Merge branch 'main' into lunny/fix_webhook_glob

Author: lunny

.devcontainer/devcontainer.json

@@ -13,7 +13,7 @@
     "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
     "ghcr.io/jsburckhardt/devcontainer-features/uv:1": {},
     "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.13"
+      "version": "3.14"
     },
     "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
   },

.github/labeler.yml

@@ -46,7 +46,7 @@ modifies/internal:
           - ".gitpod.yml"
           - ".markdownlint.yaml"
           - ".spectral.yaml"
-          - "stylelint.config.ts"
+          - "stylelint.config.*"
           - ".yamllint.yaml"
           - ".github/**"
           - ".gitea/**"
@@ -89,4 +89,4 @@ topic/code-linting:
           - ".markdownlint.yaml"
           - ".spectral.yaml"
           - ".yamllint.yaml"
-          - "stylelint.config.ts"
+          - "stylelint.config.*"

.github/workflows/pull-compliance.yml

@@ -39,7 +39,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: astral-sh/setup-uv@v7
-      - run: uv python install 3.12
+      - run: uv python install 3.14
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
@@ -59,7 +59,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: astral-sh/setup-uv@v7
-      - run: uv python install 3.12
+      - run: uv python install 3.14
       - run: make deps-py
       - run: make lint-yaml
 

.golangci.yml

@@ -48,6 +48,10 @@ linters:
               desc: do not use the ini package, use gitea's config system instead
             - pkg: gitea.com/go-chi/cache
               desc: do not use the go-chi cache package, use gitea's cache system
+            - pkg: github.com/pkg/errors
+              desc: use builtin errors package instead
+            - pkg: github.com/go-ap/errors
+              desc: use builtin errors package instead
     nolintlint:
       allow-unused: false
       require-explanation: true

CHANGELOG.md

@@ -4,7 +4,39 @@ This changelog goes through the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).
 
-## [1.25.3](https://github.com/go-gitea/gitea/releases/tag/1.25.3) - 2025-12-17
+## [1.25.4](https://github.com/go-gitea/gitea/releases/tag/v1.25.4) - 2026-01-15
+
+* SECURITY
+  * Release attachments must belong to the intended repo (#36347) (#36375)
+  * Fix permission check on org project operations (#36318) (#36373)
+  * Clean watches when make a repository private and check permission when send release emails (#36319) (#36370)
+  * Add more check for stopwatch read or list (#36340) (#36368)
+  * Fix openid setting check (#36346) (#36361)
+  * Fix cancel auto merge bug (#36341) (#36356)
+  * Fix delete attachment check (#36320) (#36355)
+  * LFS locks must belong to the intended repo (#36344) (#36349)
+  * Fix bug on notification read (#36339) #36387
+* ENHANCEMENTS
+  * Add more routes to the "expensive" list (#36290)
+  * Make "commit statuses" API accept slashes in "ref" (#36264) (#36275)
+* BUGFIXES
+  * Fix git http service handling (#36396)
+  * Fix markdown newline handling during IME composition (#36421) (#36424)
+  * Fix missing repository id when migrating release attachments (#36389)
+  * Fix bug when compare in the pull request (#36363) (#36372)
+  * Fix incorrect text content detection (#36364) (#36369)
+  * Fill missing `has_code` in repository api (#36338) (#36359)
+  * Fix notifications pagination query parameters (#36351) (#36358)
+  * Fix some trivial problems (#36336) (#36337)
+  * Prevent panic when GitLab release has more links than sources (#36295) (#36305)
+  * Fix stats bug when syncing release (#36285) (#36294)
+  * Always honor user's choice for "delete branch after merge" (#36281) (#36286)
+  * Use the requested host for LFS links (#36242) (#36258)
+  * Fix panic when get editor config file (#36241) (#36247)
+  * Fix regression in writing authorized principals (#36213) (#36218)
+  * Fix WebAuthn error checking (#36219) (#36235)
+
+## [1.25.3](https://github.com/go-gitea/gitea/releases/tag/v1.25.3) - 2025-12-17
 
 * SECURITY
   * Bump toolchain to go1.25.5, misc fixes (#36082)
@@ -31,7 +63,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
   * Fix error handling in mailer and wiki services (#36041) (#36053)
   * Fix bugs when comparing and creating pull request (#36166) (#36144)
 
-## [1.25.2](https://github.com/go-gitea/gitea/releases/tag/1.25.2) - 2025-11-23
+## [1.25.2](https://github.com/go-gitea/gitea/releases/tag/v1.25.2) - 2025-11-23
 
 * SECURITY
   * Upgrade golang.org/x/crypto to 0.45.0 (#35985) (#35988)
@@ -418,7 +450,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
   * Hide href attribute of a tag if there is no target_url (#34556) (#34684)
   * Fix tag target (#34781) #34783
 
-## [1.24.0](https://github.com/go-gitea/gitea/releases/tag/1.24.0) - 2025-05-26
+## [1.24.0](https://github.com/go-gitea/gitea/releases/tag/v1.24.0) - 2025-05-26
 
 * BREAKING
   * Make Gitea always use its internal config, ignore `/etc/gitconfig` (#33076)
@@ -788,7 +820,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
   * Bump x/net (#32896) (#32900)
   * Only activity tab needs heatmap data loading (#34652)
 
-## [1.23.8](https://github.com/go-gitea/gitea/releases/tag/1.23.8) - 2025-05-11
+## [1.23.8](https://github.com/go-gitea/gitea/releases/tag/v1.23.8) - 2025-05-11
 
 * SECURITY
   * Fix a bug when uploading file via lfs ssh command (#34408) (#34411)
@@ -815,7 +847,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
   * Bump go version in go.mod (#34160)
   * remove hardcoded 'code' string in clone_panel.tmpl (#34153) (#34158)
 
-## [1.23.7](https://github.com/go-gitea/gitea/releases/tag/1.23.7) - 2025-04-07
+## [1.23.7](https://github.com/go-gitea/gitea/releases/tag/v1.23.7) - 2025-04-07
 
 * Enhancements
   * Add a config option to block "expensive" pages for anonymous users (#34024) (#34071)
@@ -913,7 +945,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
 * BUGFIXES
   * Fix a bug caused by status webhook template #33512
 
-## [1.23.2](https://github.com/go-gitea/gitea/releases/tag/1.23.2) - 2025-02-04
+## [1.23.2](https://github.com/go-gitea/gitea/releases/tag/v1.23.2) - 2025-02-04
 
 * BREAKING
   * Add tests for webhook and fix some webhook bugs (#33396) (#33442)
@@ -3443,7 +3475,7 @@ Key highlights of this release encompass significant changes categorized under `
   * Improve decryption failure message (#24573) (#24575)
   * Makefile: Use portable !, not GNUish -not, with find(1). (#24565) (#24572)
 
-## [1.19.3](https://github.com/go-gitea/gitea/releases/tag/1.19.3) - 2023-05-03
+## [1.19.3](https://github.com/go-gitea/gitea/releases/tag/v1.19.3) - 2023-05-03
 
 * SECURITY
   * Use golang 1.20.4 to fix CVE-2023-24539, CVE-2023-24540, and CVE-2023-29400
@@ -3456,7 +3488,7 @@ Key highlights of this release encompass significant changes categorized under `
   * Fix incorrect CurrentUser check for docker rootless (#24435)
   * Getting the tag list does not require being signed in (#24413) (#24416)
 
-## [1.19.2](https://github.com/go-gitea/gitea/releases/tag/1.19.2) - 2023-04-26
+## [1.19.2](https://github.com/go-gitea/gitea/releases/tag/v1.19.2) - 2023-04-26
 
 * SECURITY
   * Require repo scope for PATs for private repos and basic authentication (#24362) (#24364)
@@ -3955,7 +3987,7 @@ Key highlights of this release encompass significant changes categorized under `
   * Display attachments of review comment when comment content is blank (#23035) (#23046)
   * Return empty url for submodule tree entries (#23043) (#23048)
 
-## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/1.18.4) - 2023-02-20
+## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/v1.18.4) - 2023-02-20
 
 * SECURITY
   * Provide the ability to set password hash algorithm parameters (#22942) (#22943)
@@ -4382,7 +4414,7 @@ Key highlights of this release encompass significant changes categorized under `
   * Fix the mode of custom dir to 0700 in docker-rootless (#20861) (#20867)
   * Fix UI mis-align for PR commit history (#20845) (#20859)
 
-## [1.17.1](https://github.com/go-gitea/gitea/releases/tag/1.17.1) - 2022-08-17
+## [1.17.1](https://github.com/go-gitea/gitea/releases/tag/v1.17.1) - 2022-08-17
 
 * SECURITY
   * Correctly escape within tribute.js (#20831) (#20832)

Makefile

@@ -32,14 +32,14 @@ XGO_VERSION := go-1.25.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.2
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15
 MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.7.0
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.9
+ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.10
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@@ -100,7 +100,7 @@ GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
 
 # Enable typescript support in Node.js before 22.18
 # TODO: Remove this once we can raise the minimum Node.js version to 22.18 (alpine >= 3.23)
-NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v 2>/dev/null | cut -c2- | tr '.' ' '))
+NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v 2>/dev/null | cut -c2- | sed 's/-.*//' | tr '.' ' '))
 ifeq ($(shell test "$(NODE_VERSION)" -lt "022018000"; echo $$?),0)
 	NODE_VARS := NODE_OPTIONS="--experimental-strip-types"
 else
@@ -211,37 +211,13 @@ help: Makefile ## print Makefile help information.
 	@printf "  \033[36m%-46s\033[0m %s\n" "test[#TestSpecificName]" "run unit test"
 	@printf "  \033[36m%-46s\033[0m %s\n" "test-sqlite[#TestSpecificName]" "run integration test for sqlite"
 
-.PHONY: go-check
-go-check:
-	$(eval MIN_GO_VERSION_STR := $(shell grep -Eo '^go\s+[0-9]+\.[0-9]+' go.mod | cut -d' ' -f2))
-	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
-	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
-	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
-		exit 1; \
-	fi
-
 .PHONY: git-check
 git-check:
 	@if git lfs >/dev/null 2>&1 ; then : ; else \
 		echo "Gitea requires git with lfs support to run tests." ; \
 		exit 1; \
 	fi
 
-.PHONY: node-check
-node-check:
-	$(eval MIN_NODE_VERSION_STR := $(shell grep -Eo '"node":.*[0-9.]+"' package.json | sed -n 's/.*[^0-9.]\([0-9.]*\)"/\1/p'))
-	$(eval MIN_NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell echo '$(MIN_NODE_VERSION_STR)' | tr '.' ' ')))
-	$(eval PNPM_MISSING := $(shell hash pnpm > /dev/null 2>&1 || echo 1))
-	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" ]; then \
-		echo "Gitea requires Node.js $(MIN_NODE_VERSION_STR) or greater to build. You can get it at https://nodejs.org/en/download/"; \
-		exit 1; \
-	fi
-	@if [ "$(PNPM_MISSING)" = "1" ]; then \
-		echo "Gitea requires pnpm to build. You can install it at https://pnpm.io/installation"; \
-		exit 1; \
-	fi
-
 .PHONY: clean-all
 clean-all: clean ## delete backend, frontend and integration files
 	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules
@@ -341,11 +317,13 @@ lint-backend-fix: lint-go-fix lint-go-gitea-vet lint-editorconfig ## lint backen
 lint-js: node_modules ## lint js files
 	$(NODE_VARS) pnpm exec eslint --color --max-warnings=0 $(ESLINT_FILES)
 	$(NODE_VARS) pnpm exec vue-tsc
+	$(NODE_VARS) pnpm exec knip --no-progress --cache
 
 .PHONY: lint-js-fix
 lint-js-fix: node_modules ## lint js files and fix issues
 	$(NODE_VARS) pnpm exec eslint --color --max-warnings=0 $(ESLINT_FILES) --fix
 	$(NODE_VARS) pnpm exec vue-tsc
+	$(NODE_VARS) pnpm exec knip --no-progress --cache --fix
 
 .PHONY: lint-css
 lint-css: node_modules ## lint css files
@@ -426,12 +404,12 @@ watch: ## watch everything and continuously rebuild
 	@bash tools/watch.sh
 
 .PHONY: watch-frontend
-watch-frontend: node-check node_modules ## watch frontend files and continuously rebuild
+watch-frontend: node_modules ## watch frontend files and continuously rebuild
 	@rm -rf $(WEBPACK_DEST_ENTRIES)
 	NODE_ENV=development $(NODE_VARS) pnpm exec webpack --watch --progress --disable-interpret
 
 .PHONY: watch-backend
-watch-backend: go-check ## watch backend files and continuously rebuild
+watch-backend: ## watch backend files and continuously rebuild
 	GITEA_RUN_MODE=dev $(GO) run $(AIR_PACKAGE) -c .air.toml
 
 .PHONY: test
@@ -749,7 +727,7 @@ build: frontend backend ## build everything
 frontend: $(WEBPACK_DEST) ## build frontend files
 
 .PHONY: backend
-backend: go-check generate-backend $(EXECUTABLE) ## build backend files
+backend: generate-backend $(EXECUTABLE) ## build backend files
 
 # We generate the backend before the frontend in case we in future we want to generate things in the frontend from generated files in backend
 .PHONY: generate
@@ -860,7 +838,7 @@ node_modules: pnpm-lock.yaml
 update: update-js update-py ## update js and py dependencies
 
 .PHONY: update-js
-update-js: node-check | node_modules ## update js dependencies
+update-js: node_modules ## update js dependencies
 	$(NODE_VARS) pnpm exec updates -u -f package.json
 	rm -rf node_modules pnpm-lock.yaml
 	$(NODE_VARS) pnpm install
@@ -869,7 +847,7 @@ update-js: node-check | node_modules ## update js dependencies
 	@touch node_modules
 
 .PHONY: update-py
-update-py: node-check | node_modules ## update py dependencies
+update-py: node_modules ## update py dependencies
 	$(NODE_VARS) pnpm exec updates -u -f pyproject.toml
 	rm -rf .venv uv.lock
 	uv sync
@@ -879,14 +857,14 @@ update-py: node-check | node_modules ## update py dependencies
 webpack: $(WEBPACK_DEST) ## build webpack files
 
 $(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) pnpm-lock.yaml
-	@$(MAKE) -s node-check node_modules
+	@$(MAKE) -s node_modules
 	@rm -rf $(WEBPACK_DEST_ENTRIES)
 	@echo "Running webpack..."
 	@BROWSERSLIST_IGNORE_OLD_DATA=true $(NODE_VARS) pnpm exec webpack --disable-interpret
 	@touch $(WEBPACK_DEST)
 
 .PHONY: svg
-svg: node-check | node_modules ## build svg files
+svg: node_modules ## build svg files
 	rm -rf $(SVG_DEST_DIR)
 	node tools/generate-svg.ts
 

README.zh-cn.md

@@ -46,7 +46,7 @@
 `build` 目标分为两个子目标：
 
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定义。
-- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本。
+- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本以及 [pnpm](https://pnpm.io/installation)。
 
 需要互联网连接来下载 go 和 npm 模块。从包含预构建前端文件的官方源代码压缩包构建时，不会触发 `frontend` 目标，因此可以在没有 Node.js 的情况下构建。
 

README.zh-tw.md

@@ -46,7 +46,7 @@
 `build` 目標分為兩個子目標：
 
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定義。
-- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本。
+- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本以及 [pnpm](https://pnpm.io/installation)。
 
 需要互聯網連接來下載 go 和 npm 模塊。從包含預構建前端文件的官方源代碼壓縮包構建時，不會觸發 `frontend` 目標，因此可以在沒有 Node.js 的情況下構建。