Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  [skip ci] Updated translations via Crowdin
  Update Nix flake (go-gitea#36902)
  Migrate fomantic `search` and `modal` CSS to first-party modules (go-gitea#36869)
  Feature: Add per-runner “Disable/Pause” (go-gitea#36776)
  Enable native dark mode for swagger-ui (go-gitea#36899)
  Front port changelog for 1.25.5 (go-gitea#36892)
  Fix typos in code comments: doesnt, dont, wont (go-gitea#36890)
  Vendor relative-time-element as local web component (go-gitea#36853)

Author: zjjhot

CHANGELOG.md

@@ -4,6 +4,53 @@ This changelog goes through the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).
 
+## [1.25.5](https://github.com/go-gitea/gitea/releases/tag/v1.25.5) - 2026-03-10
+
+* SECURITY
+  * Toolchain Update to Go 1.25.6 (#36480) (#36487)
+  * Adjust the toolchain version (#36537) (#36542)
+  * Update toolchain to 1.25.8 for v1.25 (#36888)
+  * Prevent redirect bypasses via backslash-encoded paths (#36660) (#36716)
+  * Fix get release draft permission check (#36659) (#36715)
+  * Fix a bug user could change another user's primary email (#36586) (#36607)
+  * Fix OAuth2 authorization code expiry and reuse handling (#36797) (#36851)
+  * Add validation constraints for repository creation fields (#36671) (#36757)
+  * Fix bug to check whether user can update pull request branch or rebase branch (#36465) (#36838)
+  * Add migration http transport for push/sync mirror lfs (#36665) (#36691)
+  * Fix track time list permission check (#36662) (#36744)
+  * Fix track time issue id (#36664) (#36689)
+  * Fix path resolving (#36734) (#36746)
+  * Fix dump release asset bug (#36799) (#36839)
+  * Fix org permission API visibility checks for hidden members and private orgs (#36798) (#36841)
+  * Fix forwarded proto handling for public URL detection (#36810) (#36836)
+  * Add a git grep search timeout (#36809) (#36835)
+  * Fix oauth2 s256 (#36462) (#36477)
+* ENHANCEMENTS
+  * Make `security-check` informational only (#36681) (#36852)
+  * Upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36840)
+  * Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#36688) (#36692)
+  * Upgrade gogit to 5.16.5 (#36687)
+  * Add wrap to runner label list (#36565) (#36574)
+  * Add dnf5 command for Fedora in RPM package instructions (#36527) (#36572)
+  * Allow scroll propagation outside code editor (#36502) (#36510)
+* BUGFIXES
+  * Fix non-admins unable to automerge PRs from forks (#36833) (#36843)
+  * Fix bug when pushing mirror with wiki (#36795) (#36807)
+  * Fix artifacts v4 backend upload problems (#36805) (#36834)
+  * Fix CRAN package version validation to allow more than 4 version components (#36813) (#36821)
+  * Fix force push time-line commit comments of pull request (#36653) (#36717)
+  * Fix SVG height calculation in diff viewer (#36748) (#36750)
+  * Fix push time bug (#36693) (#36713)
+  * Fix bug the protected branch rule name is conflicted with renamed branch name (#36650) (#36661)
+  * Fix bug when do LFS GC (#36500) (#36608)
+  * Fix focus lost bugs in the Monaco editor (#36609)
+  * Reprocess htmx content after loading more files (#36568) (#36577)
+  * Fix assignee sidebar links and empty placeholder (#36559) (#36563)
+  * Fix issues filter dropdown showing empty label scope section (#36535) (#36544)
+  * Fix various mermaid bugs (#36547) (#36552)
+  * Fix data race when uploading container blobs concurrently (#36524) (#36526)
+  * Correct spacing between username and bot label (#36473) (#36484)
+
 ## [1.25.4](https://github.com/go-gitea/gitea/releases/tag/v1.25.4) - 2026-01-15
 
 * SECURITY

flake.lock

@@ -62,6 +62,8 @@ type ActionRunner struct {
 	AgentLabels []string `xorm:"TEXT"`
 	// Store if this is a runner that only ever get one single job assigned
 	Ephemeral bool `xorm:"ephemeral NOT NULL DEFAULT false"`
+	// Store if this runner is disabled and should not pick up new jobs
+	IsDisabled bool `xorm:"is_disabled NOT NULL DEFAULT false"`
 
 	Created timeutil.TimeStamp `xorm:"created"`
 	Updated timeutil.TimeStamp `xorm:"updated"`
@@ -199,6 +201,7 @@ type FindRunnerOptions struct {
 	Sort          string
 	Filter        string
 	IsOnline      optional.Option[bool]
+	IsDisabled    optional.Option[bool]
 	WithAvailable bool // not only runners belong to, but also runners can be used
 }
 
@@ -239,6 +242,10 @@ func (opts FindRunnerOptions) ToConds() builder.Cond {
 			cond = cond.And(builder.Lte{"last_online": time.Now().Add(-RunnerOfflineTime).Unix()})
 		}
 	}
+
+	if opts.IsDisabled.Has() {
+		cond = cond.And(builder.Eq{"is_disabled": opts.IsDisabled.Value()})
+	}
 	return cond
 }
 
@@ -297,6 +304,20 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 	return err
 }
 
+func SetRunnerDisabled(ctx context.Context, runner *ActionRunner, isDisabled bool) error {
+	if runner.IsDisabled == isDisabled {
+		return nil
+	}
+
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		runner.IsDisabled = isDisabled
+		if err := UpdateRunner(ctx, runner, "is_disabled"); err != nil {
+			return err
+		}
+		return IncreaseTaskVersion(ctx, runner.OwnerID, runner.RepoID)
+	})
+}
+
 // DeleteRunner deletes a runner by given ID.
 func DeleteRunner(ctx context.Context, id int64) error {
 	if _, err := GetRunnerByID(ctx, id); err != nil {

models/actions/runner.go

@@ -113,7 +113,7 @@ func createOrUpdateIssueNotifications(ctx context.Context, issueID, commentID, n
 		}
 		toNotify.AddMultiple(issueParticipants...)
 
-		// dont notify user who cause notification
+		// don't notify user who cause notification
 		delete(toNotify, notificationAuthorID)
 		// explicit unwatch on issue
 		issueUnWatches, err := issues_model.GetIssueWatchersIDs(ctx, issueID, false)

models/activities/notification_list.go

@@ -254,7 +254,7 @@ func TestGetLabelsByIssueID(t *testing.T) {
 func TestUpdateLabel(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	label := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 1})
-	// make sure update wont overwrite it
+	// make sure update won't overwrite it
 	update := &issues_model.Label{
 		ID:           label.ID,
 		Color:        "#ffff00",

models/issues/label_test.go

@@ -401,6 +401,7 @@ func prepareMigrationTasks() []*migration {
 		newMigration(324, "Fix closed milestone completeness for milestones with no issues", v1_26.FixClosedMilestoneCompleteness),
 		newMigration(325, "Fix missed repo_id when migrate attachments", v1_26.FixMissedRepoIDWhenMigrateAttachments),
 		newMigration(326, "Migrate commit status target URL to use run ID and job ID", v1_26.FixCommitStatusTargetURLToUseRunAndJobID),
+		newMigration(327, "Add disabled state to action runners", v1_26.AddDisabledToActionRunner),
 	}
 	return preparedMigrations
 }

models/migrations/migrations.go

@@ -0,0 +1,17 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import "xorm.io/xorm"
+
+func AddDisabledToActionRunner(x *xorm.Engine) error {
+	type ActionRunner struct {
+		IsDisabled bool `xorm:"is_disabled NOT NULL DEFAULT false"`
+	}
+
+	_, err := x.SyncWithOptions(xorm.SyncOptions{
+		IgnoreDropIndices: true,
+	}, new(ActionRunner))
+	return err
+}

models/migrations/v1_26/v327.go

@@ -0,0 +1,33 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/migrations/base"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_AddDisabledToActionRunner(t *testing.T) {
+	type ActionRunner struct {
+		ID   int64 `xorm:"pk autoincr"`
+		Name string
+	}
+
+	x, deferable := base.PrepareTestEnv(t, 0, new(ActionRunner))
+	defer deferable()
+
+	_, err := x.Insert(&ActionRunner{Name: "runner"})
+	require.NoError(t, err)
+
+	require.NoError(t, AddDisabledToActionRunner(x))
+
+	var isDisabled bool
+	has, err := x.SQL("SELECT is_disabled FROM action_runner WHERE id = ?", 1).Get(&isDisabled)
+	require.NoError(t, err)
+	require.True(t, has)
+	require.False(t, isDisabled)
+}

models/migrations/v1_26/v327_test.go

@@ -27,7 +27,7 @@ func TokenFilterConstructor(config map[string]any, cache *registry.Cache) (analy
 
 func (s *TokenFilter) Filter(input analysis.TokenStream) analysis.TokenStream {
 	if len(input) == 1 {
-		// if there is only one token, we dont need to generate the reversed chain
+		// if there is only one token, we don't need to generate the reversed chain
 		return generatePathTokens(input, false)
 	}
 

modules/indexer/code/bleve/token/path/path.go

@@ -196,10 +196,18 @@ type ActionRunner struct {
 	Name      string               `json:"name"`
 	Status    string               `json:"status"`
 	Busy      bool                 `json:"busy"`
+	Disabled  bool                 `json:"disabled"`
 	Ephemeral bool                 `json:"ephemeral"`
 	Labels    []*ActionRunnerLabel `json:"labels"`
 }
 
+// EditActionRunnerOption represents the editable fields for a runner.
+// swagger:model
+type EditActionRunnerOption struct {
+	// required: true
+	Disabled *bool `json:"disabled"`
+}
+
 // ActionRunnersResponse returns Runners
 type ActionRunnersResponse struct {
 	Entries    []*ActionRunner `json:"runners"`