ServerSMP/forgejo
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Update to v15.0.3 #54

Manually merged
ServerSMP merged 46 commits from upstream into v15 2026-06-10 21:28:09 +00:00
Conversation 0 Commits 46 Files changed 160 +4605 -1880
Prince527 commented 2026-06-10 21:23:03 +00:00
Owner
Copy link
No description provided. 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12141

Move the logic for handling reruns of Forgejo Action workflows and individual jobs to services. That is a prerequisite for adding the corresponding HTTP API endpoints.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12537
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12469

The dialog element shrink wrap up to the max-width boundary. The
`long-modal` is set to strictly fit the `800px` width in the test.
However with Playwright minor font rendering differences makes the
dialog modal width resulting in `797px`.

Test fails at: [expect(width).toBe(800);](6132d0e406/tests/e2e/modal.test.e2e.ts (L103))

The fix is to increase the content of the `#long-model` element in
`templates/demo/model.tmpl` to 300 characters length instead of the
current `100` characters length ensures that the dialog modal will always
hit the `800px` max-width.

Co-authored-by: Nirmal Kumar R <tildezero@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12471
## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12142
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
(cherry picked from commit db622afd87f8f6b1d0ca4228b9eac7095cda3a58)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12538
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/11356

Conflicts:
- tests/integration/pull_review_test.go

Removed the modification, since the conflicting test added in #12015 is
not present in v15.0

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11356
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
(cherry picked from commit 88ba1741190dd638abd3fd75fb95373e483ab695)

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12540
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Forgejo Actions keeps one set of artifacts per workflow run -- those of the latest workflow run. If a particular workflow run is rerun, Forgejo is supposed to remove outdated artifacts. However, it does not do that. As a result, the user is presented a mix of outdated and new artifacts, even within the same archive.

This is remedied by wiping the artifacts before each rerun. The same happens when only one or more jobs are rerun, which also matches the behaviour of GitHub Actions. In the example below, when only rerunning `artifacts-two`, `many-artifacts-one` would disappear and a new version of `many-artifacts-two` would be made available.

Reproducer:

```yaml
on:
  push:
jobs:
  artifacts-one:
    runs-on: ubuntu-latest
    steps:
      - run: mkdir -p artifacts-one
      - run: |
          if [[ "${{ github.run_attempt}}" == 1 ]] ; then echo "${{ github.run_attempt}}" > artifacts-one/ONE; fi
          echo "${{ github.run_attempt}}" > artifacts-one/TWO
      - uses: forgejo/upload-artifact@v4
        with:
          name: many-artifacts-one
          path: artifacts-one/
  artifacts-two:
    runs-on: ubuntu-latest
    steps:
      - run: mkdir -p artifacts-two
      - run: |
          if [[ "${{ github.run_attempt}}" == 1 ]] ; then echo "${{ github.run_attempt}}" > artifacts-two/ONE; fi
          echo "${{ github.run_attempt}}" > artifacts-two/TWO
      - uses: forgejo/upload-artifact@v4
        with:
          name: many-artifacts-two
          path: artifacts-two/
```

Resolves https://codeberg.org/forgejo/forgejo/issues/12163.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12523
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
(cherry picked from commit 753e289da58fd2e1044725f5f4cc42b0818b1d90)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12542
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12550

Forgejo erroneously links to Forgejo Actions artefacts that have been deleted due to expiration. The commit message of 460a2b0edf that introduced the feature describes the desired behaviour: "artifacts link in actions view should be non-clickable text when expired."

Resolves https://codeberg.org/forgejo/forgejo/issues/3653.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [x] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12553
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12554

The race condition on the test is happening because, we are immediately
calling `page.goto()` after the `Commit changes` button is clicked
without waiting for the previous redirect to finish. This interruption leads
to the error: `Error: page.goto: Target page, context or browser has been
closed`.

By adding the `await expect(page).toHaveURL`, Playwright waits for the
redirection and verifies the URL and then finally go to the next `await
page.goto()` to go to the `edit` page of the file.

Co-authored-by: Nirmal Kumar R <tildezero@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12574
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12442

When a forking target organization was supplied, the API handler only verified
org membership. This is asymmetric with the rest of the codebase, as
CanCreateOrgRepo is used everywhere else.

Co-authored-by: jvoisin <jvoisin@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12579
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.8.0` → `v12.10.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.8.0/v12.10.1?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.10.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.10.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.10.0...v12.10.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1509): <!--number 1509 --><!--line 0 --><!--description ZmVhdDogbWVyZ2UgcmV1c2FibGUgZXhwYW5zaW9uIGNhbGxlcidzICdpZicgaW50byBleHBhbmRlZCBqb2Jz-->feat: merge reusable expansion caller's 'if' into expanded jobs<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1510): <!--number 1510 --><!--line 0 --><!--description Zml4OiB3b3JrZmxvdy1sZXZlbCAnZW52JyBpcyBsb3N0IGR1cmluZyBqb2IgcGFyc2luZw==-->fix: workflow-level 'env' is lost during job parsing<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1511): <!--number 1511 --><!--line 0 --><!--description Y2hvcmU6IHVzZSBzcGVjaWZpYyB2ZXJzaW9uIG9mIGdvZnVtcHQsIG5vdCBsYXRlc3Q=-->chore: use specific version of gofumpt, not latest<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1508): <!--number 1508 --><!--line 0 --><!--description Y2hvcmU6IGluY3JlYXNlIHRoZSBsZW5ndGggb2YgdGhlIGNhY2hlIHRva2VuIGtleQ==-->chore: increase the length of the cache token key<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1504): <!--number 1504 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBnby1naXQ=-->chore: remove go-git<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1506): <!--number 1506 --><!--line 0 --><!--description cmVmYWN0b3I6IGRyb3AgdW51c2VkIENvbm5lY3RUb05ldHdvcmsgZnJvbSBDb250YWluZXIgaW50ZXJmYWNl-->refactor: drop unused ConnectToNetwork from Container interface<!--description-->

<!--end release-notes-assistant-->

### [`v12.10.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.10.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.9.0...v12.10.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1493): <!--number 1493 --><!--line 0 --><!--description ZmVhdDogZW5hYmxlIGVudHJ5cG9pbnQgY3VzdG9taXphdGlvbiBvZiBqb2IgY29udGFpbmVycw==-->feat: enable entrypoint customization of job containers<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1498): <!--number 1498 --><!--line 0 --><!--description ZmVhdDogZW5hYmxlIGVudHJ5cG9pbnQgY3VzdG9taXphdGlvbiBmb3Igc2VydmljZXM=-->feat: enable entrypoint customization for services<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1491): <!--number 1491 --><!--line 0 --><!--description ZmVhdDogaW1wcm92ZSBwdWxsaW5nIG9mIGNvbnRhaW5lciBpbWFnZXM=-->feat: improve pulling of container images<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1505): <!--number 1505 --><!--line 0 --><!--description Zml4OiB0cmltIHdoaXRlc3BhY2UgYXJvdW5kIGNhY2hlIHNlY3JldA==-->fix: trim whitespace around cache secret<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1499): <!--number 1499 --><!--line 0 --><!--description Zml4OiBwcmVzZXJ2ZSB3b3JrZmxvdy1sZXZlbCBlbnYgJiBlbmFibGUtb3BlbmlkLWNvbm5lY3QgZHVyaW5nIHdvcmtmbG93IGV4cGFuc2lvbg==-->fix: preserve workflow-level env & enable-openid-connect during workflow expansion<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1497): <!--number 1497 --><!--line 0 --><!--description Y2hvcmU6IGluY29ycG9yYXRlIGdvLWdpdCdzIGdpdGlnbm9yZSBtYXRjaGluZw==-->chore: incorporate go-git's gitignore matching<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1495): <!--number 1495 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBpc3N1ZXMgdG8gUkVBRE1FLCBtaW5pbWFsIGNvbnRyaWJ1dGlvbiBndWlkZQ==-->chore: add issues to README, minimal contribution guide<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1492): <!--number 1492 --><!--line 0 --><!--description VXBkYXRlIGZvcmdlam8tcnVubmVyIHRvIHYxMi45LjA=-->Update forgejo-runner to v12.9.0<!--description-->

<!--end release-notes-assistant-->

### [`v12.9.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.9.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.2...v12.9.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1488): <!--number 1488 --><!--line 0 --><!--description ZmVhdDogdHJpbSB3aGl0ZXNwYWNlIGFyb3VuZCB0b2tlbiwgdmFsaWRhdGUgaXQ=-->feat: trim whitespace around token, validate it<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1481): <!--number 1481 --><!--line 0 --><!--description Zml4OiBpbnRlcnBvbGF0aW9uIG9mIGB3b3JrZmxvd19jYWxsYCBpbnB1dHM=-->fix: interpolation of `workflow_call` inputs<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1485): <!--number 1485 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTguMCBbU0VDVVJJVFld-->Update module github.com/go-git/go-git/v5 to v5.18.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1482): <!--number 1482 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOQ==-->Update dependency go to v1.25.9<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1479): <!--number 1479 --><!--line 0 --><!--description VXBkYXRlIGdvLm9wZW50ZWxlbWV0cnkuaW8vb3RlbC9leHBvcnRlcnMvb3RscC9vdGxwdHJhY2Uvb3RscHRyYWNlaHR0cCAoaW5kaXJlY3QpIHRvIHYxLjQzLjAgW1NFQ1VSSVRZXQ==-->Update go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp (indirect) to v1.43.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1478): <!--number 1478 --><!--line 0 --><!--description VXBkYXRlIGZvcmdlam8tcnVubmVyIHRvIHYxMi44LjI=-->Update forgejo-runner to v12.8.2<!--description-->

<!--end release-notes-assistant-->

### [`v12.8.2`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.8.2)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.1...v12.8.2)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1477): <!--number 1477 --><!--line 0 --><!--description Zml4OiByZXR1cm4gZXJyb3Igd2hlbiBgb25lLWpvYmAgcmVjZWl2ZXMgbm8gdGFzaw==-->fix: return error when `one-job` receives no task<!--description-->

<!--end release-notes-assistant-->

### [`v12.8.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.8.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.0...v12.8.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1476): <!--number 1476 --><!--line 0 --><!--description Zml4OiB1c2UgYF57Y29tbWl0fWAgdG8gYWN0dWFsbHkgbGV0IGByZXYtcGFyc2VgIHJlc29sdmUgdG8gdGhlIGNvbW1pdA==-->fix: use `^{commit}` to actually let `rev-parse` resolve to the commit<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1474): <!--number 1474 --><!--line 0 --><!--description Y2hvcmU6IHVwZ3JhZGUgTW9ja2VyeSB0byB2Mw==-->chore: upgrade Mockery to v3<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ1cGRhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ0YXJnZXRCcmFuY2giOiJ2MTUuMC9mb3JnZWpvIiwibGFiZWxzIjpbImRlcGVuZGVuY3ktdXBncmFkZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12588
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12577

- Validate and sanitize topics.
- Cap topics at 25 (limit used elsewhere, now unified constant).
- Add more details and rephrase common user-facing error messages.

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12593
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12581

Follow-up of: forgejo/forgejo!9002

Closes: Codeberg/Community#2575

Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12594
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12589

The bleve indexer included a fast path to consider a single token to be of MUST rather than should.
However, the condition missed an additional check and would erroneosly include a NOT as a MUST.

This was not spotted by the tests as such exclude queries were usually made along with another term to avoid noise.

Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12592
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12659
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport**: https://codeberg.org/forgejo/forgejo/pulls/12627  -- manual backport due to trivial conflicts in locale_en-US.json.

A concern has been raised to the security team that Forgejo users can be confused by the visibility of packages in Forgejo being linked to the owner of the package, and not the repository that a package may be linked to.  While future feature requests may change how package visibility works, an immediately actionable response is to ensure that this is clearer to end-users.

This PR adds a warning on the Settings -> Unit page of a private repository, and the Packages tab of a private repository, if the owner of the repository is public.  It also renames the unit "Enable repository package registry" to "Enable package linking", to better reflect the fact that enabling packages on a repository does not create some repository-level registry.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12652
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
API consumers will see a different HTTP status code (404 instead of 500) for invalid SHAs.

Fixes: #12239

Co-authored-by: guillermodotn <guillerm0.n@outlook.es>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12671
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12679
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.54.0` → `v0.55.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.54.0...refs/tags/v0.55.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fnet/v0.55.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fnet/v0.54.0/v0.55.0?slim=true) |

---

### Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
[CVE-2026-42506](https://nvd.nist.gov/vuln/detail/CVE-2026-42506) / [GO-2026-5025](https://pkg.go.dev/vuln/GO-2026-5025)

<details>
<summary>More information</summary>

#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79571](https://go.dev/issue/79571)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)
- [https://go.dev/cl/781700](https://go.dev/cl/781700)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5025) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
[CVE-2026-39821](https://nvd.nist.gov/vuln/detail/CVE-2026-39821) / [GO-2026-5026](https://pkg.go.dev/vuln/GO-2026-5026)

<details>
<summary>More information</summary>

#### Details
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

#### Severity
Unknown

#### References
- [https://go.dev/cl/767220](https://go.dev/cl/767220)
- [https://go.dev/issue/78760](https://go.dev/issue/78760)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5026) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
[CVE-2026-42502](https://nvd.nist.gov/vuln/detail/CVE-2026-42502) / [GO-2026-5027](https://pkg.go.dev/vuln/GO-2026-5027)

<details>
<summary>More information</summary>

#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79572](https://go.dev/issue/79572)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)
- [https://go.dev/cl/781701](https://go.dev/cl/781701)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5027) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
[CVE-2026-25680](https://nvd.nist.gov/vuln/detail/CVE-2026-25680) / [GO-2026-5028](https://pkg.go.dev/vuln/GO-2026-5028)

<details>
<summary>More information</summary>

#### Details
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

#### Severity
Unknown

#### References
- [https://go.dev/cl/781702](https://go.dev/cl/781702)
- [https://go.dev/issue/79573](https://go.dev/issue/79573)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5028) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
[CVE-2026-25681](https://nvd.nist.gov/vuln/detail/CVE-2026-25681) / [GO-2026-5029](https://pkg.go.dev/vuln/GO-2026-5029)

<details>
<summary>More information</summary>

#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79574](https://go.dev/issue/79574)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)
- [https://go.dev/cl/781703](https://go.dev/cl/781703)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5029) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Invoking duplicate attributes can cause XSS in golang.org/x/net/html
[CVE-2026-27136](https://nvd.nist.gov/vuln/detail/CVE-2026-27136) / [GO-2026-5030](https://pkg.go.dev/vuln/GO-2026-5030)

<details>
<summary>More information</summary>

#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79575](https://go.dev/issue/79575)
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8)
- [https://go.dev/cl/781685](https://go.dev/cl/781685)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5030) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4Mi4xIiwidGFyZ2V0QnJhbmNoIjoidjE1LjAvZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12690
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12702

Closes #12251

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

Does not apply.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Mai-Lapyst <mai-lapyst@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12710
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12704

It is possible for a user that is not trusted to run Forgejo Actions workflows on a repository to act on a pull request and trigger a workflow after it is merged or closed. For instance by modifying the title of the pull request or setting a label.

Closes forgejo/forgejo#12576

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12704): <!--number 12704 --><!--line 0 --><!--description ZGlzcGxheSB0aGUgYWN0aW9ucyB0cnVzdCBtYW5hZ2VtZW50IHBhbmVsIG9uIG1lcmdlZCBhbmQgY2xvc2VkIHB1bGwgcmVxdWVzdHM=-->display the actions trust management panel on merged and closed pull requests<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: limiting-factor <limiting-factor@posteo.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12712
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12685

During workflow expansion, jobs are replaced or added. That means that their execution order does not necessarily match the order of their numeric IDs. For example, job 129 might depend on job 130. Unfortunately, Forgejo doesn't take this possibility into account and always examines and updates jobs by ascending ID. That means that while examining job 129, job 130 has still its old status, and, as a result, Forgejo won't schedule job 129 for execution because it's still waiting for job 130 to complete. This can lead to workflows getting stuck:

```
...tions/job_emitter.go:48:jobEmitterQueueHandler() [E] checkJobsOfRun failed for RunID = 49: error in tryHandleIncompleteMatrix: jobStatusResolver attempted to tryHandleIncompleteMatrix for a job (id=129) with an incomplete 'needs' job (id=130)
```

This is caused by calculating all status changes recursively in memory before writing them to the database. For example, job A that was completed would unblock job B that depended on it. In that case, Forgejo would simultaneously mark job A as completed and B as waiting. However, that would not work if B had a lower ID than A. That is remedied by writing updates to the database before entering the next recursion. So, continuing the example, job A is marked as completed in the database before the next iteration detects that B is no longer blocked and writes that to the database.

Resolves https://codeberg.org/forgejo/forgejo/issues/12641.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12730
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12739

Forgejo would not trigger Actions workflows `on: pull_request:` with `paths:` or `paths-ignore:` filters when the pull request was merged. The reason was that the triggers were evaluated after the PR was merged, but Forgejo still looked for changed files between the base branch and the PR's HEAD, which by then was already in the base branch.

Resolves https://codeberg.org/forgejo/forgejo/issues/12585.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12744
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Backport: forgejo/forgejo!12753
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12767
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12764

Fixes #12645.  Detailed analysis in [this comment](https://codeberg.org/forgejo/forgejo/issues/12645#issuecomment-15939122).  New test case is verified to hit the bug -- the previous case just narrowly missed the problem because it ended up with an empty repository index.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12774
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** #12365

(cherry picked from commit d867b25e72b940728f82327925d474ecd68a3256)

github.com/robfig/cron is used for parsing cron schedules of scheduled Forgejo Actions workflows. It has not seen an update in roughly six years and looks abandoned. There are multiple code paths that trigger panics instead of errors. It is replaced by github.com/gdgvda/cron, which is one of the few maintained forks. github.com/gdgvda/cron was picked because its behaviour is fully backwards-compatible and the developers are responsive.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12365
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>

---

Backported to address https://code.forgejo.org/forgejo/runner/pulls/1519 with consistent parsing, as noted by https://codeberg.org/forgejo/forgejo/pulls/12775#issuecomment-15969155.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12777
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.10.1` → `v12.10.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.1/v12.10.2?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.10.2`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.10.2)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.10.1...v12.10.2)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1523): <!--number 1523 --><!--line 0 --><!--description Zml4OiByZW1vdmUgY29udGFpbmVycyBhZnRlciBmYWlsZWQgc3RhcnQtdXA=-->fix: remove containers after failed start-up<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1519): <!--number 1519 --><!--line 0 --><!--description Zml4OiByZWplY3QgaW52YWxpZCBjcm9uIHNjaGVkdWxlcyB3aGlsZSBwYXJzaW5nIHdvcmtmbG93cw==-->fix: reject invalid cron schedules while parsing workflows<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1532): <!--number 1532 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3JoeXNkL2FjdGlvbmxpbnQgdG8gdjEuNy4xMg==-->Update module github.com/rhysd/actionlint to v1.7.12<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1531): <!--number 1531 --><!--line 0 --><!--description UmVwbGFjZSBOb2RlLmpzIHdpdGggZGF0YS5mb3JnZWpvLm9yZy9vY2kvbm9kZSAyNC10cml4aWU=-->Replace Node.js with data.forgejo.org/oci/node 24-trixie<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1530): <!--number 1530 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2Nhc2NhZGluZy1wciBhY3Rpb24gdG8gdjIuMy4y-->Update <https://data.forgejo.org/actions/cascading-pr> action to v2.3.2<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1522): <!--number 1522 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21vYnkvcGF0dGVybm1hdGNoZXIgdG8gdjAuNi4x-->Update module github.com/moby/patternmatcher to v0.6.1<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1529): <!--number 1529 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvc3lzIHRvIHYwLjQ0LjAgW1NFQ1VSSVRZXQ==-->Update module golang.org/x/sys to v0.44.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1527): <!--number 1527 --><!--line 0 --><!--description dGVzdDogdXBkYXRlIGFwdCBjYWNoZSBiZWZvcmUgaW5zdGFsbGluZyBwYWNrYWdlcyBpbiBQb2RtYW4gam9i-->test: update apt cache before installing packages in Podman job<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1521): <!--number 1521 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLWlzYXR0eSB0byB2MC4wLjIy-->Update module github.com/mattn/go-isatty to v0.0.22<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1520): <!--number 1520 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuMTQ=-->Update data.forgejo.org/forgejo/forgejo Docker tag to v11.0.14<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1515): <!--number 1515 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb25uZWN0cnBjLmNvbS9jb25uZWN0IHRvIHYxLjE5LjI=-->Update module connectrpc.com/connect to v1.19.2<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1514): <!--number 1514 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuMTE=-->Update <https://data.forgejo.org/actions/setup-forgejo> action to v3.1.11<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1513): <!--number 1513 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuMTM=-->Update data.forgejo.org/forgejo/forgejo Docker tag to v11.0.13<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1512): <!--number 1512 --><!--line 0 --><!--description VXBkYXRlIGdvIHRvb2xjaGFpbiBkaXJlY3RpdmUgdG8gdjEuMjUuMTA=-->Update go toolchain directive to v1.25.10<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1503): <!--number 1503 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlcGxhY2UgYmFja2VuZCBpZGVudGl0eSBjaGVja3Mgd2l0aCBjYXBhYmlsaXR5IHF1ZXJpZXM=-->refactor: replace backend identity checks with capability queries<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoidjE1LjAvZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyIsInRlc3Qvbm90LW5lZWRlZCJdfQ==-->

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12775
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Although #12777 and #12775 independently passed CI, when merged together they created a failure in the v15.0/forgejo branch that this PR fixes: https://codeberg.org/forgejo/forgejo/actions/runs/164353/jobs/0/attempt/1#jobstep-4-96

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12780
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
If a Forgejo Actions job was run more than once, Forgejo would not display previous attempts if no `ActionTask` existed for the latest attempt. That is the case when a job is cancelled or skipped before having been dispatched to a runner or while it is waiting for a runner. This is fixed by always loading all existing attempts.

Resolves #12626.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12779
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
(cherry picked from commit fa5a2501d021c2f837cbfd3c22a126e5b92313c2)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12787
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12737

Load the primary language of the repository when it's converted to a API struct. This is simpler than adding `LoadAttributes` to a lot of places.

Resolves forgejo/forgejo#12729

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12789
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12755

Follow-up to the previously closed #12437; verifies git LFS quotas are checked against the repository owner not the current actor.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12755): <!--number 12755 --><!--line 0 --><!--description Y2hlY2sgcXVvdGEgaW4gTEZTIHVwbG9hZHMgYWdhaW5zdCB0aGUgcmVwb3NpdG9yeSBvd25lciwgbm90IG9wZXJhdGluZyB1c2Vy-->check quota in LFS uploads against the repository owner, not operating user<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12790
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12735

A dedicated test repository was added at https://gitlab.com/forgejo/test_repo-confidential with one "confidential issue" and two "internal notes".

Closes: #12688

Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12792
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12771

closes #12769

Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12793
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12756

When a single Forgejo Actions job should be rerun, its dependent jobs (those that have the job to be rerun in their `needs:`) might still be running. That means they cannot be rerun. Currently, Forgejo ignores and simply skips them. But that is wrong: their outcome is meaningless at best and wrong at worst because it depends on an outdated attempt of the job to be rerun. This is remedied by cancelling them before queueing them for a rerun, too.

Follow-up of https://codeberg.org/forgejo/forgejo/pulls/12141.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12806
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12828
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12818

When an individual job is rerun, the run it belongs to has to be kept in sync. For example, the timestamps when the run was started and stopped have to be adjusted accordingly. That didn't happen since https://codeberg.org/forgejo/forgejo/pulls/12141 because the functionality was accidentally omitted.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12826
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12785

For the same reason the merge box is displayed when the user can delete the branch from which the pull request was proposed, the trust panel must be displayed when runs are waiting approval, either for information or to approve/deny runs from untrusted users.

Closes forgejo/forgejo#12576

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12785
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
(cherry picked from commit 4ce9f2b061022161b9df8a2aebac5056b1baf737)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12832
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: crystal <crystal@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12812

When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied.

The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user.

Closes forgejo/forgejo#12811

Co-authored-by: limiting-factor <limiting-factor@posteo.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12831
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: crystal <crystal@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12460

Resolves forgejo/forgejo#12436

Uppercase the token before verification as verification is case-sensitive. Some mail clients might've lower cased.

Co-authored-by: abidos <abidos@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12834
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12773

This
1. hides the “New issue” button, which currently leads to a 404 page, because it is not useful to have it, e.g., here: https://code.forgejo.org/forgejo/act/issues/169
2. removes the UI ability on projects in archived repos to move around issues and project columns. When a user performs such an action, currently it is shown as it were successful, but actually all requests lead to 404s without warning.
3. hides the hints for synching a fork or creating a pull request for recently pushed branches (which again would lead to 404s)
4. hides the branch selector (only shows the branch) on single issue/PR pages, which is disfunctional on archived repos

Thus, both these changes do not change anything related to what happens to issues or projects in archived repos, but only reduces 404 errors.

I don’t think this needs to be tested more than manually.

## Test

Create first a repository with at least **one issue** in **one project** and edit a file by creating a **new branch**. Then, perform following actions, once in the state where the repository is normal and once when it is archived:

action|unarchived|archived
---|---|---
\1. go to the issue|“New issue” button functional|“New issue” button removed
\2. click on the branch selector|menu opens|menu is now disabled and shows the branch
\3. go to the project|“New issue” button functional|“New issue” button removed
\4. try to move around columns|modifies columns|not possible anymore
\5. try to move around the issue|modifies issue location|not possible anymore
\6. go to the code view|see hint "You pushed …"|do not see this hint anymore

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12835
**Backport:** #12796

While working on #11356, I noticed https://codeberg.org/forgejo/forgejo/pulls/9906#issuecomment-10826066 which could have benefited from a `forgery.CreateProject` helper.
Since this helper wasn't available, the PR had to:
- adjust the global `project.yml` fixture
- fix the unrelated `models/project/project_test.go`, because of the fixture update

So 2/4 changed files in the PR were due to the usage of global fixtures.

This PR attempts at fixing this.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12852
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** #12555

Conflicts:
- tests/integration/actions_token_metadata_test.go does not exist in v15

Some imports and formatting were needed as well (dedicated commits).

---

Followup of #11356 to convert `tests.CreateDeclarativeRepo` to `forgery.CreateRepository (34 occurrences remaining after this PR - 39 occurrences replaced here).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12868
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12928

Improve checkbox contrast inside of `.markup` as per #12647.

Add checkboxes to a PR description:

| Before | After |
|---|----------------------|
| `var(--color-secondary)` | `var(--color-secondary-dark-4)` |
| <img src="/attachments/21a20e56-0120-4568-9ffb-387a99ade090" width="300" /> | <img src="/attachments/69763fee-c3f2-4a98-90a0-b416137fcb64" width="300" /> |
| ![image](/attachments/7f300c2e-58e4-42f3-be3f-fba52dbe8fdb) | ![image](/attachments/9bb332ae-6895-4662-978e-b08aa02f3f40) |
| ![image](/attachments/b166574b-6b65-4e15-83a8-8b8c8a70de0c) | ![image](/attachments/e055ef28-f1a3-45d5-90f3-4a5bc4c20b38) |

Co-authored-by: Dylan Weijgertze <dylanwprivate@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12949
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12901

Attempt to address #11705 and #11028.

The docker container runs gitea by default: 1d12151086/docker/root/etc/s6/gitea/run

Whereas a user might run `forgejo doctor ...` (which is symlinked to gitea).

So the doctor expects a different value for the authorized_keys command.

This fix does the opposite of syncAppConfForGit: it fetches the `AppPath` from the database to ensure it is the same as forgejo:
1d12151086/routers/init.go (L76-L87)

### Testing

1. Make a symlink called `forgejo`, pointing to gitea `ln -s gitea forgejo`
2. Run `./gitea` and add a ssh key to a user
3. Stop `./gitea`
4. Run `./forgejo doctor check --run authorized-keys`

Without this fix, the last command should fail.
With the fix, the last command should succeed and print:
```
- [I] AppPath changed from '/home/forgejo/forgejo' to '/home/forgejo/gitea'
```

- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Co-authored-by: oliverpool <git@olivier.pfad.fr>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12974
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
See https://codeberg.org/forgejo/forgejo/issues/11453 for context on performance

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13000
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
[v15.0/forgejo]: 2026-06-10 security patches (#13002)
Some checks failed
issue-labels / backporting (pull_request_target) Has been cancelled
Details
milestone / set (pull_request_target) Has been cancelled
Details
f6d4219f10 
- fix: prevent stored XSS in user display name on Actions page
- fix: LFS locks must belong to the intended repo, port from Gitea
- fix: prevent unauthorized access to draft releases via API
- fix: prevent writes to OpenID visibility which may affect other users
- fix: prevent viewing private PRs that are linked to public issues on public projects

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13002
Reviewed-by: Beowulf <beowulf@beocode.eu>
ServerSMP manually merged commit 42d86e37be into v15 2026-06-10 21:28:09 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ServerSMP/forgejo!54
No description provided.