will make a reasonable attempt to warn you via email prior to suspension.</p>
+  <p>Abuse or excessively frequent requests to Your Forgejo Instance via the API may result in the temporary or permanent suspension of your Account's access to the API. Your Forgejo Instance, in our sole discretion, will determine abuse or excessive usage of the API. We will make a reasonable attempt to warn you via email prior to suspension.</p>
-  <p>You may not share API tokens to exceed Your Gitea Instance's rate limitations.</p>
+  <p>You may not share API tokens to exceed Your Forgejo Instance's rate limitations.</p>
-  <p>You may not use the API to download data or Content from Your Gitea Instance for spamming purposes, including for the purposes of selling Your Gitea Instance users' personal information, such as to recruiters, headhunters, and job boards.</p>
+  <p>You may not use the API to download data or Content from Your Forgejo Instance for spamming purposes, including for the purposes of selling Your Forgejo Instance users' personal information, such as to recruiters, headhunters, and job boards.</p>
-  <p>All use of the Your Gitea Instance API is subject to these Terms of Service and the Your Gitea Instance Privacy Statement.</p>
+  <p>All use of the Your Forgejo Instance API is subject to these Terms of Service and the Your Forgejo Instance Privacy Statement.</p>
  <p>However, we may provide subscription-based access to our API for Users who need high-throughput access or reselling our Service.</p>
@ -149,7 +149,7 @@
   <h3>Account Cancellation</h3>
-   <p>It is your responsibility to properly cancel your Account with Your Gitea Instance. You can cancel your Account at any time by going into your Settings in the global navigation bar at the top of the screen. The Account screen provides a simple, no questions asked cancellation link. We are not able to cancel Accounts in response to an email or phone request.</p>
+   <p>It is your responsibility to properly cancel your Account with Your Forgejo Instance. You can cancel your Account at any time by going into your Settings in the global navigation bar at the top of the screen. The Account screen provides a simple, no questions asked cancellation link. We are not able to cancel Accounts in response to an email or phone request.</p>
   <h3>Upon Cancellation</h3>
@ -161,7 +161,7 @@
   <h3>We May Terminate</h3>
-   <p>Your Gitea Instance has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. Your Gitea Instance reserves the right to refuse service to anyone for any reason at any time.</p>
+   <p>Your Forgejo Instance has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. Your Forgejo Instance reserves the right to refuse service to anyone for any reason at any time.</p>
   <h3>Survival</h3>
@ -175,7 +175,7 @@
   <h3>Legal Notices to Us Must Be in Writing</h3>
-   <p>Communications made through email or Your Gitea Instance Support's messaging system will not constitute legal notice to Your Gitea Instance or any of its officers, employees, agents or representatives in any situation where notice to Your Gitea Instance is required by contract or any law or regulation. Legal notice to Your Gitea Instance must be in writing and served on Your Gitea Instance's legal agent.</p>
+   <p>Communications made through email or Your Forgejo Instance Support's messaging system will not constitute legal notice to Your Forgejo Instance or any of its officers, employees, agents or representatives in any situation where notice to Your Forgejo Instance is required by contract or any law or regulation. Legal notice to Your Forgejo Instance must be in writing and served on Your Forgejo Instance's legal agent.</p>
   <h3>No Phone Support</h3>
@ -183,9 +183,9 @@
  <h2>Disclaimer of Warranties</h2>
-  <p>Your Gitea Instance provides the Website and the Service “as is” and “as available,” without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Website and the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.</p>
+  <p>Your Forgejo Instance provides the Website and the Service “as is” and “as available,” without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Website and the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.</p>
-  <p>Your Gitea Instance does not warrant that the Service will meet your requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. You assume full responsibility and risk of loss resulting from your downloading and/or use of files, information, content or other material obtained from the Service.</p>
+  <p>Your Forgejo Instance does not warrant that the Service will meet your requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. You assume full responsibility and risk of loss resulting from your downloading and/or use of files, information, content or other material obtained from the Service.</p>
  <h2>Limitation of Liability</h2>
@ -212,9 +212,9 @@
  <h2>Release and Indemnification</h2>
-  <p>If you have a dispute with one or more Users, you agree to release Your Gitea Instance from any and all claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.</p>
+  <p>If you have a dispute with one or more Users, you agree to release Your Forgejo Instance from any and all claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.</p>
-  <p>You agree to indemnify us, defend us, and hold us harmless from and against any and all claims, liabilities, and expenses, including attorneys’ fees, arising out of your use of the Website and the Service, including but not limited to your violation of this Agreement, provided that Your Gitea Instance (1) promptly gives you written notice of the claim, demand, suit or proceeding; (2) gives you sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that you may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases Your Gitea Instance of all liability); and (3) provides to you all reasonable assistance, at your expense.</p>
+  <p>You agree to indemnify us, defend us, and hold us harmless from and against any and all claims, liabilities, and expenses, including attorneys’ fees, arising out of your use of the Website and the Service, including but not limited to your violation of this Agreement, provided that Your Forgejo Instance (1) promptly gives you written notice of the claim, demand, suit or proceeding; (2) gives you sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that you may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases Your Forgejo Instance of all liability); and (3) provides to you all reasonable assistance, at your expense.</p>
  <h2>Changes to These Terms</h2>
@ -224,22 +224,22 @@
   <h3>Governing Law</h3>
-   <p>Except to the extent applicable law provides otherwise, this Agreement between you and us and any access to or use of the Website or the Service are governed by (national laws of country/state where Gitea is deployed) and (regional laws of locality where Gitea is deployed), without regard to conflict of law provisions. You and Your Gitea Instance agree to submit to the exclusive jurisdiction and venue of the courts located in (locality where Gitea is deployed).</p>
+   <p>Except to the extent applicable law provides otherwise, this Agreement between you and us and any access to or use of the Website or the Service are governed by (national laws of country/state where Forgejo is deployed) and (regional laws of locality where Forgejo is deployed), without regard to conflict of law provisions. You and Your Forgejo Instance agree to submit to the exclusive jurisdiction and venue of the courts located in (locality where Forgejo is deployed).</p>
   <h3>Non-Assignability</h3>
-   <p>Your Gitea Instance may assign or delegate these Terms of Service and/or our Privacy Policy in whole or in part, to any person or entity at any time with or without your consent, including the license granted in <i>User-Generated Content</i>. You may not assign or delegate any rights or obligations under the Terms of Service or Privacy Statement without our prior written consent, and any unauthorized assignment and delegation by you is void.</p>
+   <p>Your Forgejo Instance may assign or delegate these Terms of Service and/or our Privacy Policy in whole or in part, to any person or entity at any time with or without your consent, including the license granted in <i>User-Generated Content</i>. You may not assign or delegate any rights or obligations under the Terms of Service or Privacy Statement without our prior written consent, and any unauthorized assignment and delegation by you is void.</p>
   <h3>Severablity, No Waiver, and Survival</h3>
-   <p>If any part of this Agreement is held invalid or unenforceable, that portion of the Agreement will be construed to reflect the parties’ original intent. The remaining portions will remain in full force and effect. Any failure on the part of Your Gitea Instance to enforce any provision of this Agreement will not be considered a waiver of our right to enforce such provision. Our rights under this Agreement will survive any termination of this Agreement.</p>
+   <p>If any part of this Agreement is held invalid or unenforceable, that portion of the Agreement will be construed to reflect the parties’ original intent. The remaining portions will remain in full force and effect. Any failure on the part of Your Forgejo Instance to enforce any provision of this Agreement will not be considered a waiver of our right to enforce such provision. Our rights under this Agreement will survive any termination of this Agreement.</p>
   <h3>Amendments and Complete Agreement</h3>
-   <p>This Agreement may only be modified by a written amendment signed by an authorized representative of Your Gitea Instance, or by the posting by Your Gitea Instance of a revised version in accordance with <i>Changes to These Terms</i>. These Terms of Service, together with the Your Gitea Instance Privacy Policy, represent the complete and exclusive statement of the agreement between you and us. This Agreement supersedes any proposal or prior agreement oral or written, and any other communications between you and Your Gitea Instance relating to the subject matter of these terms including any confidentiality or nondisclosure agreements.</p>
+   <p>This Agreement may only be modified by a written amendment signed by an authorized representative of Your Forgejo Instance, or by the posting by Your Forgejo Instance of a revised version in accordance with <i>Changes to These Terms</i>. These Terms of Service, together with the Your Forgejo Instance Privacy Policy, represent the complete and exclusive statement of the agreement between you and us. This Agreement supersedes any proposal or prior agreement oral or written, and any other communications between you and Your Forgejo Instance relating to the subject matter of these terms including any confidentiality or nondisclosure agreements.</p>
   <h3>Contact</h3>
-   <p>If you have questions about these Terms of Service, you can <a href="mailto:support@your-gitea-instance">contact our support</a>.</p>
+   <p>If you have questions about these Terms of Service, you can <a href="mailto:support@your-forgejo-instance">contact our support</a>.</p>
 </body>
 </html>
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -328,6 +328,10 @@ RUN_USER = ; git
 ;; Maximum number of locks returned per page
 ;LFS_LOCKS_PAGING_NUM = 50
 ;;
 ;; When clients make lfs batch requests, reject them if there are more pointers than this number
 ;; zero means 'unlimited'
 ;LFS_MAX_BATCH_SIZE = 0
 ;;
 ;; Allow graceful restarts using SIGHUP to fork
 ;ALLOW_GRACEFUL_RESTARTS = true
 ;;
@ -349,16 +353,25 @@ RUN_USER = ; git
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
+;; Database to use. Either "sqlite3", "mySQL" or "postgres".
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; SQLite Configuration
 ;;
 DB_TYPE = sqlite3
 ;PATH= ; defaults to data/forgejo.db
 ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
 ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; MySQL Configuration
 ;;
-DB_TYPE = mysql
+;DB_TYPE = mysql
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
-NAME = gitea
+;NAME = gitea
-USER = root
+;USER = root
 ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
 ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
@ -377,26 +390,6 @@ USER = root
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; SQLite Configuration
 ;;
 ;DB_TYPE = sqlite3
 ;PATH= ; defaults to data/forgejo.db
 ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
 ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; MSSQL Configuration
 ;;
 ;DB_TYPE = mssql
 ;HOST = 172.17.0.2:1433
 ;NAME = gitea
 ;USER = SA
 ;PASSWD = MwantsaSecurePassword1
 ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Other settings
 ;;
 ;; For iterate buffer, default is 50
@ -529,7 +522,8 @@ INTERNAL_TOKEN =
 ;; HMAC to encode urls with, it **is required** if camo is enabled.
 ;HMAC_KEY =
 ;; Set to true to use camo for https too lese only non https urls are proxyed
-;ALLWAYS = false
+;; ALLWAYS is deprecated and will be removed in the future
 ;ALWAYS = false
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -907,6 +901,9 @@ LEVEL = Info
 ;; Show Registration button
 ;SHOW_REGISTRATION_BUTTON = true
 ;;
 ;; Whether to allow internal signin
 ; ENABLE_INTERNAL_SIGNIN = true
 ;;
 ;; Show milestones dashboard page - a view of all the user's milestones
 ;SHOW_MILESTONES_DASHBOARD_PAGE = true
 ;;
@ -924,6 +921,24 @@ LEVEL = Info
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[service.explore]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Only allow signed in users to view the explore pages.
 ;REQUIRE_SIGNIN_VIEW = false
 ;;
 ;; Disable the users explore page.
 ;DISABLE_USERS_PAGE = false
 ;;
 ;; Disable the organizations explore page.
 ;DISABLE_ORGANIZATIONS_PAGE = false
 ;;
 ;; Disable the code explore page.
 ;DISABLE_CODE_PAGE = false
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1926,7 +1941,7 @@ LEVEL = Info
 ;ENABLED = true
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-;ALLOWED_TYPES = .cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
+;ALLOWED_TYPES = .avif,.cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.webp,.xls,.xlsx,.zip
 ;;
 ;; Max size of each file. Defaults to 2048MB
 ;MAX_SIZE = 2048
@ -2295,7 +2310,7 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Delete all old actions from database
+;; Delete all old activities from database
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[cron.delete_old_actions]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2392,8 +2407,8 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; The first locale will be used as the default if user browser's language doesn't match any locale in the list.
-;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN
+;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,nds,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg,it-IT,fi-FI,fil,eo,tr-TR,cs-CZ,sl,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID
-;NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം
+;NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Plattdüütsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2653,6 +2668,16 @@ LEVEL = Info
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = lfs/
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; settings for Gitea's LFS client (eg: mirroring an upstream lfs endpoint)
 ;;
 ;[lfs_client]
 ;; Limit the number of pointers in each batch request to this number
 ;BATCH_SIZE = 20
 ;; Limit the number of concurrent upload/download operations within a batch
 ;BATCH_OPERATION_CONCURRENCY = 8
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; settings for packages, will override storage setting
--- a/docker/root/usr/bin/entrypoint
+++ b/docker/root/usr/bin/entrypoint
@ -37,5 +37,5 @@ done
 if [ $# -gt 0 ]; then
    exec "$@"
 else
-    exec /bin/s6-svscan /etc/s6
+    exec /usr/bin/s6-svscan /etc/s6
 fi
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
--- a/flake.lock
+++ b/flake.lock
@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1720542800,
+        "lastModified": 1733392399,
-        "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=",
+        "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "feb2849fdeb70028c70d73b848214b00d324a497",
+        "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -3,14 +3,15 @@
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };
-  outputs =
+  outputs = {
-    { nixpkgs, flake-utils, ... }:
+    nixpkgs,
    flake-utils,
    ...
  }:
    flake-utils.lib.eachDefaultSystem (
-      system:
+      system: let
      let
        pkgs = nixpkgs.legacyPackages.${system};
-      in
+      in {
      {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            # generic
@ -29,9 +30,10 @@
            poetry
            # backend
            go_1_22
            gofumpt
            sqlite
            go
            gopls
          ];
        };
      }
--- a/go.mod
+++ b/go.mod
@ -1,31 +1,33 @@
 module code.gitea.io/gitea
-go 1.23.1
+go 1.24
 toolchain go1.24.1
 require (
-	code.forgejo.org/f3/gof3/v3 v3.7.0
+	code.forgejo.org/f3/gof3/v3 v3.10.4
 	code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/go-chi/cache v0.0.0-20240912103640-dcb08fba860d
+	code.forgejo.org/go-chi/binding v1.0.0
-	code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5
+	code.forgejo.org/go-chi/cache v1.0.0
-	code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2
+	code.forgejo.org/go-chi/captcha v1.0.1
 	code.forgejo.org/go-chi/session v1.0.1
 	code.gitea.io/actions-proto-go v0.4.0
-	code.gitea.io/gitea-vet v0.2.3
+	code.gitea.io/sdk/gitea v0.20.0
 	code.gitea.io/sdk/gitea v0.17.1
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
 	connectrpc.com/connect v1.17.0
-	gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed
+	github.com/42wim/httpsig v1.2.2
 	gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4
 	github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
-	github.com/ProtonMail/go-crypto v1.0.0
+	github.com/ProtonMail/go-crypto v1.1.6
-	github.com/PuerkitoBio/goquery v1.10.0
+	github.com/PuerkitoBio/goquery v1.10.2
 	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.2
-	github.com/alecthomas/chroma/v2 v2.14.0
+	github.com/alecthomas/chroma/v2 v2.15.0
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
-	github.com/blevesearch/bleve/v2 v2.4.2
+	github.com/blevesearch/bleve/v2 v2.4.4
-	github.com/buildkite/terminal-to-html/v3 v3.16.2
+	github.com/buildkite/terminal-to-html/v3 v3.16.6
-	github.com/caddyserver/certmagic v0.21.0
+	github.com/caddyserver/certmagic v0.22.0
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
@ -34,82 +36,80 @@ require (
 	github.com/editorconfig/editorconfig-core-go/v2 v2.6.2
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
-	github.com/fsnotify/fsnotify v1.7.0
+	github.com/fsnotify/fsnotify v1.8.0
-	github.com/gliderlabs/ssh v0.3.7
+	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
 	github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73
-	github.com/go-chi/chi/v5 v5.1.0
+	github.com/go-chi/chi/v5 v5.2.0
 	github.com/go-chi/cors v1.2.1
 	github.com/go-co-op/gocron v1.37.0
-	github.com/go-enry/go-enry/v2 v2.8.9
+	github.com/go-enry/go-enry/v2 v2.9.2
-	github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e
+	github.com/go-git/go-git/v5 v5.13.2
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-openapi/spec v0.20.14
 	github.com/go-sql-driver/mysql v1.8.1
-	github.com/go-swagger/go-swagger v0.30.5
+	github.com/go-testfixtures/testfixtures/v3 v3.14.0
 	github.com/go-testfixtures/testfixtures/v3 v3.12.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v64 v64.0.0
-	github.com/google/pprof v0.0.0-20240528025155-186aa0362fba
+	github.com/google/pprof v0.0.0-20241017200806-017d972448fc
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
-	github.com/gorilla/sessions v1.2.2
+	github.com/gorilla/sessions v1.4.0
-	github.com/h2non/gock v1.2.0
+	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
 	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056
-	github.com/jhillyerd/enmime v1.3.0
+	github.com/jhillyerd/enmime/v2 v2.1.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.17.9
+	github.com/klauspost/compress v1.17.11
-	github.com/klauspost/cpuid/v2 v2.2.8
+	github.com/klauspost/cpuid/v2 v2.2.10
 	github.com/lib/pq v1.10.9
 	github.com/markbates/goth v1.80.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/mattn/go-sqlite3 v1.14.24
-	github.com/meilisearch/meilisearch-go v0.28.0
+	github.com/meilisearch/meilisearch-go v0.31.0
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/minio/minio-go/v7 v7.0.74
+	github.com/minio/minio-go/v7 v7.0.85
 	github.com/msteinert/pam v1.2.0
 	github.com/nektos/act v0.2.52
 	github.com/niklasfasching/go-org v1.7.0
 	github.com/olivere/elastic/v7 v7.0.32
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/pquerna/otp v1.4.0
-	github.com/prometheus/client_golang v1.18.0
+	github.com/prometheus/client_golang v1.21.1
-	github.com/quasoft/websspi v1.1.2
+	github.com/redis/go-redis/v9 v9.7.0
 	github.com/redis/go-redis/v9 v9.6.1
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
 	github.com/sassoftware/go-rpmutils v0.4.0
-	github.com/sergi/go-diff v1.3.1
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/ulikunitz/xz v0.5.12
-	github.com/urfave/cli/v2 v2.27.4
+	github.com/urfave/cli/v2 v2.27.6
 	github.com/valyala/fastjson v1.6.4
 	github.com/xanzy/go-gitlab v0.109.0
 	github.com/yohcop/openid-go v1.0.1
-	github.com/yuin/goldmark v1.7.4
+	github.com/yuin/goldmark v1.7.8
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.123.0
 	go.uber.org/mock v0.4.0
-	golang.org/x/crypto v0.27.0
+	golang.org/x/crypto v0.36.0
-	golang.org/x/image v0.20.0
+	golang.org/x/image v0.25.0
-	golang.org/x/net v0.29.0
+	golang.org/x/net v0.37.0
-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sys v0.25.0
+	golang.org/x/sync v0.12.0
-	golang.org/x/text v0.18.0
+	golang.org/x/sys v0.31.0
-	golang.org/x/tools v0.25.0
+	golang.org/x/text v0.23.0
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.71.0
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1
@ -119,32 +119,36 @@ require (
 )
 require (
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cel.dev/expr v0.19.1 // indirect
 	cloud.google.com/go v0.116.0 // indirect
 	cloud.google.com/go/auth v0.9.9 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.2.1 // indirect
 	cloud.google.com/go/longrunning v0.6.1 // indirect
 	cloud.google.com/go/monitoring v1.21.1 // indirect
 	cloud.google.com/go/spanner v1.73.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
 	github.com/ClickHouse/ch-go v0.61.5 // indirect
 	github.com/ClickHouse/clickhouse-go/v2 v2.26.0 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
-	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/RoaringBitmap/roaring v1.9.3 // indirect
-	github.com/andybalholm/brotli v1.1.0 // indirect
+	github.com/andybalholm/brotli v1.1.1 // indirect
-	github.com/andybalholm/cascadia v1.3.2 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.1.10 // indirect
+	github.com/blevesearch/bleve_index_api v1.1.12 // indirect
 	github.com/blevesearch/geo v0.1.20 // indirect
-	github.com/blevesearch/go-faiss v1.0.20 // indirect
+	github.com/blevesearch/go-faiss v1.0.24 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.2.15 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.2.16 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
@ -153,146 +157,136 @@ require (
 	github.com/blevesearch/zapx/v12 v12.3.10 // indirect
 	github.com/blevesearch/zapx/v13 v13.3.10 // indirect
 	github.com/blevesearch/zapx/v14 v14.3.10 // indirect
-	github.com/blevesearch/zapx/v15 v15.3.13 // indirect
+	github.com/blevesearch/zapx/v15 v15.3.16 // indirect
-	github.com/blevesearch/zapx/v16 v16.1.5 // indirect
+	github.com/blevesearch/zapx/v16 v16.1.9-0.20241217210638-a0519e7caf3b // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 // indirect
-	github.com/caddyserver/zerossl v0.1.2 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/dlclark/regexp2 v1.11.0 // indirect
+	github.com/dlclark/regexp2 v1.11.4 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
-	github.com/go-faster/city v1.0.1 // indirect
+	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-faster/errors v0.7.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-openapi/analysis v0.22.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/inflect v0.19.0 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
 	github.com/go-openapi/loads v0.21.5 // indirect
 	github.com/go-openapi/runtime v0.26.2 // indirect
 	github.com/go-openapi/spec v0.20.14 // indirect
 	github.com/go-openapi/strfmt v0.22.0 // indirect
 	github.com/go-openapi/swag v0.22.7 // indirect
 	github.com/go-openapi/validate v0.22.6 // indirect
 	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/golang/geo v0.0.0-20230421003525-6adc56603217 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.1 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/googleapis/go-sql-spanner v1.7.4 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jessevdk/go-flags v1.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/libdns/libdns v0.2.3 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/markbates/going v1.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mholt/acmez/v2 v2.0.1 // indirect
+	github.com/mholt/acmez/v3 v3.1.0 // indirect
-	github.com/miekg/dns v1.1.59 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/paulmach/orb v0.11.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rhysd/actionlint v1.6.27 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rs/xid v1.6.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	github.com/zeebo/blake3 v0.2.3 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
 	go.etcd.io/bbolt v1.3.9 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
+	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel v1.26.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
 	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
-	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/api v0.203.0 // indirect
 	google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0
-replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.21.3
+replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.23.1
 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1
 replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
--- a/go.sum
+++ b/go.sum
--- a/models/actions/artifact.go
+++ b/models/actions/artifact.go
@ -69,7 +69,7 @@ func CreateArtifact(ctx context.Context, t *ActionTask, artifactName, artifactPa
 			OwnerID:      t.OwnerID,
 			CommitSHA:    t.CommitSHA,
 			Status:       int64(ArtifactStatusUploadPending),
-			ExpiredUnix:  timeutil.TimeStamp(time.Now().Unix() + 3600*24*expiredDays),
+			ExpiredUnix:  timeutil.TimeStamp(time.Now().Unix() + timeutil.Day*expiredDays),
 		}
 		if _, err := db.GetEngine(ctx).Insert(artifact); err != nil {
 			return nil, err
@ -78,6 +78,13 @@ func CreateArtifact(ctx context.Context, t *ActionTask, artifactName, artifactPa
 	} else if err != nil {
 		return nil, err
 	}
 	if _, err := db.GetEngine(ctx).ID(artifact.ID).Cols("expired_unix").Update(&ActionArtifact{
 		ExpiredUnix: timeutil.TimeStamp(time.Now().Unix() + timeutil.Day*expiredDays),
 	}); err != nil {
 		return nil, err
 	}
 	return artifact, nil
 }
--- a/models/actions/run.go
+++ b/models/actions/run.go
@ -37,6 +37,7 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	ScheduleID        int64
 	Ref               string `xorm:"index"` // the commit/tag/… that caused the run
 	IsRefDeleted      bool   `xorm:"-"`
 	CommitSHA         string
 	IsForkPullRequest bool                         // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
 	NeedApproval      bool                         // may need approval if it's a fork pull request
@ -146,7 +147,11 @@ func (run *ActionRun) GetPushEventPayload() (*api.PushPayload, error) {
 }
 func (run *ActionRun) GetPullRequestEventPayload() (*api.PullRequestPayload, error) {
-	if run.Event == webhook_module.HookEventPullRequest || run.Event == webhook_module.HookEventPullRequestSync {
+	if run.Event == webhook_module.HookEventPullRequest ||
 		run.Event == webhook_module.HookEventPullRequestSync ||
 		run.Event == webhook_module.HookEventPullRequestAssign ||
 		run.Event == webhook_module.HookEventPullRequestMilestone ||
 		run.Event == webhook_module.HookEventPullRequestLabel {
 		var payload api.PullRequestPayload
 		if err := json.Unmarshal([]byte(run.EventPayload), &payload); err != nil {
 			return nil, err
@ -250,6 +255,7 @@ func CancelPreviousJobs(ctx context.Context, repoID int64, ref, workflowID strin
 }
 // InsertRun inserts a run
 // The title will be cut off at 255 characters if it's longer than 255 characters.
 func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWorkflow) error {
 	ctx, commiter, err := db.TxContext(ctx)
 	if err != nil {
@ -262,6 +268,7 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork
 		return err
 	}
 	run.Index = index
 	run.Title, _ = util.SplitStringAtByteN(run.Title, 255)
 	if err := db.Insert(ctx, run); err != nil {
 		return err
@ -387,6 +394,7 @@ func UpdateRun(ctx context.Context, run *ActionRun, cols ...string) error {
 	if len(cols) > 0 {
 		sess.Cols(cols...)
 	}
 	run.Title, _ = util.SplitStringAtByteN(run.Title, 255)
 	affected, err := sess.Update(run)
 	if err != nil {
 		return err
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@ -10,6 +10,7 @@ import (
 	"time"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
@ -71,6 +72,15 @@ func (job *ActionRunJob) LoadAttributes(ctx context.Context) error {
 	return job.Run.LoadAttributes(ctx)
 }
 func (job *ActionRunJob) ItRunsOn(labels []string) bool {
 	if len(labels) == 0 || len(job.RunsOn) == 0 {
 		return false
 	}
 	labelSet := make(container.Set[string])
 	labelSet.AddMultiple(labels...)
 	return labelSet.IsSubset(job.RunsOn)
 }
 func GetRunJobByID(ctx context.Context, id int64) (*ActionRunJob, error) {
 	var job ActionRunJob
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&job)
@ -137,7 +147,7 @@ func UpdateRunJob(ctx context.Context, job *ActionRunJob, cond builder.Cond, col
 		if err != nil {
 			return 0, err
 		}
-		run.Status = aggregateJobStatus(jobs)
+		run.Status = AggregateJobStatus(jobs)
 		if run.Started.IsZero() && run.Status.IsRunning() {
 			run.Started = timeutil.TimeStampNow()
 		}
@ -152,29 +162,35 @@ func UpdateRunJob(ctx context.Context, job *ActionRunJob, cond builder.Cond, col
 	return affected, nil
 }
-func aggregateJobStatus(jobs []*ActionRunJob) Status {
+func AggregateJobStatus(jobs []*ActionRunJob) Status {
-	allDone := true
+	allSuccessOrSkipped := len(jobs) != 0
-	allWaiting := true
+	allSkipped := len(jobs) != 0
-	hasFailure := false
+	var hasFailure, hasCancelled, hasWaiting, hasRunning, hasBlocked bool
 	for _, job := range jobs {
-		if !job.Status.IsDone() {
+		allSuccessOrSkipped = allSuccessOrSkipped && (job.Status == StatusSuccess || job.Status == StatusSkipped)
-			allDone = false
+		allSkipped = allSkipped && job.Status == StatusSkipped
-		}
+		hasFailure = hasFailure || job.Status == StatusFailure
-		if job.Status != StatusWaiting && !job.Status.IsDone() {
+		hasCancelled = hasCancelled || job.Status == StatusCancelled
-			allWaiting = false
+		hasWaiting = hasWaiting || job.Status == StatusWaiting
-		}
+		hasRunning = hasRunning || job.Status == StatusRunning
-		if job.Status == StatusFailure || job.Status == StatusCancelled {
+		hasBlocked = hasBlocked || job.Status == StatusBlocked
 			hasFailure = true
 		}
 	}
 	if allDone {
 		if hasFailure {
 			return StatusFailure
 	}
 	switch {
 	case allSkipped:
 		return StatusSkipped
 	case allSuccessOrSkipped:
 		return StatusSuccess
-	}
+	case hasCancelled:
-	if allWaiting {
+		return StatusCancelled
-		return StatusWaiting
+	case hasFailure:
-	}
+		return StatusFailure
 	case hasRunning:
 		return StatusRunning
 	case hasWaiting:
 		return StatusWaiting
 	case hasBlocked:
 		return StatusBlocked
 	default:
 		return StatusUnknown // it shouldn't happen
 	}
 }
--- a/models/actions/run_job_status_test.go
+++ b/models/actions/run_job_status_test.go
@ -0,0 +1,85 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package actions
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestAggregateJobStatus(t *testing.T) {
 	testStatuses := func(expected Status, statuses []Status) {
 		t.Helper()
 		var jobs []*ActionRunJob
 		for _, v := range statuses {
 			jobs = append(jobs, &ActionRunJob{Status: v})
 		}
 		actual := AggregateJobStatus(jobs)
 		if !assert.Equal(t, expected, actual) {
 			var statusStrings []string
 			for _, s := range statuses {
 				statusStrings = append(statusStrings, s.String())
 			}
 			t.Errorf("AggregateJobStatus(%v) = %v, want %v", statusStrings, statusNames[actual], statusNames[expected])
 		}
 	}
 	cases := []struct {
 		statuses []Status
 		expected Status
 	}{
 		// unknown cases, maybe it shouldn't happen in real world
 		{[]Status{}, StatusUnknown},
 		{[]Status{StatusUnknown, StatusSuccess}, StatusUnknown},
 		{[]Status{StatusUnknown, StatusSkipped}, StatusUnknown},
 		{[]Status{StatusUnknown, StatusFailure}, StatusFailure},
 		{[]Status{StatusUnknown, StatusCancelled}, StatusCancelled},
 		{[]Status{StatusUnknown, StatusWaiting}, StatusWaiting},
 		{[]Status{StatusUnknown, StatusRunning}, StatusRunning},
 		{[]Status{StatusUnknown, StatusBlocked}, StatusBlocked},
 		// success with other status
 		{[]Status{StatusSuccess}, StatusSuccess},
 		{[]Status{StatusSuccess, StatusSkipped}, StatusSuccess}, // skipped doesn't affect success
 		{[]Status{StatusSuccess, StatusFailure}, StatusFailure},
 		{[]Status{StatusSuccess, StatusCancelled}, StatusCancelled},
 		{[]Status{StatusSuccess, StatusWaiting}, StatusWaiting},
 		{[]Status{StatusSuccess, StatusRunning}, StatusRunning},
 		{[]Status{StatusSuccess, StatusBlocked}, StatusBlocked},
 		// any cancelled, then cancelled
 		{[]Status{StatusCancelled}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusSuccess}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusSkipped}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusFailure}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusWaiting}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusRunning}, StatusCancelled},
 		{[]Status{StatusCancelled, StatusBlocked}, StatusCancelled},
 		// failure with other status, fail fast
 		// Should "running" win? Maybe no: old code does make "running" win, but GitHub does fail fast.
 		{[]Status{StatusFailure}, StatusFailure},
 		{[]Status{StatusFailure, StatusSuccess}, StatusFailure},
 		{[]Status{StatusFailure, StatusSkipped}, StatusFailure},
 		{[]Status{StatusFailure, StatusCancelled}, StatusCancelled},
 		{[]Status{StatusFailure, StatusWaiting}, StatusFailure},
 		{[]Status{StatusFailure, StatusRunning}, StatusFailure},
 		{[]Status{StatusFailure, StatusBlocked}, StatusFailure},
 		// skipped with other status
 		// TODO: need to clarify whether a PR with "skipped" job status is considered as "mergeable" or not.
 		{[]Status{StatusSkipped}, StatusSkipped},
 		{[]Status{StatusSkipped, StatusSuccess}, StatusSuccess},
 		{[]Status{StatusSkipped, StatusFailure}, StatusFailure},
 		{[]Status{StatusSkipped, StatusCancelled}, StatusCancelled},
 		{[]Status{StatusSkipped, StatusWaiting}, StatusWaiting},
 		{[]Status{StatusSkipped, StatusRunning}, StatusRunning},
 		{[]Status{StatusSkipped, StatusBlocked}, StatusBlocked},
 	}
 	for _, c := range cases {
 		testStatuses(c.expected, c.statuses)
 	}
 }
--- a/models/actions/run_job_test.go
+++ b/models/actions/run_job_test.go
@ -0,0 +1,29 @@
 // SPDX-License-Identifier: MIT
 package actions
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestActionRunJob_ItRunsOn(t *testing.T) {
 	actionJob := ActionRunJob{RunsOn: []string{"ubuntu"}}
 	agentLabels := []string{"ubuntu", "node-20"}
 	assert.True(t, actionJob.ItRunsOn(agentLabels))
 	assert.False(t, actionJob.ItRunsOn([]string{}))
 	actionJob.RunsOn = append(actionJob.RunsOn, "node-20")
 	assert.True(t, actionJob.ItRunsOn(agentLabels))
 	agentLabels = []string{"ubuntu"}
 	assert.False(t, actionJob.ItRunsOn(agentLabels))
 	actionJob.RunsOn = []string{}
 	assert.False(t, actionJob.ItRunsOn(agentLabels))
 }
--- a/models/actions/run_list.go
+++ b/models/actions/run_list.go
@ -10,6 +10,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/translation"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"xorm.io/builder"
@ -112,14 +113,14 @@ type StatusInfo struct {
 }
 // GetStatusInfoList returns a slice of StatusInfo
-func GetStatusInfoList(ctx context.Context) []StatusInfo {
+func GetStatusInfoList(ctx context.Context, lang translation.Locale) []StatusInfo {
 	// same as those in aggregateJobStatus
 	allStatus := []Status{StatusSuccess, StatusFailure, StatusWaiting, StatusRunning}
 	statusInfoList := make([]StatusInfo, 0, 4)
 	for _, s := range allStatus {
 		statusInfoList = append(statusInfoList, StatusInfo{
 			Status:          int(s),
-			DisplayedStatus: s.String(),
+			DisplayedStatus: s.LocaleString(lang),
 		})
 	}
 	return statusInfoList
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@ -271,6 +271,7 @@ func GetRunnerByID(ctx context.Context, id int64) (*ActionRunner, error) {
 // UpdateRunner updates runner's information.
 func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 	e := db.GetEngine(ctx)
 	r.Name, _ = util.SplitStringAtByteN(r.Name, 255)
 	var err error
 	if len(cols) == 0 {
 		_, err = e.ID(r.ID).AllCols().Update(r)
@ -281,27 +282,22 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 }
 // DeleteRunner deletes a runner by given ID.
-func DeleteRunner(ctx context.Context, id int64) error {
+func DeleteRunner(ctx context.Context, r *ActionRunner) error {
 	runner, err := GetRunnerByID(ctx, id)
 	if err != nil {
 		return err
 	}
 	// Replace the UUID, which was either based on the secret's first 16 bytes or an UUIDv4,
 	// with a sequence of 8 0xff bytes followed by the little-endian version of the record's
 	// identifier. This will prevent the deleted record's identifier from colliding with any
 	// new record.
 	b := make([]byte, 8)
-	binary.LittleEndian.PutUint64(b, uint64(id))
+	binary.LittleEndian.PutUint64(b, uint64(r.ID))
-	runner.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
+	r.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
 		b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7])
-	err = UpdateRunner(ctx, runner, "UUID")
+	err := UpdateRunner(ctx, r, "UUID")
 	if err != nil {
 		return err
 	}
-	_, err = db.DeleteByID[ActionRunner](ctx, id)
+	_, err = db.DeleteByID[ActionRunner](ctx, r.ID)
 	return err
 }
@ -312,6 +308,7 @@ func CreateRunner(ctx context.Context, t *ActionRunner) error {
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		t.OwnerID = 0
 	}
 	t.Name, _ = util.SplitStringAtByteN(t.Name, 255)
 	return db.Insert(ctx, t)
 }
--- a/models/actions/runner_test.go
+++ b/models/actions/runner_test.go
@ -34,7 +34,7 @@ func TestDeleteRunner(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	before := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})
-	err := DeleteRunner(db.DefaultContext, recordID)
+	err := DeleteRunner(db.DefaultContext, &ActionRunner{ID: recordID})
 	require.NoError(t, err)
 	var after ActionRunner
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@ -12,7 +12,10 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"xorm.io/builder"
 )
 // ActionSchedule represents a schedule of a workflow file
@ -67,6 +70,7 @@ func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
 	// Loop through each schedule row
 	for _, row := range rows {
 		row.Title, _ = util.SplitStringAtByteN(row.Title, 255)
 		// Create new schedule row
 		if err = db.Insert(ctx, row); err != nil {
 			return err
@ -118,12 +122,13 @@ func DeleteScheduleTaskByRepo(ctx context.Context, id int64) error {
 	return committer.Commit()
 }
-func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository) error {
+func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository, cancelPreviousJobs bool) error {
 	// If actions disabled when there is schedule task, this will remove the outdated schedule tasks
 	// There is no other place we can do this because the app.ini will be changed manually
 	if err := DeleteScheduleTaskByRepo(ctx, repo.ID); err != nil {
 		return fmt.Errorf("DeleteCronTaskByRepo: %v", err)
 	}
 	if cancelPreviousJobs {
 		// cancel running cron jobs of this repository and delete old schedules
 		if err := CancelPreviousJobs(
 			ctx,
@ -134,5 +139,28 @@ func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository) er
 		); err != nil {
 			return fmt.Errorf("CancelPreviousJobs: %v", err)
 		}
 	}
 	return nil
 }
 type FindScheduleOptions struct {
 	db.ListOptions
 	RepoID  int64
 	OwnerID int64
 }
 func (opts FindScheduleOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
 	if opts.OwnerID > 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	return cond
 }
 func (opts FindScheduleOptions) ToOrders() string {
 	return "`id` DESC"
 }
--- a/models/actions/schedule_list.go
+++ b/models/actions/schedule_list.go
@ -1,83 +0,0 @@
 // Copyright 2023 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package actions
 import (
 	"context"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/container"
 	"xorm.io/builder"
 )
 type ScheduleList []*ActionSchedule
 // GetUserIDs returns a slice of user's id
 func (schedules ScheduleList) GetUserIDs() []int64 {
 	return container.FilterSlice(schedules, func(schedule *ActionSchedule) (int64, bool) {
 		return schedule.TriggerUserID, true
 	})
 }
 func (schedules ScheduleList) GetRepoIDs() []int64 {
 	return container.FilterSlice(schedules, func(schedule *ActionSchedule) (int64, bool) {
 		return schedule.RepoID, true
 	})
 }
 func (schedules ScheduleList) LoadTriggerUser(ctx context.Context) error {
 	userIDs := schedules.GetUserIDs()
 	users := make(map[int64]*user_model.User, len(userIDs))
 	if err := db.GetEngine(ctx).In("id", userIDs).Find(&users); err != nil {
 		return err
 	}
 	for _, schedule := range schedules {
 		if schedule.TriggerUserID == user_model.ActionsUserID {
 			schedule.TriggerUser = user_model.NewActionsUser()
 		} else {
 			schedule.TriggerUser = users[schedule.TriggerUserID]
 			if schedule.TriggerUser == nil {
 				schedule.TriggerUser = user_model.NewGhostUser()
 			}
 		}
 	}
 	return nil
 }
 func (schedules ScheduleList) LoadRepos(ctx context.Context) error {
 	repoIDs := schedules.GetRepoIDs()
 	repos, err := repo_model.GetRepositoriesMapByIDs(ctx, repoIDs)
 	if err != nil {
 		return err
 	}
 	for _, schedule := range schedules {
 		schedule.Repo = repos[schedule.RepoID]
 	}
 	return nil
 }
 type FindScheduleOptions struct {
 	db.ListOptions
 	RepoID  int64
 	OwnerID int64
 }
 func (opts FindScheduleOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
 	if opts.OwnerID > 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	return cond
 }
 func (opts FindScheduleOptions) ToOrders() string {
 	return "`id` DESC"
 }
--- a/models/actions/task.go
+++ b/models/actions/task.go
@ -12,7 +12,6 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
@ -245,7 +244,7 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
 	var job *ActionRunJob
 	log.Trace("runner labels: %v", runner.AgentLabels)
 	for _, v := range jobs {
-		if isSubset(runner.AgentLabels, v.RunsOn) {
+		if v.ItRunsOn(runner.AgentLabels) {
 			job = v
 			break
 		}
@ -341,7 +340,7 @@ func UpdateTask(ctx context.Context, task *ActionTask, cols ...string) error {
 // UpdateTaskByState updates the task by the state.
 // It will always update the task if the state is not final, even there is no change.
 // So it will update ActionTask.Updated to avoid the task being judged as a zombie task.
-func UpdateTaskByState(ctx context.Context, state *runnerv1.TaskState) (*ActionTask, error) {
+func UpdateTaskByState(ctx context.Context, runnerID int64, state *runnerv1.TaskState) (*ActionTask, error) {
 	stepStates := map[int64]*runnerv1.StepState{}
 	for _, v := range state.Steps {
 		stepStates[v.Id] = v
@ -360,6 +359,8 @@ func UpdateTaskByState(ctx context.Context, state *runnerv1.TaskState) (*ActionT
 		return nil, err
 	} else if !has {
 		return nil, util.ErrNotExist
 	} else if runnerID != task.RunnerID {
 		return nil, fmt.Errorf("invalid runner for task")
 	}
 	if task.Status.IsDone() {
@ -480,20 +481,6 @@ func FindOldTasksToExpire(ctx context.Context, olderThan timeutil.TimeStamp, lim
 		Find(&tasks)
 }
 func isSubset(set, subset []string) bool {
 	m := make(container.Set[string], len(set))
 	for _, v := range set {
 		m.Add(v)
 	}
 	for _, v := range subset {
 		if !m.Contains(v) {
 			return false
 		}
 	}
 	return true
 }
 func convertTimestamp(timestamp *timestamppb.Timestamp) timeutil.TimeStamp {
 	if timestamp.GetSeconds() == 0 && timestamp.GetNanos() == 0 {
 		return timeutil.TimeStamp(0)
--- a/models/actions/task_list.go
+++ b/models/actions/task_list.go
@ -50,7 +50,7 @@ type FindTaskOptions struct {
 	RepoID        int64
 	OwnerID       int64
 	CommitSHA     string
-	Status        Status
+	Status        []Status
 	UpdatedBefore timeutil.TimeStamp
 	StartedBefore timeutil.TimeStamp
 	RunnerID      int64
@ -67,8 +67,8 @@ func (opts FindTaskOptions) ToConds() builder.Cond {
 	if opts.CommitSHA != "" {
 		cond = cond.And(builder.Eq{"commit_sha": opts.CommitSHA})
 	}
-	if opts.Status > StatusUnknown {
+	if opts.Status != nil {
-		cond = cond.And(builder.Eq{"status": opts.Status})
+		cond = cond.And(builder.In("status", opts.Status))
 	}
 	if opts.UpdatedBefore > 0 {
 		cond = cond.And(builder.Lt{"updated": opts.UpdatedBefore})
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@ -86,7 +86,7 @@ func FindVariables(ctx context.Context, opts FindVariablesOpts) ([]*ActionVariab
 }
 func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
-	count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
+	count, err := db.GetEngine(ctx).ID(variable.ID).Where("owner_id = ? AND repo_id = ?", variable.OwnerID, variable.RepoID).Cols("name", "data").
 		Update(&ActionVariable{
 			Name: variable.Name,
 			Data: variable.Data,
@ -94,11 +94,9 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error)
 	return count != 0, err
 }
-func DeleteVariable(ctx context.Context, id int64) error {
+func DeleteVariable(ctx context.Context, variableID, ownerID, repoID int64) (bool, error) {
-	if _, err := db.DeleteByID[ActionVariable](ctx, id); err != nil {
+	count, err := db.GetEngine(ctx).Table("action_variable").Where("id = ? AND owner_id = ? AND repo_id = ?", variableID, ownerID, repoID).Delete()
-		return err
+	return count != 0, err
 	}
 	return nil
 }
 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
--- a/models/activities/action.go
+++ b/models/activities/action.go
@ -250,6 +250,9 @@ func (a *Action) GetActDisplayNameTitle(ctx context.Context) string {
 // GetRepoUserName returns the name of the action repository owner.
 func (a *Action) GetRepoUserName(ctx context.Context) string {
 	a.loadRepo(ctx)
 	if a.Repo == nil {
 		return "(non-existing-repo)"
 	}
 	return a.Repo.OwnerName
 }
@ -262,6 +265,9 @@ func (a *Action) ShortRepoUserName(ctx context.Context) string {
 // GetRepoName returns the name of the action repository.
 func (a *Action) GetRepoName(ctx context.Context) string {
 	a.loadRepo(ctx)
 	if a.Repo == nil {
 		return "(non-existing-repo)"
 	}
 	return a.Repo.Name
 }
--- a/models/activities/main_test.go
+++ b/models/activities/main_test.go
@ -10,6 +10,7 @@ import (
 	_ "code.gitea.io/gitea/models"
 	_ "code.gitea.io/gitea/models/actions"
 	_ "code.gitea.io/gitea/models/forgefed"
 )
 func TestMain(m *testing.M) {
--- a/models/activities/repo_activity.go
+++ b/models/activities/repo_activity.go
@ -34,6 +34,7 @@ type ActivityStats struct {
 	OpenedPRAuthorCount         int64
 	MergedPRs                   issues_model.PullRequestList
 	MergedPRAuthorCount         int64
 	ActiveIssues                issues_model.IssueList
 	OpenedIssues                issues_model.IssueList
 	OpenedIssueAuthorCount      int64
 	ClosedIssues                issues_model.IssueList
@ -172,7 +173,7 @@ func (stats *ActivityStats) MergedPRPerc() int {
 // ActiveIssueCount returns total active issue count
 func (stats *ActivityStats) ActiveIssueCount() int {
-	return stats.OpenedIssueCount() + stats.ClosedIssueCount()
+	return len(stats.ActiveIssues)
 }
 // OpenedIssueCount returns open issue count
@ -285,13 +286,21 @@ func (stats *ActivityStats) FillIssues(ctx context.Context, repoID int64, fromTi
 	stats.ClosedIssueAuthorCount = count
 	// New issues
-	sess = issuesForActivityStatement(ctx, repoID, fromTime, false, false)
+	sess = newlyCreatedIssues(ctx, repoID, fromTime)
 	sess.OrderBy("issue.created_unix ASC")
 	stats.OpenedIssues = make(issues_model.IssueList, 0)
 	if err = sess.Find(&stats.OpenedIssues); err != nil {
 		return err
 	}
 	// Active issues
 	sess = activeIssues(ctx, repoID, fromTime)
 	sess.OrderBy("issue.created_unix ASC")
 	stats.ActiveIssues = make(issues_model.IssueList, 0)
 	if err = sess.Find(&stats.ActiveIssues); err != nil {
 		return err
 	}
 	// Opened issue authors
 	sess = issuesForActivityStatement(ctx, repoID, fromTime, false, false)
 	if _, err = sess.Select("count(distinct issue.poster_id) as `count`").Table("issue").Get(&count); err != nil {
@ -317,6 +326,22 @@ func (stats *ActivityStats) FillUnresolvedIssues(ctx context.Context, repoID int
 	return sess.Find(&stats.UnresolvedIssues)
 }
 func newlyCreatedIssues(ctx context.Context, repoID int64, fromTime time.Time) *xorm.Session {
 	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
 		And("issue.is_pull = ?", false).                // Retain the is_pull check to exclude pull requests
 		And("issue.created_unix >= ?", fromTime.Unix()) // Include all issues created after fromTime
 	return sess
 }
 func activeIssues(ctx context.Context, repoID int64, fromTime time.Time) *xorm.Session {
 	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
 		And("issue.is_pull = ?", false).
 		And("issue.created_unix >= ? OR issue.closed_unix >= ?", fromTime.Unix(), fromTime.Unix())
 	return sess
 }
 func issuesForActivityStatement(ctx context.Context, repoID int64, fromTime time.Time, closed, unresolved bool) *xorm.Session {
 	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
 		And("issue.is_closed = ?", closed)
--- a/models/activities/repo_activity_test.go
+++ b/models/activities/repo_activity_test.go
@ -0,0 +1,30 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package activities
 import (
 	"testing"
 	"time"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestGetActivityStats(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	stats, err := GetActivityStats(db.DefaultContext, repo, time.Unix(0, 0), true, true, true, true)
 	require.NoError(t, err)
 	assert.EqualValues(t, 2, stats.ActiveIssueCount())
 	assert.EqualValues(t, 2, stats.OpenedIssueCount())
 	assert.EqualValues(t, 0, stats.ClosedIssueCount())
 	assert.EqualValues(t, 3, stats.ActivePRCount())
 }
--- a/models/activities/user_heatmap_test.go
+++ b/models/activities/user_heatmap_test.go
@ -96,6 +96,6 @@ func TestGetUserHeatmapDataByUser(t *testing.T) {
 		// Test JSON rendering
 		jsonData, err := json.Marshal(heatmap)
 		require.NoError(t, err)
-		assert.Equal(t, tc.JSONResult, string(jsonData))
+		assert.JSONEq(t, tc.JSONResult, string(jsonData))
 	}
 }
--- a/models/admin/task.go
+++ b/models/admin/task.go
@ -44,7 +44,7 @@ func init() {
 // TranslatableMessage represents JSON struct that can be translated with a Locale
 type TranslatableMessage struct {
 	Format string
-	Args   []any `json:"omitempty"`
+	Args   []any `json:",omitempty"`
 }
 // LoadRepo loads repository of the task
--- a/models/asymkey/error.go
+++ b/models/asymkey/error.go
@ -192,28 +192,6 @@ func (err ErrGPGKeyIDAlreadyUsed) Unwrap() error {
 	return util.ErrAlreadyExist
 }
 // ErrGPGKeyAccessDenied represents a "GPGKeyAccessDenied" kind of Error.
 type ErrGPGKeyAccessDenied struct {
 	UserID int64
 	KeyID  int64
 }
 // IsErrGPGKeyAccessDenied checks if an error is a ErrGPGKeyAccessDenied.
 func IsErrGPGKeyAccessDenied(err error) bool {
 	_, ok := err.(ErrGPGKeyAccessDenied)
 	return ok
 }
 // Error pretty-prints an error of type ErrGPGKeyAccessDenied.
 func (err ErrGPGKeyAccessDenied) Error() string {
 	return fmt.Sprintf("user does not have access to the key [user_id: %d, key_id: %d]",
 		err.UserID, err.KeyID)
 }
 func (err ErrGPGKeyAccessDenied) Unwrap() error {
 	return util.ErrPermissionDenied
 }
 // ErrKeyAccessDenied represents a "KeyAccessDenied" kind of error.
 type ErrKeyAccessDenied struct {
 	UserID int64
--- a/models/asymkey/ssh_key_authorized_keys.go
+++ b/models/asymkey/ssh_key_authorized_keys.go
@ -87,8 +87,6 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 	}
 	defer f.Close()
 	// Note: chmod command does not support in Windows.
 	if !setting.IsWindows {
 	fi, err := f.Stat()
 	if err != nil {
 		return err
@ -101,7 +99,6 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 			return err
 		}
 	}
 	}
 	for _, key := range keys {
 		if key.Type == KeyTypePrincipal {
--- a/models/asymkey/ssh_key_deploy.go
+++ b/models/asymkey/ssh_key_deploy.go
@ -105,14 +105,6 @@ func addDeployKey(ctx context.Context, keyID, repoID int64, name, fingerprint st
 	return key, db.Insert(ctx, key)
 }
 // HasDeployKey returns true if public key is a deploy key of given repository.
 func HasDeployKey(ctx context.Context, keyID, repoID int64) bool {
 	has, _ := db.GetEngine(ctx).
 		Where("key_id = ? AND repo_id = ?", keyID, repoID).
 		Get(new(DeployKey))
 	return has
 }
 // AddDeployKey add new deploy key to database and authorized_keys file.
 func AddDeployKey(ctx context.Context, repoID int64, name, content string, readOnly bool) (*DeployKey, error) {
 	fingerprint, err := CalcFingerprint(content)
--- a/models/asymkey/ssh_key_parse.go
+++ b/models/asymkey/ssh_key_parse.go
@ -219,8 +219,13 @@ func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
 		return "", 0, fmt.Errorf("ParsePublicKey: %w", err)
 	}
 	pkeyType := pkey.Type()
 	if certPkey, ok := pkey.(*ssh.Certificate); ok {
 		pkeyType = certPkey.Key.Type()
 	}
 	// The ssh library can parse the key, so next we find out what key exactly we have.
-	switch pkey.Type() {
+	switch pkeyType {
 	case ssh.KeyAlgoDSA:
 		rawPub := struct {
 			Name       string
--- a/models/asymkey/ssh_key_test.go
+++ b/models/asymkey/ssh_key_test.go
@ -35,6 +35,7 @@ func Test_SSHParsePublicKey(t *testing.T) {
 		{"ecdsa-384", false, "ecdsa", 384, "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBINmioV+XRX1Fm9Qk2ehHXJ2tfVxW30ypUWZw670Zyq5GQfBAH6xjygRsJ5wWsHXBsGYgFUXIHvMKVAG1tpw7s6ax9oA+dJOJ7tj+vhn8joFqT+sg3LYHgZkHrfqryRasQ== nocomment"},
 		{"ecdsa-sk", true, "ecdsa-sk", 256, "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGXEEzWmm1dxb+57RoK5KVCL0w2eNv9cqJX2AGGVlkFsVDhOXHzsadS3LTK4VlEbbrDMJdoti9yM8vclA8IeRacAAAAEc3NoOg== nocomment"},
 		{"ed25519-sk", true, "ed25519-sk", 256, "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7kM1R02+4ertDKGKEDcKG0s+2vyDDcIvceJ0Gqv5f1AAAABHNzaDo= nocomment"},
 		{"ed25519-cert-v01", true, "ed25519", 256, "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAlIAPlEj0mYQzQo8Ks0Nm/Ct8ceNkyJSf4DLuF5l7+5AAAAIEuWAoaBo2tT29/oMNnoDfdAPRCIdM2RGapKUhY4nDfLRgPQwfnRoc0AAAABAAAAcHZhdWx0LW9pZGMtNmRhYjdiZDgtNDg5YS00MDFkLTg3ZmItNjdjNTlhMDZkZDkxLTNjNTk2M2YyMGRmMDM3MDkyMzc1YmNiYmNiNzkxY2EyZWIxM2I0NGZhMzc2NTcwMWI0MjMwODU0MWFmNjhkNTgAAAALAAAAB2Zvcmdlam8AAAAAZ6/RUQAAAABn115vAAAAAAAAAAAAAAAAAAACFwAAAAdzc2gtcnNhAAAAAwEAAQAAAgEAySnM/TvD117GyKgOgMatDB2t+fCHORFaWVmH5SaadAzNJ2DfDAauRSLfnim1xdgAOMTzsPEEHH47zyYMjE85o2AiJxrfUBMw3O/7AbNc6+HyLr/txH4+vD9tWQknKnpVWM+3Z9wiHDcOdKRoXCmFZKJH1vxs16GNWjwbrfNiimv7Oi0fadgvTDKX603gpLTuVDXqs9eQFLCONptei86JYBAJqaHvg51k8YUCKt9WFqKAj7BJUWmrDvhv5VFMOsnZieJjqxkoxnpsQNlXfPzxK0vIpJofbYfWwscv/g9WZypHwO1ZR2PqzKm99YrSdr8w5256l0f44vsF0NSP0N7bDQEfYYnRGj8zWTYCBFD+uYF7AxIeaRUpZoTQO8MvCHOLMIDinNgEeCUvNA2v9zHl4BGq+PQjzUKAgJiKj0MZeiCDAmQ22g83ggQlB6BOrBb1fNa/S1cmTbGHQ2oAN358aqkmHVCBhPOyA2Rf65D2M2vzDlUdOsNDUIWAHk7GbwSNGDgcYfTWqtR5fTzp2MJovMh1dDUDXjOvojbhzjJtSy9+rzUYIv18aXdOitzVBgPMWdeVCZFZv4OKF+5MiqxQvedUvfiSjsdxZWLxyT1CJ88G3MzxNMS/Djm86T8h/Oa55bdvFtqpsLfvpIqq0pnXq1V/vF2j1MWwRB5z5Xh/HtEAAAIUAAAADHJzYS1zaGEyLTI1NgAAAgB2I2gzqemQl8/ETxtakALlm/2BpUcbhADcFWuoH6BCPnWHuTSwf3OayM6KXv1PQfL3YFRoi9Afrp8kVFL6DePsmKH+0BUEMz71sZ7v1ty7pwfzibItGnpTbQXhzbEiNYAFoz77rl7oaXF7pV6JNZhj3DVAB5gVA2oN5KRNVxijz+6uyuFJEw1HIl1C7GworvGwZcN7BThTEh3i72/Vntejy9Z8uGVjSFjS0rjRo2oXK1LKN0rVt66p3TmCWHouLkVnOTk0qrhLGlL2HVyo24OYHbkAAObD9b6aMDYlmluk6NsaiTKsSTsvMrbIbjtFQlh7nNyoPhZ0VMwaT1l10pDQ5uxWWZjKGIkz4xM1ZfpBszjJNPo+ivYQnTSjj9LwkbLAT9a/5LawSj80TGcLEMO+0eyPdJsP0wYmOVRFAZeRiBgwb3HrzcF6Wqr8icj1EjYkKSy9YFHGTnFBGknpdh3HGwghRXrCUwAnSM76db9pv4/qowT8LthtJ3dY5Epe0OJ1Tqm+q8bkGH4gB+7uqLSqM5pIHSKLp7lfHQBt1J6xa7H2saiweaWjU+QGTgQ2Lg+uUC5DXJrmm60CeFJ4BoGhUenDlgijbQpjH/l6330PbwefgjWtUK/pqaEA4lCoPyvJ+eF2DbYfPiAIBAFQnhVJJae4AH+XoCt29nb2j30ztg== nocomment"},
 	}
 	for _, tc := range testCases {
--- a/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
+++ b/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
@ -23,3 +23,11 @@
  redirect_uris: '["http://127.0.0.1", "https://127.0.0.1"]'
  created_unix: 1712358091
  updated_unix: 1712358091
 -
  id: 1003
  uid: 0
  name: "Global Auth source that should be kept"
  client_id: "2f3467c1-7b3b-463d-ab04-2ae2b2712826"
  redirect_uris: '["http://example.com/globalapp", "https://example.com/globalapp"]'
  created_unix: 1732387292
  updated_unix: 1732387292
--- a/models/auth/access_token.go
+++ b/models/auth/access_token.go
@ -98,6 +98,15 @@ func init() {
 // NewAccessToken creates new access token.
 func NewAccessToken(ctx context.Context, t *AccessToken) error {
 	err := generateAccessToken(t)
 	if err != nil {
 		return err
 	}
 	_, err = db.GetEngine(ctx).Insert(t)
 	return err
 }
 func generateAccessToken(t *AccessToken) error {
 	salt, err := util.CryptoRandomString(10)
 	if err != nil {
 		return err
@ -110,8 +119,7 @@ func NewAccessToken(ctx context.Context, t *AccessToken) error {
 	t.Token = hex.EncodeToString(token)
 	t.TokenHash = HashToken(t.Token, t.TokenSalt)
 	t.TokenLastEight = t.Token[len(t.Token)-8:]
-	_, err = db.GetEngine(ctx).Insert(t)
+	return nil
 	return err
 }
 // DisplayPublicOnly whether to display this as a public-only token.
@ -234,3 +242,25 @@ func DeleteAccessTokenByID(ctx context.Context, id, userID int64) error {
 	}
 	return nil
 }
 // RegenerateAccessTokenByID regenerates access token by given ID.
 // It regenerates token and salt, as well as updates the creation time.
 func RegenerateAccessTokenByID(ctx context.Context, id, userID int64) (*AccessToken, error) {
 	t := &AccessToken{}
 	found, err := db.GetEngine(ctx).Where("id = ? AND uid = ?", id, userID).Get(t)
 	if err != nil {
 		return nil, err
 	} else if !found {
 		return nil, ErrAccessTokenNotExist{}
 	}
 	err = generateAccessToken(t)
 	if err != nil {
 		return nil, err
 	}
 	// Reset the creation time, token is unused
 	t.UpdatedUnix = timeutil.TimeStampNow()
 	return t, UpdateAccessToken(ctx, t)
 }
--- a/models/auth/access_token_test.go
+++ b/models/auth/access_token_test.go
@ -131,3 +131,28 @@ func TestDeleteAccessTokenByID(t *testing.T) {
 	require.Error(t, err)
 	assert.True(t, auth_model.IsErrAccessTokenNotExist(err))
 }
 func TestRegenerateAccessTokenByID(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	token, err := auth_model.GetAccessTokenBySHA(db.DefaultContext, "4c6f36e6cf498e2a448662f915d932c09c5a146c")
 	require.NoError(t, err)
 	newToken, err := auth_model.RegenerateAccessTokenByID(db.DefaultContext, token.ID, 1)
 	require.NoError(t, err)
 	unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: token.ID, UID: token.UID, TokenHash: token.TokenHash})
 	newToken = &auth_model.AccessToken{
 		ID:        newToken.ID,
 		UID:       newToken.UID,
 		TokenHash: newToken.TokenHash,
 	}
 	unittest.AssertExistsAndLoadBean(t, newToken)
 	// Token has been recreated, new salt and hash, but should retain the same ID, UID, Name and Scope
 	assert.Equal(t, token.ID, newToken.ID)
 	assert.NotEqual(t, token.TokenHash, newToken.TokenHash)
 	assert.NotEqual(t, token.TokenSalt, newToken.TokenSalt)
 	assert.Equal(t, token.UID, newToken.UID)
 	assert.Equal(t, token.Name, newToken.Name)
 	assert.Equal(t, token.Scope, newToken.Scope)
 }
--- a/models/auth/auth_token.go
+++ b/models/auth/auth_token.go
@ -15,12 +15,31 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )
 type AuthorizationPurpose string
 var (
 	// Used to store long term authorization tokens.
 	LongTermAuthorization AuthorizationPurpose = "long_term_authorization"
 	// Used to activate a user account.
 	UserActivation AuthorizationPurpose = "user_activation"
 	// Used to reset the password.
 	PasswordReset AuthorizationPurpose = "password_reset"
 )
 // Used to activate the specified email address for a user.
 func EmailActivation(email string) AuthorizationPurpose {
 	return AuthorizationPurpose("email_activation:" + email)
 }
 // AuthorizationToken represents a authorization token to a user.
 type AuthorizationToken struct {
 	ID              int64  `xorm:"pk autoincr"`
 	UID             int64  `xorm:"INDEX"`
 	LookupKey       string `xorm:"INDEX UNIQUE"`
 	HashedValidator string
 	Purpose         AuthorizationPurpose `xorm:"NOT NULL DEFAULT 'long_term_authorization'"`
 	Expiry          timeutil.TimeStamp
 }
@ -41,7 +60,7 @@ func (authToken *AuthorizationToken) IsExpired() bool {
 // GenerateAuthToken generates a new authentication token for the given user.
 // It returns the lookup key and validator values that should be passed to the
 // user via a long-term cookie.
-func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeStamp) (lookupKey, validator string, err error) {
+func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeStamp, purpose AuthorizationPurpose) (lookupKey, validator string, err error) {
 	// Request 64 random bytes. The first 32 bytes will be used for the lookupKey
 	// and the other 32 bytes will be used for the validator.
 	rBytes, err := util.CryptoRandomBytes(64)
@ -56,14 +75,15 @@ func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeSt
 		Expiry:          expiry,
 		LookupKey:       lookupKey,
 		HashedValidator: HashValidator(rBytes[32:]),
 		Purpose:         purpose,
 	})
 	return lookupKey, validator, err
 }
 // FindAuthToken will find a authorization token via the lookup key.
-func FindAuthToken(ctx context.Context, lookupKey string) (*AuthorizationToken, error) {
+func FindAuthToken(ctx context.Context, lookupKey string, purpose AuthorizationPurpose) (*AuthorizationToken, error) {
 	var authToken AuthorizationToken
-	has, err := db.GetEngine(ctx).Where("lookup_key = ?", lookupKey).Get(&authToken)
+	has, err := db.GetEngine(ctx).Where("lookup_key = ? AND purpose = ?", lookupKey, purpose).Get(&authToken)
 	if err != nil {
 		return nil, err
 	} else if !has {
--- a/models/auth/main_test.go
+++ b/models/auth/main_test.go
@ -12,6 +12,7 @@ import (
 	_ "code.gitea.io/gitea/models/actions"
 	_ "code.gitea.io/gitea/models/activities"
 	_ "code.gitea.io/gitea/models/auth"
 	_ "code.gitea.io/gitea/models/forgefed"
 	_ "code.gitea.io/gitea/models/perm/access"
 )
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@ -657,6 +657,7 @@ func CountOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		Table("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
 		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs())).
 		Select("COUNT(`oauth2_application`.`id`)").
 		Count()
@ -668,6 +669,7 @@ func DeleteOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		From("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
 		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs()))
 	b := builder.Delete(builder.In("id", subQuery)).From("`oauth2_application`")
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@ -296,4 +296,5 @@ func TestOrphanedOAuth2Applications(t *testing.T) {
 	require.NoError(t, err)
 	assert.EqualValues(t, 0, count)
 	unittest.AssertExistsIf(t, false, &auth_model.OAuth2Application{ID: 1002})
 	unittest.AssertExistsIf(t, true, &auth_model.OAuth2Application{ID: 1003})
 }
--- a/models/auth/source.go
+++ b/models/auth/source.go
@ -32,7 +32,7 @@ const (
 	PAM         // 4
 	DLDAP       // 5
 	OAuth2      // 6
-	SSPI        // 7
+	_           // 7 (was SSPI)
 	Remote      // 8
 )
@ -53,7 +53,6 @@ var Names = map[Type]string{
 	SMTP:   "SMTP",
 	PAM:    "PAM",
 	OAuth2: "OAuth2",
 	SSPI:   "SPNEGO with SSPI",
 	Remote: "Remote",
 }
@ -178,11 +177,6 @@ func (source *Source) IsOAuth2() bool {
 	return source.Type == OAuth2
 }
 // IsSSPI returns true of this source is of the SSPI type.
 func (source *Source) IsSSPI() bool {
 	return source.Type == SSPI
 }
 func (source *Source) IsRemote() bool {
 	return source.Type == Remote
 }
@ -216,7 +210,7 @@ func CreateSource(ctx context.Context, source *Source) error {
 		return ErrSourceAlreadyExist{source.Name}
 	}
 	// Synchronization is only available with LDAP for now
-	if !source.IsLDAP() && !source.IsOAuth2() {
+	if !source.IsLDAP() {
 		source.IsSyncEnabled = false
 	}
@ -265,20 +259,6 @@ func (opts FindSourcesOptions) ToConds() builder.Cond {
 	return conds
 }
 // IsSSPIEnabled returns true if there is at least one activated login
 // source of type LoginSSPI
 func IsSSPIEnabled(ctx context.Context) bool {
 	exist, err := db.Exist[Source](ctx, FindSourcesOptions{
 		IsActive:  optional.Some(true),
 		LoginType: SSPI,
 	}.ToConds())
 	if err != nil {
 		log.Error("IsSSPIEnabled: failed to query active SSPI sources: %v", err)
 		return false
 	}
 	return exist
 }
 // GetSourceByID returns login source by given ID.
 func GetSourceByID(ctx context.Context, id int64) (*Source, error) {
 	source := new(Source)
@ -299,17 +279,6 @@ func GetSourceByID(ctx context.Context, id int64) (*Source, error) {
 	return source, nil
 }
 func GetSourceByName(ctx context.Context, name string) (*Source, error) {
 	source := &Source{}
 	has, err := db.GetEngine(ctx).Where("name = ?", name).Get(source)
 	if err != nil {
 		return nil, err
 	} else if !has {
 		return nil, ErrSourceNotExist{}
 	}
 	return source, nil
 }
 // UpdateSource updates a Source record in DB.
 func UpdateSource(ctx context.Context, source *Source) error {
 	var originalSource *Source
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@ -5,17 +5,14 @@ package auth
 import (
 	"context"
 	"crypto/md5"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/base32"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/secret"
+	"code.gitea.io/gitea/modules/keying"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
@ -51,7 +48,7 @@ func (err ErrTwoFactorNotEnrolled) Unwrap() error {
 type TwoFactor struct {
 	ID               int64  `xorm:"pk autoincr"`
 	UID              int64  `xorm:"UNIQUE"`
-	Secret           string
+	Secret           []byte `xorm:"BLOB"`
 	ScratchSalt      string
 	ScratchHash      string
 	LastUsedPasscode string             `xorm:"VARCHAR(10)"`
@ -92,41 +89,37 @@ func (t *TwoFactor) VerifyScratchToken(token string) bool {
 	return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1
 }
 func (t *TwoFactor) getEncryptionKey() []byte {
 	k := md5.Sum([]byte(setting.SecretKey))
 	return k[:]
 }
 // SetSecret sets the 2FA secret.
-func (t *TwoFactor) SetSecret(secretString string) error {
+func (t *TwoFactor) SetSecret(secretString string) {
-	secretBytes, err := secret.AesEncrypt(t.getEncryptionKey(), []byte(secretString))
+	key := keying.DeriveKey(keying.ContextTOTP)
-	if err != nil {
+	t.Secret = key.Encrypt([]byte(secretString), keying.ColumnAndID("secret", t.ID))
 		return err
 	}
 	t.Secret = base64.StdEncoding.EncodeToString(secretBytes)
 	return nil
 }
 // ValidateTOTP validates the provided passcode.
 func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
-	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
+	key := keying.DeriveKey(keying.ContextTOTP)
 	secret, err := key.Decrypt(t.Secret, keying.ColumnAndID("secret", t.ID))
 	if err != nil {
 		return false, err
 	}
-	secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
+	return totp.Validate(passcode, string(secret)), nil
 	if err != nil {
 		return false, err
 	}
 	secretStr := string(secretBytes)
 	return totp.Validate(passcode, secretStr), nil
 }
 // NewTwoFactor creates a new two-factor authentication token.
-func NewTwoFactor(ctx context.Context, t *TwoFactor) error {
+func NewTwoFactor(ctx context.Context, t *TwoFactor, secret string) error {
-	_, err := db.GetEngine(ctx).Insert(t)
+	return db.WithTx(ctx, func(ctx context.Context) error {
 		sess := db.GetEngine(ctx)
 		_, err := sess.Insert(t)
 		if err != nil {
 			return err
 		}
 		t.SetSecret(secret)
 		_, err = sess.Cols("secret").ID(t.ID).Update(t)
 		return err
 	})
 }
 // UpdateTwoFactor updates a two-factor authentication token.
 func UpdateTwoFactor(ctx context.Context, t *TwoFactor) error {
 	_, err := db.GetEngine(ctx).ID(t.ID).AllCols().Update(t)
--- a/models/auth/webauthn.go
+++ b/models/auth/webauthn.go
@ -52,10 +52,10 @@ type WebAuthnCredential struct {
 	AAGUID          []byte
 	SignCount       uint32 `xorm:"BIGINT"`
 	CloneWarning    bool
-	BackupEligible  bool `XORM:"NOT NULL DEFAULT false"`
+	BackupEligible  bool `xorm:"NOT NULL DEFAULT false"`
-	BackupState     bool `XORM:"NOT NULL DEFAULT false"`
+	BackupState     bool `xorm:"NOT NULL DEFAULT false"`
 	// If legacy is set to true, backup_eligible and backup_state isn't set.
-	Legacy      bool               `XORM:"NOT NULL DEFAULT true"`
+	Legacy      bool               `xorm:"NOT NULL DEFAULT true"`
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
--- a/models/db/context_committer_test.go
+++ b/models/db/context_committer_test.go
@ -4,7 +4,7 @@
 package db // it's not db_test, because this file is for testing the private type halfCommitter
 import (
-	"fmt"
+	"errors"
 	"testing"
 	"github.com/stretchr/testify/assert"
@ -80,7 +80,7 @@ func Test_halfCommitter(t *testing.T) {
 		testWithCommitter(mockCommitter, func(committer Committer) error {
 			defer committer.Close()
 			if true {
-				return fmt.Errorf("error")
+				return errors.New("error")
 			}
 			return committer.Commit()
 		})
@ -94,7 +94,7 @@ func Test_halfCommitter(t *testing.T) {
 		testWithCommitter(mockCommitter, func(committer Committer) error {
 			committer.Close()
 			committer.Commit()
-			return fmt.Errorf("error")
+			return errors.New("error")
 		})
 		mockCommitter.Assert(t)
--- a/models/db/engine.go
+++ b/models/db/engine.go
@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"reflect"
 	"runtime/trace"
 	"strings"
 	"time"
@ -163,6 +164,8 @@ func InitEngine(ctx context.Context) error {
 		Logger: errorLogger,
 	})
 	xormEngine.AddHook(&TracingHook{})
 	SetDefaultEngine(ctx, xormEngine)
 	return nil
 }
@ -318,6 +321,25 @@ func SetLogSQL(ctx context.Context, on bool) {
 	}
 }
 type TracingHook struct{}
 var _ contexts.Hook = &TracingHook{}
 type sqlTask struct{}
 func (TracingHook) BeforeProcess(c *contexts.ContextHook) (context.Context, error) {
 	ctx, task := trace.NewTask(c.Ctx, "sql")
 	ctx = context.WithValue(ctx, sqlTask{}, task)
 	trace.Log(ctx, "query", c.SQL)
 	trace.Logf(ctx, "args", "%v", c.Args)
 	return ctx, nil
 }
 func (TracingHook) AfterProcess(c *contexts.ContextHook) error {
 	c.Ctx.Value(sqlTask{}).(*trace.Task).End()
 	return nil
 }
 type SlowQueryHook struct {
 	Treshold time.Duration
 	Logger   log.Logger
--- a/Show more
+++ b/Show more
`@ -1,3 +1,3 @@`
	`module code.gitea.io/gitea`	`module code.gitea.io/gitea`

	`go 1.23.1`	`go 1.23.3`