Modified - [scripts] [configure] [git-lfs] Added conditional Git LFS setup to configure.sh when repository LFS hooks are installed.

- 1 - I updated `.configure.sh` so repositories that already have Git LFS hook scripts in `.git/hooks` now treat `git-lfs` as a required dependency during verification, install the `git-lfs` system package on supported package managers, and run `git lfs install --local` during non-verify setup.

(cherry picked from commit b66ec8c19d)

.ai-structure.md

@@ -0,0 +1,358 @@
+.
+./types.d.ts
+./docker
+./docker/manifest.rootless.tmpl
+./docker/root
+./docker/manifest.tmpl
+./docker/README.md
+./docker/rootless
+./BSDmakefile
+./tests
+./tests/integration
+./tests/gitea-lfs-meta
+./tests/mysql.ini.tmpl
+./tests/e2e
+./tests/testdata
+./tests/fuzz
+./tests/test_utils.go
+./tests/sqlite.ini.tmpl
+./tests/gitea-repositories-meta
+./tests/pgsql.ini.tmpl
+./tests/mssql.ini.tmpl
+./eslint.json.config.ts
+./LICENSE
+./models
+./models/repo.go
+./models/avatars
+./models/system
+./models/auth
+./models/migrations
+./models/pull
+./models/main_test.go
+./models/fixtures
+./models/asymkey
+./models/packages
+./models/unittest
+./models/admin
+./models/repo
+./models/activities
+./models/unit
+./models/db
+./models/dbfs
+./models/shared
+./models/webhook
+./models/secret
+./models/perm
+./models/user
+./models/renderhelper
+./models/actions
+./models/git
+./models/organization
+./models/issues
+./models/repo_test.go
+./models/project
+./eslint.config.ts
+./flake.lock
+./tools
+./tools/generate-svg-vscode-extensions.json
+./tools/test-e2e.sh
+./tools/code-batch-process.go
+./tools/gocovmerge.go
+./tools/lint-templates-svg.ts
+./tools/generate-images.ts
+./tools/codeformat
+./tools/generate-svg.ts
+./tools/test-echo.go
+./tools/watch.sh
+./vitest.config.ts
+./CHANGELOG.md
+./+x
+./CODE_OF_CONDUCT.md
+./CLAUDE.md
+./README.zh-tw.md
+./web_src
+./web_src/svg
+./web_src/fomantic
+./web_src/js
+./web_src/css
+./CHANGELOG-archived.md
+./custom
+./custom/conf
+./contrib
+./contrib/systemd
+./contrib/init
+./contrib/update_dependencies.sh
+./contrib/fhs-compliant-script
+./contrib/launchd
+./contrib/backport
+./contrib/README
+./contrib/legal
+./contrib/supervisor
+./contrib/options
+./contrib/upgrade.sh
+./contrib/ide
+./contrib/gitea-monitoring-mixin
+./templates
+./templates/package
+./templates/post-install.tmpl
+./templates/status
+./templates/devtest
+./templates/projects
+./templates/base
+./templates/org
+./templates/swagger
+./templates/custom
+./templates/admin
+./templates/repo
+./templates/shared
+./templates/webhook
+./templates/api
+./templates/home.tmpl
+./templates/install.tmpl
+./templates/user
+./templates/explore
+./templates/mail
+./update-gitea.sh
+./flake.nix
+./DCO
+./MAINTAINERS
+./routers
+./routers/common
+./routers/install
+./routers/web
+./routers/private
+./routers/init.go
+./routers/api
+./routers/utils
+./pnpm
+./package.json
+./snap
+./snap/snapcraft.yaml
+./services
+./services/uinotification
+./services/convert
+./services/secrets
+./services/wiki
+./services/auth
+./services/migrations
+./services/pull
+./services/projects
+./services/repository
+./services/markup
+./services/oauth2_provider
+./services/asymkey
+./services/org
+./services/task
+./services/packages
+./services/mailer
+./services/forms
+./services/issue
+./services/webtheme
+./services/attachment
+./services/mirror
+./services/versioned_migration
+./services/agit
+./services/context
+./services/release
+./services/doctor
+./services/gitdiff
+./services/webhook
+./services/automerge
+./services/contexttest
+./services/cron
+./services/user
+./services/automergequeue
+./services/feed
+./services/actions
+./services/git
+./services/lfs
+./services/notify
+./services/indexer
+./services/externalaccount
+./go.mod
+./assets
+./assets/misspellings.csv
+./assets/logo.svg
+./assets/emoji.json
+./assets/go-licenses.json
+./assets/favicon.svg
+./smart-build.sh
+./Dockerfile.rootless
+./build
+./build/generate-go-licenses.go
+./build/update-locales.sh
+./build/generate-emoji.go
+./build/generate-bindata.go
+./build/generate-gitignores.go
+./build/test-env-check.sh
+./build/test-env-prepare.sh
+./pyproject.toml
+./updates.config.ts
+./tsconfig.json
+./pnpm-lock.yaml
+./crowdin.yml
+./SECURITY.md
+./options
+./options/locale
+./options/gitignore
+./options/fileicon
+./options/label
+./options/license
+./options/readme
+./docs
+./docs/guideline-frontend.md
+./docs/release-management.md
+./docs/guideline-backend.md
+./docs/community-governance.md
+./playwright.config.ts
+./cmd
+./cmd/manager_logging.go
+./cmd/admin_auth_ldap_test.go
+./cmd/web_acme.go
+./cmd/admin_user_delete.go
+./cmd/admin_user_must_change_password_test.go
+./cmd/admin_user_create.go
+./cmd/admin_regenerate.go
+./cmd/generate.go
+./cmd/admin_auth.go
+./cmd/dump.go
+./cmd/admin_user_must_change_password.go
+./cmd/doctor_test.go
+./cmd/migrate.go
+./cmd/admin_auth_oauth.go
+./cmd/main_test.go
+./cmd/actions.go
+./cmd/cmd_test.go
+./cmd/cert_test.go
+./cmd/migrate_storage_test.go
+./cmd/web_graceful.go
+./cmd/doctor.go
+./cmd/admin_user_delete_test.go
+./cmd/embedded.go
+./cmd/manager.go
+./cmd/config.go
+./cmd/admin_user_change_password.go
+./cmd/cert.go
+./cmd/hook_test.go
+./cmd/web.go
+./cmd/hook.go
+./cmd/admin_auth_ldap.go
+./cmd/admin_user_list.go
+./cmd/admin_user_change_password_test.go
+./cmd/admin_auth_smtp_test.go
+./cmd/web_https.go
+./cmd/docs.go
+./cmd/admin_user_create_test.go
+./cmd/migrate_storage.go
+./cmd/admin_auth_oauth_test.go
+./cmd/serv.go
+./cmd/admin_user_generate_access_token.go
+./cmd/admin.go
+./cmd/config_test.go
+./cmd/doctor_convert.go
+./cmd/main.go
+./cmd/dump_repo.go
+./cmd/keys.go
+./cmd/admin_user.go
+./cmd/admin_auth_smtp.go
+./cmd/restore_repo.go
+./cmd/mailer.go
+./cmd/cmd.go
+./AGENTS.md
+./README.zh-cn.md
+./Dockerfile
+./tailwind.config.ts
+./Makefile
+./README.md
+./main.go
+./go.sum
+./uv.lock
+./stylelint.config.js
+./CONTRIBUTING.md
+./modules
+./modules/reqctx
+./modules/public
+./modules/references
+./modules/httplib
+./modules/hcaptcha
+./modules/generate
+./modules/tailmsg
+./modules/turnstile
+./modules/system
+./modules/badge
+./modules/eventsource
+./modules/htmlutil
+./modules/setting
+./modules/fileicon
+./modules/auth
+./modules/migration
+./modules/svg
+./modules/repository
+./modules/markup
+./modules/typesniffer
+./modules/test
+./modules/web
+./modules/pprof
+./modules/validation
+./modules/base
+./modules/tempdir
+./modules/zstd
+./modules/gitrepo
+./modules/packages
+./modules/testlogger
+./modules/process
+./modules/templates
+./modules/label
+./modules/issue
+./modules/dump
+./modules/metrics
+./modules/assetfs
+./modules/nosql
+./modules/avatar
+./modules/updatechecker
+./modules/private
+./modules/cache
+./modules/regexplru
+./modules/gtprof
+./modules/log
+./modules/commitstatus
+./modules/session
+./modules/highlight
+./modules/csv
+./modules/proxy
+./modules/queue
+./modules/uri
+./modules/httpcache
+./modules/lfstransfer
+./modules/options
+./modules/webhook
+./modules/secret
+./modules/json
+./modules/globallock
+./modules/emoji
+./modules/charset
+./modules/recaptcha
+./modules/user
+./modules/paginator
+./modules/proxyprotocol
+./modules/actions
+./modules/optional
+./modules/structs
+./modules/ssh
+./modules/timeutil
+./modules/glob
+./modules/git
+./modules/lfs
+./modules/mcaptcha
+./modules/util
+./modules/sitemap
+./modules/graceful
+./modules/storage
+./modules/cachegroup
+./modules/hostmatcher
+./modules/container
+./modules/translation
+./modules/indexer
+./modules/analyze
+./vite.config.ts
+./main_timezones.go

.air.toml

@@ -4,7 +4,7 @@ tmp_dir = ".air"
 [build]
 pre_cmd = ["killall -9 gitea 2>/dev/null || true"] # kill off potential zombie processes from previous runs
 cmd = "make --no-print-directory backend"
-bin = "gitea"
+entrypoint = ["./gitea"]
 delay = 2000
 include_ext = ["go", "tmpl"]
 include_file = ["main.go"]

.codex-context.md

@@ -0,0 +1,64 @@
+# Gitea Codex Context
+
+This file is Codex's persistent operating context for this repository.
+
+Related orientation documents:
+- Full project change log: `./.codex-history.md`
+- Persistent implementation map: `./.codex-project-map.md`
+- Raw structural baseline: `./.ai-structure.md`
+
+## Recommended Read Order
+
+1. `./.codex-context.md`
+2. `./.codex-project-map.md`
+3. The concrete files involved in the current task
+4. `./.codex-history.md` only through targeted search, tags, or the latest relevant entries
+
+## High-Value Project Anchors
+
+- App entry point and default version wiring: `main.go`
+- Web command and server startup: `cmd/web.go`
+- Installed-instance initialization and route mounting: `routers/init.go`
+- Main web router: `routers/web/web.go`
+- Authentication handlers: `routers/web/auth/`
+- Request context, session, template data, and response helpers: `services/context/`
+- Domain business logic: `services/`
+- Persistence, DB infrastructure, and migrations: `models/`, `models/db/`, `models/migrations/`
+- Server-side UI templates: `templates/`
+- Browser-side JS/CSS/frontend: `web_src/`
+
+For detailed request flow, auth flow, extension points, and task-oriented entry points, use `./.codex-project-map.md` instead of duplicating them here.
+
+## Persistent Workflow Rules
+
+- Update `./.codex-history.md` after real project code changes.
+- Do not add Codex-only preference or memory edits to `./.codex-history.md`.
+- Do not reread unchanged context files within the same session unless the current task explicitly depends on them.
+- Prefer targeted search in `./.codex-history.md` by keyword, tag, or subsystem before reading larger ranges.
+- When the user asks for `revert`:
+  - first show the latest 10 commits as a numbered list with short descriptions;
+  - wait for the user's numeric choice before doing anything;
+  - if the target change is not committed, explain that the safe path is `git restore`, not `git revert`.
+- Revert flows must stay non-destructive by default; prefer `git revert` for committed changes and avoid destructive reset-style actions unless the user explicitly asks for them.
+
+## Persistent `.codex-history.md` Rules
+
+- Numeric IDs are reserved only for real project code changes.
+- IDs start at `0` and increase sequentially by `1`.
+- Use the format `N - [YYYY-MM-DD HH:MM:SS]`.
+- Store the real repository-derived application version, without a `Version:` label.
+- Keep only the final consolidated result of a task; do not keep intermediate attempts or failed correction steps.
+- Append to the same task only while the changes are consecutive follow-ups to the same problem.
+- If unrelated tasks happened in between, record the new work as a new task even if it returns to the same area.
+
+## Persistent Communication Preferences
+
+- After finishing a task, respond briefly and directly unless there are blockers or problems.
+- Re-check the rules in this file before and after making changes.
+
+## Current Working Notes
+
+- `main.go` defaults `setting.AppVer` to `development`; derive the real build/version string from the repository when writing `./.codex-history.md`.
+- The repository is predictably split across `cmd/`, `routers/`, `services/`, `models/`, `templates/`, and `web_src/`, so changes should normally stay localized to one or two layers plus their tests.
+- For custom release maintenance and repo-sync tasks, consult `./.codex-script-notes.md` before reanalyzing the large helper scripts.
+- New UI-visible functionality in this fork often also requires locale updates, so UI tasks and related history searches should usually consider `options/locale/`, especially `locale_en-US.json` and any actively maintained translated locale files.

.codex-history.md

@@ -0,0 +1,812 @@
+Project Change ID[date-time] - application-version - Type - Summary:
+
+History search guidance:
+- Prefer targeted search by task tag, subsystem keyword, or file/path before reading long ranges.
+- Entries are tagged inline as `[tag] [tag]` to support targeted search and filtering.
+
+
+0 - [2026-04-16 02:46:18] - v.1.27.0-dev-38-g4b334df6d4 - Type: Modified - [repo-ui] [visibility] [badges] Added explicit repository visibility badges to match the requested GitHub-style presentation more closely.
+- 1 - I modified `templates/repo/header.tmpl` so the repository page header now always shows a visibility badge on the right side: `Private`, `Internal`, or `Public`.
+- 2 - I modified `templates/shared/repo/list.tmpl` so each repository entry in shared repository lists also shows an explicit visibility badge for `Private`, `Internal`, or `Public`.
+- 3 - I added the `Public` label for repositories that previously had no explicit visibility badge, while preserving the existing archived, template, and sha256 labels.
+- 4 - I reused existing translation keys and existing badge styling so the change stays visually consistent with the current Gitea UI.
+
+
+1 - [2026-04-16 03:31:29] - v.1.27.0-dev-38-g4b334df6d4 - Type: Modified - [repo-ui] [visibility] [badges] [repo-settings] Refined repository visibility badges with semantic colors, owner-aware navigation, and broader coverage in repository settings views.
+- 1 - I modified `templates/shared/repo/list.tmpl` so `Public` now uses a basic green badge and `Private` now uses a basic red badge, while `Internal` remains neutral.
+- 2 - I modified `templates/repo/header.tmpl` so the repository header uses the same color-coded visibility badges and keeps the mobile icon behavior unchanged.
+- 3 - I added owner-aware navigation for the `Public` and `Private` badges so they link to the repository `Settings` page only when the signed-in user is the repository owner.
+- 4 - I modified `templates/user/settings/repos.tmpl` so the same visibility badge now appears next to repository names in `/user/settings/repos`, in both list variants rendered by that page.
+- 5 - I preserved the existing archived, template, fork, mirror, and object-format indicators so only the requested visibility presentation changed.
+
+
+2 - [2026-04-16 03:45:08] - v.1.27.0-dev-38-g4b334df6d4 - Type: Fixed - [user-settings] Corrected a template rendering error in /user/settings/repos caused by dereferencing a missing Owner object.
+- 1 - I fixed `templates/user/settings/repos.tmpl` so the internal-visibility check now guards against a nil `Owner` before accessing `Owner.Visibility`.
+- 2 - I applied the null-safe visibility guard in both repository list variants rendered by `/user/settings/repos`.
+- 3 - I preserved the new green/red visibility badge styling and owner-aware settings links while removing the nil-pointer render failure.
+
+
+3 - [2026-04-16 04:53:24] - v.1.27.0-dev-38-g4b334df6d4 - Type: Modified - [admin-users] Hid the admin privilege toggle when an administrator edits their own account from the admin user edit page.
+- 1 - I modified `templates/admin/user/edit.tmpl` so the `Is Administrator` checkbox is no longer rendered when the edited user ID matches the signed-in admin ID.
+- 2 - I preserved the existing checkbox behavior for editing other users, so administrators can still grant or revoke admin rights for other accounts.
+- 3 - I kept the change limited to the admin edit UI without altering unrelated fields or backend update logic.
+
+4 - [2026-04-16 03:11:08] - v.1.27.0-dev-38-g4b334df6d4 - Type: Modified - [admin-users] [account-deletion] Disabled the self-account deletion option only for the last administrator and aligned the backend rule with that behavior.
+- 1 - I modified `templates/user/settings/account.tmpl` so the `Delete Your Account` action is disabled and shows the last-admin warning when the signed-in user is the only remaining admin.
+- 2 - I modified `routers/web/user/setting/account.go` so the account settings page now receives an `IsLastAdminUser` flag used by the template.
+- 3 - I updated the self-delete backend flow so it blocks account deletion only when the signed-in user is the last admin, instead of blocking every admin unconditionally.
+
+5 - [2026-04-16 03:26:40] - v.1.27.0-dev-38-g4b334df6d4 - Type: Fixed - [admin-users] [account-deletion] Adjusted the shared last-admin detection to count only active administrators so account deletion and admin demotion rules behave correctly in real instances.
+- 1 - I modified `models/user/user.go` so `IsLastAdminUser` now treats only active admins as candidates when deciding whether a user is the last admin.
+- 2 - This aligns the shared last-admin protection used by account deletion and admin privilege update flows with practical instance behavior.
+- 3 - The existing `/user/settings/account` UI and backend guards now work against the refined active-admin definition without additional template changes.
+
+6 - [2026-04-16 03:43:20] - v.1.27.0-dev-38-g4b334df6d4 - Type: Modified - [user-settings] [admin-users] [account-deletion] [ui] Updated the Delete Your Account panel for the last-admin case so it shows a direct warning message and hides the deletion controls.
+- 1 - I modified `templates/user/settings/account.tmpl` so the panel now shows `You cannot remove the last admin. There must be at least one admin.` while keeping the existing alert icon.
+- 2 - I hid the `Password` field for the last-admin case.
+- 3 - I hid the `Confirm Deletion` button for the last-admin case while preserving the normal delete flow for other users.
+
+7 - [2026-04-16 17:37:53] - v.1.27.0-dev-40-gc3b9d21472 - Type: Added - [auth] [account-requests] [mailer] [locale] [en] Added administrator notifications for pending account requests and delayed the user activation email until manual approval.
+- 1 - I added a new `email_notification.new_account_requests` user setting in `models/user/setting_options.go`, with an admin-default enabled preference and helper functions to read the preference consistently.
+- 2 - I modified `routers/web/user/setting/notifications.go`, `routers/web/web.go`, and `templates/user/settings/notifications.tmpl` so administrators now get a `New account request notifications` checkbox in `/user/settings/notifications`, and the last active admin cannot disable it.
+- 3 - I modified `routers/web/auth/auth.go`, `services/mailer/mail_user.go`, `templates/mail/user/auth/new_account_request.tmpl`, and `options/locale/locale_en-US.json` so manual account requests now send notification emails to opted-in active admins with a direct review link.
+- 4 - I modified `routers/web/admin/users.go` so when an administrator activates a manually approved account while registration email confirmation is disabled, the applicant receives the standard account activation email at that approval moment.
+
+8 - [2026-04-16 18:59:58] - v.1.27.0-dev-41-g97eee0a9a8 - Type: Fixed - [account-requests] [locale] [en] Corrected the new account request notification rule so at least one active administrator must remain subscribed.
+- 1 - I modified `models/user/setting_options.go` to count active administrators who still have new account request notifications enabled and to detect when the current admin is the last enabled recipient.
+- 2 - I modified `routers/web/user/setting/notifications.go` so the backend now blocks disabling the preference only when the signed-in admin is the last enabled notification recipient, instead of checking whether they are merely the last admin user.
+- 3 - I modified `templates/user/settings/notifications.tmpl` so the checkbox and submit button are disabled only for the last enabled notification recipient.
+- 4 - I updated `options/locale/locale_en-US.json` so the warning message now states the real rule clearly: at least one admin must keep these notifications enabled.
+
+9 - [2026-04-16 20:53:32] - v.1.27.0-dev-41-g97eee0a9a8 - Type: Added - [account-requests] Added automatic notification fallback when deleting the only admin who still receives new account request notifications.
+- 1 - I added `ShouldEnableNewAccountRequestNotificationsFallback` in `models/user/setting_options.go` so the code can detect when the deleted user is the last active admin with this notification enabled and the acting admin is currently unsubscribed.
+- 2 - I modified `routers/web/admin/users.go` so, after a successful admin-driven user deletion, the acting admin is automatically subscribed to new account request notifications when they deleted the last subscribed admin.
+- 3 - I modified `routers/api/v1/admin/user.go` so the same automatic fallback also applies to admin deletions performed through the API, keeping the behavior consistent across both deletion entry points.
+
+10 - [2026-04-16 23:02:55] - v.1.27.0-dev-42-g81727dd3e9 - Type: Added - [account-requests] [mailer] [locale] [en] Implemented a staged new account request workflow with email validation, admin review, request statuses, and automatic expiry cleanup.
+- 1 - I added `models/user/account_request.go` to store and manage account request states, validation expiry, retry counting, approval or rejection metadata, validation code generation, and expired pending-request cleanup.
+- 2 - I modified `routers/web/auth/auth.go`, added `routers/web/auth/account_request.go`, and updated `templates/user/auth/signup_inner.tmpl` so registration now creates pending account requests, resends validation mail when appropriate, blocks repeated unconfirmed attempts after five tries, and moves validated requests into administrator review instead of activating them immediately.
+- 3 - I modified `routers/web/admin/users.go`, added `routers/web/admin/account_request.go`, updated `routers/web/web.go`, and updated `templates/admin/user/edit.tmpl` so administrators can see the account request status for a user and explicitly activate, reject, or unblock requests from the admin user edit page.
+- 4 - I modified `services/mailer/mail_user.go`, added the new account request mail templates, updated `options/locale/locale_en-US.json`, and modified `services/user/user.go` with `services/cron/tasks_extended.go` so the workflow now sends dedicated validation, approval, and rejection emails, preserves rejected or blocked accounts from inactive-user cleanup, and automatically deletes only expired requests that never completed email validation.
+
+11 - [2026-04-16 23:18:45] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [locale] [en] Added the missing admin dashboard translation entries for the expired account request cleanup cron task.
+- 1 - I modified `options/locale/locale_en-US.json` to add `admin.dashboard.delete_expired_account_requests` so the new cron task can be rendered correctly in the admin dashboard task list.
+- 2 - I added `admin.dashboard.delete_expired_account_requests.started` alongside it so the matching task start message is also available and the cron task follows the same translation pattern as the existing dashboard tasks.
+- 3 - I verified the locale file remains valid JSON after the change.
+
+12 - [2026-04-17 00:05:29] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [mailer] [signup] Hardened the account request validation email flow so manual approval registrations do not silently skip or hide validation mail failures.
+- 1 - I modified `routers/web/auth/auth.go` so the `RegisterManualConfirm` path now runs before the generic activation shortcut for normal self-registrations, while still preserving the first-user bootstrap exception.
+- 2 - I modified `services/mailer/mail_user.go` so account request validation, approval, and rejection emails now return explicit errors when their templates cannot be rendered instead of failing silently.
+- 3 - I modified `routers/web/auth/account_request.go` and `routers/web/admin/account_request.go` so resend and unblock flows now surface validation-email rendering failures immediately, while approval and rejection actions log mail errors without rolling back the already completed admin decision.
+- 4 - I verified the updated flow builds cleanly after formatting with compile-only Go tests on the touched packages.
+
+13 - [2026-04-17 00:53:04] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [mailer] Reworked the first-user bootstrap path so manual confirmation sends the validation email instead of bypassing the new account request flow.
+- 1 - I modified `routers/web/auth/auth.go` so the automatic first-user admin bootstrap now only bypasses email handling when manual confirmation is disabled, while manual-confirm registrations still go through the validation email path.
+- 2 - I modified `routers/web/auth/account_request.go` so when the validated account is the only user in the instance, the system activates it directly and grants admin rights immediately instead of sending it into an impossible admin-review deadlock.
+- 3 - I preserved the normal staged workflow for all non-bootstrap registrations, so other users still go from email validation to pending admin review as before.
+- 4 - I formatted the code and verified the touched packages with compile-only Go tests after the bootstrap flow change.
+
+14 - [2026-04-17 01:14:35] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Added - [account-requests] [admin-users] [mailer] [locale] [en] Added an admin-side validation email send indicator with success or failure icon and attempt timestamp.
+- 1 - I modified `models/user/account_request.go` to persist the last validation email attempt status and timestamp for each account request.
+- 2 - I modified `routers/web/auth/auth.go`, `routers/web/auth/account_request.go`, and `routers/web/admin/account_request.go` so initial send, resend, and unblock flows now record whether the validation email send function returned success or error.
+- 3 - I modified `routers/web/admin/account_request.go` and `templates/admin/user/edit.tmpl` so the account request panel in the admin user edit page now shows a `✔` or `❌` together with the last validation email attempt timestamp.
+- 4 - I updated `options/locale/locale_en-US.json`, validated the JSON file, formatted the code, and verified the touched packages with compile-only Go tests.
+
+15 - [2026-04-17 06:26:17] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [account-requests] [mailer] [ui] [signup] Extended the validation email attempt indicator so it is visible in the user-facing registration flow as well as in the admin account request panel.
+- 1 - I modified `routers/web/auth/account_request.go` and `routers/web/auth/auth.go` so the last validation email attempt status and timestamp are loaded into the user-facing signup retry and activation prompt pages.
+- 2 - I modified `templates/user/auth/signup_inner.tmpl` so the `✔` or `❌` indicator and timestamp now appear next to the pending request message and beside the `Resend` button area.
+- 3 - I modified `templates/user/auth/activate_prompt.tmpl` so the same indicator and timestamp now appear after the initial validation email attempt triggered by account creation.
+- 4 - I adjusted `templates/admin/user/edit.tmpl` so the admin panel also shows the indicator when there is mail-attempt data even if the current account request status line is otherwise absent.
+
+16 - [2026-04-17 07:05:39] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [mailer] Switched the account request validation email to a real synchronous send path and added logging for silent mail queue enqueue failures.
+- 1 - I modified `services/mailer/mail_user.go` so `SendAccountRequestValidationMail` now uses a synchronous sender path instead of only enqueueing the message asynchronously.
+- 2 - I modified `services/mailer/mailer.go` to add `SendImmediately`, which uses the initialized configured sender directly and returns the real SMTP or sendmail error back to the caller.
+- 3 - I modified `services/mailer/mailer.go` so `SendAsync` now logs queue initialization and enqueue failures instead of silently discarding them.
+- 4 - This makes the new-user validation mail behave much closer to `SendTestMail`, which was already using direct sending and was one likely reason test emails succeeded while queued validation emails still appeared to disappear.
+
+17 - [2026-04-17 08:20:46] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [auth] [mailer] Switched the remaining user-facing activation emails to synchronous delivery and stopped showing success when the actual send fails.
+- 1 - I modified `services/mailer/mail_user.go` so `SendActivateAccountMail` and `SendActivateEmailMail` now return real errors and use direct synchronous sending instead of only queueing the message.
+- 2 - I modified `services/mailer/mail_user.go` so account request approval and rejection emails sent to the user now use the same synchronous delivery path for consistent behavior.
+- 3 - I modified `routers/web/auth/auth.go` and `routers/web/user/setting/account.go` so signup and email-confirmation flows stop reporting success when the mail send to the user fails.
+- 4 - I modified `routers/web/admin/users.go` so administrator-triggered account activation now logs and warns when the activation email to the user could not be sent.
+
+18 - [2026-04-17 18:54:53] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [auth] [account-requests] [signup] [locale] [en] Refined the account request resend UX so pending users can retry from both activation and signup pages without losing their entered registration data.
+- 1 - I modified `templates/user/auth/activate_prompt.tmpl` so the activation page now shows a separate `Did not receive the email?` prompt, a standalone `Resend` button under the mail status indicator, and a Spam/Junk reminder.
+- 2 - I modified `templates/user/auth/signup_inner.tmpl` so the pending-registration panel now uses plain prompt text plus a dedicated `Resend` button instead of the combined button label, while also preserving the signup form values through the resend action.
+- 3 - I modified `models/user/account_request.go` and `routers/web/auth/account_request.go` so account request validation emails now track up to five resend actions and automatically hide the resend button after that limit is reached.
+- 4 - I modified `routers/web/auth/auth.go` and `options/locale/locale_en-US.json` so the activation prompt receives the same resend controls immediately after registration and the new texts are available consistently across both user-facing flows.
+
+19 - [2026-04-17 22:10:39] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [auth] [account-requests] [mailer] [signup] Prevented invalid signup email input from triggering an internal server error in the account request pre-check flow.
+- 1 - I modified `models/user/account_request.go` so `GetUserByAnyEmail` now trims and validates the email address before querying, reusing the normal email validation behavior instead of treating malformed input like a server-side lookup problem.
+- 2 - I modified `routers/web/auth/account_request.go` so the signup pre-check now treats invalid or unsupported email formats as normal invalid input and lets the standard registration validation flow handle the user-facing error message.
+- 3 - I modified `routers/web/auth/account_request.go` so the resend endpoint also treats malformed email input as unavailable instead of escalating it into a 500 error.
+
+20 - [2026-04-17 23:13:17] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [mailer] [signup] [locale] [en] Rolled back newly created self-registration accounts when the initial confirmation email cannot actually be sent.
+- 1 - I modified `routers/web/auth/auth.go` so `createAndHandleCreatedUser` now passes the template and form context into the post-create flow, allowing failed registration emails to return a normal form error instead of a 500 page.
+- 2 - I modified `routers/web/auth/auth.go` so the initial account-request validation mail and the initial standard activation mail both delete the newly created user if sending fails, preventing orphaned accounts from being left in the database.
+- 3 - I added a dedicated `auth.confirmation_mail_failed` user-facing message in `options/locale/locale_en-US.json` so registration now tells the user that the account was not created because the confirmation email could not be sent.
+- 4 - I preserved the existing resend behavior for already created inactive users, so the rollback applies only to the first mail send during new self-registration.
+
+21 - [2026-04-26 22:55:56] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [scripts] [smart-build] Updated the smart build script for PNPM 10 and the repository frontend build flow.
+- 1 - I modified `smart-build.sh` to remove the unsupported `--ignore-engines` PNPM option from dependency installation.
+- 2 - I changed the frontend rebuild step to call `make frontend`, matching the Gitea Makefile target instead of calling a missing `pnpm run build` script.
+- 3 - I fixed the architecture menu echo line so `Initialization checks` is no longer appended as stray shell text.
+
+22 - [2026-04-26 23:01:28] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [scripts] [smart-build] Made the smart build script find the local Go toolchain before running backend builds.
+- 1 - I modified `smart-build.sh` to prepend `/usr/local/go/bin` to `PATH` when the local Go binary exists.
+- 2 - I added an early Go availability check so the script stops with a clear message before invoking `make build` if Go is not installed or visible.
+- 3 - I added explicit failure handling for dependency installation and frontend asset builds so the script does not continue after a failed prerequisite step.
+
+23 - [2026-04-26 23:20:08] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [scripts] [smart-build] [bindata] Added a smart build menu option for SQLite-enabled bindata builds.
+- 1 - I modified `smart-build.sh` to add a build-tag selection menu with the existing `bindata` build and a new `bindata sqlite sqlite_unlock_notify` option.
+- 2 - I changed the backend build command to use the selected tag set instead of always passing `TAGS="bindata"`.
+- 3 - I made SQLite builds enable CGO and write artifacts with a `-sqlite` suffix so they are distinguishable from default bindata builds.
+
+24 - [2026-04-27 00:18:15] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [auth] Made account request validation links robust after account data changes.
+- 1 - I modified `models/user/account_request.go` so account request validation codes can be stored as hashes and later accepted as a fallback when the stateless code can no longer be recalculated from current user data.
+- 2 - I modified the registration, resend, and admin unblock flows to generate one validation code, send that exact code by email, and store its hash only after the email send succeeds.
+- 3 - I cleared stored validation-code hashes when account requests are reset, validated, or approved so old validation links cannot keep working after the request leaves email validation.
+- 4 - I added focused tests for account request code verification and `/user/activate` handling, including the case where user data changes after the validation email is sent.
+
+25 - [2026-04-27 00:49:34] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] [signup] [auth] Corrected pending account request detection for validation links and repeated registration attempts.
+- 1 - I modified account request status detection so inactive users with validation markers are treated as pending email validation even if `account_request.status` is missing.
+- 2 - I added a dedicated account-request time-limit code purpose while keeping compatibility with older account-request links, preventing normal activation links from being intercepted by the account request path.
+- 3 - I moved the pending account request pre-check before generic signup form errors so repeated registration attempts show the pending-request message and resend option instead of `The username is already taken`.
+- 4 - I updated the pending signup message to include the email address that received the validation email and added focused tests for missing-status validation, classic activation separation, and repeated registration.
+
+26 - [2026-04-27 01:10:03] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [account-requests] Restored the admin account request review flow link to the page with approval controls.
+- 1 - I modified `services/mailer/mail_user.go` so new account request notification emails now link directly to `/-/admin/users/{id}/edit`, where the `Activate Request` and `Reject` controls are rendered.
+- 2 - I added a focused mailer test to ensure future account request notifications keep pointing to the admin edit page instead of the read-only user view page.
+
+27 - [2026-04-27 01:47:34] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [admin-users] [account-deletion] Hid admin-side account deletion controls for the last active administrator.
+- 1 - I modified `routers/web/admin/users.go` so the admin user edit page receives `IsLastAdminUser` for the edited user.
+- 2 - I modified `templates/admin/user/edit.tmpl` so `Delete User Account` is replaced by the existing last-admin warning when the edited user is the only active admin.
+- 3 - I hid the admin delete confirmation modal for the last-admin case while preserving the backend `DeleteUser` last-admin guard as the final protection.
+
+28 - [2026-04-27 02:06:06] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [admin-users] [account-deletion] Kept last-admin account deletion actions visible but disabled.
+- 1 - I modified `templates/admin/user/edit.tmpl` so `Delete User Account` remains visible as a disabled button for the last active admin while showing the existing last-admin warning.
+- 2 - I modified `templates/user/settings/account.tmpl` so the self-delete confirmation button remains visible as disabled for the last active admin while showing the same warning.
+- 3 - I kept delete confirmation modals unavailable for the disabled last-admin actions so blocked actions cannot be submitted from the UI.
+
+29 - [2026-04-27 09:12:11] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [admin-users] Adjusted last-admin delete warning placement and spacing.
+- 1 - I modified `templates/admin/user/edit.tmpl` so the last-admin warning appears above the disabled `Delete User Account` button with vertical spacing.
+- 2 - I modified `templates/user/settings/account.tmpl` so the disabled self-delete confirmation button has spacing below the warning message.
+
+30 - [2026-04-27 09:28:16] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [admin-users] [ui] Restored admin edit action button alignment while keeping the last-admin warning above them.
+- 1 - I modified `templates/admin/user/edit.tmpl` so the last-admin warning appears above the action button row.
+- 2 - I kept `Update Profile` and the disabled `Delete User Account` button in the same button row and original order.
+
+31 - [2026-04-27 10:07:15] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [account-requests] Adjusted account request resend button sizing and delivery-state feedback.
+- 1 - I modified the pending signup and activation prompt templates so the resend button is smaller, blue by default, and spaced away from the spam-folder hint.
+- 2 - I added resend result state rendering so successful sends turn the button green for five seconds and failed sends keep it red.
+- 3 - I changed the resend handler to re-render the current account-request page with a failed send message instead of showing a server-error page when email delivery fails.
+
+32 - [2026-04-27 14:41:33] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Added - [scripts] [build-env] Added a build environment configuration script.
+- 1 - I added `configure.sh` to install and verify the system packages, Go version, Node version, pnpm version, and frontend dependencies required by this Gitea tree.
+- 2 - I made the script read the required Go, Node, and pnpm versions from `go.mod` and `package.json`, while still allowing environment overrides.
+- 3 - I added an optional `--with-cross-cgo` mode that installs/configures the heavier cross-CGO toolchains needed for SQLite builds targeting linux/armv7 and windows/amd64.
+
+33 - [2026-04-27 14:51:16] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [scripts] [build-env] Added an interactive run menu to the build environment configuration script.
+- 1 - I modified `configure.sh` so running it without arguments in an interactive terminal shows a description of what the script installs and verifies.
+- 2 - I added a run menu with Normal, With cross cgo, Verify only, and Quit options.
+- 3 - I added a `--menu` flag so the same interactive menu can be requested explicitly while keeping the existing command-line options for automated runs.
+
+34 - [2026-04-27 14:59:01] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [scripts] [build-env] Made interactive environment verification report missing requirements without failing the menu run.
+- 1 - I modified `configure.sh` so the interactive `Verify only` menu option lists all detected missing commands and configuration issues instead of stopping at the first missing requirement.
+- 2 - I kept the direct `./configure.sh --verify-only` mode strict for automated checks, returning a failure when requirements are missing.
+- 3 - I adjusted the final interactive verification message so it recommends rerunning the menu with Normal or With cross cgo instead of suggesting a build when requirements are still missing.
+
+35 - [2026-04-27 15:20:01] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [scripts] [build-env] Translated the build environment configuration script text to English.
+- 1 - I modified `configure.sh` so the interactive description is written in English.
+- 2 - I translated the interactive menu option descriptions to English while keeping the existing script behavior unchanged.
+
+36 - [2026-04-27 19:28:55] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [mailer] [mailer-ui] Moved test email feedback inline and aligned mail action button states.
+- 1 - I modified `routers/web/admin/config.go` so the test email result redirects back to the config page with local test-mail state instead of using the global flash alert.
+- 2 - I modified `templates/admin/config.tmpl` so the test email result appears beside the `Send` button, with the button using primary, green, or red state colors.
+- 3 - I changed the account request `Resend` button default state from `blue` to `primary` so it uses the same visible blue styling as the rest of the Gitea UI.
+
+37 - [2026-04-27 19:56:31] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [mailer] [mailer-ui] [scripts] [bindata] Forced mail action button colors and refreshed local template bindata.
+- 1 - I modified the admin test mail and account request resend templates so their default, success, and failure colors are set directly with Gitea theme variables.
+- 2 - I updated the success timeout scripts to restore the direct primary-color styling after five seconds.
+- 3 - I regenerated the local ignored `modules/templates/bindata.dat` file so local bindata builds can include the updated templates.
+
+38 - [2026-04-27 20:05:18] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [scripts] [smart-build] [bindata] Added bindata freshness checks to the smart build script.
+- 1 - I modified `smart-build.sh` so bindata builds check the generated templates, options, public, and migration schema bindata files before compilation.
+- 2 - I made the script regenerate any missing or stale bindata file with `go generate -tags bindata` before running `make build`.
+- 3 - I kept the regeneration step neutral from cross-build environment variables by clearing `GOOS`, `GOARCH`, `CGO_ENABLED`, and `CC` for the go generate command.
+
+39 - [2026-04-27 20:35:07] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [mailer] [mailer-ui] [admin-config] [ui] [sticky-layout] Preserved scroll position after sending a test email from the admin config page.
+- 1 - I modified `templates/admin/config.tmpl` so the test email form records the current scroll position before submit.
+- 2 - I modified `routers/web/admin/config.go` so the test email redirect carries the saved scroll position and returns to the local test-email anchor.
+- 3 - I regenerated the local ignored `modules/templates/bindata.dat` file so bindata builds can include the scroll-preserving template update.
+
+40 - [2026-04-27 21:03:25] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [mailer] [mailer-ui] [admin-config] [ui] Removed page reload and scroll movement from the admin test email action.
+- 1 - I modified `templates/admin/config.tmpl` so the `Send Testing Email` form submits through `fetch` and updates the inline message without changing the page URL or scroll position.
+- 2 - I modified `routers/web/admin/config.go` so inline test email requests return JSON state and message data instead of redirecting.
+- 3 - I regenerated the local ignored `modules/templates/bindata.dat` file so bindata builds can include the no-jump test email behavior.
+
+41 - [2026-04-27 21:14:20] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [mailer] [mailer-ui] [admin-config] Shortened admin test email delivery error messages.
+- 1 - I modified `routers/web/admin/config.go` so `Send Testing Email` displays a concise SMTP failure reason instead of the full command chain.
+- 2 - I added normalization for common mail errors such as user unknown, mailbox unavailable, relay access denied, and authentication failure.
+- 3 - I added a focused unit test for the short test mail error formatter.
+
+42 - [2026-04-27 21:47:26] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Added - [admin-users] [account-deletion] Added an admin user-list delete account action.
+- 1 - I modified `templates/admin/user/list.tmpl` so each user row now shows a red trash icon beside the existing User Details and Edit actions.
+- 2 - I added a shared delete-account confirmation modal on the user management list, including the existing purge option and delete-account warning text.
+- 3 - I regenerated the local ignored `modules/templates/bindata.dat` file so bindata builds can include the new list action.
+
+43 - [2026-04-27 22:17:13] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Modified - [admin-users] Matched the admin user-list delete action to the edit-page delete state.
+- 1 - I modified `routers/web/explore/user.go` so user search pages can receive optional per-user extra data before rendering.
+- 2 - I modified `routers/web/admin/users.go` so the admin user list marks rows where the user is the last active administrator using the same condition as the edit page.
+- 3 - I modified `templates/admin/user/list.tmpl` so the trash icon is disabled with the existing last-admin warning tooltip whenever the edit-page `Delete User Account` button would be disabled.
+
+44 - [2026-04-28 09:12:49] - v.1.27.0-dev-43-gb2b024d0b6 - Type: Fixed - [auth] [account-requests] Blocked inactive account-request users from getting a signed-in session.
+- 1 - I modified the password sign-in flow so inactive account-request users are stopped before session, 2FA, or remember-cookie creation and are shown the activation prompt instead.
+- 2 - I added account-request login prompts for pending email validation, pending admin review, rejected, and blocked states, while keeping the resend button available only for pending email validation.
+- 3 - I modified existing inactive signed sessions on web pages to be signed out before rendering the activation/account-request prompt so the account menu and Sign Out action are not shown.
+- 4 - I added targeted auth tests for pending email validation and pending admin review login attempts, including username and email login for the validation case.
+- 5 - I regenerated the local ignored `modules/options/bindata.dat` file so bindata builds can include the new login prompt locale string.
+
+45 - [2026-04-28 16:01:28] - v1.27.0-dev-47-gf21b6b7a3b - Type: Modified - [auth] [recovery] Added password confirmation to account recovery.
+- 1 - I modified `templates/user/auth/reset_passwd.tmpl` so the account recovery reset form includes a required `Confirm Password` field.
+- 2 - I modified `routers/web/auth/password.go` so reset submissions reject mismatched passwords before two-factor checks or password updates.
+- 3 - I added a focused auth test for mismatched recovery password confirmation and regenerated the local ignored `modules/templates/bindata.dat` file for bindata builds.
+
+46 - [2026-04-28 19:05:06] - v1.27.0-dev-48-g25a1d84c2e - Type: Fixed - [auth] [recovery] Used the reset-password lifetime for account recovery codes.
+- 1 - I modified `models/user/user.go` so reset-password time-limit codes are generated and verified with `RESET_PASSWD_CODE_LIVE_MINUTES` instead of `ACTIVE_CODE_LIVE_MINUTES`.
+- 2 - I kept activation, email activation, and account-request time-limit codes on the existing active-code lifetime.
+- 3 - I added a focused user-model test that proves reset-password codes remain valid when only `RESET_PASSWD_CODE_LIVE_MINUTES` allows them.
+
+47 - [2026-04-28 20:31:34] - v1.27.0-dev-48-g25a1d84c2e - Type: Added - [admin-invite] [admin-created-user] [signup] Added admin-created account invitation flow when registration is disabled.
+- 1 - I modified admin user creation so `DISABLE_REGISTRATION = true` creates inactive, sign-in-prohibited accounts and checks `Send User Registration Notification` by default when mail is configured.
+- 2 - I added a 24-hour admin invitation token and email template that lets the invited user accept the account, activate the email, and clear `Disable Sign-In`.
+- 3 - I added targeted tests for invitation token lifetime, invitation acceptance, and disabled-registration admin account creation defaults, then regenerated local ignored template and options bindata.
+
+48 - [2026-04-28 21:56:08] - v1.27.0-dev-48-g25a1d84c2e - Type: Modified - [scripts] [smart-build] Added smart-build load profile options.
+- 1 - I modified `smart-build.sh` so it asks for a build load profile before dependency checks, frontend build, bindata generation, and Go compilation.
+- 2 - I added Moderate and Low Resource profiles that set `GOMAXPROCS`, `MAKEFLAGS=-j1`, and a conservative Node memory limit to reduce CPU and RAM pressure.
+- 3 - I kept the Normal profile available for the existing unrestricted build behavior.
+
+49 - [2026-04-28 23:00:25] - v1.27.0-dev-49-g20405fe5e7 - Type: Added - [admin-invite] Notified inviting admins when admin-created invitations are accepted.
+- 1 - I stored the creator admin ID on disabled-registration admin-created invitation accounts so the invitation acceptance flow knows who to notify.
+- 2 - I added an invitation-accepted email template and mailer function that sends the accepting user's details back to the admin who created the account.
+- 3 - I updated targeted admin/auth tests and regenerated local ignored template and options bindata for the new email template and locale strings.
+
+50 - [2026-04-28 23:52:04] - v1.27.0-dev-50-g8147f7a798 - Type: Modified - [admin-created-user] [admin-users] [badges] Added creator-admin badges to the admin users list.
+- 1 - I modified the admin user list data loader so users created through the disabled-registration invitation flow include the admin creator name.
+- 2 - I modified `templates/admin/user/list.tmpl` so the Created column shows a `by <admin>` mini badge next to the creation date when creator data exists.
+- 3 - I added a focused admin list test for the creator-admin mapping and regenerated local ignored template bindata.
+
+51 - [2026-04-29 01:55:04] - v1.27.0-dev-51-gcfd7cfa1dc - Type: Fixed - [admin-invite] [admin-created-user] [badges] Kept creator-admin badges permanently attached to invited accounts.
+- 1 - I modified the admin invitation acceptance notification flow so it no longer deletes the stored creator-admin ID.
+- 2 - I updated the invitation acceptance test to assert the creator-admin marker remains after the user accepts the invitation.
+
+52 - [2026-04-29 02:04:41] - v1.27.0-dev-52-gcd96c721e0 - Type: Modified - [admin-created-user] [badges] [mailer] Added persistent admin email tooltip to creator badges.
+- 1 - I modified admin-created invitation account storage so it permanently saves the creator admin ID, username, and email address.
+- 2 - I modified the admin users list creator badge so it shows `by <admin>` and exposes the stored admin email as a hover tooltip.
+- 3 - I updated the focused admin list tests to prove the badge data still renders from stored name/email even without looking up the admin account, then regenerated local ignored template bindata.
+
+53 - [2026-04-29 02:30:55] - v1.27.0-dev-52-gcd96c721e0 - Type: Modified - [auth] [admin-created-user] [badges] Added admin activation badges and first-admin GOD badge.
+- 1 - I modified the admin users list so the Activated column can show a `by <admin>` badge with the stored admin email as a hover tooltip.
+- 2 - I stored admin activation ID, username, and email address when account requests are approved or inactive users are manually activated by an admin.
+- 3 - I added the special `by GOD` Created-column badge for the first admin account, updated focused admin list tests, and regenerated local ignored template bindata.
+
+54 - [2026-04-29 08:25:36] - v1.27.0-dev-53-ga3e09bb819 - Type: Fixed - [admin-users] [badges] Prevented empty `by` badges in the admin users list.
+- 1 - I changed the admin users list badge maps to use pointer values so missing entries render as empty instead of truthy zero-value structs.
+- 2 - I guarded the Created and Activated badge rendering so badges only appear when a display name exists.
+- 3 - I reran the focused admin badge tests and regenerated local ignored template bindata.
+
+55 - [2026-04-29 09:02:42] - v1.27.0-dev-53-ga3e09bb819 - Type: Modified - [account-requests] [admin-users] [ui] Moved account request review controls to the top of the admin user edit panel.
+- 1 - I moved the account request status message to the top of the admin user edit segment, immediately under the panel header.
+- 2 - I moved the Activate/Reject/Unblock request controls above the profile edit form so admins can review pending accounts without scrolling down.
+- 3 - I regenerated local ignored template bindata for the updated admin user edit template.
+
+56 - [2026-04-29 09:32:09] - v1.27.0-dev-54-gc7c7af77a1 - Type: Modified - [admin-users] Defaulted admin user purge checkboxes to enabled.
+- 1 - I set the Purge User checkbox to checked by default in the admin user edit delete modal.
+- 2 - I set the Purge User checkbox to checked by default in the admin users list delete modal.
+- 3 - I regenerated local ignored template bindata for the updated admin templates.
+
+57 - [2026-04-29 09:53:08] - v1.27.0-dev-55-ga8d9e5e659 - Type: Added - [auth] [admin-users] [account-status] Added Disable Sign-In metadata to the admin users list.
+- 1 - I added persistent admin metadata for Disable Sign-In actions, including timestamp, admin ID, admin name, and admin email.
+- 2 - I added a Disable Sign-In column to the admin users list that displays the block date and `by <admin>` badge with email tooltip.
+- 3 - I stored the same metadata when admin-created invitation accounts start disabled, when an admin disables sign-in from the edit form, and when an account request is rejected.
+
+58 - [2026-04-29 10:09:41] - v1.27.0-dev-55-ga8d9e5e659 - Type: Modified - [auth] [admin-users] [account-status] Added inactive marker to the Disable Sign-In admin users column.
+- 1 - I changed the Disable Sign-In column so users without sign-in disabled show the same `octicon-x` marker style as the other status columns.
+- 2 - I kept the block date and `by <admin>` badge for users that do have Disable Sign-In metadata.
+- 3 - I regenerated local ignored template bindata for the updated admin users list template.
+
+59 - [2026-04-29 14:49:39] - v1.27.0-dev-56-g1dcd81b420 - Type: Added - [admin-users] [account-status] [mailer] Added admin status-change reasons and user email notifications.
+- 1 - I added reason fields under the admin edit checkboxes for account activation, Disable Sign-In, and restricted status.
+- 2 - I require a reason when an admin newly deactivates an account, enables Disable Sign-In, or enables restricted mode, then email the user with the action, admin name, and reason.
+- 3 - I added the status-change email template, locale strings, regenerated local ignored template/options bindata, and reran the focused admin tests.
+
+60 - [2026-04-29 19:01:39] - v1.27.0-dev-57-g210955465e - Type: Fixed - [auth] [account-status] [mailer] Corrected admin status reason behavior and reactivation emails.
+- 1 - I changed the admin edit form so reason fields belong to the existing checkboxes and only appear for the restrictive state of each checkbox.
+- 2 - I persisted the deactivation, Disable Sign-In, and restricted reasons in user settings so later administrators can see the saved reason.
+- 3 - I changed status-change emails to describe the actual account effect, added notifications when restrictions are lifted, and stopped sending the old activation email on admin reactivation.
+
+61 - [2026-04-29 19:56:22] - v1.27.0-dev-59-gb3204f3db6 - Type: Added - [admin-users] [badges] Added restricted-admin badges and reason actor badges.
+- 1 - I added persistent admin metadata for Restricted actions, including timestamp, admin ID, admin name, and admin email.
+- 2 - I changed the admin users list Restricted column so newly restricted users show the restriction date and `by <admin>` badge with email tooltip.
+- 3 - I added `by <admin>` badges next to the saved Reason labels in the admin user edit panel for deactivation, Disable Sign-In, and Restricted reasons.
+
+62 - [2026-04-29 21:00:30] - v1.27.0-dev-60-g396b15372d - Type: Added - [admin-users] [badges] Added Is Administrator reason and admin-grant badges.
+- 1 - I added persistent metadata for granting administrator privileges, including timestamp, admin ID, admin name, admin email, and reason.
+- 2 - I changed the admin users list so administrator accounts with grant metadata show an `Admin by <admin>` badge with email tooltip.
+- 3 - I added the Is Administrator reason field, reason actor badge, grant/revoke email notifications, regenerated local ignored bindata, and added focused admin grant tests.
+
+63 - [2026-04-29 21:30:55] - v1.27.0-dev-60-g396b15372d - Type: Fixed - [admin-users] Made Is Administrator reasons apply only when admin rights are revoked.
+- 1 - I changed the Is Administrator reason field so it appears only when the checkbox is unchecked.
+- 2 - I stopped requiring or sending a reason when administrator privileges are granted and changed that email to a congratulatory promotion message.
+- 3 - I kept the reason on administrator privilege removal, regenerated template/options bindata, and reran the focused admin grant tests.
+
+64 - [2026-04-29 22:03:18] - v1.27.0-dev-61-g067a09c2ac - Type: Fixed - [admin-users] Disabled critical self-edit account state checkboxes.
+- 1 - I disabled User Account Is Activated and Is Restricted when an administrator edits their own account, matching the existing self-edit protection for Disable Sign-In.
+- 2 - I hardened the admin user update handler so manually submitted self-edit forms cannot change the current admin's active, restricted, or prohibit-login state.
+- 3 - I regenerated local ignored template bindata and verified the admin package compilation with reduced build pressure.
+
+65 - [2026-04-29 22:37:56] - v1.27.0-dev-62-g3afb4e8afa - Type: Added - [auth] [scripts] Added Codex ChatGPT login helper script.
+- 1 - I added `.codex_gpt_login`, an interactive helper for completing the local Codex ChatGPT auth callback in code-server environments.
+- 2 - The script accepts either a raw received code or a full URL/query containing `code=...`, calls the local callback endpoint, extracts `id_token`, and completes the `/success` request.
+- 3 - I made the script executable and verified its shell syntax with `bash -n`.
+
+66 - [2026-04-29 22:55:08] - v1.27.0-dev-62-g3afb4e8afa - Type: Modified - [admin-users] [badges] Added admin actor badge beside the Is Administrator option.
+- 1 - I updated the admin user edit panel so the Is Administrator checkbox label shows `by <admin>` when administrator grant metadata exists.
+- 2 - I reused the stored admin email as the badge hover tooltip and regenerated local ignored template bindata.
+
+67 - [2026-04-30 00:30:40] - v1.27.0-dev-63-g4aacf3bd20 - Type: Fixed - [admin-users] Hid Is Administrator reason unless admin rights were revoked.
+- 1 - I changed the Is Administrator reason field so normal non-admin users do not see it just because the checkbox is unchecked.
+- 2 - The reason field now appears only when a saved admin-revocation reason exists or when an existing administrator is being unchecked during the current edit.
+- 3 - I regenerated local ignored template bindata and verified whitespace with `git diff --check`.
+
+68 - [2026-04-30 01:44:17] - v1.27.0-dev-64-gcff1b46f50 - Type: Added - [admin-users] [super-admin] Added persistent super administrator protection.
+- 1 - I added `SUPER_ADMIN_ENABLED` and `ADMIN_MANAGEMENT_POLICY` configuration options for administrator permission management.
+- 2 - I stored the super administrator role and grant/revoke metadata in persistent user settings, with automatic `by GOD` bootstrap for the first active admin.
+- 3 - I protected administrator and super administrator changes so regular admins cannot alter existing admins unless the selected policy allows a regular-user promotion.
+- 4 - I added super administrator badges, reason tracking, and status-change emails, then regenerated template and options bindata.
+
+69 - [2026-04-30 02:20:26] - v1.27.0-dev-64-gcff1b46f50 - Type: Fixed - [admin-users] [super-admin] Enabled super administrator bootstrap by default.
+- 1 - I changed `SUPER_ADMIN_ENABLED` to default to `true` so existing installations without the new app.ini key bootstrap the first active administrator automatically.
+- 2 - I updated the app.ini example to document the enabled default and kept `SUPER_ADMIN_ENABLED = false` available as the explicit opt-out.
+- 3 - I made the super administrator list badge fall back to `by GOD` for the bootstrapped first administrator and regenerated options bindata.
+
+70 - [2026-04-30 04:08:23] - v1.27.0-dev-66-g35b9fa65d3 - Type: Fixed - [admin-users] [super-admin] Blocked regular administrators from editing super administrator accounts.
+- 1 - I modified `routers/web/admin/users.go` so non-super-admins are redirected away from super-admin edit actions, including profile edits and avatar changes.
+- 2 - I modified `routers/api/v1/admin/user.go` so the admin user edit API now returns forbidden when a regular admin targets a super admin.
+- 3 - I modified `templates/admin/user/list.tmpl` and `templates/admin/user/view.tmpl` so edit actions are hidden for super-admin accounts when the acting admin is not also a super admin.
+- 4 - I added `TestAdminCannotEditSuperAdminUser` in `tests/integration/admin_user_test.go` to cover the denied web-edit flow.
+
+71 - [2026-04-30 04:19:14] - v1.27.0-dev-67-g0fc6f30a30 - Type: Modified - [admin-users] [super-admin] Kept super administrator Edit and Delete controls visible but disabled for regular admins.
+- 1 - I modified `templates/admin/user/list.tmpl` so super-admin rows still show the `Edit` and `Delete` icons for regular admins, but as disabled muted controls with the super-admin-required tooltip.
+- 2 - I modified `templates/admin/user/view.tmpl` so the `Edit` button remains visible on the super-admin user details page for regular admins, but in a disabled state.
+
+72 - [2026-04-30 04:58:16] - v1.27.0-dev-68-g5da24d2c7b - Type: Modified - [admin-users] [admin-policy] Protected GOD-granted admin accounts and blocked deleting the direct grantor.
+- 1 - I added `models/user/admin_grant.go` with helpers to read admin and super-admin grantor metadata, detect `by GOD` bootstrap grants, and check whether a target user is the direct grantor of another admin.
+- 2 - I modified `routers/web/admin/users.go` so GOD-granted accounts cannot be edited or deleted through admin actions, and regular admins may delete other admin accounts except their direct grantor and protected super-admin cases.
+- 3 - I modified `routers/api/v1/admin/user.go` so the admin API now enforces the same GOD-protection and direct-grantor deletion rule.
+- 4 - I added locale messages for the new admin restrictions and added focused integration coverage for deleting another admin versus the direct grantor, plus GOD-protected admin API edits.
+
+73 - [2026-04-30 16:51:42] - v1.27.0-dev-71-g80497e4194 - Type: Modified - [admin-users] Restored normal self-edit access for super admins and disabled only the admin actions that are truly forbidden.
+- 1 - I modified `routers/web/admin/users.go` so a GOD-granted or super-admin user can still edit their own ordinary account fields, while forbidden cross-user edits remain blocked and table action states are computed per target user.
+- 2 - I modified `routers/api/v1/admin/user.go` so GOD-protection no longer blocks a user from editing their own account through the admin API.
+- 3 - I modified `templates/admin/user/list.tmpl`, `templates/admin/user/view.tmpl`, and `templates/admin/user/edit.tmpl` so `Edit` stays enabled for allowed self-edits, while forbidden `Edit` and `Delete` actions are shown disabled with the specific reason tooltip or warning message.
+
+74 - [2026-04-30 20:11:48] - v1.27.0-dev-72-g43161732e3 - Type: Modified - [installer] [locale] [en] Added install-time admin management policy choices with direct-grantor and inherited-grantor enforcement.
+- 1 - I modified `modules/setting/admin.go`, `services/forms/user_form.go`, `routers/install/install.go`, `templates/install.tmpl`, and `options/locale/locale_en-US.json` so installation now exposes three administrator-management policies: `super_admin_only`, `grantor_only`, and `grantor_inheritance`, while normalizing the old legacy policy names.
+- 2 - I modified `models/user/admin_grant.go` so the code can resolve the effective admin grantor by walking the admin-grant chain until it finds an active administrator who still has sign-in enabled.
+- 3 - I modified `routers/web/admin/users.go` so regular admins can edit or delete only the administrator accounts allowed by the selected policy, while keeping super-admin protections, GOD protections, self-edit exceptions, and disabled forbidden actions intact in the admin UI.
+- 4 - I modified `routers/api/v1/admin/user.go` so the admin API now applies the same grantor-based restrictions for editing and deleting administrator accounts.
+- 5 - I added focused integration coverage in `tests/integration/admin_user_test.go` and `tests/integration/api_admin_test.go` for direct-grantor edits, inherited-grantor edits, and API denial for unrelated admins.
+
+75 - [2026-04-30 20:37:01] - v1.27.0-dev-72-g43161732e3 - Type: Modified - [installer] [app-ini-import] [admin-policy] Updated the example app.ini documentation for the new administrator management policies.
+- 1 - I modified `custom/conf/app.example.ini` so the `ADMIN_MANAGEMENT_POLICY` comments now document `super_admin_only`, `grantor_only`, and `grantor_inheritance`, and changed the documented default to `grantor_only`.
+
+76 - [2026-04-30 22:03:50] - v1.27.0-dev-73-g1e13af4d6e - Type: Modified - [admin-users] [super-admin] [installer] [locale] [en] Updated install-page administrator labels to super administrator wording.
+- 1 - I modified `options/locale/locale_en-US.json` so the install-page administrator account title, description, and username label now refer to the super administrator role.
+- 2 - I renamed the install-page policy label from `Administrator Management Policy` to `Administration Management Policy`.
+
+77 - [2026-04-30 23:05:46] - v1.27.0-dev-75-gd4a1b88385 - Type: Modified - [mailer] [installer] [locale] [en] Added install-page testing email verification using the entered SMTP settings.
+- 1 - I modified `routers/install/routes.go`, `routers/install/install.go`, and `templates/install.tmpl` so the install page now has an inline `Send Testing Email` action that posts the current SMTP form values to a dedicated install endpoint.
+- 2 - I modified `services/mailer/mail.go` and `routers/web/admin/config.go` so compact test-mail error formatting is shared and install can send a test message with a temporary mailer configuration instead of relying on saved global settings.
+- 3 - I modified `options/locale/locale_en-US.json` for the install-page test-mail labels and regenerated template and options bindata after verifying the affected Go packages compile.
+
+78 - [2026-04-30 23:25:10] - v1.27.0-dev-75-gd4a1b88385 - Type: Modified - [mailer] [mailer-ui] [installer] Repositioned install-page Send Testing Email under SMTP Password.
+- 1 - I modified `templates/install.tmpl` so the `Send Testing Email` row now appears immediately below the `SMTP Password` field inside `Email Settings`.
+- 2 - I kept the existing selectors, inline message area, and button behavior unchanged while preserving the remaining field order.
+- 3 - I regenerated template bindata and rechecked the install package compile path after the layout-only change.
+
+79 - [2026-04-30 23:48:41] - v1.27.0-dev-75-gd4a1b88385 - Type: Fixed - [mailer] [mailer-ui] [installer] Aligned install-page Send Testing Email with the standard inline form grid.
+- 1 - I modified `templates/install.tmpl` so the `Send Testing Email` input, button, and message now render inside the same `right-content` column used by the other install-page inline fields.
+- 2 - I kept the existing selectors and behavior unchanged and only corrected the layout alignment relative to `SMTP Password`.
+
+80 - [2026-05-01 00:36:35] - v1.27.0-dev-75-gd4a1b88385 - Type: Fixed - [mailer] [mailer-ui] [installer] [ui] Matched install-page Send Testing Email row to the target inline layout.
+- 1 - I modified `templates/install.tmpl` so the `Send Testing Email` controls now use an inline wrapper with the same 60 percent content width as the standard install-form inputs instead of the block-style `right-content` helper.
+- 2 - I kept the existing selectors and behavior unchanged and only corrected the horizontal alignment to match the target SMTP Password row layout.
+
+81 - [2026-05-01 00:56:45] - v1.27.0-dev-75-gd4a1b88385 - Type: Modified - [mailer] [mailer-ui] [installer] [ui] Brightened install-page Send Testing Email status message colors.
+- 1 - I modified `templates/install.tmpl` so the inline status message now uses `var(--color-green)` for success and `var(--color-red)` for failure instead of the softer Tailwind utility classes.
+- 2 - I kept the existing button behavior unchanged and only adjusted the message text color handling in the install-page JavaScript.
+
+82 - [2026-05-01 13:09:43] - v1.27.0-dev-76-g362d01abbc - Type: Modified - [installer] [signup] [locale] [en] Added install-page Registration Management with coherent mode-driven registration settings.
+- 1 - I modified `templates/install.tmpl`, `services/forms/user_form.go`, and `routers/install/install.go` so the install page now exposes a dedicated `Registration Management` section with radio-button registration modes plus dependent local and external sub-options.
+- 2 - I mapped the new UI to the existing service settings by deriving `DISABLE_REGISTRATION`, `ALLOW_ONLY_INTERNAL_REGISTRATION`, `ALLOW_ONLY_EXTERNAL_REGISTRATION`, `REGISTER_EMAIL_CONFIRM`, and `REGISTER_MANUAL_CONFIRM` consistently from the selected mode and sub-options.
+- 3 - I updated `web_src/js/features/install.ts` and `options/locale/locale_en-US.json` so contradictory options are hidden or disabled in the browser, added the new English labels and descriptions, and regenerated template and options bindata.
+
+83 - [2026-05-01 18:14:40] - v1.27.0-dev-77-g19fb194db6 - Type: Modified - [installer] [locale] [en] Completed install-page admin-managed account modes and aligned locale install sections.
+- 1 - I modified `modules/setting/service.go`, `custom/conf/app.example.ini`, `services/forms/user_form.go`, `routers/install/install.go`, `templates/install.tmpl`, and `web_src/js/features/install.ts` so `Registration Management` now includes administrator-managed local versus invitation-based account provisioning, plus a helper for `Enable Email Notifications`.
+- 2 - I updated `routers/web/admin/users.go` and `routers/api/v1/admin/user.go` so disabled-registration account creation follows the configured administrator-created account mode, stores creator metadata for admin-created users, and sends either invitation mail or standard registration notification accordingly.
+- 3 - I aligned every `options/locale/locale_*.json` install section to the new key set and en-US fallback order, regenerated template and options bindata, and verified the affected install, admin web, and admin API packages.
+
+84 - [2026-05-02 00:16:23] - v1.27.0-dev-78-gad0ab4be60 - Type: Modified - [admin-created-user] [admin-users] [installer] [locale] [en] Moved admin-created account delivery mode selection from install to the admin new-user form.
+- 1 - I updated `templates/install.tmpl` and `web_src/js/features/install.ts` to remove the install-page `Administrator-managed accounts only` sub-mode choice so registration mode no longer decides how `/admin/users/new` delivers newly created accounts.
+- 2 - I extended `services/forms/admin.go`, `templates/admin/user/new.tmpl`, `web_src/js/features/admin/common.ts`, and `routers/web/admin/users.go` so `/admin/users/new` now offers mutually exclusive `Send User Registration Notification` and `Send User Registration Invitation` checkboxes, defaults the invitation checkbox when mail is available, preserves checkbox state on form re-render, and sends the matching email flow.
+- 3 - I adjusted `routers/web/admin/users_test.go`, added the new `admin.users.send_register_invite` locale key across `options/locale/locale_*.json`, regenerated template and options bindata, and re-verified the focused admin user flow.
+
+85 - [2026-05-02 01:52:40] - v1.27.0-dev-79-ga6695a6e73 - Type: Modified - [auth] [mailer] [signup] [locale] [en] Unified classic email-confirmation signup with the resend-based pending validation flow.
+- 1 - I updated `routers/web/auth/auth.go` and `routers/web/auth/account_request.go` so classic `REGISTER_EMAIL_CONFIRM` signups now render the same resend-capable activation prompt after account creation, redirect repeated signups with the same unconfirmed email to the resend-capable pending state instead of `The username is already taken`, and show the same resend-capable prompt when an unconfirmed user attempts to sign in.
+- 2 - I added classic activation resend state tracking in `models/user/account_request.go`, re-used the existing resend UI data contract for both signup and activation prompts, and extended `/user/sign_up/resend` to handle classic email-confirmation accounts with a five-resend limit.
+- 3 - I added focused auth tests in `routers/web/auth/auth_test.go`, aligned all `options/locale/locale_*.json` files with the new confirmation-mail keys, regenerated options bindata, and re-verified the affected auth package.
+
+86 - [2026-05-02 02:20:53] - v1.27.0-dev-80-g4ab8063966 - Type: Modified - [installer] [locale] [en] Added default language selection to the install page initial configuration.
+- 1 - I extended `services/forms/user_form.go`, `routers/install/install.go`, and `templates/install.tmpl` so `General Settings` now includes a `Default Language` selector backed by the existing `AllLangs` list and validated against configured locales.
+- 2 - I wired install submission to persist the selection by reordering `[i18n] LANGS` so the chosen language becomes the first fallback/default locale, while keeping the remaining languages available.
+- 3 - I added focused install tests in `routers/install/routes_test.go`, aligned all `options/locale/locale_*.json` files with the new install language keys, regenerated template and options bindata, and re-verified the install package.
+
+87 - [2026-05-02 02:36:07] - v1.27.0-dev-80-g4ab8063966 - Type: Modified - [mailer] Disabled forbidden email deletion actions in the admin email list.
+- 1 - I extended `routers/web/admin/emails.go` so each listed email now carries explicit delete permission state and, for primary addresses, the existing `admin.emails.delete_primary_email_error` reason for the disabled UI.
+- 2 - I updated `templates/admin/emails/list.tmpl` so the trash icon remains clickable only for deletable addresses and renders as a muted disabled control with a tooltip when deletion is forbidden, such as for a primary email address.
+- 3 - I kept the existing backend deletion guard in place, regenerated template bindata, and re-verified the affected admin package plus whitespace consistency.
+
+88 - [2026-05-02 03:12:25] - v1.27.0-dev-82-gf8f988e85e - Type: Modified - [admin-invite] [installer] [sticky-layout] [locale] [en] Added a dedicated pending-invitation flow for admin-created invite accounts and pinned the install footer.
+- 1 - I updated `templates/admin/user/new.tmpl`, `routers/web/admin/users.go`, `routers/api/v1/admin/user.go`, `models/user/account_request.go`, and `services/mailer/mail_user.go` so admin-created invitation accounts remain inactive without forcing `Disable Sign-In`, carry explicit pending-invitation state, and show helper text for the notification versus invitation options.
+- 2 - I added the dedicated invitation prompt and resend flow through `templates/user/auth/invite_prompt.tmpl`, `routers/web/auth/auth.go`, `routers/web/auth/account_request.go`, and `routers/web/web.go`, including sign-in redirection for pending invitations, backward-compatible handling for legacy prohibited invite accounts, and resend tracking for invitation emails.
+- 3 - I updated `templates/base/footer_content.tmpl`, `web_src/css/install.css`, and all `options/locale/locale_*.json` files so the install footer stays continuously visible on the install page, the new invitation strings are available across locales, template and option bindata were regenerated, and the affected auth/admin/API packages were re-verified.
+
+89 - [2026-05-02 04:05:54] - v1.27.0-dev-83-gf7bc24d4e8 - Type: Modified - [admin-invite] [installer] [ui] Aligned the admin new-user invitation help text with the install-page help layout.
+- 1 - I updated `templates/admin/user/new.tmpl` so the `Send User Registration Notification` and `Send User Registration Invitation` rows now use a dedicated right-side content wrapper instead of rendering the help text directly under the checkbox.
+- 2 - I extended `web_src/css/admin.css` with scoped layout rules for `.admin-user-mail-option` so the help text sits under the checkbox content in the same visual column style used on the install page, including responsive behavior for narrow screens.
+- 3 - I regenerated template bindata after the markup change and re-verified whitespace consistency for the affected files.
+
+90 - [2026-05-02 12:11:50] - v1.27.0-dev-84-gf60b2af5a6 - Type: Modified - [installer] [locale] [en] [ui] [sticky-layout] Added an install-page language hint balloon anchored to the footer language selector.
+- 1 - I updated `templates/base/footer_content.tmpl` and `templates/install.tmpl` so the install page now renders a green `Choose a language` hint balloon tied to the footer language selector and dismisses it on the first page click.
+- 2 - I extended `web_src/css/install.css` with fixed-position balloon styling and responsive placement above the install footer so the hint remains visible without overlapping the footer controls.
+- 3 - I added the new `install.language_balloon` locale key to `options/locale/locale_en-US.json`, aligned all `options/locale/locale_*.json` files to include it, and re-generated the template and options bindata assets.
+
+91 - [2026-05-02 12:28:12] - v1.27.0-dev-84-gf60b2af5a6 - Type: Fixed - [installer] [locale] [ui] [sticky-layout] Delayed the install-page language hint balloon initialization until the footer exists in the DOM.
+- 1 - I updated `templates/install.tmpl` so the `Choose a language` balloon now initializes on `DOMContentLoaded` instead of running before the footer language selector has been parsed.
+- 2 - I kept the existing dismiss-on-first-click behavior unchanged and only fixed the timing issue that prevented the balloon from appearing at first page load.
+- 3 - I regenerated the template bindata assets and re-verified whitespace consistency after the template-only fix.
+
+92 - [2026-05-02 13:31:45] - v1.27.0-dev-85-g4eaa42bccd - Type: Modified - [locale] [en] [ro] Added official bootstrap support for the Romanian locale.
+- 1 - I updated `modules/setting/i18n.go` so `ro-RO` is now part of the built-in language list with the display name `Română`.
+- 2 - I updated `custom/conf/app.example.ini` so the example `[i18n] LANGS` and `NAMES` lists now include `ro-RO` and `Română`.
+- 3 - I added `options/locale/locale_ro-RO.json` as an initial bootstrap locale copied from `locale_en-US.json`, so the Romanian locale can be selected and loaded cleanly before the dedicated translation pass.
+
+93 - [2026-05-02 14:41:58] - v1.27.0-dev-86-g414c77278b - Type: Modified - [locale] [en] [ro] Added a first complete Romanian translation pass for `locale_ro-RO.json`.
+- 1 - I translated `options/locale/locale_ro-RO.json` from the current `locale_en-US.json` structure, preserving placeholders and HTML fragments, then applied targeted manual overrides for the install, auth, mail, and admin account-management flows customized in this fork.
+- 2 - I normalized key Git and administration terms in Romanian and fixed token-protection artifacts that surfaced during the automated translation pass, including the affected `WebAuthn`, `OpenID`, `CAPTCHA`, `Gitea`, milestone completeness, delete-warning, and GPG warning strings.
+- 3 - I regenerated `modules/options/bindata.dat` so the updated Romanian locale is embedded in the build output.
+
+94 - [2026-05-05 02:30:50] - v1.27.0-dev-86-g414c77278b - Type: Modified - [locale] [ro] Refined Romanian UI wording in `locale_ro-RO.json`.
+- 1 - I adjusted Romanian phrasing across the translated locale to improve readability and consistency in general UI strings.
+- 2 - I normalized terminology for navigation, repository, authentication, and administration labels to better match the existing Gitea interface.
+- 3 - I kept placeholders, HTML fragments, and technical tokens intact while polishing the translated text.
+
+95 - [2026-05-06 03:15:10] - v1.27.0-dev-86-g414c77278b - Type: Modified - [locale] [ro] Corrected Romanian wording and grammar in `locale_ro-RO.json`.
+- 1 - I fixed a small set of Romanian phrasing and grammar issues identified after the previous translation polish pass.
+- 2 - I kept the scope limited to wording corrections without changing the locale structure or translation coverage.
+- 3 - I preserved existing placeholders, HTML fragments, and technical tokens while applying the text fixes.
+
+96 - [2026-05-06 00:47:16] - v1.27.0-dev-90-g75a9dbf7d7 - Type: Modified - [org-ui] [ui] Restyled the organization creation panel and added a cancel action.
+- 1 - I updated `templates/org/create.tmpl` so `/org/create` now renders inside a settings-style attached header and segment panel instead of the older standalone form block.
+- 2 - I kept the existing organization creation fields intact, but changed the action row to a right-aligned button group with a new `Cancel` button beside `Create Organization`.
+- 3 - I updated `routers/web/org/org.go` to provide a `CancelLink` back to `/user/settings/organization`, regenerated template bindata, and re-verified the `routers/web/org` package.
+
+97 - [2026-05-06 01:08:23] - v1.27.0-dev-90-g75a9dbf7d7 - Type: Modified - [org-ui] [modal] Converted the organization creation page to a modal-style dialog and preserved the caller page for cancel.
+- 1 - I updated `templates/org/create.tmpl` so `/org/create` now renders as a visible `ui small modal` dialog with header, content, and actions matching the visual structure used by the Actions secrets and variables modals.
+- 2 - I extended `web_src/css/org.css` with page-scoped layout rules that center the active modal on the standalone page while keeping the styling limited to `page-content.organization.new.org`.
+- 3 - I updated `routers/web/org/org.go` so `Cancel` now returns to a safe current-site `redirect_to` target or same-site referrer instead of always forcing `/user/settings/organization`, regenerated template bindata, and re-verified the `routers/web/org` package.
+
+98 - [2026-05-06 02:02:33] - v1.27.0-dev-91-gba0da47957 - Type: Added - [codex-docs] Added persistent Codex project-orientation documents for fast task handoff and recovery.
+- 1 - I added `.codex-project-map.md` as a durable project guide that captures the web request flow, authentication architecture, practical extension points, and a restart procedure for new tasks.
+- 2 - I modified `.codex-context.md` so it now points explicitly to `.codex-project-map.md` and documents the recommended read order for resuming work after a blocked session.
+- 3 - I refreshed the repository-derived version reference in `.codex-context.md` so future history updates can use the current application version format consistently.
+
+99 - [2026-05-06 02:18:58] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [org-ui] [modal] [ui] Reworked organization creation into a real overlay modal on top of the organization settings page and made outside clicks close it.
+- 1 - I modified `templates/user/settings/organization.tmpl` so the `New Organization` action now opens the create dialog with the standard `show-modal` flow while keeping the organization settings page visible in the background.
+- 2 - I converted `templates/org/create.tmpl` into a reusable modal partial and updated `routers/web/org/org.go` so `/org/create` now renders the same organization settings page with that modal auto-opened, preserving `CancelLink` for close and validation-error flows.
+- 3 - I simplified `web_src/css/org.css` to keep only the create-modal helper text styling and removed the previous fake standalone modal layout that replaced the background page.
+
+100 - [2026-05-06 10:13:49] - v1.27.0-dev-91-gba0da47957 - Type: Fixed - [org-ui] [ui] Corrected the organization settings cancel-link build regression.
+- 1 - I fixed `routers/web/user/setting/profile.go` so it uses the `ctx.Req.RequestURI` field instead of calling it like a function.
+- 2 - This removes the compile error in `code.gitea.io/gitea/routers/web/user/setting` that was blocking the Windows build after the organization-create modal refactor.
+
+101 - [2026-05-06 10:54:10] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [org-ui] [modal] Made the new-organization modal open in place from the UI and reset its default values consistently.
+- 1 - I moved the reusable `create-org-modal` inclusion to `templates/base/footer.tmpl` so signed-in users who can create organizations have the modal available on normal pages without navigating away first.
+- 2 - I updated the `New Organization` triggers in `templates/base/head_navbar.tmpl`, `templates/user/dashboard/navbar.tmpl`, `templates/admin/org/list.tmpl`, and `templates/user/settings/organization.tmpl` to use `show-modal` with `/org/create` as a non-JavaScript fallback, preserving the current page and scroll position when JavaScript is enabled.
+- 3 - I added explicit reset attributes for organization name, `redirect_to`, visibility radios, and the `repo_admin_change_team_access` checkbox so the modal opened from `/user/settings/organization` now uses the same defaults as the one opened from the global create menu.
+
+102 - [2026-05-06 10:55:13] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [org-ui] [modal] Extended the in-place new-organization modal behavior to the dashboard organization list component.
+- 1 - I modified `web_src/js/components/DashboardRepoList.vue` so the `New Organization` trigger in the organizations dashboard tab now also uses the shared `show-modal` flow instead of forcing navigation when JavaScript is enabled.
+- 2 - I kept `/org/create` as the fallback `href` in the component so the non-JavaScript path remains available.
+
+103 - [2026-05-06 18:03:33] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [locale] [ro] Somes correction Romanian wording and grammar in `locale_ro-RO.json`.
+104 - [2026-05-06 18:19:21] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [ui] Fix align new-user check-boxes help text.
+105 - [2026-05-06 18:47:44] - v1.27.0-dev-91-gba0da47957 - Type: Modified - [locale] [ro] Some new correction Romanian wording and grammar in `locale_ro-RO.json`.
+106 - [2026-05-06 15:54:50] - v1.27.0-dev-96-g7c7357f314 - Type: Modified - [admin-invite] [auth] Reduced the resend button size on the invitation acceptance prompt.
+- 1 - I modified `templates/user/auth/invite_prompt.tmpl` so the `Resend` button on `/user/invitation?email=...` now uses the smaller `ui mini button` size instead of `ui tiny button`.
+- 2 - I kept the existing inline resend states, colors, and success reset behavior unchanged.
+
+107 - [2026-05-06 18:57:49] - v1.27.0-dev-98-g5f0f52d04f - Type: Fixed - [org-ui] [modal] Prevented the new-organization modal from inheriting unrelated global success flashes from the underlying page.
+- 1 - I modified `templates/org/create.tmpl` so the modal now renders only its local error flash instead of the full `base/alert` block.
+- 2 - This keeps `/org/create` validation errors visible in the modal while preventing inherited success, info, or warning flash messages from the background page from appearing inside it.
+
+108 - [2026-05-06 21:07:26] - v1.27.0-dev-99-gfc43980a5c - Type: Fixed - [admin-invite] [admin-created-user] [mailer] [locale] Made admin-created user notification and invitation emails use the current page locale.
+- 1 - I modified `services/mailer/mail_user.go` to add locale-aware variants for registration-notify and admin-invite emails, while preserving the existing user-language fallback helpers for other call sites.
+- 2 - I modified `routers/web/admin/users.go` and `routers/api/v1/admin/user.go` so admin-created account emails now use `ctx.Locale` from the current request instead of always rendering in the new account's empty or default language.
+
+109 - [2026-05-06 22:11:33] - v1.27.0-dev-100-g70ef46362e - Type: Modified - [admin-created-user] [mailer] [locale] [en] [ro] Personalized the admin-created account notification email with the creator name and a direct set-password link.
+- 1 - I modified `services/mailer/mail_user.go` so the registration notification email now accepts the admin user, generates a time-limited `reset_password` token URL for the new account, and passes both values into the mail template.
+- 2 - I modified `routers/web/admin/users.go` and `routers/api/v1/admin/user.go` so the admin-created account notification now includes `ctx.Doer` when sending the non-invite email variant.
+- 3 - I modified `templates/mail/user/auth/register_notify.tmpl`, `options/locale/locale_en-US.json`, and `options/locale/locale_ro-RO.json` so the email explicitly states that the administrator created the account and instructs the recipient to use a personal password-setup link before signing in.
+
+110 - [2026-05-06 22:11:33] - v1.27.0-dev-100-g70ef46362e - Type: Fixed - [admin-created-user] [mailer] Corrected the admin-created account password-setup email link to use the public recovery route.
+- 1 - I modified `services/mailer/mail_user.go` so the personalized password-setup link now targets `/user/recover_account?code=...`, which is the actual public route mounted for password reset token handling.
+- 2 - This fixes the 404 triggered by the previous `/user/reset_password?code=...` link, because the router exposes `auth.ResetPasswd` on `/user/recover_account` instead.
+
+111 - [2026-05-06 23:43:34] - v1.27.0-dev-102-g146013827c - Type: Modified - [admin-invite] [admin-created-user] Made the admin-created account notification link behave like an invitation by signing the user in through `/user/activate`.
+- 1 - I modified `models/user/user.go` to add a dedicated `TimeLimitCodeAdminAccess` purpose that reuses the password-reset lifetime but remains separate from reset-password and invite tokens.
+- 2 - I modified `services/mailer/mail_user.go` so the `Send User Registration Notification` email now points to `/user/activate?code=...` with the new admin-access token instead of sending the recipient through the recovery form flow.
+- 3 - I modified `routers/web/auth/auth.go` so `auth.Activate` and `auth.ActivatePost` can consume the new token, rotate `Rands`, create the session, refresh locale, update last-login metadata, and then rely on the existing `MustChangePassword` redirect to land the user on `/user/settings/change_password`.
+- 4 - I added `TestActivateAdminAccessSignsInAndInvalidatesCode` in `routers/web/auth/auth_test.go` to cover the new direct-access flow and confirm the token is invalidated after first use.
+
+112 - [2026-05-06 23:43:34] - v1.27.0-dev-102-g146013827c - Type: Modified - [auth] [admin-created-user] [mailer] Simplified the admin-created account notification email to show only the personalized activation link.
+- 1 - I modified `templates/mail/user/auth/register_notify.tmpl` so the mail no longer shows the generic `/user/login` URL and instead displays the personalized admin-access link directly under the username.
+- 2 - I removed the trailing explanatory paragraph below that link to avoid repeating the same password-setup action twice in the same email.
+
+113 - [2026-05-07 01:01:44] - v1.27.0-dev-104-g10495b7cd1 - Type: Modified - [user-settings] [sticky-layout] [appearance] [locale] [en] [ro] Reverted the global fixed-footer behavior and replaced it with a persistent per-user footer preference in `/user/settings/appearance`.
+- 1 - I modified `templates/user/settings/appearance.tmpl`, `routers/web/user/setting/profile.go`, and `routers/web/web.go` to add a new footer section with a checkbox that saves whether the footer should stay visible at the bottom of the viewport for the current user.
+- 2 - I modified `models/user/setting_options.go`, `routers/common/pagetmpl.go`, `templates/base/head.tmpl`, `modules/web/middleware/cookie.go`, `web_src/css/base.css`, and `web_src/css/home.css` so the preference is stored in `user_settings`, propagated into the page layout, and applied only when the `show-persistent-footer` body class is enabled.
+- 3 - I modified `options/locale/locale_en-US.json`, `options/locale/locale_ro-RO.json`, and `models/user/setting_test.go` to add the new UI strings and a focused test covering the new persisted setting key.
+
+114 - [2026-05-07 09:30:56] - v1.27.0-dev-105-gb3a7692ce9 - Type: Modified - [ui] [sticky-layout] Moved the persistent footer outside the page scroll area.
+- 1 - I modified `web_src/css/base.css` so pages with `show-persistent-footer` stop scrolling the whole `body` and instead scroll the `.full.height` content container, keeping the footer in its own fixed viewport slot.
+- 2 - I modified `web_src/css/home.css` so the persistent footer no longer overlays the page with `position: fixed`, but stays permanently visible as a non-scrolling sibling below the main content area.
+
+115 - [2026-05-07 09:54:43] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [sticky-layout] [locale] [en] [ro] Added the persistent sticky side-menu preference and the finalized sidebar behavior for `/user/settings` and `/-/admin`.
+- 1 - I modified `models/user/setting_options.go`, `routers/common/pagetmpl.go`, `templates/base/head.tmpl`, `routers/web/user/setting/profile.go`, `routers/web/web.go`, `templates/user/settings/appearance.tmpl`, `options/locale/locale_en-US.json`, `options/locale/locale_ro-RO.json`, and `models/user/setting_test.go` to add the persisted `ui.sticky_side_menus` preference, expose it to templates as `ShowStickySideMenus`, save it from `/user/settings/appearance`, document it in the UI, and cover it with a focused test.
+- 2 - I modified `templates/user/settings/actions_general.tmpl` so `/user/settings/actions/general` passes the expected `pageClass` and participates in the same sticky-sidebar behavior as the other settings subpages.
+- 3 - I modified `web_src/css/modules/flexcontainer.css` so, when the preference is enabled, the shared left menus on `/user/settings` and `/-/admin` use the current sticky layout: sticky positioning on the inner menu, `top: var(--page-spacing)`, footer-aware `max-height` handling for both persistent and non-persistent footer modes, hidden desktop scrollbars, green overflow hints, local menu scrolling, and the current `/user/settings` item padding.
+- 4 - I modified `web_src/js/features/common-page.ts` so the sticky side menus update their overflow-hint classes dynamically as their scroll position, size, or expanded sections change.
+
+116 - [2026-05-07 20:41:28] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [sticky-layout] [appearance] [locale] [en] [ro] Added a persistent navigation-bar preference in `/user/settings/appearance`.
+- 1 - I modified `models/user/setting_options.go`, `models/user/setting_test.go`, `routers/common/pagetmpl.go`, `routers/web/user/setting/profile.go`, `routers/web/web.go`, `templates/base/head.tmpl`, `templates/user/settings/appearance.tmpl`, `options/locale/locale_en-US.json`, and `options/locale/locale_ro-RO.json` to add the persisted `ui.persistent_navbar` preference, expose it to templates as `ShowPersistentNavbar`, save it from `/user/settings/appearance`, and document it in the UI.
+- 2 - I modified `web_src/css/modules/navbar.css` so the main `#navbar` becomes sticky at the top of the viewport when the new preference is enabled.
+- 3 - I modified `web_src/css/modules/flexcontainer.css` so sticky side menus take the persistent navbar height into account on desktop, preventing the left menus from sliding underneath the navbar when both preferences are enabled.
+
+117 - [2026-05-07 20:49:16] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [ui] [sticky-layout] Preserved the `/user/settings` left-menu scroll position across settings-page navigation.
+- 1 - I modified `web_src/js/features/common-page.ts` so the sticky `/user/settings` menu saves its current `scrollTop` to `sessionStorage` while scrolling and immediately before clicking a menu link.
+- 2 - I also made the same code restore that saved scroll position after the next settings page renders, keeping the left menu at the same viewport position when navigating between items and subitems.
+
+118 - [2026-05-07 20:57:42] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [ui] [sticky-layout] Made the footer `Licenses` and `API` links open in a new browser tab and finalized the sticky `User Settings` header plus its top green scroll indicator.
+- 1 - I modified `templates/base/footer_content.tmpl` so both footer links now use `target="_blank"` with `rel="noreferrer"`.
+- 2 - I modified `web_src/css/modules/flexcontainer.css` so the `.header.item` at the top of the `/user/settings` sticky side menu now uses `position: sticky` inside the menu itself, with its own background and bottom separator.
+- 3 - I modified `web_src/css/modules/flexcontainer.css` so, after making the `User Settings` header sticky, the top overflow hint is rendered on the bottom edge of that header and its gradient is drawn by a dedicated `::after` element extending into the scrollable area, while the menu container keeps only the bottom hint when both are active.
+
+119 - [2026-05-07 21:14:11] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [ui] [sticky-layout] Made the `Admin Settings` menu header sticky while the admin left-menu options scroll.
+- 1 - I modified `web_src/css/modules/flexcontainer.css` so the `.header.item` at the top of the `/-/admin` sticky side menu now uses the same sticky header treatment as `/user/settings`, with its own background and bottom separator.
+- 2 - I modified `web_src/css/modules/flexcontainer.css` so the top green overflow indicator for `/-/admin` is also rendered on the bottom edge of the sticky header, with the gradient drawn by the same dedicated `::after` element used in `/user/settings`.
+
+120 - [2026-05-07 21:31:18] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [ui] [sticky-layout] Preserved the `/user/settings` left-menu scroll position without the visible reset flicker during navigation.
+- 1 - I modified `templates/user/settings/navbar.tmpl` to add a small inline restore hook around the menu markup, so a saved `scrollTop` is applied from `sessionStorage` before the menu becomes visible on the next settings page.
+- 2 - I modified `web_src/css/modules/flexcontainer.css` so, while that inline restore is in progress, only the `/user/settings` left menu is temporarily hidden, preventing the brief flash of the menu reset at the top.
+- 3 - I kept `web_src/js/features/common-page.ts` focused on saving the menu scroll position and refreshing the scroll indicators, removing the now-redundant late restore path from the global initializer.
+
+121 - [2026-05-07 21:41:44] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [sticky-layout] Restored the agreed `/user/settings` sticky-menu item padding behavior.
+- 1 - I also updated the same CSS so the `/user/settings` menu padding is applied at the item level inside `.ui.vertical.menu`, using `0.9em 1.14285714em` instead of relying on a menu-level spacing adjustment.
+
+122 - [2026-05-07 22:11:06] - v1.27.0-dev-106-g61a9e4bd06 - Type: Modified - [user-settings] [ui] [sticky-layout] Restored the pre-`122` `/user/settings` layout baseline while keeping the current sticky-menu behavior.
+- 1 - I modified `templates/user/settings/layout_head.tmpl` to return the settings page wrapper from `ui container fluid padded flex-container` to `ui container flex-container`.
+- 2 - I restored the `/user/settings` menu to the same single scroll container structure used before, removing the ineffective inner-body split and keeping the inline restore hook in `templates/user/settings/navbar.tmpl`.
+- 3 - I modified `web_src/css/modules/flexcontainer.css` so the `/user/settings` left menu remains temporarily hidden only during the inline scroll restore, keeps the `/user/settings`-only 24px non-persistent-footer bottom padding on the left navigation column, and supports the small `--sticky-side-menu-correction` transform without affecting admin pages.
+- 4 - I kept the matching logic in `web_src/js/features/common-page.ts`, so the `/user/settings` menu still restores its saved scroll position after navigation, refreshes the green overflow indicators, and applies the modest runtime correction only when the sticky menu drifts slightly above its configured top offset.
+
+123 - [2026-05-09 12:47:10] - v1.27.0-dev-114-gbb77e80bf5 - Type: Modified - [sticky-layout] Finalized the sticky side-menu bottom-edge behavior by compacting menu items and increasing the viewport reserve.
+- 1 - I modified `web_src/css/modules/menu.css` so shared menu items now use `padding: 0.75em 1.14285714em`, reducing vertical item height across the sticky left menus.
+- 2 - I modified `web_src/css/modules/flexcontainer.css` so the sticky side menus in both `/user/settings` and `/-/admin` now reserve `40px` instead of `24px` at the bottom of their `max-height` calculation for the non-persistent-footer case.
+- 3 - This combination keeps the sticky menus from jumping upward at the bottom of the page scroll while preserving the current sticky headers, scroll hints, and `/user/settings` scroll-position restore behavior.
+
+124 - [2026-05-09 15:31:52] - v1.27.0-dev-115-g06b7bd3ca1 - Type: Modified - [sticky-layout] Highlighted the active submenu entry with the standard active background color.
+- 1 - I modified `web_src/css/modules/menu.css` so `.ui.vertical.menu .item .menu .active.item` now uses `background-color: var(--color-active)` instead of `transparent`.
+- 2 - I kept the existing medium font weight and text color unchanged, so only the active submenu background treatment changed.
+
+125 - [2026-05-09 15:56:47] - v1.27.0-dev-116-g8a0d319607 - Type: Added - [permissions-table] [locale] [en] [ro] Added column-wide Select all controls to the user access-token permissions table.
+- 1 - I modified `templates/user/settings/applications.tmpl` to add a `Select all` row above the token-scope category rows, with per-column `All` radio buttons for No access, Read, and Write.
+- 2 - I added `web_src/js/features/access-token-settings.ts` and registered it in `web_src/js/index.ts` so selecting one of those top-row radios automatically applies the matching permission choice to every category row in the same column.
+- 3 - I added the `settings.select_all` locale string in both `options/locale/locale_en-US.json` and `options/locale/locale_ro-RO.json` for the new control row label.
+- 4 - I extended the same `web_src/js/features/access-token-settings.ts` logic so each top-row `All` radio now becomes active only when every category row in its column is selected, becomes inactive when the column is no longer fully selected, and can still be reselected to apply that column choice to all rows again.
+- 5 - I corrected the select-all synchronization fallback so no top-row radio stays selected when no permission column is fully matched, instead of incorrectly defaulting back to the `No access` column.
+
+126 - [2026-05-09 17:16:12] - v1.27.0-dev-117-gab1135d1c6 - Type: Added - [permissions-table] Added header-level Select all controls to the shared Actions maximum-permissions table.
+- 1 - I modified `templates/shared/actions/permissions_table.tmpl` to add a second header row with `Select all` on the left and per-column `All` radio controls for None, Read, and Write.
+- 2 - I extended `web_src/js/features/common-actions-permissions.ts` so those header radios apply the chosen permission to every row in the table and stay synchronized bidirectionally with the current per-row selections.
+- 3 - Because the change is implemented in the shared Actions permissions partial and its existing initializer, the same behavior now applies consistently to `/user/settings/actions/general` and the other pages that reuse that table.
+
+127 - [2026-05-09 17:34:41] - v1.27.0-dev-118-g021f12509f - Type: Modified - [org-ui] [sticky-layout] Applied the shared sticky side-menu behavior to organization settings pages.
+- 1 - I modified `web_src/css/modules/flexcontainer.css` so the same sticky left-menu layout, hidden scrollbar styling, sticky header behavior, and green overflow indicators used by user settings and admin pages now also apply to `.page-content.organization.settings`.
+- 2 - I modified `web_src/js/features/common-page.ts` so organization settings menus participate in the shared sticky-menu overflow indicator logic.
+- 3 - I modified `templates/org/settings/actions_general.tmpl` to pass `pageClass: "organization settings actions"` into the shared organization settings layout, so the Actions General page also matches the shared organization settings selectors.
+
+128 - [2026-05-09 18:46:07] - v1.27.0-dev-120-g01e3eb1306 - Type: Added - [auth] [password-ui] [signup] [locale] [en] [ro] Added password visibility toggles to the login and signup forms.
+- 1 - I modified `templates/user/auth/signin_inner.tmpl` to add an eye button beside the `/user/login` password field.
+- 2 - I modified `templates/user/auth/signup_inner.tmpl` to add the same eye button beside the `/user/sign_up` password field and marked the `Confirm Password` field for toggle-aware behavior.
+- 3 - I added `web_src/js/features/password-visibility.ts` and registered it in `web_src/js/index.ts` so the eye button toggles between hidden and visible password states.
+- 4 - In the signup form, when password visibility is enabled, the script now hides the `Confirm Password` field, removes its `required` state, and keeps its value synchronized with the main password field; when visibility is disabled again, the field is shown and required again.
+- 5 - I added `auth.show_password` and `auth.hide_password` locale strings in both `options/locale/locale_en-US.json` and `options/locale/locale_ro-RO.json` for the button tooltip and accessibility label.
+- 6 - I corrected the login and signup password-toggle button templates so their `data-hide-label` attributes close the Go template expression properly, removing the template parsing error that prevented startup.
+- 7 - I added `octicon-eye-closed` to `web_src/js/svg.ts`, fixing the runtime JavaScript error raised when the password toggle switched from the visible-eye icon to the hidden-eye icon.
+
+129 - [2026-05-09 19:36:18] - v1.27.0-dev-121-gbfb584f161 - Type: Modified - [sticky-layout] [repo-settings] Applied the shared sticky side-menu behavior to repository settings pages.
+- 1 - I modified `web_src/css/modules/flexcontainer.css` so the same sticky left-menu layout, hidden scrollbar styling, sticky header behavior, and green overflow indicators used by user settings, organization settings, and admin pages now also apply to `.page-content.repository.settings`.
+- 2 - I modified `web_src/js/features/common-page.ts` so repository settings menus participate in the shared sticky-menu overflow indicator logic.
+
+130 - [2026-05-09 20:07:36] - v1.27.0-dev-122-g652d3c20da - Type: Modified - [sticky-layout] [repo-actions] Applied the shared sticky side-menu behavior to repository Actions pages.
+- 1 - I modified `templates/repo/actions/list.tmpl` to mark the workflow sidebar menu with a dedicated hook class for the shared sticky-menu initializer.
+- 2 - I modified `web_src/css/modules/flexcontainer.css` so the same sticky left-menu layout, hidden scrollbar styling, and green overflow indicators now also apply to `.page-content.repository.actions`.
+- 3 - I modified `web_src/js/features/common-page.ts` so the repository Actions sidebar participates in the shared sticky-menu overflow indicator logic.
+- 4 - I refined the same CSS for repository Actions so the top green scroll hint is drawn directly on the menu container, because that sidebar has no `.header.item` for the shared header-based top-gradient treatment.
+- 5 - I extended `templates/repo/actions/list.tmpl` with the same inline `sessionStorage` restore hook pattern used by `/user/settings`, so the repository Actions sidebar can restore its scroll position before becoming visible.
+- 6 - I modified `web_src/css/modules/flexcontainer.css` so the repository Actions sidebar is temporarily hidden only during that inline restore step, preventing the visible reset flicker.
+- 7 - I extended `web_src/js/features/common-page.ts` so the repository Actions sidebar now saves its own scroll position on scroll and before navigation clicks, using the dedicated `sticky-side-menu-scroll:repo-actions` session key.
+
+131 - [2026-05-09 20:54:41] - v1.27.0-dev-123-g0f3876c0b1 - Type: Added - [repo-actions] Added pilot partial navigation for the repository Actions sidebar.
+- 1 - I added `web_src/js/features/repo-actions-sidebar.ts` and registered it in `web_src/js/index.ts` to intercept plain left-click navigation on `/<user>/<repo>/actions` sidebar workflow links.
+- 2 - The new client-side flow fetches the target page, replaces only the Actions page `.ui.container` content, updates `document.title`, and pushes the new URL into browser history instead of reloading the full page.
+- 3 - The same logic also handles browser back/forward through `popstate`, keeping the pilot partial navigation limited to repository Actions pages.
+- 4 - I extended the same pilot so, after each partial `.ui.container` swap, the repository Actions sidebar re-runs the shared sticky-menu indicator initializer on the new DOM, restoring the green overflow hints that disappeared after the first in-page navigation.
+
+132 - [2026-05-09 21:10:27] - v1.27.0-dev-123-g0f3876c0b1 - Type: Modified - [scripts] [smart-build] Added an audio bell for interactive prompts in `smart-build.sh`.
+- 1 - I added a small `notify_human_interaction()` helper to `smart-build.sh` that emits a terminal bell only when the script is running on an interactive terminal.
+- 2 - I call that helper immediately before the build-load, architecture, and build-tags interactive menus, so the user gets an audible prompt exactly when human input is needed.
+- 3 - I extended the same helper so VS Code and code-server terminals also get a high-visibility fallback banner when browser-controlled terminal bells do not produce an audible sound.
+- 4 - I extended the same helper again to send a Linux desktop notification through `notify-send` before each interactive menu, while keeping the existing audio and terminal fallbacks for environments where no notification daemon is available.
+
+133 - [2026-05-09 22:32:57] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [auth] [password-ui] [signup] Finalized the manual-only password visibility toggle behavior for login and signup.
+- 1 - I removed the static eye button from the login and signup templates and now create it from `web_src/js/features/password-visibility.ts` only when the current password value qualifies for manual reveal.
+- 2 - The final reveal rules are now strict: prefilled or browser-autofilled passwords never show the eye, appending characters to an already non-empty password still keeps it hidden, and the eye appears only after a trusted manual empty-to-non-empty entry or a full manual replacement of a selected existing value.
+- 3 - Once the eye has legitimately appeared, it stays visible through continued typing until the password is cleared again, preserves focus plus caret/selection on click, and keeps the signup confirm-password field synchronized while reveal mode is active.
+- 4 - I converted the toggle into an overlaid control inside the password field, hid the browser-native reveal buttons, and kept the final transparent eye-button background styling that was adjusted manually in `web_src/css/user.css`.
+
+134 - [2026-05-09 23:58:22] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [build-artifacts] Ignored the local frontend hash artifact.
+- 1 - I added `/.frontend.hash` to `.gitignore` so local frontend rebuild hash churn no longer appears in the repository working tree.
+- 2 - I removed `.frontend.hash` from Git tracking with `git rm --cached`, so the ignore rule now fully suppresses future local hash churn instead of only affecting newly untracked copies.
+
+135 - [2026-05-10 00:06:54] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [user-settings] [appearance] Unified the persistent appearance toggles into a single settings group.
+- 1 - I merged the top navigation bar, side menus, and footer persistence controls in `templates/user/settings/appearance.tmpl` into one shared `Persistent layout` section with a single Save button.
+- 2 - I added `UpdatePersistentLayout` in `routers/web/user/setting/profile.go` and routed `/user/settings/appearance/layout` to save all three preferences in one request while preserving the footer cookie update.
+- 3 - I added the `settings.persistent_layout` and `settings.persistent_layout_desc` locale strings and finalized the section markup so the shared description sits in its own `.field` container and each per-option help paragraph is separated with a `<br>` after the checkbox row.
+
+136 - [2026-05-10 18:40:36] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [org-ui] [permissions-table] Added column-wide Select all controls to the organization team-units permissions table.
+- 1 - I extended `templates/org/team/new.tmpl` so the team-units permissions table in `org/<team_name>/teams/new` gets the same header-level Select row used by the Actions permissions table, with `All` radios for none, read, and write.
+- 2 - I extended `web_src/js/features/org-team.ts` to synchronize those header radios bidirectionally with the per-unit permission rows, while correctly ignoring globally disabled read/write cells when applying or computing a column-wide selection.
+
+137 - [2026-05-10 19:02:14] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [password-ui] Added the password visibility toggle to the SMTP password field on the install page.
+- 1 - I wrapped the `smtp_passwd` input in `templates/install.tmpl` with the same `js-password-toggle-group` used by login and signup, reusing the existing password-visibility initializer and show/hide labels so the install-page SMTP password field gets the same eye toggle behavior.
+
+138 - [2026-05-10 19:08:32] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [mailer] [installer] Enabled install-page email notifications by default for fresh setups.
+- 1 - I updated `routers/install/install.go` so the install form defaults `mail_notify` to enabled when there is no existing mailer configuration and notify-mail was still unset, while preserving an explicit existing configuration during reinstall/edit scenarios.
+
+139 - [2026-05-10 19:15:41] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [password-ui] Added the password visibility toggle and confirm-password behavior to the install-page super-admin password fields.
+- 1 - I wrapped the install-page `admin_passwd` field in the same `js-password-toggle-group` used by signup and login, so the super-admin password now gets the same eye toggle UI and manual-entry reveal behavior.
+- 2 - I wired the install-page `admin_confirm_passwd` field into the existing confirm-password flow, so revealing the admin password hides the confirm field and keeps it synchronized just like the signup form.
+- 3 - I refined `web_src/js/features/password-visibility.ts` so confirm-field synchronization is opt-in per toggle group via explicit selectors, preventing the install-page SMTP password toggle from accidentally targeting the super-admin confirm field in the same form.
+- 4 - I adjusted `web_src/css/install.css` so install-page password fields that use the overlaid eye wrapper keep the same 60% inline-field width as the original plain inputs instead of shrinking or stretching when the wrapper is present.
+
+140 - [2026-05-10 19:22:04] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [password-ui] Added the password visibility toggle to the install-page database password field.
+- 1 - I wrapped `db_passwd` in `templates/install.tmpl` with the same `js-password-toggle-group` used by the other install-page password fields, so the database password now gets the same eye control without changing its inline width or reusing any confirm-password logic.
+
+141 - [2026-05-10 19:27:48] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [user-settings] [password-ui] Added the password visibility toggle and confirm-password behavior to `/user/settings/account`.
+- 1 - I wrapped the `settings.new_password` field in `templates/user/settings/account.tmpl` with the shared `js-password-toggle-group`, reusing the existing eye-toggle logic and show/hide labels.
+- 2 - I wired the `settings.retype_new_password` field into the existing confirm-password flow through dedicated selectors, so revealing the new password hides the confirm field and keeps it synchronized the same way as signup and the install-page super-admin password form.
+
+142 - [2026-05-10 19:43:11] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [branding] Added optional custom branding uploads to the install page.
+- 1 - I finalized the installer `Branding` section with optional uploads for `logo.svg`, `logo.png`, `loading.png`, `favicon.svg`, and `favicon.png`, including clear format/size guidance plus a shared-assets checkbox for using one SVG and one PNG upload for both logo and favicon.
+- 2 - I implemented backend validation and persistence for all branding uploads in `routers/install/install.go` (expected type checks, 1 MB limit, square PNG with minimum 64x64) and save accepted overrides under `custom/public/assets/img/`.
+- 3 - I completed the runtime behavior so uploaded branding files override built-in assets through layered serving, `logo.svg` is mirrored to `gitea.svg` for legacy lookups, post-install progress prefers a custom `loading.png`, and the shared-assets mode hides favicon fields while relabeling logo fields to `Logo & Favicon SVG/PNG`.
+- 4 - I manually updated Romanian locale wording for the final branding texts and labels.
+
+143 - [2026-05-12 00:02:10] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [auth] [signup] [admin-created-user] [locale] [en] [ro] Finalized Register behavior for admin-created notification accounts without altering the invitation flow.
+- 1 - I extended `POST /user/sign_up` in `routers/web/auth/auth.go` for existing active local accounts created by an admin when `username` and `email` match, while explicitly leaving pending admin invitations on their existing flow.
+- 2 - If password is correct, the user is now authenticated into that existing account; when `MustChangePassword` is enabled, the flow redirects directly to `/user/settings/change_password`, otherwise it follows the normal post-auth redirect.
+- 3 - If password is incorrect, the flow now redirects to `/user/forgot_password?email=<email>` and shows a warning to use account recovery plus check Spam/Junk.
+- 4 - I added the locale key `auth.admin_notify_recover_password_spam_hint` in both `options/locale/locale_en-US.json` and `options/locale/locale_ro-RO.json`.
+- 5 - I added regression tests in `routers/web/auth/auth_test.go` for normal sign-in, forced change-password redirect, wrong-password recovery redirect, and a guard that the admin-invitation flow still redirects to `/user/invitation`.
+
+144 - [2026-05-12 00:47:20] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [user-settings] [password-ui] Added the password visibility toggle to `/user/settings/change_password`.
+- 1 - I wrapped the forced-change password field in `templates/user/auth/change_passwd_inner.tmpl` with the shared `js-password-toggle-group`, reusing the existing eye-toggle logic and show/hide labels.
+- 2 - I wired the confirm-password field into the existing toggle sync behavior so revealing the new password hides the confirm field and keeps it synchronized like the other password-update forms.
+
+145 - [2026-05-12 01:16:50] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [app-ini-import] [locale] [en] [ro] Added installer support for importing an existing `app.ini`.
+- 1 - I added an `Import Existing Configuration` section at the top of `templates/install.tmpl` with an `app.ini` upload control that imports automatically as soon as a file is selected, without a separate `Load app.ini` button.
+- 2 - I kept the dedicated installer route `POST /import_app_ini` in `routers/install/routes.go`, but the page now posts to it via `fetch` and applies the imported values back into the existing form with `DOMParser`, so the browser is not visibly navigated to `/import_app_ini` and the page scripts are not re-executed.
+- 3 - In `routers/install/install.go`, I factored the installer defaults into reusable helpers, added `app.ini` upload parsing with size/error handling, and mapped the imported config into the existing install form fields for database, general server paths, mailer, registration, OpenID, security, and admin policy settings.
+- 4 - I added installer locale strings in both `options/locale/locale_en-US.json` and `options/locale/locale_ro-RO.json` for the new import UI, success message, and import errors, and the success flash now auto-dismisses after 5 seconds both on initial page load and after the AJAX import injects a new flash message.
+- 5 - I added regression coverage in `routers/install/routes_test.go` for the new upload control and the config-to-form mapping behavior.
+
+146 - [2026-05-12 01:30:10] - v1.27.0-dev-125-g1525c9c8ee - Type: Modified - [installer] [branding] Enabled shared branding assets by default in the installer.
+- 1 - I updated `routers/install/install.go` so `BrandingUseSharedAssets` starts as enabled on the install form, making `Use the same logo files for favicon assets` checked by default.
+
+147 - [2026-05-12 01:43:10] - v1.27.0-dev-125-g1525c9c8ee - Type: Added - [installer] [app-ini-import] [secrets] Added optional sensitive-secret import for installer `app.ini` uploads.
+- 1 - I added an explicit installer checkbox for importing sensitive secrets from `app.ini` in `templates/install.tmpl`.
+- 2 - I extended the installer form, submit pipeline, and final config writer so the optional import reuses `LFS_JWT_SECRET`, `INTERNAL_TOKEN`, and `oauth2.JWT_SECRET` from the uploaded `app.ini` instead of generating new values, including a submit-time fallback that re-reads the uploaded file if the checkbox was enabled after the first auto-import.
+- 3 - I finalized secret resolution for both direct values and `LFS_JWT_SECRET_URI` / `INTERNAL_TOKEN_URI` / `JWT_SECRET_URI` file-based references, and added regression coverage for direct imports, URI-based imports, the real `POST /import_app_ini` flow, and the persisted `app.ini` output.
+
+148 - [2026-05-12 22:44:38] - v1.27.0-dev-143-g512e577c3f - Type: Added - [scripts] [repo-sync] [rollback] Finalized the safe upstream update helper script as `.update-gitea.sh`.
+- 1 - I renamed the updater to `.update-gitea.sh`, documented its purpose and ordered usage steps, including the explicit "dry-run has conflicts" path before any real sync, and added an interactive menu plus direct commands for `sync`, `dry-run`, `fetch`, `backup`, `status`, `list-backups`, `rollback`, `restore-stash`, `restore-snapshot`, and `clean-dry-run`.
+- 2 - I hardened real update actions so they verify repository state, create or offer safety backup branches, retain the original pre-sync stash for rollback, and record the active restore metadata inside `.git`.
+- 3 - I added exact worktree snapshots under `.git/.update-gitea-snapshots`, showed the latest/saved snapshot paths in `status`, and made `rollback` plus `restore-snapshot` restore the saved starting commit, the original local changes, and the exact worktree contents including untracked and ignored files while preserving a fresh safety snapshot of the state being replaced.
+- 4 - I implemented a reusable dry-run workspace under `.git/.update-gitea-dry-run`, added cleanup for both that workspace and legacy temporary dry-run directories, and made dry-run collect and report all detected rebase conflict steps without modifying the real repository.
+- 5 - I improved conflict reporting so package.json conflicts show the upstream scripts block, the conflicting commit side, and the current branch working-tree side, and the final dry-run summary now includes the total conflict-step count, the local commits that conflicted, and the unique conflicted files.
+
+149 - [2026-05-13 00:05:18] - v1.27.0-dev-143-g512e577c3f - Type: Added - [scripts] [repo-sync] [cherry-pick] Added a dedicated safe upstream import helper based on `cherry-pick`.
+- 1 - I added [`.import-upstream-cherry-pick.sh`](/config/workspace/gitea-dev/gitea/.import-upstream-cherry-pick.sh) as a separate helper that fetches upstream, lists importable upstream-only commits, and imports either selected commits or an inclusive upstream range through `git cherry-pick -x` so the imported commits keep a visible reference to the original upstream hashes.
+- 2 - I gave the script the same safety model as the updater flow by creating a fresh backup branch, an exact worktree snapshot, and a saved tracked/untracked stash before every real import action, while recording the active restore metadata in `.git/.import-upstream-cherry-pick-state`.
+- 3 - I added safe recovery commands for `continue`, `rollback`, `restore-stash`, and `restore-snapshot`, so interrupted or unwanted imports can be resumed or reverted back to the saved starting commit and exact worktree state, including untracked and ignored files.
+- 4 - I added both command-line usage and an interactive menu for fetch, list, import, import-range, continue, backup, rollback, restore, and status workflows.
+
+150 - [2026-05-13 00:18:42] - v1.27.0-dev-143-g512e577c3f - Type: Added - [scripts] [custom-release] [interactive] Added an interactive custom-release maintenance helper for stable patch lines.
+- 1 - I added [`.maintain-custom-release.sh`](/config/workspace/gitea-dev/gitea/.maintain-custom-release.sh) to maintain a persistent custom branch such as `release/v1.26-custom`, starting from a base tag like `v1.26.0-rc0`, importing the missing upstream commits from the real upstream minor release branch such as `release/v1.26`, and then importing only the custom commits from a chosen local source branch.
+- 2 - I made the helper interactive with a menu plus a guided `configure` step, so the base tag, upstream release branch, maintenance branch, custom source branch, upstream compare branch, and custom tag suffix can all be adjusted from prompts instead of only through environment variables, and I added automatic fallback from mistyped patch-style branch names like `release/v1.26.0` to the real upstream branch `release/v1.26` when it exists.
+- 3 - I gave the script the same safety model as the other local Git helpers by creating a fresh backup branch, an exact worktree snapshot, and a saved tracked/untracked stash before every real import action, while also storing pending cherry-pick state so interrupted sequences can be continued.
+- 4 - I added recovery commands for `continue`, `rollback`, `restore-stash`, and `restore-snapshot`, and a `tag` command that creates annotated custom release tags such as `v1.26.0-custom` on the maintained custom release branch.
+
+151 - [2026-05-13 00:34:10] - v1.27.0-dev-143-g512e577c3f - Type: Modified - [scripts] [repo-sync] [fetch] Narrowed local upstream fetch scope and cleaned unused upstream tracking refs.
+- 1 - I updated [`.update-gitea.sh`](/config/workspace/gitea-dev/gitea/.update-gitea.sh) and [`.import-upstream-cherry-pick.sh`](/config/workspace/gitea-dev/gitea/.import-upstream-cherry-pick.sh) so they fetch only the explicitly requested upstream branch instead of all upstream branches.
+- 2 - I updated [`.maintain-custom-release.sh`](/config/workspace/gitea-dev/gitea/.maintain-custom-release.sh) so it fetches only the configured upstream release branch, the configured compare branch, and tags, while also normalizing mistaken patch-style release branch names like `release/v1.26.0` to the real upstream branch `release/v1.26`.
+- 3 - I narrowed the local `remote.upstream.fetch` refspec to `upstream/main` and `upstream/release/v1.26`, then removed the other local `upstream/*` remote-tracking refs so Git Graph no longer shows the unused upstream branches by default.
+
+152 - [2026-05-13 20:23:40] - v1.27.0-dev-143-g512e577c3f - Type: Modified - [scripts] [custom-release] [restore-points] Extended the custom-release maintenance helper with manual restore points and corrected its fetch and interactive configuration behavior.
+- 1 - I updated [`.maintain-custom-release.sh`](/config/workspace/gitea-dev/gitea/.maintain-custom-release.sh) so it no longer auto-fetches upstream tags during release-branch synchronization, preventing patch tags like `v1.26.1` from being pulled in just because the release branch history was fetched.
+- 2 - I added manual restore-point management commands for `create-restore-point`, `list-restore-points`, `restore-point`, and `delete-restore-point`, each backed by an exact worktree snapshot plus an associated backup branch stored under `.git/.maintain-custom-release-restore-points`.
+- 3 - I integrated the new restore-point workflow into the interactive menu, the `help` text, and `status`, including support for restoring by full path or by the final restore-point directory name, automatically using the latest restore point for the current branch when no target is provided, recognizing the older manual restore points already stored under `.git/.manual-restore-points`, and fixing the interactive configuration prompts so they are shown correctly during `Edit configuration`.
+
+153 - [2026-05-13 21:51:32] - v1.27.0-dev-143-g512e577c3f - Type: Modified - [scripts] [custom-release] [rollback] Finalized the custom-release maintenance helper workflow and recovery behavior.
+- 1 - I made `bootstrap` a clean branch-creation step from `BASE_TAG`, separated fetch and sync into explicit compare/release-target/custom actions, added `UPSTREAM_RELEASE_TARGET_REF`, and updated the built-in help so the recommended workflow matches the current menu structure.
+- 2 - I hardened recovery so rollback, restore-point, restore-snapshot, restore-stash, and restore-deletion correctly preserve or clean script-managed refs, maintenance branches, state files, backup branches, and snapshots, including rollback from the original entry branch after a bootstrap-created maintenance branch, cleanup of legacy restore-point leftovers, and removal of the correctly paired `backup/maint-*` Git Graph marker when a saved snapshot is deleted.
+- 3 - I finalized the interactive UX by keeping a self-updating runtime copy in `/tmp`, persisting the last-used settings in `/tmp/.maintain-custom-release.env`, and reorganizing the menu into `Manual Backups >`, `Fetch upstreams >`, `Sync >`, `Rollback >`, and `Restore >` submenus, including `Delete Restore >` with numbered stash and snapshot selection, with numbered selections, `b`/`B` or `Enter` for Back, correct return-to-parent behavior from every submenu, and `0` for Exit.
+
+154 - [2026-05-17 00:18:43] - v1.26.0-rc0-154-gfc98a14014 - Type: Fixed - [admin-users] [terminology] [locale] [en] [ro] Corrected the bootstrap-admin label from `GOOD` to `GOD`.
+- 1 - I renamed the bootstrap admin actor label and the related immutable-account locale key from `good` to `god` in the admin grant helpers and admin users UI flow.
+- 2 - I updated the admin API and admin-panel restriction messages, tests, and both English and Romanian locale strings so bootstrap-protected accounts are consistently labeled as `GOD`-granted.
+- 3 - I updated the matching historical task descriptions in `.codex-history.md` so the earlier admin-policy entries now use the corrected `GOD` terminology.
+
+155 - [2026-05-17 15:35:49] - v1.26.0-by-petru - Type: Fixed - [scripts] [custom-release] [release-target] Stopped release-target sync from requiring the remote release branch when an explicit target tag/ref is configured.
+- 1 - I updated [`.maintain-custom-release.sh`](/config/workspace/gitea-dev/gitea/.maintain-custom-release.sh) so `Sync upstream release target commits` validates only the configured `UPSTREAM_RELEASE_TARGET_REF` when one is set, instead of still failing on a missing local `upstream/release/...` remote-tracking branch after successfully fetching a target tag such as `v1.26.1`.
+
+156 - [2026-05-17 18:14:08] - v1.26.0-by-petru-24-gadb90b3453 - Type: Modified - [scripts] [smart-build] [artifacts] Renamed smart-build outputs to include the tag/ref and generated per-file SHA-256 checksums.
+- 1 - I updated [`.smart-build.sh`](/config/workspace/gitea-dev/gitea/.smart-build.sh) so each build artifact is now written as `gitea-<tag-or-ref>-<os>-<platform><-sqlite>` with the original executable extension preserved, and each output also gets its own adjacent `.sha256` file generated with `sha256sum` or `shasum -a 256`.
+
+157 - [2026-05-17 17:32:10] - v1.26.0-by-petru-23-g2d228475fc - Type: Fixed - [build] [versioning] Preserved custom tag names in `GITEA_VERSION` while keeping `git describe` build metadata.
+- 1 - I updated `Makefile` so `GITEA_VERSION` now strips the leading `v`, preserves exact custom tag names such as `1.26.0-by-petru`, and converts only the trailing `-N-gSHA` suffix from `git describe` into `+N-gSHA` for in-between builds like `1.26.0-by-petru+3-g...` and `1.27.0-dev+143-g...`.
+
+158 - [2026-05-17 22:20:35] - v1.26.0-by-petru - Type: Fixed - [admin-users] [delete-user] [fetch-action] Made the admin user-table trash action return fetch-compatible delete responses.
+- 1 - I updated the `/-/admin/users` delete modal in the user table to submit an explicit inline fetch flag, and I changed the web admin `DeleteUser` handler so that this table-specific fetch flow now returns `JSONRedirect` on success and `JSONError` for expected validation failures, while the classic edit-page delete form keeps its normal redirect behavior; I also added integration coverage for the table delete path.
+
+159 - [2026-05-17 00:21:37] - v1.26.0-by-petru - Type: Modified - [docs] [changelog] [github-links] Documented the custom `1.26.0-by petru & codex` release in `CHANGELOG.md`.
+- 1 - I added the custom release reference and the dedicated `CUSTOM by petru & codex` release-notes block in `CHANGELOG.md`, summarizing the project-specific features and behavior changes shipped on top of upstream `1.26.0`.
+- 2 - I updated `CHANGELOG.md` and `CHANGELOG-archived.md` so plain standalone references of the form `(#NNNNN)` and compound ampersand groups such as `(#NNNNN & #MMMMM)` now point directly to `https://github.com/
+
+159  - [2026-05-17 17:13:47] - v1.26.0-by-petru - Type: Modified - [update] Added v1.26.1 original Gitea commits
+
+160  - [2026-05-17 17:13:47] - v1.26.1-by-petru - Type: Modified - [docs] [changelog] [github-links] Added explicit GitHub links for the remaining bare PR references in `CHANGELOG.md` for the `v1.26.1-by-petru` release notes.
+- 1 - I updated the remaining bare `#NNNNN` pull-request references in `CHANGELOG.md` so they now point directly to `https://github.com/go-gitea/gitea/pull/...`, without folding this tag-specific changelog cleanup into the earlier generic changelog-link conversion entry.
+
+161 - [2026-05-19 21:31:45] - v1.27.0-dev-172-g3a6684178a - Type: Modified - [scripts] [smart-build] [darwin] Added macOS amd64/arm64 smart-build support, including SQLite-aware Docker-host handling for containerized workspaces.
+- 1 - I updated `smart-build.sh` so its interactive architecture menu now offers `macos-amd64`, `macos-arm64`, and includes both Darwin targets in `All Arch`, while preserving the existing `darwin` artifact naming in `dist/`.
+- 2 - I added a dedicated Darwin SQLite build path in `smart-build.sh` that routes macOS `bindata sqlite sqlite_unlock_notify` builds through `make release-darwin`, and I updated `Makefile` to make `release-darwin` configurable through `DARWIN_ARCHS` so helper scripts can request only `darwin-10.12/amd64` or `darwin-10.12/arm64`.
+- 3 - I hardened the Darwin SQLite flow in `smart-build.sh` for `code-server`-style containerized workspaces by distinguishing between a missing Docker CLI and an unreachable Docker daemon, by validating that the host Docker daemon can see the same mounted repository `go.mod` path as the current workspace, and by moving the temporary release output under `dist/` instead of `/tmp`.
+- 4 - I added `SMART_BUILD_DARWIN_HOST_REPO_PATH` support to `smart-build.sh` so Darwin SQLite builds can be redirected to a host-visible repository mount path when the interactive workspace path inside the container differs from the real host path used by the Docker daemon.
+
+161 - [2026-05-19 23:43:29] - v1.27.0-dev-172-g06e5bd7f46 - Type: Modified - [scripts] [configure] [git-lfs] Added conditional Git LFS setup to `configure.sh` when repository LFS hooks are installed.
+- 1 - I updated `.configure.sh` so repositories that already have Git LFS hook scripts in `.git/hooks` now treat `git-lfs` as a required dependency during verification, install the `git-lfs` system package on supported package managers, and run `git lfs install --local` during non-verify setup.

.codex-project-map.md

@@ -0,0 +1,337 @@
+# Gitea Project Map for Codex
+
+This file is the persistent implementation map for fast project orientation.
+
+Use it after `./.codex-context.md` when a task needs architecture, flow, or extension-point context.
+
+## 1. Fast Entry Points Index
+
+- auth -> `routers/web/auth/`, `templates/user/auth/`, `services/auth/`
+- installer -> `routers/install/`, `templates/install.tmpl`, `options/locale/`
+- user settings UI -> `routers/web/user/setting/`, `templates/user/settings/`, `web_src/js/features/`, `web_src/css/modules/`
+- sticky menus / persistent layout UI -> `templates/*/navbar*.tmpl`, `web_src/css/modules/menu.css`, `web_src/css/modules/flexcontainer.css`, `web_src/js/features/common-page.ts`
+- repo settings / actions UI -> `routers/web/repo/`, `templates/repo/`, `templates/repo/settings/`
+- admin UI -> `routers/web/admin/`, `templates/admin/`
+- mail / notifications -> `services/mailer/`, `templates/mail/`, `routers/web/admin/`, `routers/web/auth/`
+- custom release maintenance and repo-sync helpers -> `./.maintain-custom-release.sh`, `./.update-gitea.sh`, `./.import-upstream-cherry-pick.sh`, `./.codex-script-notes.md`
+
+## 2. Repository Map
+
+- Executable entry point: `main.go`
+- CLI lifecycle and command startup: `cmd/`
+- Installed-instance initialization and route-tree mounting: `routers/init.go`
+- Web SSR routes: `routers/web/`
+- API routes: `routers/api/`
+- Request context, session, template data, response helpers: `services/context/`
+- Business logic: `services/`
+- Persistence and domain models: `models/`
+- Cross-cutting infrastructure: `modules/`
+- Server-side templates: `templates/`
+- Browser-side frontend: `web_src/`
+
+## 3. Bootstrap and Request Flow
+
+### 2.1 Application Bootstrap
+
+1. `main.go`
+- Sets `setting.AppVer`, `setting.AppBuiltWith`, and `setting.AppStartTime`.
+- Starts the CLI app through `cmd.NewMainApp(...)` and `cmd.RunMainApp(...)`.
+
+2. `cmd/web.go`
+- `newWebCommand()` defines the `web` command.
+- `runWeb(...)` prepares graceful shutdown.
+- `serveInstalled(...)` calls `routers.InitWebInstalled(...)` and then `routers.NormalRoutes()`.
+
+3. `routers/init.go`
+- `InitWebInstalled(...)` initializes Git, settings, storage, cache, DB, models, auth, indexers, webhooks, SSH, Actions, and cron.
+- `NormalRoutes()` mounts:
+  - `/` -> `routers/web.Routes()`
+  - `/api/v1` -> public API
+  - `/api/internal` -> private API
+  - optional package and Actions API areas when enabled
+
+### 2.2 Web Request Pipeline
+
+1. `routers/web/web.go:Routes()`
+- Builds the main web router.
+- Exposes static assets, avatars, `robots.txt`, `metrics`, and `healthz`.
+
+2. Core middleware
+- `common.MustInitSessioner()` prepares the session.
+- `context.Contexter()` builds the web context and template data.
+- `newWebAuthMiddleware()` resolves optional or required authentication.
+
+3. `services/context/`
+- `NewBaseContext(...)` creates the base request context.
+- `NewWebContext(...)` attaches `Doer`, `Repo`, `Org`, `Session`, `Flash`, and `PageData`.
+- `Contexter()` injects global template and page data such as:
+  - `Link`
+  - `PageData`
+  - flash cookie
+  - `SystemConfig`
+  - shared template state
+
+4. Auth and access validation
+- `verifyAuthWithOptions(...)` enforces:
+  - `SignInRequired`
+  - `SignOutRequired`
+  - `AdminRequired`
+  - cross-origin rules
+  - inactive-user and forced-password-change constraints
+
+5. Domain handler
+- The request reaches `routers/web/...` or `routers/api/...`.
+- Handlers should stay thin and delegate to `services/...`.
+
+6. Business logic and persistence
+- `services/...` orchestrate business rules.
+- `models/...` read or write the DB and represent domain state.
+- `modules/...` provide reusable infrastructure such as git, storage, cache, markup, logging, web helpers, SSH, and indexing.
+
+7. Response
+- Web:
+  - templates from `templates/...`
+  - optional page JS data for `web_src/js/...`
+- API:
+  - JSON or file responses through helpers in `services/context/`
+
+## 4. Authentication Map
+
+### 3.1 Where Auth Routes Live
+
+Auth routes are mainly declared in `routers/web/web.go`, especially around:
+- `/user/login`
+- `/user/sign_up`
+- `/user/two_factor/...`
+- `/user/webauthn/...`
+- `/user/openid/...`
+- `/login/oauth/...`
+- `/user/settings/security/...`
+- `/user/settings/applications/oauth2/...`
+
+### 3.2 Key Auth Files
+
+- `routers/web/auth/auth.go`
+  - classic login
+  - signup
+  - remember-cookie login
+  - post-login redirect
+  - branching toward 2FA or WebAuthn
+
+- `routers/web/auth/password.go`
+  - forgot password
+  - reset password
+  - forced password change
+
+- `routers/web/auth/2fa.go`
+  - TOTP
+  - scratch codes
+
+- `routers/web/auth/webauthn.go`
+  - passkeys
+  - WebAuthn challenge/assertion flow
+
+- `routers/web/auth/openid.go`
+  - OpenID sign-in
+  - connect
+  - register
+
+- `routers/web/auth/oauth.go`
+  - OAuth2 / OIDC provider login start and callback
+  - link account
+  - auto-registration
+  - provider-data sync triggers
+
+- `routers/web/auth/oauth_signin_sync.go`
+  - post-login provider-data synchronization
+
+- `routers/web/auth/oauth2_provider.go`
+  - Gitea as an OAuth2 / OIDC provider
+  - authorize, access token, userinfo, introspection, JWKS
+
+- `routers/web/auth/linkaccount.go`
+  - external-account linking to a local account
+
+### 3.3 Classic Web Login Flow
+
+1. Browser requests `/user/login`.
+2. `context.Contexter()` prepares context and page data.
+3. `newWebAuthMiddleware()` attempts authentication through available strategies:
+  - OAuth2 header/bearer where allowed
+  - Basic auth where allowed
+  - reverse-proxy auth if enabled
+  - session
+  - SSPI on Windows if enabled
+4. `auth.SignIn` renders the page.
+5. `POST /user/login` enters `auth.SignInPost`.
+6. On success, the flow may:
+  - branch to 2FA
+  - branch to WebAuthn
+  - create a remember cookie
+  - redirect to `redirect_to` or the default target
+7. Inactive, blocked, or forced-password-change users are stopped by auth logic or `verifyAuthWithOptions(...)`.
+
+### 3.4 Auth Services and UI
+
+- `services/auth/` contains reusable auth strategies such as:
+  - `Basic`
+  - `OAuth2`
+  - `Session`
+  - `ReverseProxy`
+  - `SSPI`
+
+- Auth UI lives in `templates/user/auth/`
+- Relevant browser-side auth code includes:
+  - `web_src/js/features/user-auth-webauthn.ts`
+  - `web_src/js/features/captcha.ts`
+
+### 3.5 Where to Extend Auth
+
+- New auth UI step:
+  - `routers/web/auth/...`
+  - `templates/user/auth/...`
+  - optional `web_src/js/features/...`
+
+- New authentication rule or source:
+  - `services/auth/...`
+  - optionally `models/auth/...`
+  - integrate through `newWebAuthMiddleware()`
+
+- New OAuth2/OIDC provider endpoint:
+  - `routers/web/auth/oauth2_provider.go`
+  - `services/oauth2_provider/...`
+
+## 5. Change Entry Points
+
+### 4.1 New Web Route
+
+- Add handler in `routers/web/<domain>/`
+- Register in `routers/web/web.go`
+- If it has UI:
+  - template in `templates/...`
+  - optional JS/CSS in `web_src/...`
+
+### 4.2 New API Route
+
+- Add handler in `routers/api/v1/...` or the proper API subtree
+- Mount through `routers/init.go` or the existing API router
+- Use `services/context/` helpers for validation and response consistency
+
+### 4.3 New Business Rule
+
+- Orchestration in `services/<domain>/`
+- Persistence in `models/<domain>/`
+- Keep routing logic thin
+
+### 4.4 New Template Data
+
+- Put page-specific data in handlers or domain middleware
+- Put global data there only if it is truly cross-cutting
+- For data consumed by page JS, use `ctx.PageData`
+
+### 4.5 New SSR Screen or UI Change
+
+- Template in `templates/...`
+- If client-side interaction is needed:
+  - logic in `web_src/js/features/...`
+  - styles in `web_src/css/...`
+
+### 4.6 Global Navigation and Template Hooks
+
+- Main top navigation:
+  - `templates/base/head_navbar.tmpl`
+
+- Extra global links without rewriting the standard navbar:
+  - `templates/custom/`
+  - `custom/extra_links` hook in `templates/base/head_navbar.tmpl`
+
+- Repository header and main repo tabs:
+  - `templates/repo/header.tmpl`
+
+- Extra repo tabs without rewriting the standard header:
+  - `custom/extra_tabs` hook in `templates/repo/header.tmpl`
+
+- Repo submenu areas:
+  - `templates/repo/navbar.tmpl`
+  - `templates/repo/sub_menu.tmpl`
+
+### 4.7 User, Org, Repo, and Admin Areas
+
+- Repo:
+  - `routers/web/repo/`
+  - `services/repository/`, `services/pull/`, `services/issue/`, `services/git/`
+  - `templates/repo/`
+
+- User:
+  - `routers/web/user/`
+  - `routers/web/user/setting/`
+  - `services/user/`
+  - `templates/user/`
+  - `templates/user/settings/`
+
+- Org:
+  - `routers/web/org/`
+  - `services/org/`
+  - `templates/org/`
+  - `templates/org/settings/`
+
+- Admin:
+  - `routers/web/admin/`
+  - support often spans `models/`, `services/`, and `modules/setting/`
+  - `templates/admin/`
+
+## 6. Frequent Task Shortcuts
+
+- Login / signup / account recovery:
+  - `routers/web/auth/`
+  - `templates/user/auth/`
+  - `services/auth/`
+  - `models/auth/`
+  - `models/user/`
+
+- User settings / security / applications:
+  - `routers/web/user/setting/`
+  - `templates/user/settings/`
+
+- Repository header / tabs / page chrome:
+  - `templates/repo/header.tmpl`
+  - `templates/repo/navbar.tmpl`
+  - `templates/repo/sub_menu.tmpl`
+
+- Top navigation / global links:
+  - `templates/base/head_navbar.tmpl`
+  - `templates/custom/`
+
+- Packages:
+  - `routers/api/packages/`
+  - `services/packages/`
+  - `models/packages/`
+
+- Actions:
+  - `routers/api/actions/`
+  - `routers/web/repo/actions/`
+  - `services/actions/`
+  - `models/actions/`
+
+## 7. Technology and Validation Notes
+
+- Backend: Go
+- Server-side rendering: Go `.tmpl` templates
+- Frontend: TypeScript
+- Vue components exist in the repo
+- Styling: CSS, Tailwind CSS, Fomantic UI
+- Frontend verification tooling: Vitest, Playwright, ESLint, Stylelint
+
+For area-specific validation:
+- Go:
+  - `make fmt`
+  - `make lint-go`
+  - targeted Go tests
+- TypeScript / frontend:
+  - `make lint-js`
+  - `make test-frontend` or targeted frontend tests when needed
+- `go.mod` changes:
+  - `make tidy`
+  - targeted frontend tests when needed
+- `go.mod` changes:
+  - `make tidy`

.codex-script-notes.md

@@ -0,0 +1,62 @@
+# Codex Script Notes
+
+This file is a fast-reference companion for the large local helper scripts.
+
+## `.maintain-custom-release.sh`
+
+Purpose:
+- maintain a custom stable branch such as `release/v1.26-custom`
+- start from `BASE_TAG`
+- fetch and sync upstream compare / release-target refs explicitly
+- cherry-pick selected custom work from a local source branch
+
+Current interaction model:
+- interactive menu with submenus:
+  - `Manual Backups >`
+  - `Fetch upstreams >`
+  - `Sync >`
+  - `Rollback >`
+  - `Restore >`
+- submenu navigation:
+  - `Enter` or `b` / `B` => Back
+  - `0` => Exit
+
+Persistent runtime state:
+- runtime copy: `/tmp/.maintain-custom-release.sh`
+- persisted settings: `/tmp/.maintain-custom-release.env`
+- restore points: `.git/.maintain-custom-release-restore-points/`
+- snapshots: `.git/.maintain-custom-release-snapshots/`
+- active state file: `.git/.maintain-custom-release-state`
+
+Recommended order:
+1. `Bootstrap maintenance branch`
+2. `Fetch upstream/main compare ref`
+3. `Fetch upstream release target ref`
+4. `Show import plan`
+5. `Sync` actions as needed
+
+Important behavior:
+- `bootstrap` should only create/switch the maintenance branch from `BASE_TAG`; it should not fetch automatically
+- `rollback` should remove bootstrap-created maintenance branches and clean script-managed refs/artifacts
+- deleting a saved exact snapshot should also remove its paired `backup/maint-*` Git Graph marker
+
+## `.update-gitea.sh`
+
+Purpose:
+- safe upstream sync helper for the working tree
+- create safety backups before real sync actions
+- provide `dry-run`, `rollback`, `restore-stash`, and `restore-snapshot`
+
+Key safety expectations:
+- `dry-run` must not modify the real repository
+- real sync actions must preserve enough state for exact rollback
+
+## `.import-upstream-cherry-pick.sh`
+
+Purpose:
+- import upstream commits through `git cherry-pick -x`
+- support commit-by-commit or range-based import
+
+Key safety expectations:
+- save backup branch, snapshot, and stash before real import actions
+- support `continue`, `rollback`, `restore-stash`, and `restore-snapshot`

.codex_gpt_login.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CALLBACK_URL="http://127.0.0.1:1455/auth/callback"
+SUCCESS_URL="http://localhost:1455/success"
+
+die() {
+	printf 'ERROR: %s\n' "$*" >&2
+	exit 1
+}
+
+extract_code() {
+	local input="$1"
+
+	case "$input" in
+		*code=*)
+			input="${input#*code=}"
+			input="${input%%&*}"
+			input="${input%%#*}"
+			;;
+	esac
+
+	printf '%s' "$input"
+}
+
+extract_id_token() {
+	local response_file="$1"
+
+	sed -n 's/.*id_token=\([^&[:space:]"'"'"'<>]*\).*/\1/p' "$response_file" |
+		tr -d '\r' |
+		head -n 1
+}
+
+printf 'Codex ChatGPT login helper\n'
+printf 'Paste the received code, full callback URL, or query string containing code=...\n'
+printf 'Received key: '
+IFS= read -r received_key
+
+[ -n "$received_key" ] || die "empty received key"
+
+code="$(extract_code "$received_key")"
+[ -n "$code" ] || die "could not extract code"
+
+response_file="$(mktemp)"
+trap 'rm -f "$response_file"' EXIT
+
+printf '\nCalling Codex auth callback...\n'
+curl -sv -H "Host: localhost" --get --data-urlencode "code=$code" "$CALLBACK_URL" >"$response_file" 2>&1 || {
+	cat "$response_file" >&2
+	die "callback request failed"
+}
+
+id_token="$(extract_id_token "$response_file")"
+[ -n "$id_token" ] || {
+	cat "$response_file" >&2
+	die "could not find id_token in callback response"
+}
+
+printf 'id_token received. Completing login...\n'
+curl -sv --get --data-urlencode "id_token=$id_token" "$SUCCESS_URL"
+printf '\nDone.\n'

.configure.sh

@@ -0,0 +1,722 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+repo_go_version() {
+	sed -n 's/^go //p' "$SCRIPT_DIR/go.mod" 2>/dev/null | head -n 1
+}
+
+repo_node_version() {
+	sed -n 's/.*"node": ">= *\([^"]*\)".*/\1/p' "$SCRIPT_DIR/package.json" 2>/dev/null | head -n 1
+}
+
+repo_pnpm_version() {
+	sed -n 's/.*"packageManager": "pnpm@\([^"]*\)".*/\1/p' "$SCRIPT_DIR/package.json" 2>/dev/null | head -n 1
+}
+
+GO_VERSION="${GO_VERSION:-$(repo_go_version)}"
+GO_VERSION="${GO_VERSION:-1.26.2}"
+NODE_VERSION="${NODE_VERSION:-$(repo_node_version)}"
+NODE_VERSION="${NODE_VERSION:-22.18.0}"
+PNPM_VERSION="${PNPM_VERSION:-$(repo_pnpm_version)}"
+PNPM_VERSION="${PNPM_VERSION:-10.33.0}"
+NVM_VERSION="${NVM_VERSION:-v0.40.3}"
+
+INSTALL_SYSTEM=1
+INSTALL_GO=1
+INSTALL_NODE=1
+INSTALL_FRONTEND_DEPS=1
+VERIFY_ONLY=0
+WITH_CROSS_CGO=0
+SHOW_MENU=0
+VERIFY_REPORT_ONLY=0
+VERIFY_HAD_ISSUES=0
+
+usage() {
+	cat <<EOF
+Usage: ./configure.sh [options]
+
+Installs and configures the local build requirements for this Gitea tree.
+
+Options:
+  --with-cross-cgo       Also install/configure cross-CGO toolchains for
+                         sqlite builds targeting linux/armv7 and windows/amd64.
+                         This is useful for "All Arch" + sqlite builds, but it
+                         downloads noticeably larger packages.
+  --skip-system          Do not install system packages.
+  --skip-go              Do not install Go.
+  --skip-node            Do not install NVM/Node/pnpm.
+  --skip-frontend-deps   Do not run pnpm install --frozen-lockfile.
+  --verify-only          Only check the current environment.
+  --menu                 Show the interactive run menu.
+  -h, --help             Show this help.
+
+Environment overrides:
+  GO_VERSION=$GO_VERSION
+  NODE_VERSION=$NODE_VERSION
+  PNPM_VERSION=$PNPM_VERSION
+  NVM_VERSION=$NVM_VERSION
+EOF
+}
+
+show_description() {
+	cat <<EOF
+Gitea build environment setup
+
+This script prepares the local machine for the Gitea build used in this tree.
+It can install or verify:
+  - the required system build packages, including gcc, make, git, pkg-config,
+    and the SQLite/PAM libraries;
+  - git-lfs when this repository has Git LFS hooks installed;
+  - Go $GO_VERSION, as required by go.mod;
+  - Node $NODE_VERSION and pnpm $PNPM_VERSION, as required by package.json;
+  - frontend dependencies with pnpm install --frozen-lockfile;
+  - optional cross-CGO compilers for SQLite builds targeting linux/armv7
+    and windows/amd64.
+
+For automated runs, you can keep using CLI options, for example:
+  ./configure.sh --verify-only
+  ./configure.sh --with-cross-cgo
+
+EOF
+}
+
+interactive_menu() {
+	show_description
+	cat <<EOF
+Select install mode:
+  1) Normal mode
+  2) With cross cgo
+  3) Verify only
+  4) Quit
+
+EOF
+    #  Install the standard requirements: system packages, Go, Node, pnpm, and frontend deps.
+    #  Normal mode plus cross-CGO toolchains for multi-arch SQLite builds.
+    #  Install nothing; only check the current environment.
+
+	while true; do
+		printf 'Choose option [1-4]: '
+		if ! read -r choice; then
+			die "No menu option selected."
+		fi
+
+		case "$choice" in
+			1)
+				printf 'Selected: Normal\n'
+				return
+				;;
+			2)
+				WITH_CROSS_CGO=1
+				printf 'Selected: With cross cgo\n'
+				return
+				;;
+			3)
+				VERIFY_ONLY=1
+				INSTALL_SYSTEM=0
+				INSTALL_GO=0
+				INSTALL_NODE=0
+				INSTALL_FRONTEND_DEPS=0
+				VERIFY_REPORT_ONLY=1
+				printf 'Selected: Verify only\n'
+				return
+				;;
+			4)
+				printf 'Canceled.\n'
+				exit 0
+				;;
+			*)
+				printf 'Invalid option: %s\n' "$choice"
+				;;
+		esac
+	done
+}
+
+log() {
+	printf '\n==> %s\n' "$*"
+}
+
+warn() {
+	printf 'WARNING: %s\n' "$*" >&2
+}
+
+die() {
+	printf 'ERROR: %s\n' "$*" >&2
+	exit 1
+}
+
+command_exists() {
+	command -v "$1" >/dev/null 2>&1
+}
+
+repo_has_git_lfs_hooks() {
+	local hook
+	for hook in pre-push post-checkout post-commit post-merge; do
+		[ -f "$SCRIPT_DIR/.git/hooks/$hook" ] || continue
+		if grep -q 'git-lfs' "$SCRIPT_DIR/.git/hooks/$hook"; then
+			return 0
+		fi
+	done
+	return 1
+}
+
+repo_requires_git_lfs() {
+	repo_has_git_lfs_hooks
+}
+
+run_as_root() {
+	if [ "$(id -u)" -eq 0 ]; then
+		"$@"
+	elif command_exists sudo; then
+		sudo "$@"
+	else
+		die "This step needs root privileges. Install sudo or run the script as root."
+	fi
+}
+
+fetch_to() {
+	local url="$1"
+	local output="$2"
+
+	if command_exists curl; then
+		curl -fL --retry 3 --retry-delay 2 -o "$output" "$url"
+	elif command_exists wget; then
+		wget -O "$output" "$url"
+	else
+		die "curl or wget is required to download $url"
+	fi
+}
+
+version_ge() {
+	local actual="$1"
+	local required="$2"
+	[ "$(printf '%s\n%s\n' "$required" "$actual" | sort -V | head -n 1)" = "$required" ]
+}
+
+append_profile_line() {
+	local file="$1"
+	local line="$2"
+
+	touch "$file"
+	if ! grep -qxF "$line" "$file"; then
+		printf '\n%s\n' "$line" >>"$file"
+	fi
+}
+
+ensure_go_path() {
+	activate_go_path
+	append_profile_line "$HOME/.profile" 'export PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"'
+	append_profile_line "$HOME/.bashrc" 'export PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"'
+}
+
+activate_go_path() {
+	export PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
+}
+
+install_system_packages() {
+	log "Installing system packages"
+
+	if command_exists apt-get; then
+		local -a packages=(
+			bash
+			build-essential
+			ca-certificates
+			coreutils
+			curl
+			findutils
+			gawk
+			git
+			gzip
+			libpam0g-dev
+			libsqlite3-dev
+			make
+			openssh-client
+			perl
+			pkg-config
+			python3
+			sed
+			sqlite3
+			tar
+			unzip
+			wget
+			xz-utils
+			zip
+		)
+		repo_requires_git_lfs && packages+=(git-lfs)
+		if [ "$WITH_CROSS_CGO" -eq 1 ]; then
+			packages+=(
+				gcc-arm-linux-gnueabihf
+				g++-arm-linux-gnueabihf
+				gcc-mingw-w64-x86-64
+				g++-mingw-w64-x86-64
+			)
+		fi
+		run_as_root apt-get update
+		run_as_root env DEBIAN_FRONTEND=noninteractive apt-get install -y "${packages[@]}"
+		return
+	fi
+
+	if command_exists dnf; then
+		local -a packages=(
+			bash
+			ca-certificates
+			coreutils
+			curl
+			findutils
+			gawk
+			gcc
+			gcc-c++
+			git
+			gzip
+			make
+			openssh-clients
+			pam-devel
+			perl-core
+			pkgconf-pkg-config
+			python3
+			sed
+			sqlite
+			sqlite-devel
+			tar
+			unzip
+			wget
+			xz
+			zip
+		)
+		repo_requires_git_lfs && packages+=(git-lfs)
+		run_as_root dnf install -y "${packages[@]}"
+		[ "$WITH_CROSS_CGO" -eq 0 ] || warn "Cross-CGO package setup is only automated for apt-based systems."
+		return
+	fi
+
+	if command_exists yum; then
+		local -a packages=(
+			bash
+			ca-certificates
+			coreutils
+			curl
+			findutils
+			gawk
+			gcc
+			gcc-c++
+			git
+			gzip
+			make
+			openssh-clients
+			pam-devel
+			perl
+			pkgconfig
+			python3
+			sed
+			sqlite
+			sqlite-devel
+			tar
+			unzip
+			wget
+			xz
+			zip
+		)
+		repo_requires_git_lfs && packages+=(git-lfs)
+		run_as_root yum install -y "${packages[@]}"
+		[ "$WITH_CROSS_CGO" -eq 0 ] || warn "Cross-CGO package setup is only automated for apt-based systems."
+		return
+	fi
+
+	if command_exists pacman; then
+		local -a packages=(
+			base-devel
+			bash
+			ca-certificates
+			coreutils
+			curl
+			findutils
+			gawk
+			git
+			gzip
+			make
+			openssh
+			pam
+			perl
+			pkgconf
+			python
+			sed
+			sqlite
+			tar
+			unzip
+			wget
+			xz
+			zip
+		)
+		repo_requires_git_lfs && packages+=(git-lfs)
+		run_as_root pacman -Sy --needed --noconfirm "${packages[@]}"
+		[ "$WITH_CROSS_CGO" -eq 0 ] || warn "Cross-CGO package setup is only automated for apt-based systems."
+		return
+	fi
+
+	if command_exists zypper; then
+		local -a packages=(
+			bash
+			ca-certificates
+			coreutils
+			curl
+			findutils
+			gawk
+			gcc
+			gcc-c++
+			git
+			gzip
+			make
+			openssh
+			pam-devel
+			perl
+			pkg-config
+			python3
+			sed
+			sqlite3
+			sqlite3-devel
+			tar
+			unzip
+			wget
+			xz
+			zip
+		)
+		repo_requires_git_lfs && packages+=(git-lfs)
+		run_as_root zypper install -y "${packages[@]}"
+		[ "$WITH_CROSS_CGO" -eq 0 ] || warn "Cross-CGO package setup is only automated for apt-based systems."
+		return
+	fi
+
+	die "Unsupported package manager. Install git, make, gcc/g++, pkg-config, sqlite3 headers, curl/wget, tar, unzip, xz, python3, and then rerun with --skip-system."
+}
+
+go_download_arch() {
+	case "$(uname -m)" in
+		x86_64 | amd64)
+			printf 'amd64'
+			;;
+		aarch64 | arm64)
+			printf 'arm64'
+			;;
+		i386 | i686)
+			printf '386'
+			;;
+		armv6l | armv7l)
+			printf 'armv6l'
+			;;
+		*)
+			die "Unsupported CPU architecture for automatic Go install: $(uname -m)"
+			;;
+	esac
+}
+
+current_go_version() {
+	if command_exists go; then
+		go version | awk '{print $3}' | sed 's/^go//'
+	fi
+}
+
+install_go() {
+	log "Configuring Go $GO_VERSION"
+	ensure_go_path
+
+	if [ "$(current_go_version)" = "$GO_VERSION" ]; then
+		printf 'Go %s is already installed.\n' "$GO_VERSION"
+		return
+	fi
+
+	local arch
+	arch="$(go_download_arch)"
+	local archive="/tmp/go${GO_VERSION}.linux-${arch}.tar.gz"
+	local url="https://go.dev/dl/go${GO_VERSION}.linux-${arch}.tar.gz"
+
+	fetch_to "$url" "$archive"
+	run_as_root rm -rf /usr/local/go
+	run_as_root tar -C /usr/local -xzf "$archive"
+	ensure_go_path
+
+	[ "$(current_go_version)" = "$GO_VERSION" ] || die "Go install finished, but go version is not $GO_VERSION."
+}
+
+load_nvm() {
+	export NVM_DIR="${NVM_DIR:-$HOME/.nvm}"
+	# shellcheck disable=SC1091
+	[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
+}
+
+install_nvm() {
+	export NVM_DIR="${NVM_DIR:-$HOME/.nvm}"
+	if [ -s "$NVM_DIR/nvm.sh" ]; then
+		load_nvm
+		return
+	fi
+
+	log "Installing NVM $NVM_VERSION"
+	local installer="/tmp/nvm-install-${NVM_VERSION}.sh"
+	fetch_to "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" "$installer"
+	bash "$installer"
+	load_nvm
+	command_exists nvm || die "NVM could not be loaded after installation."
+}
+
+current_node_version() {
+	if command_exists node; then
+		node -p 'process.versions.node'
+	fi
+}
+
+current_pnpm_version() {
+	if command_exists pnpm; then
+		pnpm --version
+	fi
+}
+
+install_node_and_pnpm() {
+	log "Configuring Node $NODE_VERSION and pnpm $PNPM_VERSION"
+	install_nvm
+
+	nvm install "$NODE_VERSION"
+	nvm alias default "$NODE_VERSION" >/dev/null
+	nvm use "$NODE_VERSION" >/dev/null
+	hash -r
+
+	if command_exists corepack; then
+		corepack enable
+		corepack prepare "pnpm@${PNPM_VERSION}" --activate
+		hash -r
+	fi
+
+	if ! command_exists pnpm || ! version_ge "$(current_pnpm_version)" "$PNPM_VERSION"; then
+		npm install -g "pnpm@${PNPM_VERSION}"
+		hash -r
+	fi
+
+	if ! version_ge "$(current_node_version)" "$NODE_VERSION"; then
+		die "Node $(current_node_version) is older than required $NODE_VERSION."
+	fi
+	if ! version_ge "$(current_pnpm_version)" "$PNPM_VERSION"; then
+		die "pnpm $(current_pnpm_version) is older than required $PNPM_VERSION."
+	fi
+}
+
+install_frontend_deps() {
+	log "Installing frontend dependencies"
+	cd "$SCRIPT_DIR"
+	pnpm install --frozen-lockfile
+}
+
+configure_git_lfs() {
+	repo_requires_git_lfs || return
+
+	log "Configuring Git LFS"
+	command_exists git-lfs || die "git-lfs is required for this repository but is not installed."
+
+	cd "$SCRIPT_DIR"
+	git lfs install --local >/dev/null
+}
+
+configure_cross_cgo() {
+	[ "$WITH_CROSS_CGO" -eq 1 ] || return
+
+	log "Configuring Makefile.local for cross-CGO sqlite builds"
+	cd "$SCRIPT_DIR"
+	if [ -f Makefile.local ] && grep -qF '# BEGIN configure.sh cross-cgo' Makefile.local; then
+		printf 'Makefile.local already contains configure.sh cross-CGO settings.\n'
+		return
+	fi
+
+	cat >>Makefile.local <<'EOF'
+
+# BEGIN configure.sh cross-cgo
+ifeq ($(GOOS)/$(GOARCH),windows/amd64)
+CC := x86_64-w64-mingw32-gcc
+CXX := x86_64-w64-mingw32-g++
+export CC
+export CXX
+endif
+
+ifeq ($(GOOS)/$(GOARCH)/$(GOARM),linux/arm/7)
+CC := arm-linux-gnueabihf-gcc
+CXX := arm-linux-gnueabihf-g++
+export CC
+export CXX
+endif
+# END configure.sh cross-cgo
+EOF
+}
+
+verify_environment() {
+	log "Verifying build environment"
+	activate_go_path
+	load_nvm || true
+	hash -r
+
+	local -a missing=()
+	local -a problems=()
+	local command_name
+	for command_name in git make go node pnpm gcc pkg-config; do
+		if ! command_exists "$command_name"; then
+			missing+=("$command_name")
+		fi
+	done
+	if repo_requires_git_lfs && ! command_exists git-lfs; then
+		missing+=("git-lfs")
+	fi
+
+	if command_exists go; then
+		local found_go
+		found_go="$(current_go_version)"
+		[ "$found_go" = "$GO_VERSION" ] || problems+=("Go $found_go found, but $GO_VERSION is required.")
+	fi
+
+	if command_exists node; then
+		local found_node
+		found_node="$(current_node_version)"
+		version_ge "$found_node" "$NODE_VERSION" || problems+=("Node $found_node found, but >= $NODE_VERSION is required.")
+	fi
+
+	if command_exists pnpm; then
+		local found_pnpm
+		found_pnpm="$(current_pnpm_version)"
+		version_ge "$found_pnpm" "$PNPM_VERSION" || problems+=("pnpm $found_pnpm found, but >= $PNPM_VERSION is required.")
+	fi
+
+	cd "$SCRIPT_DIR"
+	if command_exists make && ! make help >/dev/null; then
+		problems+=("make help failed.")
+	fi
+
+	if [ "$WITH_CROSS_CGO" -eq 1 ]; then
+		for command_name in arm-linux-gnueabihf-gcc x86_64-w64-mingw32-gcc; do
+			if ! command_exists "$command_name"; then
+				missing+=("$command_name")
+			fi
+		done
+	fi
+
+	if [ ! -d "$SCRIPT_DIR/node_modules" ]; then
+		problems+=("node_modules is missing; frontend dependencies are not installed.")
+	fi
+
+	if [ "${#missing[@]}" -gt 0 ] || [ "${#problems[@]}" -gt 0 ]; then
+		VERIFY_HAD_ISSUES=1
+		if [ "${#missing[@]}" -gt 0 ]; then
+			printf '\nMissing commands:\n'
+			for command_name in "${missing[@]}"; do
+				printf '  - %s\n' "$command_name"
+			done
+		fi
+		if [ "${#problems[@]}" -gt 0 ]; then
+			printf '\nConfiguration issues:\n'
+			local problem
+			for problem in "${problems[@]}"; do
+				printf '  - %s\n' "$problem"
+			done
+		fi
+		printf '\nTo fix the standard build environment, run ./configure.sh and choose 1) Normal.\n'
+		printf 'For sqlite multi-arch builds, choose 2) With cross cgo.\n'
+		if [ "$VERIFY_REPORT_ONLY" -eq 1 ]; then
+			printf '\nVerify only completed; no changes were made.\n'
+			return 0
+		fi
+		return 1
+	fi
+
+	printf 'Go:   %s\n' "$(go version)"
+	printf 'Node: %s\n' "$(node --version)"
+	printf 'pnpm: %s\n' "$(pnpm --version)"
+	printf 'gcc:  %s\n' "$(gcc --version | head -n 1)"
+	if repo_requires_git_lfs; then
+		printf 'git-lfs: %s\n' "$(git lfs version)"
+	fi
+	if [ -d "$SCRIPT_DIR/node_modules" ]; then
+		printf 'node_modules: present\n'
+	else
+		printf 'node_modules: missing; run ./configure.sh or pnpm install --frozen-lockfile\n'
+	fi
+}
+
+if [ "$#" -eq 0 ] && [ -t 0 ]; then
+	SHOW_MENU=1
+fi
+
+while [ "$#" -gt 0 ]; do
+	case "$1" in
+		--with-cross-cgo)
+			WITH_CROSS_CGO=1
+			;;
+		--skip-system)
+			INSTALL_SYSTEM=0
+			;;
+		--skip-go)
+			INSTALL_GO=0
+			;;
+		--skip-node)
+			INSTALL_NODE=0
+			;;
+		--skip-frontend-deps)
+			INSTALL_FRONTEND_DEPS=0
+			;;
+		--verify-only)
+			VERIFY_ONLY=1
+			INSTALL_SYSTEM=0
+			INSTALL_GO=0
+			INSTALL_NODE=0
+			INSTALL_FRONTEND_DEPS=0
+			;;
+		--menu)
+			SHOW_MENU=1
+			;;
+		-h | --help)
+			usage
+			exit 0
+			;;
+		*)
+			usage
+			die "Unknown option: $1"
+			;;
+	esac
+	shift
+done
+
+if [ "$SHOW_MENU" -eq 1 ]; then
+	interactive_menu
+fi
+
+if [ "$(id -u)" -eq 0 ]; then
+	warn "You are running as root. NVM/Node will be configured for root, not for your normal user."
+fi
+
+if [ "$VERIFY_ONLY" -eq 0 ]; then
+	[ "$INSTALL_SYSTEM" -eq 0 ] || install_system_packages
+	configure_git_lfs
+	[ "$INSTALL_GO" -eq 0 ] || install_go
+	[ "$INSTALL_NODE" -eq 0 ] || install_node_and_pnpm
+	configure_cross_cgo
+	[ "$INSTALL_FRONTEND_DEPS" -eq 0 ] || install_frontend_deps
+fi
+
+verify_environment
+
+if [ "$VERIFY_HAD_ISSUES" -eq 1 ]; then
+	cat <<EOF
+
+Done. Missing requirements were reported above and no changes were made.
+Run ./configure.sh again and choose:
+  1) Normal
+
+For sqlite builds across all smart-build architectures, choose:
+  2) With cross cgo
+EOF
+else
+	cat <<EOF
+
+Done.
+Recommended next steps:
+  ./smart-build.sh
+
+For sqlite builds across all smart-build architectures, prepare the heavier
+cross-CGO tools with:
+  ./configure.sh --with-cross-cgo
+EOF
+fi

.devcontainer/devcontainer.json

@@ -1,22 +1,25 @@
 {
   "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.24-bookworm",
+  "image": "mcr.microsoft.com/devcontainers/go:1.25-trixie",
+  "containerEnv": {
+    // override "local" from packaged version
+    "GOTOOLCHAIN": "auto"
+  },
   "features": {
     // installs nodejs into container
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "20"
+      "version": "latest"
     },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.2": {},
-    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
+    "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
+    "ghcr.io/jsburckhardt/devcontainer-features/uv:1": {},
     "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.12"
+      "version": "3.14"
     },
     "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
   },
   "customizations": {
     "vscode": {
       "settings": {},
-      // same extensions as Gitpod, should match /.gitpod.yml
       "extensions": [
         "editorconfig.editorconfig",
         "dbaeumer.vscode-eslint",

.dockerignore

@@ -36,15 +36,6 @@ _testmain.go
 coverage.all
 cpu.out
 
-/modules/migration/bindata.go
-/modules/migration/bindata.go.hash
-/modules/options/bindata.go
-/modules/options/bindata.go.hash
-/modules/public/bindata.go
-/modules/public/bindata.go.hash
-/modules/templates/bindata.go
-/modules/templates/bindata.go.hash
-
 *.db
 *.log
 
@@ -74,6 +65,7 @@ cpu.out
 /yarn.lock
 /yarn-error.log
 /npm-debug.log*
+/pnpm-debug.log*
 /public/assets/js
 /public/assets/css
 /public/assets/fonts
@@ -82,6 +74,9 @@ cpu.out
 /VERSION
 /.air
 /.go-licenses
+/Dockerfile
+/Dockerfile.rootless
+/.venv
 
 # Files and folders that were previously generated
 /public/assets/img/webpack

.editorconfig

@@ -25,6 +25,10 @@ insert_final_newline = false
 [templates/user/auth/oidc_wellknown.tmpl]
 indent_style = space
 
+[templates/shared/actions/runner_badge_*.tmpl]
+# editconfig lint requires these XML-like files to have charset defined, but the files don't have.
+charset = unset
+
 [Makefile]
 indent_style = tab
 

.frontend.hash

@@ -0,0 +1 @@
+34a58393847d8354e1a401512d0e56138e53bcae

.gitattributes

@@ -8,3 +8,4 @@
 /vendor/** -text -eol linguist-vendored
 /web_src/js/vendor/** -text -eol linguist-vendored
 Dockerfile.* linguist-language=Dockerfile
+Makefile.* linguist-language=Makefile

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    labels: [modifies/dependencies]
+    directory: /
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 5

.github/labeler.yml

@@ -43,15 +43,13 @@ modifies/internal:
           - ".editorconfig"
           - ".eslintrc.cjs"
           - ".golangci.yml"
-          - ".gitpod.yml"
           - ".markdownlint.yaml"
           - ".spectral.yaml"
-          - "stylelint.config.js"
+          - "stylelint.config.*"
           - ".yamllint.yaml"
           - ".github/**"
           - ".gitea/**"
           - ".devcontainer/**"
-          - "build.go"
           - "build/**"
           - "contrib/**"
 
@@ -59,9 +57,9 @@ modifies/dependencies:
   - changed-files:
       - any-glob-to-any-file:
           - "package.json"
-          - "package-lock.json"
+          - "pnpm-lock.yaml"
           - "pyproject.toml"
-          - "poetry.lock"
+          - "uv.lock"
           - "go.mod"
           - "go.sum"
 
@@ -81,3 +79,13 @@ docs-update-needed:
   - changed-files:
       - any-glob-to-any-file:
           - "custom/conf/app.example.ini"
+
+topic/code-linting:
+  - changed-files:
+      - any-glob-to-any-file:
+          - ".golangci.yml"
+          - ".markdownlint.yaml"
+          - ".spectral.yaml"
+          - ".yamllint.yaml"
+          - "eslint*.config.*"
+          - "stylelint.config.*"

.github/workflows/cron-flake-updater.yml

@@ -0,0 +1,22 @@
+name: cron-flake-updater
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
+
+jobs:
+  nix-flake-update:
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/update-flake-lock@main
+        with:
+          pr-title: "Update Nix flake"
+          pr-labels: |
+            dependencies

.github/workflows/cron-licenses.yml

@@ -9,16 +9,18 @@ jobs:
   cron-licenses:
     runs-on: ubuntu-latest
     if: github.repository == 'go-gitea/gitea'
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
       - run: make generate-gitignore
         timeout-minutes: 40
       - name: push translations to repo
-        uses: appleboy/git-push-action@v0.0.3
+        uses: appleboy/git-push-action@v1.2.0
         with:
           author_email: "teabot@gitea.io"
           author_name: GiteaBot

.github/workflows/cron-translations.yml

@@ -9,9 +9,11 @@ jobs:
   crowdin-pull:
     runs-on: ubuntu-latest
     if: github.repository == 'go-gitea/gitea'
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: crowdin/github-action@v1
+      - uses: actions/checkout@v6
+      - uses: crowdin/github-action@v2
         with:
           upload_sources: true
           upload_translations: false
@@ -27,7 +29,7 @@ jobs:
       - name: update locales
         run: ./build/update-locales.sh
       - name: push translations to repo
-        uses: appleboy/git-push-action@v0.0.3
+        uses: appleboy/git-push-action@v1.2.0
         with:
           author_email: "teabot@gitea.io"
           author_name: GiteaBot

.github/workflows/files-changed.yml

@@ -19,11 +19,15 @@ on:
         value: ${{ jobs.detect.outputs.swagger }}
       yaml:
         value: ${{ jobs.detect.outputs.yaml }}
+      json:
+        value: ${{ jobs.detect.outputs.json }}
 
 jobs:
   detect:
     runs-on: ubuntu-latest
     timeout-minutes: 3
+    permissions:
+      contents: read
     outputs:
       backend: ${{ steps.changes.outputs.backend }}
       frontend: ${{ steps.changes.outputs.frontend }}
@@ -33,9 +37,10 @@ jobs:
       docker: ${{ steps.changes.outputs.docker }}
       swagger: ${{ steps.changes.outputs.swagger }}
       yaml: ${{ steps.changes.outputs.yaml }}
+      json: ${{ steps.changes.outputs.json }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@v6
+      - uses: dorny/paths-filter@v4
         id: changes
         with:
           filters: |
@@ -48,7 +53,7 @@ jobs:
               - "Makefile"
               - ".golangci.yml"
               - ".editorconfig"
-              - "options/locale/locale_en-US.ini"
+              - "options/locale/locale_en-US.json"
 
             frontend:
               - "*.js"
@@ -58,7 +63,7 @@ jobs:
               - "tools/*.ts"
               - "assets/emoji.json"
               - "package.json"
-              - "package-lock.json"
+              - "pnpm-lock.yaml"
               - "Makefile"
               - ".eslintrc.cjs"
               - ".npmrc"
@@ -67,7 +72,7 @@ jobs:
               - "**/*.md"
               - ".markdownlint.yaml"
               - "package.json"
-              - "package-lock.json"
+              - "pnpm-lock.yaml"
 
             actions:
               - ".github/workflows/*"
@@ -77,9 +82,10 @@ jobs:
               - "tools/lint-templates-*.js"
               - "templates/**/*.tmpl"
               - "pyproject.toml"
-              - "poetry.lock"
+              - "uv.lock"
 
             docker:
+              - ".github/workflows/pull-docker-dryrun.yml"
               - "Dockerfile"
               - "Dockerfile.rootless"
               - "docker/**"
@@ -90,7 +96,7 @@ jobs:
               - "templates/swagger/v1_input.json"
               - "Makefile"
               - "package.json"
-              - "package-lock.json"
+              - "pnpm-lock.yaml"
               - ".spectral.yaml"
 
             yaml:
@@ -98,4 +104,6 @@ jobs:
               - "**/*.yaml"
               - ".yamllint.yaml"
               - "pyproject.toml"
-              - "poetry.lock"
+
+            json:
+              - "**/*.json"

.github/workflows/pull-compliance.yml

@@ -10,14 +10,18 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   lint-backend:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -30,17 +34,18 @@ jobs:
     if: needs.files-changed.outputs.templates == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.0.0
+      - run: uv python install 3.14
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          python-version: "3.12"
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
-      - run: pip install poetry
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-py
       - run: make deps-frontend
       - run: make lint-templates
@@ -49,26 +54,44 @@ jobs:
     if: needs.files-changed.outputs.yaml == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-      - run: pip install poetry
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.0.0
+      - run: uv python install 3.14
       - run: make deps-py
       - run: make lint-yaml
 
+  lint-json:
+    if: needs.files-changed.outputs.json == 'true'
+    needs: files-changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v5
+        with:
+          node-version: 24
+      - run: make deps-frontend
+      - run: make lint-json
+
   lint-swagger:
     if: needs.files-changed.outputs.swagger == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend
       - run: make lint-swagger
 
@@ -76,9 +99,11 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -88,9 +113,11 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -105,9 +132,11 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -120,9 +149,11 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -133,13 +164,16 @@ jobs:
     if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend
       - run: make lint-frontend
       - run: make checks-frontend
@@ -150,9 +184,11 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -182,13 +218,16 @@ jobs:
     if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend
       - run: make lint-md
 
@@ -196,9 +235,11 @@ jobs:
     if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true

.github/workflows/pull-db-tests.yml

@@ -10,14 +10,18 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   test-pgsql:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       pgsql:
-        image: postgres:12
+        image: postgres:14
         env:
           POSTGRES_DB: test
           POSTGRES_PASSWORD: postgres
@@ -31,15 +35,15 @@ jobs:
       minio:
         # as github actions doesn't support "entrypoint", we need to use a non-official image
         # that has a custom entrypoint set to "minio server /data"
-        image: bitnami/minio:2023.8.31
+        image: bitnamilegacy/minio:2023.8.31
         env:
           MINIO_ROOT_USER: 123456
           MINIO_ROOT_PASSWORD: 12345678
         ports:
           - "9000:9000"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -59,37 +63,39 @@ jobs:
           RACE_ENABLED: true
           TEST_TAGS: gogit
           TEST_LDAP: 1
-          USE_REPO_TEST_DIR: 1
 
   test-sqlite:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
       - run: make deps-backend
-      - run: make backend
+      - run: GOEXPERIMENT='' make backend
         env:
           TAGS: bindata gogit sqlite sqlite_unlock_notify
       - name: run migration tests
         run: make test-sqlite-migration
       - name: run tests
-        run: make test-sqlite
+        run: GOEXPERIMENT='' make test-sqlite
         timeout-minutes: 50
         env:
           TAGS: bindata gogit sqlite sqlite_unlock_notify
           RACE_ENABLED: true
           TEST_TAGS: gogit sqlite sqlite_unlock_notify
-          USE_REPO_TEST_DIR: 1
 
   test-unit:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       elasticsearch:
         image: elasticsearch:7.5.0
@@ -113,7 +119,7 @@ jobs:
         ports:
           - 6379:6379
       minio:
-        image: bitnami/minio:2021.3.17
+        image: bitnamilegacy/minio:2021.3.17
         env:
           MINIO_ACCESS_KEY: 123456
           MINIO_SECRET_KEY: 12345678
@@ -124,8 +130,8 @@ jobs:
         ports:
           - 10000:10000
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -142,7 +148,7 @@ jobs:
           RACE_ENABLED: true
           GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}
       - name: unit-tests-gogit
-        run: make unit-test-coverage test-check
+        run: GOEXPERIMENT='' make unit-test-coverage test-check
         env:
           TAGS: bindata gogit
           RACE_ENABLED: true
@@ -152,10 +158,12 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       mysql:
         # the bitnami mysql image has more options than the official one, it's easier to customize
-        image: bitnami/mysql:8.0
+        image: bitnamilegacy/mysql:8.0
         env:
           ALLOW_EMPTY_PASSWORD: true
           MYSQL_DATABASE: testgitea
@@ -177,8 +185,8 @@ jobs:
           - "587:587"
           - "993:993"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -196,13 +204,14 @@ jobs:
         env:
           TAGS: bindata
           RACE_ENABLED: true
-          USE_REPO_TEST_DIR: 1
           TEST_INDEXER_CODE_ES_URL: "http://elastic:changeme@elasticsearch:9200"
 
   test-mssql:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       mssql:
         image: mcr.microsoft.com/mssql/server:2019-latest
@@ -217,8 +226,8 @@ jobs:
         ports:
           - 10000:10000
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -234,4 +243,3 @@ jobs:
         timeout-minutes: 50
         env:
           TAGS: bindata
-          USE_REPO_TEST_DIR: 1

.github/workflows/pull-docker-dryrun.yml

@@ -10,26 +10,31 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
-  regular:
-    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
+  container:
+    if: needs.files-changed.outputs.docker == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/build-push-action@v5
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - name: Build regular container image
+        uses: docker/build-push-action@v7
         with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/riscv64
           push: false
-          tags: gitea/gitea:linux-amd64
-
-  rootless:
-    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/build-push-action@v5
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
+      - name: Build rootless container image
+        uses: docker/build-push-action@v7
         with:
+          context: .
           push: false
+          platforms: linux/amd64,linux/arm64,linux/riscv64
           file: Dockerfile.rootless
-          tags: gitea/gitea:linux-amd64
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless

.github/workflows/pull-e2e-tests.yml

@@ -10,27 +10,34 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   test-e2e:
-    # the "test-e2e" won't pass, and it seems that there is no useful test, so skip
-    # if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
-    if: false
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
-      - run: make deps-frontend frontend deps-backend
-      - run: npx playwright install --with-deps
-      - run: make test-e2e-sqlite
-        timeout-minutes: 40
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+      - run: make deps-frontend
+      - run: make frontend
+      - run: make deps-backend
+      - run: make gitea-e2e
+      - run: make playwright
+      - run: make test-e2e
+        timeout-minutes: 10
         env:
-          USE_REPO_TEST_DIR: 1
+          FORCE_COLOR: 1
+          GITEA_TEST_E2E_DEBUG: 1

.github/workflows/pull-labeler.yml

@@ -15,6 +15,6 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@v6
         with:
           sync-labels: true

.github/workflows/release-nightly.yml

@@ -11,20 +11,23 @@ concurrency:
 jobs:
   nightly-binary:
     runs-on: namespace-profile-gitea-release-binary
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend deps-backend
       # xgo build
       - run: make release
@@ -32,7 +35,7 @@ jobs:
           TAGS: bindata sqlite sqlite_unlock_notify
       - name: import gpg key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -49,7 +52,7 @@ jobs:
           echo "Cleaned name is ${REF_NAME}"
           echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
       - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -57,98 +60,76 @@ jobs:
       - name: upload binaries to s3
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-  nightly-docker-rootful:
+
+  nightly-container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
       - name: Get cleaned branch name
         id: clean_name
         run: |
-          # if main then say nightly otherwise cleanup name
-          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
-            echo "branch=nightly" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
           REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
           echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
+      - uses: docker/metadata-action@v6
+        id: meta
+        with:
+          images: |-
+            gitea/gitea
+            ghcr.io/go-gitea/gitea
+          tags: |
+            type=raw,value=${{ steps.clean_name.outputs.branch }}
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
+      - uses: docker/metadata-action@v6
+        id: meta_rootless
+        with:
+          images: |-
+            gitea/gitea
+            ghcr.io/go-gitea/gitea
+          # each tag below will have the suffix of -rootless
+          flavor: |
+            suffix=-rootless
+          tags: |
+            type=raw,value=${{ steps.clean_name.outputs.branch }}
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: fetch go modules
-        run: make vendor
-      - name: build rootful docker image
-        uses: docker/build-push-action@v5
+      - name: build regular docker image
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/riscv64
           push: true
-          tags: |-
-            gitea/gitea:${{ steps.clean_name.outputs.branch }}
-            ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }}
-  nightly-docker-rootless:
-    runs-on: namespace-profile-gitea-release-docker
-    permissions:
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          # if main then say nightly otherwise cleanup name
-          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
-            echo "branch=nightly" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
-          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: fetch go modules
-        run: make vendor
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
+          cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful,mode=max
       - name: build rootless docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64,linux/riscv64
           push: true
           file: Dockerfile.rootless
-          tags: |-
-            gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless
-            ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless
+          tags: ${{ steps.meta_rootless.outputs.tags }}
+          annotations: ${{ steps.meta_rootless.outputs.annotations }}
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
+          cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless,mode=max

.github/workflows/release-tag-rc.yml

@@ -12,20 +12,23 @@ concurrency:
 jobs:
   binary:
     runs-on: namespace-profile-gitea-release-binary
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend deps-backend
       # xgo build
       - run: make release
@@ -33,7 +36,7 @@ jobs:
           TAGS: bindata sqlite sqlite_unlock_notify
       - name: import gpg key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -50,7 +53,7 @@ jobs:
           echo "Cleaned name is ${REF_NAME}"
           echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
       - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -59,7 +62,7 @@ jobs:
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
       - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
+        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
         with:
           gh-cli-version: 2.39.1
       - name: create github release
@@ -67,18 +70,20 @@ jobs:
           gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-  docker-rootful:
+
+  container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/metadata-action@v6
         id: meta
         with:
           images: |-
@@ -89,38 +94,10 @@ jobs:
           # 1.2.3-rc0
           tags: |
             type=semver,pattern={{version}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build rootful docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-  docker-rootless:
-    runs-on: namespace-profile-gitea-release-docker
-    permissions:
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
+      - uses: docker/metadata-action@v6
+        id: meta_rootless
         with:
           images: |-
             gitea/gitea
@@ -132,23 +109,33 @@ jobs:
           # 1.2.3-rc0
           tags: |
             type=semver,pattern={{version}}
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build rootless docker image
-        uses: docker/build-push-action@v5
+      - name: build regular container image
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/riscv64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+      - name: build rootless container image
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/riscv64
           push: true
           file: Dockerfile.rootless
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta_rootless.outputs.tags }}
+          annotations: ${{ steps.meta_rootless.outputs.annotations }}

.github/workflows/release-tag-version.yml

@@ -15,21 +15,23 @@ jobs:
   binary:
     runs-on: namespace-profile-gitea-release-binary
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: pnpm/action-setup@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
-          cache: npm
-          cache-dependency-path: package-lock.json
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
       - run: make deps-frontend deps-backend
       # xgo build
       - run: make release
@@ -37,7 +39,7 @@ jobs:
           TAGS: bindata sqlite sqlite_unlock_notify
       - name: import gpg key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -54,7 +56,7 @@ jobs:
           echo "Cleaned name is ${REF_NAME}"
           echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
       - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -63,7 +65,7 @@ jobs:
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
       - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
+        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
         with:
           gh-cli-version: 2.39.1
       - name: create github release
@@ -71,18 +73,20 @@ jobs:
           gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-  docker-rootful:
+
+  container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/metadata-action@v6
         id: meta
         with:
           images: |-
@@ -97,36 +101,10 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build rootful docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-  docker-rootless:
-    runs-on: namespace-profile-gitea-release-docker
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
+      - uses: docker/metadata-action@v6
+        id: meta_rootless
         with:
           images: |-
             gitea/gitea
@@ -143,23 +121,33 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
+          annotations: |
+            org.opencontainers.image.authors="maintainers@gitea.io"
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build rootless docker image
-        uses: docker/build-push-action@v5
+      - name: build regular container image
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/riscv64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+      - name: build rootless container image
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/riscv64
           push: true
           file: Dockerfile.rootless
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta_rootless.outputs.tags }}
+          annotations: ${{ steps.meta_rootless.outputs.annotations }}

.gitignore

@@ -22,6 +22,12 @@ _test
 .vscode
 __debug_bin*
 
+# Visual Studio
+/.vs/
+
+# mise version managment tool
+mise.toml
+
 *.cgo1.go
 *.cgo2.c
 _cgo_defun.c
@@ -39,20 +45,17 @@ _testmain.go
 coverage.all
 cpu.out
 
-/modules/migration/bindata.go
-/modules/migration/bindata.go.hash
-/modules/options/bindata.go
-/modules/options/bindata.go.hash
-/modules/public/bindata.go
-/modules/public/bindata.go.hash
-/modules/templates/bindata.go
-/modules/templates/bindata.go.hash
+/modules/migration/bindata.*
+/modules/options/bindata.*
+/modules/public/bindata.*
+/modules/templates/bindata.*
 
 *.db
 *.log
 *.log.*.gz
 
 /gitea
+/gitea-e2e
 /gitea-vet
 /debug
 /integrations.test
@@ -65,13 +68,9 @@ cpu.out
 /indexers
 /log
 /public/assets/img/avatar
+/tests/e2e-output
 /tests/integration/gitea-integration-*
 /tests/integration/indexers-*
-/tests/e2e/gitea-e2e-*
-/tests/e2e/indexers-*
-/tests/e2e/reports
-/tests/e2e/test-artifacts
-/tests/e2e/test-snapshots
 /tests/*.ini
 /tests/**/*.git/**/*.sample
 /node_modules
@@ -79,6 +78,8 @@ cpu.out
 /yarn.lock
 /yarn-error.log
 /npm-debug.log*
+/.pnpm-store
+/public/assets/.vite
 /public/assets/js
 /public/assets/css
 /public/assets/fonts
@@ -86,10 +87,7 @@ cpu.out
 /vendor
 /VERSION
 /.air
-/.go-licenses
 
-# Files and folders that were previously generated
-/public/assets/img/webpack
 
 # Snapcraft
 /gitea_a*.txt
@@ -110,3 +108,25 @@ prime/
 
 # Manpage
 /man
+
+# Ignore AI/LLM instruction files
+/.claude/
+/.cursorrules
+/.cursor/
+# /.configure.sh
+# /configure.sh
+/.frontend.hash
+# /.smart-build.sh
+# /smart-build.sh
+# /.update-gitea.sh
+# /update-gitea.sh
+/.goosehints
+/.windsurfrules
+/.github/copilot-instructions.md
+/llms.txt
+
+# Ignore worktrees when working on multiple branches
+.worktrees/
+
+# A Makefile for custom make targets
+Makefile.local

.gitpod.yml

@@ -1,51 +0,0 @@
-tasks:
-  - name: Setup
-    init: |
-      cp -r contrib/ide/vscode .vscode
-      make deps
-      make build
-    command: |
-      gp sync-done setup
-      exit 0
-  - name: Run backend
-    command: |
-      gp sync-await setup
-
-      # Get the URL and extract the domain
-      url=$(gp url 3000)
-      domain=$(echo $url | awk -F[/:] '{print $4}')
-
-      if [ -f custom/conf/app.ini ]; then
-        sed -i "s|^ROOT_URL =.*|ROOT_URL = ${url}/|" custom/conf/app.ini
-        sed -i "s|^DOMAIN =.*|DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^SSH_DOMAIN =.*|SSH_DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^NO_REPLY_ADDRESS =.*|SSH_DOMAIN = noreply.${domain}|" custom/conf/app.ini
-      else
-        mkdir -p custom/conf/
-        echo -e "[server]\nROOT_URL = ${url}/" > custom/conf/app.ini
-        echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
-      fi
-      export TAGS="sqlite sqlite_unlock_notify"
-      make watch-backend
-  - name: Run frontend
-    command: |
-      gp sync-await setup
-      make watch-frontend
-    openMode: split-right
-
-vscode:
-  extensions:
-    - editorconfig.editorconfig
-    - dbaeumer.vscode-eslint
-    - golang.go
-    - stylelint.vscode-stylelint
-    - DavidAnson.vscode-markdownlint
-    - Vue.volar
-    - ms-azuretools.vscode-docker
-    - vitest.explorer
-    - cweijan.vscode-database-client2
-    - GitHub.vscode-pull-request-github
-
-ports:
-  - name: Gitea
-    port: 3000

.golangci.yml

@@ -6,15 +6,19 @@ linters:
   default: none
   enable:
     - bidichk
+    - bodyclose
     - depguard
     - dupl
     - errcheck
     - forbidigo
+    - gocheckcompilerdirectives
     - gocritic
     - govet
     - ineffassign
     - mirror
+    - modernize
     - nakedret
+    - nilnil
     - nolintlint
     - perfsprint
     - revive
@@ -45,44 +49,46 @@ linters:
               desc: do not use the ini package, use gitea's config system instead
             - pkg: gitea.com/go-chi/cache
               desc: do not use the go-chi cache package, use gitea's cache system
+            - pkg: github.com/pkg/errors
+              desc: use builtin errors package instead
+    nolintlint:
+      allow-unused: false
+      require-explanation: true
+      require-specific: true
     gocritic:
+      enabled-checks:
+        - equalFold
       disabled-checks:
         - ifElseChain
         - singleCaseSwitch # Every time this occurred in the code, there was no other way.
+        - deprecatedComment # conflicts with go-swagger comments
     revive:
       severity: error
       rules:
-        - name: atomic
-        - name: bare-return
         - name: blank-imports
         - name: constant-logical-expr
         - name: context-as-argument
         - name: context-keys-type
         - name: dot-imports
-        - name: duplicated-imports
         - name: empty-lines
-        - name: error-naming
         - name: error-return
         - name: error-strings
-        - name: errorf
         - name: exported
         - name: identical-branches
         - name: if-return
         - name: increment-decrement
-        - name: indent-error-flow
         - name: modifies-value-receiver
         - name: package-comments
-        - name: range
-        - name: receiver-naming
         - name: redefines-builtin-id
-        - name: string-of-int
         - name: superfluous-else
         - name: time-naming
-        - name: unconditional-recursion
         - name: unexported-return
-        - name: unreachable-code
         - name: var-declaration
         - name: var-naming
+          arguments:
+            - [] # AllowList - do not remove as args for the rule are positional and won't work without lists first
+            - [] # DenyList
+            - - skip-package-name-checks: true # supress errors from underscore in migration packages
     staticcheck:
       checks:
         - all
@@ -97,6 +103,12 @@ linters:
         - require-error
     usetesting:
       os-temp-dir: true
+    perfsprint:
+      concat-loop: false
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
   exclusions:
     generated: lax
     presets:
@@ -108,16 +120,12 @@ linters:
       - linters:
           - dupl
           - errcheck
-          - gocyclo
-          - gosec
           - staticcheck
           - unparam
         path: _test\.go
       - linters:
           - dupl
           - errcheck
-          - gocyclo
-          - gosec
         path: models/migrations/v
       - linters:
           - forbidigo
@@ -129,12 +137,8 @@ linters:
           - gocritic
         text: (?i)`ID' should not be capitalized
       - linters:
-          - deadcode
           - unused
         text: (?i)swagger
-      - linters:
-          - staticcheck
-        text: (?i)argument x is overwritten before first use
       - linters:
           - gocritic
         text: '(?i)commentFormatting: put a space between `//` and comment text'
@@ -143,6 +147,7 @@ linters:
         text: '(?i)exitAfterDefer:'
     paths:
       - node_modules
+      - .venv
       - public
       - web_src
       - third_party$
@@ -162,6 +167,7 @@ formatters:
     generated: lax
     paths:
       - node_modules
+      - .venv
       - public
       - web_src
       - third_party$

.ignore

@@ -1,9 +1,6 @@
 *.min.css
 *.min.js
 /assets/*.json
-/modules/options/bindata.go
-/modules/public/bindata.go
-/modules/templates/bindata.go
 /options/gitignore
 /options/license
 /public/assets

.import-upstream-cherry-pick.sh

@@ -0,0 +1,894 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# This script safely imports selected upstream commits onto the current local
+# branch through cherry-pick.
+# It:
+# 1. checks that no conflicting git operation is already in progress;
+# 2. ensures the upstream remote exists and points to the official repository;
+# 3. lists upstream commits whose changes are not yet present on the current
+#    branch;
+# 4. creates a safety backup branch and an exact worktree snapshot;
+# 5. stashes tracked and untracked local changes before the import;
+# 6. cherry-picks the selected upstream commits with `-x` so the original
+#    upstream commit hash remains visible in the imported commit message;
+# 7. restores the stashed local changes only after the import completes.
+# If a conflict happens, the backup branch, the exact snapshot, and the saved
+# stash are all kept so the original state can be restored safely.
+
+BRANCH="${BRANCH:-main}"
+REMOTE_NAME="${REMOTE_NAME:-upstream}"
+REMOTE_URL="${REMOTE_URL:-https://github.com/go-gitea/gitea.git}"
+REPO_ROOT=""
+GIT_DIR=""
+STATE_FILE=""
+SNAPSHOT_ROOT=""
+CURRENT_BRANCH=""
+BACKUP_BRANCH=""
+STASH_REF=""
+STASH_HASH=""
+STATE_BRANCH=""
+STATE_BACKUP_BRANCH=""
+STATE_STASH_HASH=""
+STATE_REMOTE_NAME=""
+STATE_REMOTE_URL=""
+STATE_TARGET_BRANCH=""
+STATE_START_HEAD=""
+STATE_SNAPSHOT_PATH=""
+STATE_IMPORT_COMMITS=""
+STATE_STATUS=""
+STATE_UPDATED_AT=""
+
+say() {
+  printf '%s\n' "$*"
+}
+
+die() {
+  say "ERROR: $*" >&2
+  exit 1
+}
+
+show_usage() {
+  cat <<EOF
+Usage: $(basename "$0") [command]
+
+Available commands:
+  fetch
+          Fetch the latest upstream changes only.
+  list
+          Show upstream commits whose changes are not yet present on the current branch.
+  import <commit> [commit...]
+          Cherry-pick one or more selected upstream commits with \`-x\`.
+  import-range <from-commit> <to-commit>
+          Cherry-pick an inclusive upstream commit range in upstream order.
+  continue
+          Continue an interrupted cherry-pick and restore the saved local stash once the import finishes.
+  backup
+          Create a safety backup branch from the current HEAD only.
+  rollback [backup-branch|snapshot-dir]
+          Restore the saved pre-import state, or an explicit backup branch / snapshot.
+  restore-stash
+          Re-apply the saved pre-import local stash from the last recorded import state.
+  restore-snapshot [snapshot-dir]
+          Restore the exact saved repository snapshot from the last recorded real action, or from a specific snapshot directory.
+  status
+          Show the current repository, branch, remote, local-change state, and saved import metadata.
+  help
+          Show this help text.
+
+If no command is provided and the script is run from a terminal, an interactive
+menu is shown.
+
+Recommended order:
+  1. Run:  ./.import-upstream-cherry-pick.sh status
+  2. Run:  ./.import-upstream-cherry-pick.sh list
+  3. Choose the exact upstream commits you want to import.
+  4. Run:  ./.import-upstream-cherry-pick.sh import <commit...>
+     or:   ./.import-upstream-cherry-pick.sh import-range <from> <to>
+  5. If cherry-pick stops with conflicts:
+     - either resolve them and continue with: ./.import-upstream-cherry-pick.sh continue
+     - or return safely with: ./.import-upstream-cherry-pick.sh rollback
+  6. If restoring local changes after the import causes conflicts:
+     - either resolve them manually
+     - or return safely with: ./.import-upstream-cherry-pick.sh rollback
+  7. Use:  ./.import-upstream-cherry-pick.sh restore-snapshot
+     when you want to restore the exact saved repository state, including
+     untracked and ignored files that existed at snapshot time.
+EOF
+}
+
+ensure_git_repo() {
+  local raw_git_dir
+
+  REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" || die "This script must be run inside a git repository."
+  raw_git_dir="$(git rev-parse --git-dir)"
+  case "$raw_git_dir" in
+    /*) GIT_DIR="$raw_git_dir" ;;
+    *) GIT_DIR="$REPO_ROOT/$raw_git_dir" ;;
+  esac
+  STATE_FILE="$GIT_DIR/.import-upstream-cherry-pick-state"
+  SNAPSHOT_ROOT="$GIT_DIR/.import-upstream-cherry-pick-snapshots"
+}
+
+write_state() {
+  {
+    printf 'STATE_BRANCH=%q\n' "$STATE_BRANCH"
+    printf 'STATE_BACKUP_BRANCH=%q\n' "$STATE_BACKUP_BRANCH"
+    printf 'STATE_STASH_HASH=%q\n' "$STATE_STASH_HASH"
+    printf 'STATE_REMOTE_NAME=%q\n' "$STATE_REMOTE_NAME"
+    printf 'STATE_REMOTE_URL=%q\n' "$STATE_REMOTE_URL"
+    printf 'STATE_TARGET_BRANCH=%q\n' "$STATE_TARGET_BRANCH"
+    printf 'STATE_START_HEAD=%q\n' "$STATE_START_HEAD"
+    printf 'STATE_SNAPSHOT_PATH=%q\n' "$STATE_SNAPSHOT_PATH"
+    printf 'STATE_IMPORT_COMMITS=%q\n' "$STATE_IMPORT_COMMITS"
+    printf 'STATE_STATUS=%q\n' "$STATE_STATUS"
+    printf 'STATE_UPDATED_AT=%q\n' "$(date +%Y-%m-%dT%H:%M:%S)"
+  } >"$STATE_FILE"
+}
+
+load_state() {
+  ensure_git_repo
+  [ -f "$STATE_FILE" ] || return 1
+  # shellcheck disable=SC1090
+  . "$STATE_FILE"
+  return 0
+}
+
+worktree_has_local_changes() {
+  ! git diff --quiet || ! git diff --cached --quiet || [ -n "$(git ls-files --others --exclude-standard)" ]
+}
+
+has_cherry_pick_in_progress() {
+  [ -e "$(git rev-parse --git-path CHERRY_PICK_HEAD)" ]
+}
+
+sanitize_ref_name() {
+  printf '%s\n' "${1//\//-}"
+}
+
+ensure_rsync_available() {
+  command -v rsync >/dev/null 2>&1 || die "rsync is required for exact repository snapshots."
+}
+
+snapshot_repo_dir() {
+  printf '%s\n' "$1/repo"
+}
+
+is_valid_snapshot_dir() {
+  [ -d "$1" ] && [ -d "$(snapshot_repo_dir "$1")" ]
+}
+
+snapshot_metadata_value() {
+  local snapshot_dir="$1" key="$2"
+
+  [ -f "$snapshot_dir/metadata.txt" ] || return 1
+  sed -n "s/^${key}=//p" "$snapshot_dir/metadata.txt" | head -n 1
+}
+
+create_worktree_snapshot_for_reason() {
+  local reason="$1" safe_branch_name timestamp snapshot_dir snapshot_dir_repo
+
+  ensure_rsync_available
+  safe_branch_name="$(sanitize_ref_name "$CURRENT_BRANCH")"
+  timestamp="$(date +%Y%m%d-%H%M%S)"
+  snapshot_dir="$SNAPSHOT_ROOT/$safe_branch_name/${timestamp}-${reason}"
+  snapshot_dir_repo="$(snapshot_repo_dir "$snapshot_dir")"
+
+  mkdir -p "$snapshot_dir_repo"
+  rsync --archive --delete --exclude='.git' "$REPO_ROOT"/ "$snapshot_dir_repo"/
+
+  {
+    printf 'branch=%s\n' "$CURRENT_BRANCH"
+    printf 'head=%s\n' "$(git rev-parse HEAD)"
+    printf 'created_at=%s\n' "$(date +%Y-%m-%dT%H:%M:%S)"
+    printf 'reason=%s\n' "$reason"
+  } >"$snapshot_dir/metadata.txt"
+
+  printf '%s\n' "$snapshot_dir"
+}
+
+restore_worktree_snapshot() {
+  local snapshot_dir="$1" snapshot_dir_repo
+
+  ensure_rsync_available
+  is_valid_snapshot_dir "$snapshot_dir" || die "Snapshot directory '$snapshot_dir' is not valid."
+  snapshot_dir_repo="$(snapshot_repo_dir "$snapshot_dir")"
+
+  rsync --archive --delete --exclude='.git' "$snapshot_dir_repo"/ "$REPO_ROOT"/
+}
+
+find_latest_snapshot_for_current() {
+  local safe_branch_name snapshot_branch_dir
+  safe_branch_name="$(sanitize_ref_name "$CURRENT_BRANCH")"
+  snapshot_branch_dir="$SNAPSHOT_ROOT/$safe_branch_name"
+  [ -d "$snapshot_branch_dir" ] || return 1
+  find "$snapshot_branch_dir" -mindepth 1 -maxdepth 1 -type d | sort -r | head -n 1
+}
+
+ensure_no_noncherrypick_git_operation_in_progress() {
+  local git_path
+  for git_path in MERGE_HEAD REVERT_HEAD BISECT_LOG rebase-merge rebase-apply; do
+    if [ -e "$(git rev-parse --git-path "$git_path")" ]; then
+      die "A git operation is already in progress ($git_path). Finish it before running this script."
+    fi
+  done
+}
+
+ensure_no_git_operation_in_progress() {
+  local git_path
+  for git_path in CHERRY_PICK_HEAD MERGE_HEAD REVERT_HEAD BISECT_LOG rebase-merge rebase-apply; do
+    if [ -e "$(git rev-parse --git-path "$git_path")" ]; then
+      die "A git operation is already in progress ($git_path). Finish it before running this script."
+    fi
+  done
+
+  if [ -n "$(git diff --name-only --diff-filter=U)" ]; then
+    die "There are unmerged files in the working tree. Resolve them first."
+  fi
+}
+
+ensure_current_branch() {
+  CURRENT_BRANCH="$(git symbolic-ref --quiet --short HEAD || true)"
+  [ -n "$CURRENT_BRANCH" ] || die "Detached HEAD is not supported. Check out a branch first."
+}
+
+ensure_current_branch_with_state_fallback() {
+  CURRENT_BRANCH="$(git symbolic-ref --quiet --short HEAD || true)"
+  if [ -n "$CURRENT_BRANCH" ]; then
+    return
+  fi
+
+  if load_state && [ -n "${STATE_BRANCH:-}" ]; then
+    CURRENT_BRANCH="$STATE_BRANCH"
+    return
+  fi
+
+  die "Detached HEAD is not supported here and no saved branch state was found."
+}
+
+ensure_upstream_remote() {
+  local current_remote_url
+
+  if current_remote_url="$(git remote get-url "$REMOTE_NAME" 2>/dev/null)"; then
+    if [ "$current_remote_url" != "$REMOTE_URL" ]; then
+      die "Remote '$REMOTE_NAME' points to '$current_remote_url', expected '$REMOTE_URL'."
+    fi
+    return
+  fi
+
+  say "Adding remote '$REMOTE_NAME'..."
+  git remote add "$REMOTE_NAME" "$REMOTE_URL"
+}
+
+create_backup_branch_for_reason() {
+  local reason="$1" safe_branch_name timestamp branch_name
+
+  safe_branch_name="$(sanitize_ref_name "$CURRENT_BRANCH")"
+  timestamp="$(date +%Y%m%d-%H%M%S)"
+  branch_name="backup/cherry-pick-${safe_branch_name}-${reason}-${timestamp}"
+
+  git branch "$branch_name" HEAD >/dev/null
+  printf '%s\n' "$branch_name"
+}
+
+find_latest_backup_branch_for_current() {
+  local safe_branch_name
+
+  safe_branch_name="$(sanitize_ref_name "$CURRENT_BRANCH")"
+  git for-each-ref --sort=-creatordate --format='%(refname:short)' "refs/heads/backup/cherry-pick-${safe_branch_name}-*" | head -n 1
+}
+
+prepare_safety_before_real_action() {
+  local backup_reason="$1"
+
+  STATE_START_HEAD="$(git rev-parse HEAD)"
+  BACKUP_BRANCH="$(create_backup_branch_for_reason "$backup_reason")"
+  STATE_SNAPSHOT_PATH="$(create_worktree_snapshot_for_reason "$backup_reason")"
+  say "Safety backup branch created: $BACKUP_BRANCH"
+  say "Exact worktree snapshot created: $STATE_SNAPSHOT_PATH"
+}
+
+stash_current_changes() {
+  local stash_prefix="$1" timestamp stash_name
+
+  STASH_REF=""
+  STASH_HASH=""
+  if ! worktree_has_local_changes; then
+    say "No local tracked/untracked changes to stash."
+    return
+  fi
+
+  timestamp="$(date +%Y%m%d-%H%M%S)"
+  stash_name="${stash_prefix}-$(sanitize_ref_name "$CURRENT_BRANCH")-${timestamp}"
+
+  say "Stashing local tracked and untracked changes..."
+  git stash push --include-untracked --message "$stash_name" >/dev/null
+  STASH_REF="$(git stash list -1 --format='%gd')"
+  [ -n "$STASH_REF" ] || die "Failed to locate the created stash entry."
+  STASH_HASH="$(git rev-parse "$STASH_REF")"
+  [ -n "$STASH_HASH" ] || die "Failed to resolve the created stash hash."
+  say "Local changes saved in $STASH_REF"
+}
+
+fetch_upstream() {
+  say "Fetching latest changes from $REMOTE_NAME/$BRANCH..."
+  git fetch --prune "$REMOTE_NAME" "+refs/heads/$BRANCH:refs/remotes/$REMOTE_NAME/$BRANCH"
+  git show-ref --verify --quiet "refs/remotes/$REMOTE_NAME/$BRANCH" || die "Remote branch '$REMOTE_NAME/$BRANCH' was not found."
+}
+
+update_state() {
+  STATE_BRANCH="$CURRENT_BRANCH"
+  STATE_BACKUP_BRANCH="$BACKUP_BRANCH"
+  STATE_STASH_HASH="$STASH_HASH"
+  STATE_REMOTE_NAME="$REMOTE_NAME"
+  STATE_REMOTE_URL="$REMOTE_URL"
+  STATE_TARGET_BRANCH="$BRANCH"
+  write_state
+}
+
+find_stash_ref_by_hash() {
+  local target_hash="$1" hash ref
+
+  while read -r hash ref; do
+    if [ "$hash" = "$target_hash" ]; then
+      printf '%s\n' "$ref"
+      return 0
+    fi
+  done < <(git stash list --format='%H %gd')
+  return 1
+}
+
+drop_stash_by_hash_if_present() {
+  local target_hash="$1" stash_ref
+
+  [ -n "$target_hash" ] || return 0
+  if stash_ref="$(find_stash_ref_by_hash "$target_hash")"; then
+    git stash drop "$stash_ref" >/dev/null
+  fi
+}
+
+restore_stash() {
+  local keep_saved_copy="${1:-0}" restore_target
+
+  if [ -z "$STASH_HASH" ] && [ -z "$STASH_REF" ]; then
+    return
+  fi
+
+  restore_target="${STASH_HASH:-$STASH_REF}"
+  say "Restoring stashed local changes from $restore_target..."
+  if git stash apply --index "$restore_target"; then
+    STASH_REF=""
+    if [ "$keep_saved_copy" -eq 0 ]; then
+      drop_stash_by_hash_if_present "$STASH_HASH"
+      STASH_HASH=""
+      STATE_STASH_HASH=""
+    else
+      STATE_STASH_HASH="${STASH_HASH:-$restore_target}"
+    fi
+    STATE_STATUS="completed"
+    update_state
+    if [ "$keep_saved_copy" -eq 0 ]; then
+      say "Local changes restored successfully."
+    else
+      say "Local changes restored successfully. The original stash was kept for rollback safety."
+    fi
+    return
+  fi
+
+  STATE_STATUS="restore_conflict"
+  update_state
+  say "Conflicts occurred while restoring local changes."
+  say "Backup branch kept at: $BACKUP_BRANCH"
+  say "Stash kept at: $restore_target"
+  say "Resolve the conflicts manually, or return safely with: ./.import-upstream-cherry-pick.sh rollback"
+  exit 1
+}
+
+ordered_available_upstream_commits() {
+  local available_commit_shas="" commit
+
+  available_commit_shas="$(git cherry -v HEAD "$REMOTE_NAME/$BRANCH" | awk '$1=="+"{print $2}')"
+  [ -n "$available_commit_shas" ] || return 0
+
+  while IFS= read -r commit; do
+    [ -n "$commit" ] || continue
+    if printf '%s\n' "$available_commit_shas" | grep -Fxq "$commit"; then
+      printf '%s\n' "$commit"
+    fi
+  done < <(git rev-list --reverse HEAD.."$REMOTE_NAME/$BRANCH")
+}
+
+commit_is_available_for_import() {
+  local commit="$1"
+
+  ordered_available_upstream_commits | grep -Fxq "$commit"
+}
+
+resolve_import_commit() {
+  local commit="$1"
+
+  git rev-parse --verify "${commit}^{commit}" 2>/dev/null || die "Commit '$commit' could not be resolved."
+}
+
+validate_importable_commit() {
+  local commit="$1"
+
+  git merge-base --is-ancestor "$commit" "$REMOTE_NAME/$BRANCH" || die "Commit '$commit' is not reachable from $REMOTE_NAME/$BRANCH."
+  commit_is_available_for_import "$commit" || die "Commit '$commit' is not currently available for import into '$CURRENT_BRANCH'."
+}
+
+show_available_commits() {
+  local found_any=0 commit
+
+  while IFS= read -r commit; do
+    [ -n "$commit" ] || continue
+    found_any=1
+    git show --no-patch --date=short --format='  - %h | %ad | %s' "$commit"
+  done < <(ordered_available_upstream_commits)
+
+  if [ "$found_any" -eq 0 ]; then
+    say "No upstream commits are currently available for cherry-pick import."
+  fi
+}
+
+run_status() {
+  local stash_count latest_backup latest_snapshot
+
+  ensure_git_repo
+  ensure_current_branch_with_state_fallback
+  ensure_upstream_remote
+
+  stash_count="$(git stash list | wc -l | tr -d ' ')"
+  latest_backup="$(find_latest_backup_branch_for_current || true)"
+  latest_snapshot="$(find_latest_snapshot_for_current || true)"
+
+  say "Repository: $(git rev-parse --show-toplevel)"
+  say "Current branch: $CURRENT_BRANCH"
+  say "Upstream remote: $REMOTE_NAME -> $REMOTE_URL"
+  say "Working tree:"
+  if ! worktree_has_local_changes; then
+    say "  clean"
+  else
+    git status --short
+  fi
+  say "Stash entries: $stash_count"
+  say "Latest backup for current branch: ${latest_backup:-none}"
+  say "Latest snapshot for current branch: ${latest_snapshot:-none}"
+  if load_state; then
+    say "Saved import state: $STATE_STATUS"
+    say "Saved backup branch: ${STATE_BACKUP_BRANCH:-none}"
+    say "Saved starting commit: ${STATE_START_HEAD:-none}"
+    say "Saved exact snapshot: ${STATE_SNAPSHOT_PATH:-none}"
+    say "Saved original stash: ${STATE_STASH_HASH:-none}"
+    say "Saved import commits: ${STATE_IMPORT_COMMITS:-none}"
+  else
+    say "Saved import state: none"
+  fi
+}
+
+run_fetch_only() {
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch
+  ensure_upstream_remote
+  fetch_upstream
+  say "Latest changes fetched from $REMOTE_NAME/$BRANCH."
+}
+
+run_list() {
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch
+  ensure_upstream_remote
+  fetch_upstream
+  show_available_commits
+}
+
+run_backup_only() {
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch
+  ensure_upstream_remote
+  BACKUP_BRANCH="$(create_backup_branch_for_reason "manual-backup")"
+  say "Safety backup branch created: $BACKUP_BRANCH"
+}
+
+run_import_commits() {
+  local requested_commits=("$@") commit resolved_commit
+  local -a selected_commits=()
+
+  [ "${#requested_commits[@]}" -gt 0 ] || die "Provide at least one upstream commit to import."
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch
+  ensure_upstream_remote
+  fetch_upstream
+
+  for commit in "${requested_commits[@]}"; do
+    resolved_commit="$(resolve_import_commit "$commit")"
+    validate_importable_commit "$resolved_commit"
+    selected_commits+=("$resolved_commit")
+  done
+
+  STATE_IMPORT_COMMITS="${selected_commits[*]}"
+  prepare_safety_before_real_action "before-cherry-pick-import"
+  stash_current_changes "pre-cherry-pick-import"
+  STATE_STATUS="prepared"
+  update_state
+
+  for commit in "${selected_commits[@]}"; do
+    say "Cherry-picking upstream commit: $(git show --no-patch --format='%h %s' "$commit")"
+    if ! git cherry-pick -x "$commit"; then
+      STATE_STATUS="cherry_pick_conflict"
+      update_state
+      say "Cherry-pick stopped because of conflicts."
+      say "Conflicting upstream commit: $(git show --no-patch --format='%h %s' CHERRY_PICK_HEAD)"
+      say "Resolve conflicts and continue with: ./.import-upstream-cherry-pick.sh continue"
+      say "Or return safely with: ./.import-upstream-cherry-pick.sh rollback"
+      exit 1
+    fi
+  done
+
+  restore_stash 1
+  say "Imported ${#selected_commits[@]} upstream commit(s) by cherry-pick."
+  say "Safety backup branch available at: $BACKUP_BRANCH"
+  say "Safety snapshot available at: $STATE_SNAPSHOT_PATH"
+  if [ -n "$STATE_STASH_HASH" ]; then
+    say "Original pre-import stash retained for rollback at: $STATE_STASH_HASH"
+  fi
+}
+
+run_import_range() {
+  local from_commit="${1:-}" to_commit="${2:-}" from_resolved to_resolved commit
+  local -a selected_commits=()
+
+  [ -n "$from_commit" ] || die "Provide the start commit for import-range."
+  [ -n "$to_commit" ] || die "Provide the end commit for import-range."
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch
+  ensure_upstream_remote
+  fetch_upstream
+
+  from_resolved="$(resolve_import_commit "$from_commit")"
+  to_resolved="$(resolve_import_commit "$to_commit")"
+  git merge-base --is-ancestor "$from_resolved" "$REMOTE_NAME/$BRANCH" || die "Start commit '$from_commit' is not reachable from $REMOTE_NAME/$BRANCH."
+  git merge-base --is-ancestor "$to_resolved" "$REMOTE_NAME/$BRANCH" || die "End commit '$to_commit' is not reachable from $REMOTE_NAME/$BRANCH."
+  git merge-base --is-ancestor "$from_resolved" "$to_resolved" || die "Start commit '$from_commit' must be an ancestor of end commit '$to_commit' on $REMOTE_NAME/$BRANCH."
+
+  while IFS= read -r commit; do
+    [ -n "$commit" ] || continue
+    if commit_is_available_for_import "$commit"; then
+      selected_commits+=("$commit")
+    fi
+  done < <(git rev-list --reverse "${from_resolved}^..${to_resolved}")
+
+  [ "${#selected_commits[@]}" -gt 0 ] || die "No importable commits were found in the requested range."
+  run_import_commits "${selected_commits[@]}"
+}
+
+run_continue() {
+  ensure_git_repo
+  ensure_current_branch_with_state_fallback
+  ensure_upstream_remote
+  load_state || die "No saved cherry-pick state was found."
+  [ "$CURRENT_BRANCH" = "${STATE_BRANCH:-$CURRENT_BRANCH}" ] || die "Saved cherry-pick state belongs to branch '$STATE_BRANCH'. Check out that branch first."
+  has_cherry_pick_in_progress || die "There is no in-progress cherry-pick to continue."
+
+  say "Continuing cherry-pick..."
+  GIT_EDITOR=: git cherry-pick --continue
+
+  if has_cherry_pick_in_progress; then
+    STATE_STATUS="cherry_pick_conflict"
+    update_state
+    say "Cherry-pick hit another conflict."
+    say "Current conflicting upstream commit: $(git show --no-patch --format='%h %s' CHERRY_PICK_HEAD)"
+    say "Resolve conflicts and run: ./.import-upstream-cherry-pick.sh continue"
+    say "Or return safely with: ./.import-upstream-cherry-pick.sh rollback"
+    exit 1
+  fi
+
+  STASH_HASH="${STATE_STASH_HASH:-}"
+  STASH_REF=""
+  BACKUP_BRANCH="${STATE_BACKUP_BRANCH:-}"
+  restore_stash 1
+  say "Cherry-pick import completed."
+}
+
+run_restore_saved_stash() {
+  ensure_git_repo
+  ensure_no_git_operation_in_progress
+  ensure_current_branch_with_state_fallback
+  load_state || die "No saved import state was found."
+  [ "$CURRENT_BRANCH" = "${STATE_BRANCH:-$CURRENT_BRANCH}" ] || die "Saved import state belongs to branch '$STATE_BRANCH'. Check out that branch first."
+  [ -n "${STATE_STASH_HASH:-}" ] || die "There is no saved pre-import stash to restore."
+  if worktree_has_local_changes; then
+    die "The working tree is not clean. Commit, stash, or discard current changes before restoring the saved stash."
+  fi
+
+  prepare_safety_before_real_action "before-restore-stash"
+  STASH_HASH="$STATE_STASH_HASH"
+  STASH_REF=""
+  restore_stash 1
+  say "Saved pre-import local changes restored."
+}
+
+run_rollback() {
+  local explicit_target="${1:-}" reset_target="" reset_snapshot=""
+  local original_restore_stash_hash="" original_restore_start_head=""
+  local rollback_safety_snapshot="" rollback_safety_backup="" rollback_safety_start_head=""
+  local preserve_stash_hash=""
+
+  ensure_git_repo
+  ensure_no_noncherrypick_git_operation_in_progress
+  load_state || true
+  ensure_current_branch_with_state_fallback
+  ensure_upstream_remote
+
+  if [ -n "$explicit_target" ] && is_valid_snapshot_dir "$explicit_target"; then
+    reset_snapshot="$explicit_target"
+  elif [ -n "$explicit_target" ]; then
+    git show-ref --verify --quiet "refs/heads/$explicit_target" || die "Backup branch '$explicit_target' does not exist."
+    reset_target="$explicit_target"
+  else
+    if [ -n "${STATE_BRANCH:-}" ] && [ "$CURRENT_BRANCH" != "$STATE_BRANCH" ]; then
+      die "Saved import state belongs to branch '$STATE_BRANCH'. Check out that branch or pass an explicit backup branch or snapshot."
+    fi
+    if [ -n "${STATE_SNAPSHOT_PATH:-}" ] && is_valid_snapshot_dir "$STATE_SNAPSHOT_PATH"; then
+      reset_snapshot="$STATE_SNAPSHOT_PATH"
+    fi
+    if [ -n "${STATE_START_HEAD:-}" ]; then
+      reset_target="$STATE_START_HEAD"
+    elif [ -n "${STATE_BACKUP_BRANCH:-}" ]; then
+      reset_target="$STATE_BACKUP_BRANCH"
+    else
+      reset_target="$(find_latest_backup_branch_for_current || true)"
+    fi
+  fi
+
+  if [ -z "$reset_target" ] && [ -n "$reset_snapshot" ]; then
+    reset_target="$(snapshot_metadata_value "$reset_snapshot" head || true)"
+  fi
+
+  [ -n "$reset_target" ] || [ -n "$reset_snapshot" ] || die "No saved rollback target was found."
+
+  original_restore_stash_hash="${STATE_STASH_HASH:-}"
+  original_restore_start_head="${STATE_START_HEAD:-}"
+  if [ -z "$original_restore_start_head" ] && [ -n "$reset_snapshot" ]; then
+    original_restore_start_head="$(snapshot_metadata_value "$reset_snapshot" head || true)"
+  fi
+
+  if has_cherry_pick_in_progress; then
+    say "Aborting in-progress cherry-pick before rollback..."
+    git cherry-pick --abort || die "Failed to abort the in-progress cherry-pick."
+  fi
+
+  if [ -n "$(git diff --name-only --diff-filter=U)" ]; then
+    die "There are still unmerged files in the working tree. Resolve or discard them before rollback."
+  fi
+
+  prepare_safety_before_real_action "before-rollback"
+  rollback_safety_backup="$BACKUP_BRANCH"
+  rollback_safety_snapshot="$STATE_SNAPSHOT_PATH"
+  rollback_safety_start_head="$STATE_START_HEAD"
+
+  preserve_stash_hash=""
+  if worktree_has_local_changes; then
+    stash_current_changes "pre-rollback-preserve"
+    preserve_stash_hash="$STASH_HASH"
+  fi
+
+  if [ -n "$reset_target" ]; then
+    say "Resetting '$CURRENT_BRANCH' to '$reset_target'..."
+    git reset --hard "$reset_target" >/dev/null
+  fi
+
+  if [ -n "$original_restore_stash_hash" ]; then
+    STASH_HASH="$original_restore_stash_hash"
+    STASH_REF=""
+    BACKUP_BRANCH="$rollback_safety_backup"
+    say "Restoring original pre-import local changes..."
+    restore_stash 1
+  fi
+
+  if [ -n "$reset_snapshot" ]; then
+    say "Restoring exact worktree snapshot from: $reset_snapshot"
+    restore_worktree_snapshot "$reset_snapshot"
+  fi
+
+  STATE_BRANCH="$CURRENT_BRANCH"
+  STATE_BACKUP_BRANCH="$rollback_safety_backup"
+  STATE_STASH_HASH="$preserve_stash_hash"
+  STATE_REMOTE_NAME="$REMOTE_NAME"
+  STATE_REMOTE_URL="$REMOTE_URL"
+  STATE_TARGET_BRANCH="$BRANCH"
+  STATE_START_HEAD="$rollback_safety_start_head"
+  STATE_SNAPSHOT_PATH="$rollback_safety_snapshot"
+  STATE_IMPORT_COMMITS=""
+  STATE_STATUS="rollback_completed"
+  write_state
+
+  say "Rollback completed."
+  say "Restored starting commit: ${original_restore_start_head:-$reset_target}"
+  if [ -n "$reset_snapshot" ]; then
+    say "Restored snapshot: $reset_snapshot"
+  fi
+  say "Safety backup of the pre-rollback state kept at: $rollback_safety_backup"
+  say "Safety snapshot of the pre-rollback state kept at: $rollback_safety_snapshot"
+  if [ -n "$preserve_stash_hash" ]; then
+    say "Safety stash of the pre-rollback local changes kept at: $preserve_stash_hash"
+  fi
+}
+
+run_restore_snapshot() {
+  local target_snapshot="${1:-}" restore_safety_backup="" restore_safety_snapshot=""
+  local restore_safety_start_head="" restore_start_head="" preserve_stash_hash=""
+
+  ensure_git_repo
+  ensure_no_noncherrypick_git_operation_in_progress
+  load_state || die "No saved import state was found."
+  ensure_current_branch_with_state_fallback
+  ensure_upstream_remote
+
+  if [ -z "$target_snapshot" ]; then
+    target_snapshot="${STATE_SNAPSHOT_PATH:-}"
+  fi
+  is_valid_snapshot_dir "$target_snapshot" || die "No valid saved snapshot was found to restore."
+  restore_start_head="${STATE_START_HEAD:-}"
+  if [ -z "$restore_start_head" ]; then
+    restore_start_head="$(snapshot_metadata_value "$target_snapshot" head || true)"
+  fi
+  [ -n "$restore_start_head" ] || die "No saved starting commit was found for the snapshot restore."
+
+  if has_cherry_pick_in_progress; then
+    say "Aborting in-progress cherry-pick before snapshot restore..."
+    git cherry-pick --abort || die "Failed to abort the in-progress cherry-pick."
+  fi
+
+  if [ -n "$(git diff --name-only --diff-filter=U)" ]; then
+    die "There are still unmerged files in the working tree. Resolve or discard them before restoring the snapshot."
+  fi
+
+  prepare_safety_before_real_action "before-restore-snapshot"
+  restore_safety_backup="$BACKUP_BRANCH"
+  restore_safety_snapshot="$STATE_SNAPSHOT_PATH"
+  restore_safety_start_head="$STATE_START_HEAD"
+
+  if worktree_has_local_changes; then
+    stash_current_changes "pre-restore-snapshot-preserve"
+    preserve_stash_hash="$STASH_HASH"
+  fi
+
+  say "Resetting '$CURRENT_BRANCH' to '$restore_start_head' before snapshot restore..."
+  git reset --hard "$restore_start_head" >/dev/null
+
+  if [ -n "${STATE_STASH_HASH:-}" ]; then
+    STASH_HASH="$STATE_STASH_HASH"
+    STASH_REF=""
+    BACKUP_BRANCH="$restore_safety_backup"
+    say "Restoring saved pre-import local changes..."
+    restore_stash 1
+  fi
+
+  say "Restoring exact worktree snapshot from: $target_snapshot"
+  restore_worktree_snapshot "$target_snapshot"
+
+  STATE_BRANCH="$CURRENT_BRANCH"
+  STATE_BACKUP_BRANCH="$restore_safety_backup"
+  STATE_STASH_HASH="$preserve_stash_hash"
+  STATE_REMOTE_NAME="$REMOTE_NAME"
+  STATE_REMOTE_URL="$REMOTE_URL"
+  STATE_TARGET_BRANCH="$BRANCH"
+  STATE_START_HEAD="$restore_safety_start_head"
+  STATE_SNAPSHOT_PATH="$restore_safety_snapshot"
+  STATE_IMPORT_COMMITS=""
+  STATE_STATUS="snapshot_restored"
+  write_state
+
+  say "Snapshot restore completed."
+  say "Safety backup of the pre-restore state kept at: $restore_safety_backup"
+  say "Safety snapshot of the pre-restore state kept at: $restore_safety_snapshot"
+  if [ -n "$preserve_stash_hash" ]; then
+    say "Safety stash of the pre-restore local changes kept at: $preserve_stash_hash"
+  fi
+}
+
+show_menu() {
+  local choice import_commits range_from range_to snapshot_target rollback_target
+
+  while true; do
+    cat <<EOF
+Available actions:
+  1) Fetch upstream only
+  2) List available upstream commits
+  3) Import selected commit(s)
+  4) Import an inclusive commit range
+  5) Continue in-progress cherry-pick
+  6) Rollback last import
+  7) Restore saved stash
+  8) Restore exact snapshot
+  9) Create backup branch only
+  10) Show repository status
+  11) Help
+  0) Exit
+EOF
+    printf 'Choose an action: '
+    read -r choice
+
+    case "$choice" in
+      1) run_fetch_only ;;
+      2) run_list ;;
+      3)
+        printf 'Enter upstream commit hash(es), separated by spaces: '
+        read -r -a import_commits
+        run_import_commits "${import_commits[@]}"
+        return
+        ;;
+      4)
+        printf 'Enter the start commit hash: '
+        read -r range_from
+        printf 'Enter the end commit hash: '
+        read -r range_to
+        run_import_range "$range_from" "$range_to"
+        return
+        ;;
+      5)
+        run_continue
+        return
+        ;;
+      6)
+        printf 'Optional backup branch or snapshot path (leave empty for saved state): '
+        read -r rollback_target
+        run_rollback "$rollback_target"
+        return
+        ;;
+      7)
+        run_restore_saved_stash
+        return
+        ;;
+      8)
+        printf 'Optional snapshot path (leave empty for saved state): '
+        read -r snapshot_target
+        run_restore_snapshot "$snapshot_target"
+        return
+        ;;
+      9) run_backup_only ;;
+      10) run_status ;;
+      11) show_usage ;;
+      0) exit 0 ;;
+      *) say "Invalid menu selection: $choice" ;;
+    esac
+  done
+}
+
+main() {
+  case "${1:-menu}" in
+    fetch) run_fetch_only ;;
+    list) run_list ;;
+    import)
+      shift
+      run_import_commits "$@"
+      ;;
+    import-range) run_import_range "${2:-}" "${3:-}" ;;
+    continue) run_continue ;;
+    backup) run_backup_only ;;
+    rollback) run_rollback "${2:-}" ;;
+    restore-stash) run_restore_saved_stash ;;
+    restore-snapshot) run_restore_snapshot "${2:-}" ;;
+    status) run_status ;;
+    help|-h|--help) show_usage ;;
+    menu)
+      if [ -t 0 ] && [ -t 1 ]; then
+        show_menu
+      else
+        show_usage
+      fi
+      ;;
+    *)
+      die "Unknown command: $1. Run with 'help' to see available options."
+      ;;
+  esac
+}
+
+main "$@"

.npmrc

@@ -1,6 +1,7 @@
 audit=false
 fund=false
 update-notifier=false
-package-lock=true
 save-exact=true
-lockfile-version=3
+auto-install-peers=true
+dedupe-peer-dependents=false
+enable-pre-post-scripts=true

.smart-build.sh

@@ -0,0 +1,435 @@
+#!/bin/bash
+
+# Folosește instalarea Go standard dacă există, chiar dacă nu este în PATH.
+if [ -x "/usr/local/go/bin/go" ]; then
+    export PATH="/usr/local/go/bin:$PATH"
+fi
+
+# Încarcă NVM dacă este disponibil
+export NVM_DIR="$HOME/.nvm"
+[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+
+# Forțează folosirea versiunii 22
+nvm use 22 > /dev/null 2>&1 || echo "⚠️ NVM nu a putut activa Node 22 automatically."
+
+resolve_build_ref() {
+    git describe --tags --exact-match 2>/dev/null || git describe --tags --always
+}
+
+require_docker_for_darwin_sqlite() {
+    if ! command -v docker > /dev/null 2>&1; then
+        echo "❌ Docker is required for macOS SQLite cross-builds."
+        echo "   Install the Docker CLI in this environment, or use the non-SQLite macOS build option."
+        echo "   If you are running inside a code-server container, also mount the host Docker socket."
+        exit 1
+    fi
+
+    if ! docker info > /dev/null 2>&1; then
+        echo "❌ Docker is installed but the daemon is not reachable."
+        echo "   Start Docker, or expose the host Docker daemon to this container."
+        echo "   For a code-server container, mount /var/run/docker.sock from the host."
+        if [ -n "${DOCKER_HOST:-}" ]; then
+            echo "   Current DOCKER_HOST: ${DOCKER_HOST}"
+        else
+            echo "   Current DOCKER_HOST is unset."
+        fi
+        exit 1
+    fi
+}
+
+resolve_xgo_image() {
+    local xgo_version
+
+    xgo_version="$(awk '$1 == "XGO_VERSION" { print $3; exit }' Makefile 2>/dev/null)"
+    if [ -z "$xgo_version" ]; then
+        xgo_version="go-1.25.x"
+    fi
+
+    printf 'ghcr.io/techknowlogick/xgo:%s' "$xgo_version"
+}
+
+resolve_darwin_sqlite_repo_root() {
+    local override_path
+
+    override_path="${SMART_BUILD_DARWIN_HOST_REPO_PATH:-}"
+    if [ -z "$override_path" ]; then
+        pwd -P
+        return
+    fi
+
+    if [ ! -d "$override_path" ] || [ ! -f "$override_path/go.mod" ]; then
+        echo "❌ SMART_BUILD_DARWIN_HOST_REPO_PATH is set, but the path is not usable in this container:"
+        echo "   $override_path"
+        echo "   Mount the host repository path into the container at the same absolute path, then retry."
+        exit 1
+    fi
+
+    printf '%s' "$override_path"
+}
+
+validate_repo_bind_mount_for_darwin_sqlite() {
+    local repo_path="$1"
+    local xgo_image
+
+    xgo_image="$(resolve_xgo_image)"
+
+    if ! docker run --rm -v "$repo_path":/probe:ro --entrypoint sh "$xgo_image" -lc 'test -f /probe/go.mod'; then
+        echo "❌ Docker can reach the daemon, but the daemon cannot mount this repository path correctly:"
+        echo "   $repo_path"
+        echo "   The xgo container only sees an empty or different host path, so /source/go.mod is missing there."
+        echo "   If smart-build runs inside a code-server container with the host Docker socket,"
+        echo "   the repository must be mounted from a host bind path that exists at the same absolute path."
+        exit 1
+    fi
+}
+
+write_sha256_file() {
+    local artifact_path="$1"
+    local artifact_dir artifact_name
+
+    artifact_dir="$(dirname "$artifact_path")"
+    artifact_name="$(basename "$artifact_path")"
+
+    if command -v sha256sum > /dev/null 2>&1; then
+        (
+            cd "$artifact_dir" || exit 1
+            sha256sum "$artifact_name" > "$artifact_name.sha256"
+        )
+        return
+    fi
+
+    if command -v shasum > /dev/null 2>&1; then
+        (
+            cd "$artifact_dir" || exit 1
+            shasum -a 256 "$artifact_name" > "$artifact_name.sha256"
+        )
+        return
+    fi
+
+    echo "❌ Neither sha256sum nor shasum is available for checksum generation."
+    exit 1
+}
+
+# --- 1. VERIFICARE INTEGRITATE ȘI CURĂȚARE CACHE INIȚIALĂ ---
+echo "🔍 Initialization checks..."
+
+if ! command -v go > /dev/null 2>&1; then
+    echo "❌ Go nu este disponibil în PATH. Instalează Go 1.26.2 sau adaugă binarul go în PATH."
+    exit 1
+fi
+
+notify_human_interaction() {
+    local bell_oga="/usr/share/sounds/freedesktop/stereo/bell.oga"
+    local bell_wav="/usr/share/sounds/alsa/Front_Center.wav"
+    local in_vscode_terminal=0
+    local notification_sent=0
+
+    if [ "${TERM_PROGRAM:-}" = "vscode" ] || [ -n "${VSCODE_IPC_HOOK_CLI:-}" ] || [ -n "${VSCODE_GIT_IPC_HANDLE:-}" ]; then
+        in_vscode_terminal=1
+    fi
+
+    if command -v notify-send > /dev/null 2>&1; then
+        notify-send "Gitea smart-build" "Human input required in smart-build.sh" > /dev/null 2>&1 && notification_sent=1
+    fi
+
+    if command -v canberra-gtk-play > /dev/null 2>&1; then
+        canberra-gtk-play -i bell > /dev/null 2>&1 && return
+    fi
+
+    if [ -f "$bell_oga" ] && command -v paplay > /dev/null 2>&1; then
+        paplay "$bell_oga" > /dev/null 2>&1 && return
+    fi
+
+    if [ -f "$bell_wav" ] && command -v aplay > /dev/null 2>&1; then
+        aplay -q "$bell_wav" > /dev/null 2>&1 && return
+    fi
+
+    if [ -f "$bell_wav" ] && command -v play > /dev/null 2>&1; then
+        play -q "$bell_wav" > /dev/null 2>&1 && return
+    fi
+
+    if [ -t 1 ]; then
+        printf '\a'
+    fi
+
+    if [ "$notification_sent" -eq 0 ] && [ "$in_vscode_terminal" -eq 1 ]; then
+        printf '\033[1;33m%s\033[0m\n' ">>> Human input required below <<<"
+    fi
+}
+
+apply_moderate_build_limits() {
+    local go_procs="$1"
+    local node_memory="$2"
+
+    export GOMAXPROCS="$go_procs"
+    export MAKEFLAGS="-j1"
+
+    if [[ "$NODE_OPTIONS" != *"--max-old-space-size="* ]]; then
+        export NODE_OPTIONS="${NODE_OPTIONS:+$NODE_OPTIONS }--max-old-space-size=$node_memory"
+    fi
+}
+
+echo ""
+echo "⚙️ Select Build Load Profile:"
+echo "   Normal keeps the default build behavior."
+echo "   Moderate limits parallel jobs and keeps CPU/RAM usage lower."
+echo "   Low Resource is slower, but safest for weaker machines."
+notify_human_interaction
+load_options=("Normal" "Moderate (GOMAXPROCS=2, make -j1)" "Low Resource (GOMAXPROCS=1, make -j1)" "Quit")
+select opt in "${load_options[@]}"
+do
+    case $opt in
+        "Normal")
+            echo "✅ Selected: Normal build profile."
+            break
+            ;;
+        "Moderate (GOMAXPROCS=2, make -j1)")
+            apply_moderate_build_limits 2 2048
+            echo "✅ Selected: Moderate build profile."
+            echo "   GOMAXPROCS=$GOMAXPROCS MAKEFLAGS=\"$MAKEFLAGS\" NODE_OPTIONS=\"$NODE_OPTIONS\""
+            break
+            ;;
+        "Low Resource (GOMAXPROCS=1, make -j1)")
+            apply_moderate_build_limits 1 2048
+            echo "✅ Selected: Low Resource build profile."
+            echo "   GOMAXPROCS=$GOMAXPROCS MAKEFLAGS=\"$MAKEFLAGS\" NODE_OPTIONS=\"$NODE_OPTIONS\""
+            break
+            ;;
+        "Quit")
+            exit 0
+            ;;
+        *) echo "Opțiune invalidă $REPLY";;
+    esac
+done
+
+# Dacă compilarea anterioară a fost întreruptă, ștergem binarul parțial
+if [ -f "gitea" ] || [ -f "gitea.exe" ]; then
+    echo "🧹 Garbages found. Cleanning..."
+rm -f gitea gitea.exe
+fi
+
+# Verificăm dacă node_modules există. Dacă nu, forțăm pnpm install
+if [ ! -d "node_modules" ]; then
+    echo "⚠️ node_modules missing. Instaling..."
+    if ! pnpm install --frozen-lockfile; then
+        echo "❌ Fail to install frontend dependencies."
+        exit 1
+    fi
+fi
+
+# --- 2. LOGICĂ FRONTEND (CHECKSUM) ---
+CHECKSUM_FILE=".frontend.hash"
+CURRENT_HASH=$(find web_src package.json tailwind.config.js -type f -print0 2>/dev/null | xargs -0 sha1sum | sha1sum | awk '{print $1}')
+
+if [ -f "$CHECKSUM_FILE" ] && [ "$CURRENT_HASH" == "$(cat $CHECKSUM_FILE)" ]; then
+    echo "✅ Frontend is unchanged."
+else
+    echo "🚀 Code changes detected. Running frontend build..."
+    if ! make frontend; then
+        echo "❌ Fail to build frontend assets."
+        exit 1
+    fi
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+fi
+
+# --- 3. MENIU INTERACTIV PENTRU ARHITECTURĂ ---
+echo ""
+echo "🎯 Select Arch to build:"
+notify_human_interaction
+arch_options=("linux-amd64" "linux-armv7" "windows-amd64" "macos-amd64" "macos-arm64" "All Arch" "Quit")
+select opt in "${arch_options[@]}"
+do
+    case $opt in
+        "linux-amd64")
+            TARGETS=("linux/amd64")
+            break
+            ;;
+        "linux-armv7")
+            TARGETS=("linux/arm/7")
+            break
+            ;;
+        "windows-amd64")
+            TARGETS=("windows/amd64")
+            break
+            ;;
+        "macos-amd64")
+            TARGETS=("darwin/amd64")
+            break
+            ;;
+        "macos-arm64")
+            TARGETS=("darwin/arm64")
+            break
+            ;;
+        "All Arch")
+            TARGETS=("linux/amd64" "linux/arm/7" "windows/amd64" "darwin/amd64" "darwin/arm64")
+            break
+            ;;
+        "Quit")
+            exit 0
+            ;;
+        *) echo "Opțiune invalidă $REPLY";;
+    esac
+done
+
+echo ""
+echo "🏷️ Select Build Tags:"
+notify_human_interaction
+tag_options=("bindata" "bindata sqlite sqlite_unlock_notify" "Quit")
+select opt in "${tag_options[@]}"
+do
+    case $opt in
+        "bindata")
+            BUILD_TAGS="bindata"
+            break
+            ;;
+        "bindata sqlite sqlite_unlock_notify")
+            BUILD_TAGS="bindata sqlite sqlite_unlock_notify"
+            BUILD_VARIANT="sqlite"
+            break
+            ;;
+        "Quit")
+            exit 0
+            ;;
+        *) echo "Opțiune invalidă $REPLY";;
+    esac
+done
+
+if [ -z "$BUILD_VARIANT" ]; then
+    BUILD_VARIANT="default"
+fi
+
+BUILD_REF="$(resolve_build_ref)"
+BUILD_REF="${BUILD_REF//\//-}"
+echo "🏷️ Build tag/reference: $BUILD_REF"
+
+bindata_needs_update() {
+    local source_dir="$1"
+    local bindata_file="$2"
+
+    if [ ! -f "$bindata_file" ]; then
+        return 0
+    fi
+
+    find "$source_dir" -type f -newer "$bindata_file" -print -quit 2>/dev/null | grep -q .
+}
+
+ensure_bindata_asset() {
+    local label="$1"
+    local source_dir="$2"
+    local go_package="$3"
+    local bindata_file="$4"
+
+    if bindata_needs_update "$source_dir" "$bindata_file"; then
+        echo "♻️ Regenerating $label bindata..."
+        if ! CC= GOOS= GOARCH= CGO_ENABLED=0 go generate -tags bindata "$go_package"; then
+            echo "❌ Failed to regenerate $label bindata."
+            exit 1
+        fi
+    else
+        echo "✅ $label bindata is up to date."
+    fi
+}
+
+ensure_bindata_assets() {
+    if [[ " $BUILD_TAGS " != *" bindata "* ]]; then
+        return
+    fi
+
+    echo "🔎 Checking embedded bindata assets..."
+    ensure_bindata_asset "templates" "templates" "./modules/templates" "modules/templates/bindata.dat"
+    ensure_bindata_asset "options" "options" "./modules/options" "modules/options/bindata.dat"
+    ensure_bindata_asset "public" "public" "./modules/public" "modules/public/bindata.dat"
+    ensure_bindata_asset "migration schemas" "modules/migration/schemas" "./modules/migration" "modules/migration/bindata.dat"
+}
+
+ensure_bindata_assets
+
+build_darwin_sqlite_target() {
+    local arch="$1"
+    local output="$2"
+    local repo_root temp_dist built_file output_abs
+    local built_files=()
+
+    require_docker_for_darwin_sqlite
+    repo_root="$(resolve_darwin_sqlite_repo_root)"
+    validate_repo_bind_mount_for_darwin_sqlite "$repo_root"
+    output_abs="$(pwd -P)/$output"
+
+    temp_dist="$repo_root/dist/.smart-build-darwin-${arch}-$$"
+    rm -rf "$temp_dist"
+    if ! mkdir -p "$temp_dist"; then
+        echo "❌ Failed to create a temporary macOS release directory in dist/."
+        exit 1
+    fi
+
+    echo "📦 Building for darwin/$arch with TAGS=\"$BUILD_TAGS\" via release-darwin..."
+    if ! make -C "$repo_root" release-darwin TAGS="$BUILD_TAGS" DARWIN_ARCHS="darwin-10.12/$arch" DIST="$temp_dist"; then
+        rm -rf "$temp_dist"
+        echo "❌ Fail to build for darwin/$arch with SQLite"
+        exit 1
+    fi
+
+    mapfile -t built_files < <(find "$temp_dist/binaries" -maxdepth 1 -type f | sort)
+    if [ "${#built_files[@]}" -ne 1 ]; then
+        rm -rf "$temp_dist"
+        echo "❌ Unexpected macOS artifact count for darwin/$arch: ${#built_files[@]}"
+        exit 1
+    fi
+    built_file="${built_files[0]}"
+
+    mv "$built_file" "$output_abs"
+    rm -rf "$temp_dist"
+
+    write_sha256_file "$output_abs"
+    echo "✅ Created: $output_abs"
+    echo "✅ Created: $output_abs.sha256"
+}
+
+build_standard_target() {
+    local os="$1"
+    local arch="$2"
+    local arm_ver="$3"
+    local output="$4"
+    local ext="$5"
+
+    export GOOS=$os
+    export GOARCH=$arch
+    export GOARM=$arm_ver
+    export CGO_ENABLED=0
+    if [ "$BUILD_VARIANT" == "sqlite" ]; then
+        export CGO_ENABLED=1
+    fi
+
+    if make build TAGS="$BUILD_TAGS"; then
+        mv "gitea$ext" "$output"
+        write_sha256_file "$output"
+        echo "✅ Created: $output"
+        echo "✅ Created: $output.sha256"
+    else
+        echo "❌ Fail to build for $os/$arch${arm_ver:+/v$arm_ver}"
+        exit 1
+    fi
+}
+
+# --- 4. COMPILARE ---
+mkdir -p dist
+for TARGET in "${TARGETS[@]}"; do
+    IFS="/" read -r OS ARCH ARM_VER <<< "$TARGET"
+
+    EXT="" && [ "$OS" == "windows" ] && EXT=".exe"
+    PLATFORM="$ARCH" && [ ! -z "$ARM_VER" ] && PLATFORM="armv$ARM_VER"
+    VARIANT_SUFFIX="" && [ "$BUILD_VARIANT" == "sqlite" ] && VARIANT_SUFFIX="-sqlite"
+    OUTPUT="dist/gitea-$BUILD_REF-$OS-$PLATFORM$VARIANT_SUFFIX$EXT"
+
+    if [ "$OS" == "darwin" ] && [ "$BUILD_VARIANT" == "sqlite" ]; then
+        build_darwin_sqlite_target "$ARCH" "$OUTPUT"
+    else
+        echo "📦 Building for $OS/$ARCH ${ARM_VER:+(v$ARM_VER) }with TAGS=\"$BUILD_TAGS\"..."
+        build_standard_target "$OS" "$ARCH" "$ARM_VER" "$OUTPUT" "$EXT"
+    fi
+
+    unset GOOS GOARCH GOARM CGO_ENABLED
+done
+
+echo "✨ Buid finished. Get file(s) from /dist"
+go clean -cache # || true

.yamllint.yaml

@@ -21,9 +21,7 @@ rules:
   comments-indentation:
     level: error
 
-  document-start:
-    level: error
-    present: false
+  document-start: disable
 
   document-end:
     present: false

AGENTS.md

@@ -0,0 +1,36 @@
+## Core Repository Rules
+
+- Use `make help` to find available development targets
+- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
+- Run `make lint-js` to lint `.ts` files
+- Run `make tidy` after any `go.mod` changes
+- Add the current year into the copyright header of new `.go` files
+- Ensure no trailing whitespace in edited files
+- Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
+- Preserve existing code comments, do not remove or rewrite comments that are still relevant
+- In TypeScript, use `!` (non-null assertion) instead of `?.`/`??` when a value is known to always exist
+- Include authorship attribution in issue and pull request comments
+- Add `Co-Authored-By` lines to all commits, indicating name and model used
+
+## Execution Rules (Token Optimization)
+
+- DO NOT read full files unless they are explicitly targeted with `@filename`, referenced from instruction `*.md` files, or required to complete the user's task.
+- Assume the workspace structure described in `./.codex-context.md` and `./.codex-project-map.md` is the current baseline unless the user indicates otherwise.
+- DO NOT read `./.codex-history.md` end-to-end by default; search by keyword, subsystem, tag, or read only the latest relevant entries first.
+
+## Project Context
+
+- Read and follow `./.codex-context.md` as the persistent repository context before starting work and when validating final changes.
+- Use `./.codex-project-map.md` for the persistent structural and architectural map of the repository.
+
+## Routing Rules for Tasks (Multi-Model Delegation)
+
+Apply these routing preferences when the environment supports model selection. If the preferred model is unavailable, use the closest available model and note the fallback.
+
+Priority for mixed tasks:
+Architecture & Orchestration > Go & Database Coding > Frontend & Template Tasks > DevOps & Terminal Execution
+
+1. Architecture & Orchestration Tasks: Prefer `gpt-5.4` (Reasoning: High/Extra High). Use for complex requirement breakdown, solution design, and validation of large structural updates.
+2. Go & Database Coding Tasks: Prefer `gpt-5.3-codex` (Reasoning: Medium). This includes writing HTTP handlers, database queries, internal Go business logic, and server-side integration work.
+3. Frontend & Template Tasks: Prefer `gpt-5.3-codex` (Reasoning: Medium). This includes `templates/`, `web_src/`, CSS, and TypeScript changes.
+4. DevOps & Terminal Commands: Prefer `gpt-5.4-mini` (Reasoning: Low). Use for `pnpm`, `git`, `go mod`, `npm`, `make`, or `bash` execution flows and shell-oriented maintenance tasks.

CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

CODE_OF_CONDUCT.md

@@ -30,7 +30,7 @@ These are the values to which people in the Gitea community should aspire.
 - **Be constructive.**
   - Avoid derailing: stay on topic; if you want to talk about something else, start a new conversation.
   - Avoid unconstructive criticism: don't merely decry the current state of affairs; offer—or at least solicit—suggestions as to how things may be improved.
-  - Avoid snarking (pithy, unproductive, sniping comments)
+  - Avoid snarking (pithy, unproductive, sniping comments).
   - Avoid discussing potentially offensive or sensitive issues; this all too often leads to unnecessary conflict.
   - Avoid microaggressions (brief and commonplace verbal, behavioral and environmental indignities that communicate hostile, derogatory or negative slights and insults to a person or group).
 - **Be responsible.**
@@ -42,7 +42,7 @@ People are complicated. You should expect to be misunderstood and to misundersta
 
 ### Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
 
 ### Our Standards
 

CONTRIBUTING.md

@@ -4,6 +4,7 @@
 
 - [Contribution Guidelines](#contribution-guidelines)
   - [Introduction](#introduction)
+  - [AI Contribution Policy](#ai-contribution-policy)
   - [Issues](#issues)
     - [How to report issues](#how-to-report-issues)
     - [Types of issues](#types-of-issues)
@@ -67,6 +68,21 @@ Sensitive security-related issues should be reported to [security@gitea.io](mail
 
 For configuring IDEs for Gitea development, see the [contributed IDE configurations](contrib/ide/).
 
+## AI Contribution Policy
+
+Contributions made with the assistance of AI tools are welcome, but contributors must use them responsibly and disclose that use clearly.
+
+1. Review AI-generated code closely before marking a pull request ready for review.
+2. Manually test the changes and add appropriate automated tests where feasible.
+3. Only use AI to assist in contributions that you understand well enough to explain, defend, and revise yourself during review.
+4. Disclose AI-assisted content clearly.
+5. Do not use AI to reply to questions about your issue or pull request. The questions are for you, not an AI model.
+6. AI may be used to help draft issues and pull requests, but contributors remain responsible for the accuracy, completeness, and intent of what they submit.
+
+Maintainers reserve the right to close pull requests and issues that do not disclose AI assistance, that appear to be low-quality AI-generated content, or where the contributor cannot explain or defend the proposed changes themselves.
+
+We welcome new contributors, but cannot sustain the effort of supporting contributors who primarily defer to AI rather than engaging substantively with the review process.
+
 ## Issues
 
 ### How to report issues
@@ -80,7 +96,7 @@ The more detailed and specific you are, the faster we can fix the issue. \
 It is really helpful if you can reproduce your problem on a site running on the latest commits, i.e. <https://demo.gitea.com>, as perhaps your problem has already been fixed on a current version. \
 Please follow the guidelines described in [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html) for your report.
 
-Please be kind, remember that Gitea comes at no cost to you, and you're getting free help.
+Please be kind—remember that Gitea comes at no cost to you, and you're getting free help.
 
 ### Types of issues
 
@@ -166,24 +182,32 @@ Here's how to run the test suite:
 
 - code lint
 
-|                       |                                                                   |
-| :-------------------- | :---------------------------------------------------------------- |
+|                       |                                                                              |
+| :-------------------- | :--------------------------------------------------------------------------- |
 |``make lint``          | lint everything (not needed if you only change the front- **or** backend)    |
-|``make lint-frontend`` | lint frontend files  |
-|``make lint-backend``  | lint backend files   |
+|``make lint-frontend`` | lint frontend files                                                          |
+|``make lint-backend``  | lint backend files                                                           |
 
 - run tests (we suggest running them on Linux)
 
-|  Command                               | Action                                           |              |
-| :------------------------------------- | :----------------------------------------------- | ------------ |
-|``make test[\#SpecificTestName]``       |  run unit test(s)  | |
-|``make test-sqlite[\#SpecificTestName]``|  run [integration](tests/integration) test(s) for SQLite |[More details](tests/integration/README.md)  |
-|``make test-e2e-sqlite[\#SpecificTestName]``|  run [end-to-end](tests/e2e) test(s) for SQLite |[More details](tests/e2e/README.md)  |
+|  Command                                    | Action                                                   |                                             |
+| :------------------------------------------ | :------------------------------------------------------- | ------------------------------------------- |
+|``make test[\#SpecificTestName]``            |  run unit test(s)                                        |                                             |
+|``make test-sqlite[\#SpecificTestName]``     |  run [integration](tests/integration) test(s) for SQLite | [More details](tests/integration/README.md) |
+|``make test-e2e``                            |  run [end-to-end](tests/e2e) test(s) using Playwright    |                                             |
+
+- E2E test environment variables
+
+| Variable                          | Description                                                 |
+| :-------------------------------- | :---------------------------------------------------------- |
+| ``GITEA_TEST_E2E_DEBUG``          | When set, show Gitea server output                          |
+| ``GITEA_TEST_E2E_FLAGS``          | Additional flags passed to Playwright, for example ``--ui`` |
+| ``GITEA_TEST_E2E_TIMEOUT_FACTOR`` | Timeout multiplier (default: 3 on CI, 1 locally)            |
 
 ## Translation
 
 All translation work happens on [Crowdin](https://translate.gitea.com).
-The only translation that is maintained in this repository is [the English translation](https://github.com/go-gitea/gitea/blob/main/options/locale/locale_en-US.ini).
+The only translation that is maintained in this repository is [the English translation](https://github.com/go-gitea/gitea/blob/main/options/locale/locale_en-US.json).
 It is synced regularly with Crowdin. \
 Other locales on main branch **should not** be updated manually as they will be overwritten with each sync. \
 Once a language has reached a **satisfactory percentage** of translated keys (~25%), it will be synced back into this repo and included in the next released version.
@@ -591,7 +615,7 @@ be reviewed by two maintainers and must pass the automatic tests.
 ## Releasing Gitea
 
 - Let $vmaj, $vmin and $vpat be Major, Minor and Patch version numbers, $vpat should be rc1, rc2, 0, 1, ...... $vmaj.$vmin will be kept the same as milestones on github or gitea in future.
-- Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody against in about serval hours.
+- Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody is against it in about several hours.
 - If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
   - Create `-dev` tag as `git tag -s -F release.notes v$vmaj.$vmin.0-dev` and push the tag as `git push origin v$vmaj.$vmin.0-dev`.
   - When CI has finished building tag then you have to create a new branch named `release/v$vmaj.$vmin`

Dockerfile

@@ -1,8 +1,15 @@
-# Build stage
-FROM docker.io/library/golang:1.24-alpine3.21 AS build-env
+# syntax=docker/dockerfile:1
+# Build frontend on the native platform to avoid QEMU-related issues with nodejs ecosystem
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
+RUN apk --no-cache add build-base git nodejs pnpm
+WORKDIR /src
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
+COPY --exclude=.git/ . .
+RUN make frontend
 
-ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-direct}
+# Build backend for each target platform
+FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 
 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
@@ -12,37 +19,32 @@ ARG CGO_EXTRA_CFLAGS
 # Build deps
 RUN apk --no-cache add \
     build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+    git
 
-# Setup repo
-COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY go.mod go.sum ./
+RUN go mod download
+# Use COPY instead of bind mount as read-only one breaks makefile state tracking and read-write one needs binary to be moved as it's discarded.
+# ".git" directory is mounted separately later only for version data extraction.
+COPY --exclude=.git/ . .
+COPY --from=frontend-build /src/public/assets public/assets
 
-# Checkout version if set
-RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
- && make clean-all build
+# Build gitea, .git mount is required for version data
+RUN --mount=type=cache,target="/root/.cache/go-build" \
+    --mount=type=bind,source=".git/",target=".git/" \
+    make backend
 
-# Begin env-to-ini build
-RUN go build contrib/environment-to-ini/environment-to-ini.go
-
-# Copy local files
 COPY docker/root /tmp/local
 
-# Set permissions
+# Set permissions for builds that made under windows which strips the executable bit from file
 RUN chmod 755 /tmp/local/usr/bin/entrypoint \
-              /tmp/local/usr/local/bin/gitea \
+              /tmp/local/usr/local/bin/* \
               /tmp/local/etc/s6/gitea/* \
               /tmp/local/etc/s6/openssh/* \
               /tmp/local/etc/s6/.s6-svscan/* \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+              /go/src/code.gitea.io/gitea/gitea
 
-FROM docker.io/library/alpine:3.21
-LABEL maintainer="maintainers@gitea.io"
+FROM docker.io/library/alpine:3.23 AS gitea
 
 EXPOSE 22 3000
 
@@ -57,8 +59,7 @@ RUN apk --no-cache add \
     s6 \
     sqlite \
     su-exec \
-    gnupg \
-    && rm -rf /var/cache/apk/*
+    gnupg
 
 RUN addgroup \
     -S -g 1000 \
@@ -72,15 +73,14 @@ RUN addgroup \
     git && \
   echo "git:*" | chpasswd -e
 
+COPY --from=build-env /tmp/local /
+COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
+
 ENV USER=git
 ENV GITEA_CUSTOM=/data/gitea
 
 VOLUME ["/data"]
 
+# HINT: HEALTH-CHECK-ENDPOINT: don't use HEALTHCHECK, search this hint keyword for more information
 ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/usr/bin/s6-svscan", "/etc/s6"]
-
-COPY --from=build-env /tmp/local /
-COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh

Dockerfile.rootless

@@ -1,46 +1,45 @@
-# Build stage
-FROM docker.io/library/golang:1.24-alpine3.21 AS build-env
+# syntax=docker/dockerfile:1
+# Build frontend on the native platform to avoid QEMU-related issues with nodejs ecosystem
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
+RUN apk --no-cache add build-base git nodejs pnpm
+WORKDIR /src
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
+COPY --exclude=.git/ . .
+RUN make frontend
 
-ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-direct}
+# Build backend for each target platform
+FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 
 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS="bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
-#Build deps
+# Build deps
 RUN apk --no-cache add \
     build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+    git
 
-# Setup repo
-COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY go.mod go.sum ./
+RUN go mod download
+# See the comments in Dockerfile
+COPY --exclude=.git/ . .
+COPY --from=frontend-build /src/public/assets public/assets
 
-# Checkout version if set
-RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
- && make clean-all build
+# Build gitea, .git mount is required for version data
+RUN --mount=type=cache,target="/root/.cache/go-build" \
+    --mount=type=bind,source=".git/",target=".git/" \
+    make backend
 
-# Begin env-to-ini build
-RUN go build contrib/environment-to-ini/environment-to-ini.go
-
-# Copy local files
 COPY docker/rootless /tmp/local
 
-# Set permissions
-RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
-              /tmp/local/usr/local/bin/docker-setup.sh \
-              /tmp/local/usr/local/bin/gitea \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+# Set permissions for builds that made under windows which strips the executable bit from file
+RUN chmod 755 /tmp/local/usr/local/bin/* \
+              /go/src/code.gitea.io/gitea/gitea
 
-FROM docker.io/library/alpine:3.21
-LABEL maintainer="maintainers@gitea.io"
+FROM docker.io/library/alpine:3.23 AS gitea-rootless
 
 EXPOSE 2222 3000
 
@@ -52,7 +51,7 @@ RUN apk --no-cache add \
     git \
     curl \
     gnupg \
-    && rm -rf /var/cache/apk/*
+    openssh-keygen
 
 RUN addgroup \
     -S -g 1000 \
@@ -70,8 +69,6 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 
 COPY --from=build-env /tmp/local /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 
 # git:git
 USER 1000:1000
@@ -86,5 +83,6 @@ ENV HOME="/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
 WORKDIR /var/lib/gitea
 
+# HINT: HEALTH-CHECK-ENDPOINT: don't use HEALTHCHECK, search this hint keyword for more information
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []

MAINTAINERS

@@ -36,9 +36,7 @@ a1012112796 <1012112796@qq.com> (@a1012112796)
 Karl Heinz Marbaise <kama@soebes.de> (@khmarbaise)
 Norwin Roosen <git@nroo.de> (@noerw)
 Kyle Dumont <kdumontnu@gmail.com> (@kdumontnu)
-Patrick Schratz <patrick.schratz@gmail.com> (@pat-s)
 Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
-Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
 Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
 Leon Hofmeister <dev.lh@web.de> (@delvh)
 Wim <wim@42.be> (@42wim)
@@ -64,3 +62,6 @@ Rowan Bohde <rowan.bohde@gmail.com> (@bohde)
 hiifong <i@hiif.ong> (@hiifong)
 metiftikci <metiftikci@hotmail.com> (@metiftikci)
 Christopher Homberger <christopher.homberger@web.de> (@ChristopherHX)
+Tobias Balle-Petersen <tobiasbp@gmail.com> (@tobiasbp)
+TheFox <thefox0x7@gmail.com> (@TheFox0x7)
+Nicolas <bircni@icloud.com> (@bircni)

Makefile

@@ -1,42 +1,27 @@
-ifeq ($(USE_REPO_TEST_DIR),1)
-
-# This rule replaces the whole Makefile when we're trying to use /tmp repository temporary files
-location = $(CURDIR)/$(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST))
-self := $(location)
-
-%:
-	@tmpdir=`mktemp --tmpdir -d` ; \
-	echo Using temporary directory $$tmpdir for test repositories ; \
-	USE_REPO_TEST_DIR= $(MAKE) -f $(self) --no-print-directory REPO_TEST_DIR=$$tmpdir/ $@ ; \
-	STATUS=$$? ; rm -r "$$tmpdir" ; exit $$STATUS
-
-else
-
-# This is the "normal" part of the Makefile
-
 DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
-IMPORT := code.gitea.io/gitea
+
+# By default use go's 1.25 experimental json v2 library when building
+# TODO: remove when no longer experimental
+export GOEXPERIMENT ?= jsonv2
 
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
 
-XGO_VERSION := go-1.24.x
+XGO_VERSION := go-1.25.x
 
 AIR_PACKAGE ?= github.com/air-verse/air@v1
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.2.1
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.7.0
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.2
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.12
-MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.6.0
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15
+MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.8.0
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1
-GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.17.1
+ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.11
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@@ -47,6 +32,17 @@ ifeq ($(HAS_GO), yes)
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif
 
+CGO_ENABLED ?= 0
+ifneq (,$(findstring sqlite,$(TAGS))$(findstring pam,$(TAGS)))
+	CGO_ENABLED = 1
+endif
+
+STATIC ?=
+EXTLDFLAGS ?=
+ifneq ($(STATIC),)
+	EXTLDFLAGS = -extldflags "-static"
+endif
+
 ifeq ($(GOOS),windows)
 	IS_WINDOWS := yes
 else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
@@ -57,9 +53,11 @@ endif
 ifeq ($(IS_WINDOWS),yes)
 	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
+	EXECUTABLE_E2E ?= gitea-e2e.exe
 else
 	GOFLAGS := -v
 	EXECUTABLE ?= gitea
+	EXECUTABLE_E2E ?= gitea-e2e
 endif
 
 ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
@@ -70,7 +68,6 @@ endif
 
 EXTRA_GOFLAGS ?=
 
-MAKE_VERSION := $(shell "$(MAKE)" -v | cat | head -n 1)
 MAKE_EVIDENCE_DIR := .make_evidence
 
 GOTESTFLAGS ?=
@@ -80,7 +77,6 @@ ifeq ($(RACE_ENABLED),true)
 endif
 
 STORED_VERSION_FILE := VERSION
-HUGO_VERSION ?= 0.111.3
 
 GITHUB_REF_TYPE ?= branch
 GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
@@ -99,7 +95,7 @@ else
 	ifneq ($(STORED_VERSION),)
 		GITEA_VERSION ?= $(STORED_VERSION)
 	else
-		GITEA_VERSION ?= $(shell git describe --tags --always | sed 's/-/+/' | sed 's/^v//')
+		GITEA_VERSION ?= $(shell git describe --tags --always | sed -E 's/^v//; s/^(.*)-([0-9]+-g[0-9a-f]+)$$/\1+\2/')
 	endif
 endif
 
@@ -108,20 +104,21 @@ ifeq ($(VERSION),main)
 	VERSION := main-nightly
 endif
 
-LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)"
+LDFLAGS := $(LDFLAGS) -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)"
 
 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64,linux/riscv64
+DARWIN_ARCHS ?= darwin-10.12/amd64,darwin-10.12/arm64
 
-GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list code.gitea.io/gitea/models/migrations/...) code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
+GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list code.gitea.io/gitea/models/migrations/...) code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration,$(shell $(GO) list ./... | grep -v /vendor/))
 MIGRATE_TEST_PACKAGES ?= $(shell $(GO) list code.gitea.io/gitea/models/migrations/...)
 
-WEBPACK_SOURCES := $(shell find web_src/js web_src/css -type f)
-WEBPACK_CONFIGS := webpack.config.js tailwind.config.js
-WEBPACK_DEST := public/assets/js/index.js public/assets/css/index.css
-WEBPACK_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts
+FRONTEND_SOURCES := $(shell find web_src/js web_src/css -type f)
+FRONTEND_CONFIGS := vite.config.ts tailwind.config.ts
+FRONTEND_DEST := public/assets/.vite/manifest.json
+FRONTEND_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts public/assets/.vite
+FRONTEND_DEV_LOG_LEVEL ?= warn
 
-BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
-BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))
+BINDATA_DEST_WILDCARD := modules/migration/bindata.* modules/public/bindata.* modules/options/bindata.* modules/templates/bindata.*
 
 GENERATED_GO_DEST := modules/charset/invisible_gen.go modules/charset/ambiguous_gen.go
 
@@ -129,7 +126,6 @@ SVG_DEST_DIR := public/assets/img/svg
 
 AIR_TMP_DIR := .air
 
-GO_LICENSE_TMP_DIR := .go-licenses
 GO_LICENSE_FILE := assets/go-licenses.json
 
 TAGS ?=
@@ -138,30 +134,21 @@ TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags
 
 TEST_TAGS ?= $(TAGS_SPLIT) sqlite sqlite_unlock_notify
 
-TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR) $(GO_LICENSE_TMP_DIR)
+TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR)
 
-GO_DIRS := build cmd models modules routers services tests
+GO_DIRS := build cmd models modules routers services tests tools
 WEB_DIRS := web_src/js web_src/css
 
-ESLINT_FILES := web_src/js tools *.js *.ts *.cjs tests/e2e
+ESLINT_FILES := web_src/js tools *.ts tests/e2e
 STYLELINT_FILES := web_src/css web_src/js/components/*.vue
-SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) templates options/locale/locale_en-US.ini .github $(filter-out CHANGELOG.md, $(wildcard *.go *.js *.md *.yml *.yaml *.toml)) $(filter-out tools/misspellings.csv, $(wildcard tools/*))
-EDITORCONFIG_FILES := templates .github/workflows options/locale/locale_en-US.ini
+SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) templates options/locale/locale_en-US.json .github $(filter-out CHANGELOG.md, $(wildcard *.go *.md *.yml *.yaml *.toml))
+EDITORCONFIG_FILES := templates .github/workflows options/locale/locale_en-US.json
 
 GO_SOURCES := $(wildcard *.go)
-GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/options/bindata.go ! -path modules/public/bindata.go ! -path modules/templates/bindata.go)
+GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go")
 GO_SOURCES += $(GENERATED_GO_DEST)
-GO_SOURCES_NO_BINDATA := $(GO_SOURCES)
 
-ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
-	GO_SOURCES += $(BINDATA_DEST)
-	GENERATED_GO_DEST += $(BINDATA_DEST)
-endif
-
-# Force installation of playwright dependencies by setting this flag
-ifdef DEPS_PLAYWRIGHT
-	PLAYWRIGHT_FLAGS += --with-deps
-endif
+ESLINT_CONCURRENCY ?= 2
 
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
 SWAGGER_SPEC_INPUT := templates/swagger/v1_input.json
@@ -182,26 +169,20 @@ TEST_MSSQL_DBNAME ?= gitea
 TEST_MSSQL_USERNAME ?= sa
 TEST_MSSQL_PASSWORD ?= MwantsaSecurePassword1
 
+# Include local Makefile
+# Makefile.local is listed in .gitignore
+sinclude Makefile.local
+
 .PHONY: all
 all: build
 
 .PHONY: help
 help: Makefile ## print Makefile help information.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile #$(MAKEFILE_LIST)
-	@printf "  \033[36m%-46s\033[0m %s\n" "test-e2e[#TestSpecificName]" "test end to end using playwright"
+	@printf "  \033[36m%-46s\033[0m %s\n" "test-e2e" "test end to end using playwright"
 	@printf "  \033[36m%-46s\033[0m %s\n" "test[#TestSpecificName]" "run unit test"
 	@printf "  \033[36m%-46s\033[0m %s\n" "test-sqlite[#TestSpecificName]" "run integration test for sqlite"
 
-.PHONY: go-check
-go-check:
-	$(eval MIN_GO_VERSION_STR := $(shell grep -Eo '^go\s+[0-9]+\.[0-9]+' go.mod | cut -d' ' -f2))
-	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
-	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
-	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
-		exit 1; \
-	fi
-
 .PHONY: git-check
 git-check:
 	@if git lfs >/dev/null 2>&1 ; then : ; else \
@@ -209,36 +190,24 @@ git-check:
 		exit 1; \
 	fi
 
-.PHONY: node-check
-node-check:
-	$(eval MIN_NODE_VERSION_STR := $(shell grep -Eo '"node":.*[0-9.]+"' package.json | sed -n 's/.*[^0-9.]\([0-9.]*\)"/\1/p'))
-	$(eval MIN_NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell echo '$(MIN_NODE_VERSION_STR)' | tr '.' ' ')))
-	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
-	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
-	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
-		echo "Gitea requires Node.js $(MIN_NODE_VERSION_STR) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
-		exit 1; \
-	fi
-
 .PHONY: clean-all
 clean-all: clean ## delete backend, frontend and integration files
-	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules
+	rm -rf $(FRONTEND_DEST_ENTRIES) node_modules
 
 .PHONY: clean
 clean: ## delete backend and integration files
-	rm -rf $(EXECUTABLE) $(DIST) $(BINDATA_DEST) $(BINDATA_HASH) \
+	rm -rf $(EXECUTABLE) $(EXECUTABLE_E2E) $(DIST) $(BINDATA_DEST_WILDCARD) \
 		integrations*.test \
-		e2e*.test \
 		tests/integration/gitea-integration-* \
 		tests/integration/indexers-* \
-		tests/mysql.ini tests/pgsql.ini tests/mssql.ini man/ \
+		tests/sqlite.ini tests/mysql.ini tests/pgsql.ini tests/mssql.ini man/ \
 		tests/e2e/gitea-e2e-*/ \
 		tests/e2e/indexers-*/ \
 		tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/
 
 .PHONY: fmt
-fmt: ## format the Go code
-	@GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
+fmt: ## format the Go and template code
+	@GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run tools/code-batch-process.go gitea-fmt -w '{file-list}'
 	$(eval TEMPLATES := $(shell find templates -type f -name '*.tmpl'))
 	@# strip whitespace after '{{' or '(' and before '}}' or ')' unless there is only
 	@# whitespace before it
@@ -268,7 +237,7 @@ endif
 .PHONY: generate-swagger
 generate-swagger: $(SWAGGER_SPEC) ## generate the swagger spec from code comments
 
-$(SWAGGER_SPEC): $(GO_SOURCES_NO_BINDATA) $(SWAGGER_SPEC_INPUT)
+$(SWAGGER_SPEC): $(GO_SOURCES) $(SWAGGER_SPEC_INPUT)
 	$(GO) run $(SWAGGER_PACKAGE) generate spec --exclude "$(SWAGGER_EXCLUDE)" --input "$(SWAGGER_SPEC_INPUT)" --output './$(SWAGGER_SPEC)'
 
 .PHONY: swagger-check
@@ -310,44 +279,48 @@ lint-frontend: lint-js lint-css ## lint frontend files
 lint-frontend-fix: lint-js-fix lint-css-fix ## lint frontend files and fix issues
 
 .PHONY: lint-backend
-lint-backend: lint-go lint-go-gitea-vet lint-go-gopls lint-editorconfig ## lint backend files
+lint-backend: lint-go lint-go-gitea-vet lint-editorconfig ## lint backend files
 
 .PHONY: lint-backend-fix
 lint-backend-fix: lint-go-fix lint-go-gitea-vet lint-editorconfig ## lint backend files and fix issues
 
 .PHONY: lint-js
-lint-js: node_modules ## lint js files
-	npx eslint --color --max-warnings=0 --ext js,ts,vue $(ESLINT_FILES)
-	npx vue-tsc
+lint-js: node_modules ## lint js and ts files
+	pnpm exec eslint --color --max-warnings=0 --concurrency $(ESLINT_CONCURRENCY) $(ESLINT_FILES)
+	pnpm exec vue-tsc
 
 .PHONY: lint-js-fix
-lint-js-fix: node_modules ## lint js files and fix issues
-	npx eslint --color --max-warnings=0 --ext js,ts,vue $(ESLINT_FILES) --fix
-	npx vue-tsc
+lint-js-fix: node_modules ## lint js and ts files and fix issues
+	pnpm exec eslint --color --max-warnings=0 --concurrency $(ESLINT_CONCURRENCY) $(ESLINT_FILES) --fix
+	pnpm exec vue-tsc
 
 .PHONY: lint-css
 lint-css: node_modules ## lint css files
-	npx stylelint --color --max-warnings=0 $(STYLELINT_FILES)
+	pnpm exec stylelint --color --max-warnings=0 $(STYLELINT_FILES)
 
 .PHONY: lint-css-fix
 lint-css-fix: node_modules ## lint css files and fix issues
-	npx stylelint --color --max-warnings=0 $(STYLELINT_FILES) --fix
+	pnpm exec stylelint --color --max-warnings=0 $(STYLELINT_FILES) --fix
 
 .PHONY: lint-swagger
 lint-swagger: node_modules ## lint swagger files
-	npx spectral lint -q -F hint $(SWAGGER_SPEC)
+	pnpm exec spectral lint -q -F hint $(SWAGGER_SPEC)
 
 .PHONY: lint-md
 lint-md: node_modules ## lint markdown files
-	npx markdownlint *.md
+	pnpm exec markdownlint *.md
+
+.PHONY: lint-md-fix
+lint-md-fix: node_modules ## lint markdown files and fix issues
+	pnpm exec markdownlint --fix *.md
 
 .PHONY: lint-spell
 lint-spell: ## lint spelling
-	@go run $(MISSPELL_PACKAGE) -dict tools/misspellings.csv -error $(SPELLCHECK_FILES)
+	@git ls-files $(SPELLCHECK_FILES) | xargs go run $(MISSPELL_PACKAGE) -dict assets/misspellings.csv -error
 
 .PHONY: lint-spell-fix
 lint-spell-fix: ## lint spelling and fix issues
-	@go run $(MISSPELL_PACKAGE) -dict tools/misspellings.csv -w $(SPELLCHECK_FILES)
+	@git ls-files $(SPELLCHECK_FILES) | xargs go run $(MISSPELL_PACKAGE) -dict assets/misspellings.csv -w
 
 .PHONY: lint-go
 lint-go: ## lint go files
@@ -367,13 +340,7 @@ lint-go-windows:
 .PHONY: lint-go-gitea-vet
 lint-go-gitea-vet: ## lint go files with gitea-vet
 	@echo "Running gitea-vet..."
-	@GOOS= GOARCH= $(GO) build code.gitea.io/gitea-vet
-	@$(GO) vet -vettool=gitea-vet ./...
-
-.PHONY: lint-go-gopls
-lint-go-gopls: ## lint go files with gopls
-	@echo "Running gopls check..."
-	@GO=$(GO) GOPLS_PACKAGE=$(GOPLS_PACKAGE) tools/lint-go-gopls.sh $(GO_SOURCES_NO_BINDATA)
+	@$(GO) vet -vettool="$(shell GOOS= GOARCH= go tool -n gitea-vet)" ./...
 
 .PHONY: lint-editorconfig
 lint-editorconfig:
@@ -386,24 +353,31 @@ lint-actions: ## lint action workflow files
 
 .PHONY: lint-templates
 lint-templates: .venv node_modules ## lint template files
-	@node tools/lint-templates-svg.js
-	@poetry run djlint $(shell find templates -type f -iname '*.tmpl')
+	@node tools/lint-templates-svg.ts
+	@uv run --frozen djlint $(shell find templates -type f -iname '*.tmpl')
 
 .PHONY: lint-yaml
 lint-yaml: .venv ## lint yaml files
-	@poetry run yamllint -s .
+	@uv run --frozen yamllint -s .
+
+.PHONY: lint-json
+lint-json: node_modules ## lint json files
+	pnpm exec eslint -c eslint.json.config.ts --color --max-warnings=0 --concurrency $(ESLINT_CONCURRENCY)
+
+.PHONY: lint-json-fix
+lint-json-fix: node_modules ## lint and fix json files
+	pnpm exec eslint -c eslint.json.config.ts --color --max-warnings=0 --concurrency $(ESLINT_CONCURRENCY) --fix
 
 .PHONY: watch
 watch: ## watch everything and continuously rebuild
 	@bash tools/watch.sh
 
 .PHONY: watch-frontend
-watch-frontend: node-check node_modules ## watch frontend files and continuously rebuild
-	@rm -rf $(WEBPACK_DEST_ENTRIES)
-	NODE_ENV=development npx webpack --watch --progress
+watch-frontend: node_modules ## start vite dev server for frontend
+	NODE_ENV=development pnpm exec vite --logLevel $(FRONTEND_DEV_LOG_LEVEL)
 
 .PHONY: watch-backend
-watch-backend: go-check ## watch backend files and continuously rebuild
+watch-backend: ## watch backend files and continuously rebuild
 	GITEA_RUN_MODE=dev $(GO) run $(AIR_PACKAGE) -c .air.toml
 
 .PHONY: test
@@ -416,7 +390,7 @@ test-backend: ## test backend files
 
 .PHONY: test-frontend
 test-frontend: node_modules ## test frontend files
-	npx vitest
+	pnpm exec vitest
 
 .PHONY: test-check
 test-check:
@@ -439,7 +413,7 @@ test\#%:
 coverage:
 	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' coverage.out > coverage-bodged.out
 	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' integration.coverage.out > integration.coverage-bodged.out
-	$(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all
+	$(GO) run tools/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all
 
 .PHONY: unit-test-coverage
 unit-test-coverage:
@@ -469,25 +443,20 @@ tidy-check: tidy
 go-licenses: $(GO_LICENSE_FILE) ## regenerate go licenses
 
 $(GO_LICENSE_FILE): go.mod go.sum
-	@rm -rf $(GO_LICENSE_FILE)
-	$(GO) install $(GO_LICENSES_PACKAGE)
-	-GOOS=linux CGO_ENABLED=1 go-licenses save . --force --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
-	$(GO) run build/generate-go-licenses.go $(GO_LICENSE_TMP_DIR) $(GO_LICENSE_FILE)
-	@rm -rf $(GO_LICENSE_TMP_DIR)
+	GO=$(GO) $(GO) run build/generate-go-licenses.go $(GO_LICENSE_FILE)
 
 generate-ini-sqlite:
-	sed -e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
+	sed -e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-sqlite|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/sqlite.ini.tmpl > tests/sqlite.ini
 
 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test
+	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test
 
 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
 
 .PHONY: test-sqlite-migration
 test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
@@ -497,18 +466,17 @@ generate-ini-mysql:
 		-e 's|{{TEST_MYSQL_DBNAME}}|${TEST_MYSQL_DBNAME}|g' \
 		-e 's|{{TEST_MYSQL_USERNAME}}|${TEST_MYSQL_USERNAME}|g' \
 		-e 's|{{TEST_MYSQL_PASSWORD}}|${TEST_MYSQL_PASSWORD}|g' \
-		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
+		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-mysql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/mysql.ini.tmpl > tests/mysql.ini
 
 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test
+	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test
 
 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
 
 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test
@@ -520,18 +488,17 @@ generate-ini-pgsql:
 		-e 's|{{TEST_PGSQL_PASSWORD}}|${TEST_PGSQL_PASSWORD}|g' \
 		-e 's|{{TEST_PGSQL_SCHEMA}}|${TEST_PGSQL_SCHEMA}|g' \
 		-e 's|{{TEST_MINIO_ENDPOINT}}|${TEST_MINIO_ENDPOINT}|g' \
-		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
+		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-pgsql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini
 
 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test
+	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test
 
 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
 
 .PHONY: test-pgsql-migration
 test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test
@@ -541,89 +508,53 @@ generate-ini-mssql:
 		-e 's|{{TEST_MSSQL_DBNAME}}|${TEST_MSSQL_DBNAME}|g' \
 		-e 's|{{TEST_MSSQL_USERNAME}}|${TEST_MSSQL_USERNAME}|g' \
 		-e 's|{{TEST_MSSQL_PASSWORD}}|${TEST_MSSQL_PASSWORD}|g' \
-		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
+		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-mssql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 			tests/mssql.ini.tmpl > tests/mssql.ini
 
 .PHONY: test-mssql
 test-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test
+	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test
 
 .PHONY: test-mssql\#%
 test-mssql\#%: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
+	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
 
 .PHONY: test-mssql-migration
 test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test
 
 .PHONY: playwright
 playwright: deps-frontend
-	npx playwright install $(PLAYWRIGHT_FLAGS)
-
-.PHONY: test-e2e%
-test-e2e%: TEST_TYPE ?= e2e
-	# Clear display env variable. Otherwise, chromium tests can fail.
-	DISPLAY=
+	@# on GitHub Actions VMs, playwright's system deps are pre-installed
+	@pnpm exec playwright install $(if $(GITHUB_ACTIONS),,--with-deps) chromium firefox $(PLAYWRIGHT_FLAGS)
 
 .PHONY: test-e2e
-test-e2e: test-e2e-sqlite
-
-.PHONY: test-e2e-sqlite
-test-e2e-sqlite: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test
-
-.PHONY: test-e2e-sqlite\#%
-test-e2e-sqlite\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e/$*
-
-.PHONY: test-e2e-mysql
-test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test
-
-.PHONY: test-e2e-mysql\#%
-test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*
-
-.PHONY: test-e2e-pgsql
-test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test
-
-.PHONY: test-e2e-pgsql\#%
-test-e2e-pgsql\#%: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e/$*
-
-.PHONY: test-e2e-mssql
-test-e2e-mssql: playwright e2e.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test
-
-.PHONY: test-e2e-mssql\#%
-test-e2e-mssql\#%: playwright e2e.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test -test.run TestE2e/$*
+test-e2e: playwright $(EXECUTABLE_E2E)
+	@EXECUTABLE=$(EXECUTABLE_E2E) ./tools/test-e2e.sh $(GITEA_TEST_E2E_FLAGS)
 
 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
 .PHONY: bench-mysql
 bench-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
 .PHONY: bench-mssql
 bench-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
 .PHONY: bench-pgsql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
 .PHONY: integration-test-coverage
 integration-test-coverage: integrations.cover.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
+	GITEA_TEST_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
 
 .PHONY: integration-test-coverage-sqlite
 integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
+	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
 
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
@@ -646,66 +577,54 @@ integrations.cover.sqlite.test: git-check $(GO_SOURCES)
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test
+	GITEA_TEST_CONF=tests/mysql.ini ./migrations.mysql.test
 
 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./migrations.pgsql.test
+	GITEA_TEST_CONF=tests/pgsql.ini ./migrations.pgsql.test
 
 .PHONY: migrations.mssql.test
 migrations.mssql.test: $(GO_SOURCES) generate-ini-mssql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mssql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./migrations.mssql.test
+	GITEA_TEST_CONF=tests/mssql.ini ./migrations.mssql.test
 
 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./migrations.sqlite.test
+	GITEA_TEST_CONF=tests/sqlite.ini ./migrations.sqlite.test
 
 .PHONY: migrations.individual.mysql.test
-migrations.individual.mysql.test: $(GO_SOURCES)
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+migrations.individual.mysql.test: $(GO_SOURCES) generate-ini-mysql
+	GITEA_TEST_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 
 .PHONY: migrations.individual.pgsql.test
-migrations.individual.pgsql.test: $(GO_SOURCES)
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+migrations.individual.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
+	GITEA_TEST_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 
 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_TEST_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 
 .PHONY: migrations.individual.mssql.test
 migrations.individual.mssql.test: $(GO_SOURCES) generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	GITEA_TEST_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 
 .PHONY: migrations.individual.mssql.test\#%
 migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_TEST_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 
 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
-
-e2e.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
-
-e2e.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
-
-e2e.mssql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mssql.test
-
-e2e.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
+	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 
 .PHONY: check
 check: test
@@ -718,10 +637,10 @@ install: $(wildcard *.go)
 build: frontend backend ## build everything
 
 .PHONY: frontend
-frontend: $(WEBPACK_DEST) ## build frontend files
+frontend: $(FRONTEND_DEST) ## build frontend files
 
 .PHONY: backend
-backend: go-check generate-backend $(EXECUTABLE) ## build backend files
+backend: generate-backend $(EXECUTABLE) ## build backend files
 
 # We generate the backend before the frontend in case we in future we want to generate things in the frontend from generated files in backend
 .PHONY: generate
@@ -737,10 +656,16 @@ generate-go: $(TAGS_PREREQ)
 
 .PHONY: security-check
 security-check:
-	go run $(GOVULNCHECK_PACKAGE) -show color ./...
+	GOEXPERIMENT= go run $(GOVULNCHECK_PACKAGE) -show color ./... || true
 
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+ifneq ($(and $(STATIC),$(findstring pam,$(TAGS))),)
+  $(error pam support set via TAGS does not support static builds)
+endif
+	CGO_ENABLED="$(CGO_ENABLED)" CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@
+
+$(EXECUTABLE_E2E): $(GO_SOURCES) $(FRONTEND_DEST)
+	CGO_ENABLED=1 $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TEST_TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@
 
 .PHONY: release
 release: frontend generate release-windows release-linux release-darwin release-freebsd release-copy release-compress vendor release-sources release-check
@@ -761,7 +686,7 @@ release-linux: | $(DIST_DIRS)
 
 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets 'darwin-10.12/amd64,darwin-10.12/arm64' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out gitea-$(VERSION) .
 
 .PHONY: release-freebsd
 release-freebsd: | $(DIST_DIRS)
@@ -812,53 +737,56 @@ deps-tools: ## install tool dependencies
 	$(GO) install $(MISSPELL_PACKAGE) & \
 	$(GO) install $(SWAGGER_PACKAGE) & \
 	$(GO) install $(XGO_PACKAGE) & \
-	$(GO) install $(GO_LICENSES_PACKAGE) & \
 	$(GO) install $(GOVULNCHECK_PACKAGE) & \
 	$(GO) install $(ACTIONLINT_PACKAGE) & \
-	$(GO) install $(GOPLS_PACKAGE) & \
 	wait
 
-node_modules: package-lock.json
-	npm install --no-save
+node_modules: pnpm-lock.yaml
+	pnpm install --frozen-lockfile
 	@touch node_modules
 
-.venv: poetry.lock
-	poetry install
+.venv: uv.lock
+	uv sync
 	@touch .venv
 
 .PHONY: update
-update: update-js update-py ## update js and py dependencies
+update: update-go update-js update-py ## update dependencies
+
+.PHONY: update-go
+update-go: ## update go dependencies
+	$(GO) get -u ./...
+	$(MAKE) tidy
 
 .PHONY: update-js
-update-js: node-check | node_modules ## update js dependencies
-	npx updates -u -f package.json
-	rm -rf node_modules package-lock.json
-	npm install --package-lock
-	npx nolyfill install
-	npm install --package-lock
+update-js: node_modules ## update js dependencies
+	pnpm exec updates -u -f package.json
+	rm -rf node_modules pnpm-lock.yaml
+	pnpm install
+	pnpm exec nolyfill install
+	pnpm install
 	@touch node_modules
 
 .PHONY: update-py
-update-py: node-check | node_modules ## update py dependencies
-	npx updates -u -f pyproject.toml
-	rm -rf .venv poetry.lock
-	poetry install
+update-py: node_modules ## update py dependencies
+	pnpm exec updates -u -f pyproject.toml
+	rm -rf .venv uv.lock
+	uv sync
 	@touch .venv
 
-.PHONY: webpack
-webpack: $(WEBPACK_DEST) ## build webpack files
+.PHONY: vite
+vite: $(FRONTEND_DEST) ## build vite files
 
-$(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json
-	@$(MAKE) -s node-check node_modules
-	@rm -rf $(WEBPACK_DEST_ENTRIES)
-	@echo "Running webpack..."
-	@BROWSERSLIST_IGNORE_OLD_DATA=true npx webpack
-	@touch $(WEBPACK_DEST)
+$(FRONTEND_DEST): $(FRONTEND_SOURCES) $(FRONTEND_CONFIGS) pnpm-lock.yaml
+	@$(MAKE) -s node_modules
+	@rm -rf $(FRONTEND_DEST_ENTRIES)
+	@echo "Running vite build..."
+	@pnpm exec vite build
+	@touch $(FRONTEND_DEST)
 
 .PHONY: svg
-svg: node-check | node_modules ## build svg files
+svg: node_modules ## build svg files
 	rm -rf $(SVG_DEST_DIR)
-	node tools/generate-svg.js
+	node tools/generate-svg.ts
 
 .PHONY: svg-check
 svg-check: svg
@@ -872,33 +800,22 @@ svg-check: svg
 
 .PHONY: lockfile-check
 lockfile-check:
-	npm install --package-lock-only
-	@diff=$$(git diff --color=always package-lock.json); \
+	pnpm install --frozen-lockfile
+	@diff=$$(git diff --color=always pnpm-lock.yaml); \
 	if [ -n "$$diff" ]; then \
-		echo "package-lock.json is inconsistent with package.json"; \
-		echo "Please run 'npm install --package-lock-only' and commit the result:"; \
+		echo "pnpm-lock.yaml is inconsistent with package.json"; \
+		echo "Please run 'pnpm install --frozen-lockfile' and commit the result:"; \
 		printf "%s" "$${diff}"; \
 		exit 1; \
 	fi
 
-.PHONY: update-translations
-update-translations:
-	mkdir -p ./translations
-	cd ./translations && curl -L https://crowdin.com/download/project/gitea.zip > gitea.zip && unzip gitea.zip
-	rm ./translations/gitea.zip
-	$(SED_INPLACE) -e 's/="/=/g' -e 's/"$$//g' ./translations/*.ini
-	$(SED_INPLACE) -e 's/\\"/"/g' ./translations/*.ini
-	mv ./translations/*.ini ./options/locale/
-	rmdir ./translations
-
 .PHONY: generate-gitignore
 generate-gitignore: ## update gitignore files
 	$(GO) run build/generate-gitignores.go
 
 .PHONY: generate-images
-generate-images: | node_modules
-	npm install --no-save fabric@6 imagemin-zopfli@7
-	node tools/generate-images.js $(TAGS)
+generate-images: | node_modules ## generate images
+	cd tools && node generate-images.ts $(TAGS)
 
 .PHONY: generate-manpage
 generate-manpage: ## generate manpage
@@ -913,9 +830,6 @@ docker:
 	docker build --disable-content-trust=false -t $(DOCKER_REF) .
 # support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .
 
-# This endif closes the if at the top of the file
-endif
-
 # Disable parallel execution because it would break some targets that don't
 # specify exact dependencies like 'backend' which does currently not depend
 # on 'frontend' to enable Node.js-less builds from source tarballs.

README.md

@@ -8,7 +8,6 @@
 [![](https://www.codetriage.com/go-gitea/gitea/badges/users.svg)](https://www.codetriage.com/go-gitea/gitea "Help Contribute to Open Source")
 [![](https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen)](https://opencollective.com/gitea "Become a backer/sponsor of gitea")
 [![](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT "License: MIT")
-[![Contribute with Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod&color=green)](https://gitpod.io/#https://github.com/go-gitea/gitea)
 [![](https://badges.crowdin.net/gitea/localized.svg)](https://translate.gitea.com "Crowdin")
 
 [繁體中文](./README.zh-tw.md) | [简体中文](./README.zh-cn.md)
@@ -52,7 +51,7 @@ or if SQLite support is required:
 The `build` target is split into two sub-targets:
 
 - `make backend` which requires [Go Stable](https://go.dev/dl/), the required version is defined in [go.mod](/go.mod).
-- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater.
+- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater and [pnpm](https://pnpm.io/installation).
 
 Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js.
 
@@ -80,9 +79,9 @@ Expected workflow is: Fork -> Patch -> Push -> Pull Request
 
 [![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://translate.gitea.com)
 
-Translations are done through [Crowdin](https://translate.gitea.com). If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there.
+Translations are done through [Crowdin](https://translate.gitea.com). If you want to translate to a new language, ask one of the managers in the Crowdin project to add a new language there.
 
-You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope to fill it as questions pop up.
+You can also just create an issue for adding a language or ask on Discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty, but we hope to fill it as questions pop up.
 
 Get more information from [documentation](https://docs.gitea.com/contributing/localization).
 

README.zh-cn.md

@@ -8,7 +8,6 @@
 [![](https://www.codetriage.com/go-gitea/gitea/badges/users.svg)](https://www.codetriage.com/go-gitea/gitea "Help Contribute to Open Source")
 [![](https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen)](https://opencollective.com/gitea "Become a backer/sponsor of gitea")
 [![](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT "License: MIT")
-[![Contribute with Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod&color=green)](https://gitpod.io/#https://github.com/go-gitea/gitea)
 [![](https://badges.crowdin.net/gitea/localized.svg)](https://translate.gitea.com "Crowdin")
 
 [English](./README.md) | [繁體中文](./README.zh-tw.md)
@@ -46,7 +45,7 @@
 `build` 目标分为两个子目标：
 
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定义。
-- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本。
+- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本以及 [pnpm](https://pnpm.io/installation)。
 
 需要互联网连接来下载 go 和 npm 模块。从包含预构建前端文件的官方源代码压缩包构建时，不会触发 `frontend` 目标，因此可以在没有 Node.js 的情况下构建。
 

README.zh-tw.md

@@ -8,7 +8,6 @@
 [![](https://www.codetriage.com/go-gitea/gitea/badges/users.svg)](https://www.codetriage.com/go-gitea/gitea "Help Contribute to Open Source")
 [![](https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen)](https://opencollective.com/gitea "Become a backer/sponsor of gitea")
 [![](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT "License: MIT")
-[![Contribute with Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod&color=green)](https://gitpod.io/#https://github.com/go-gitea/gitea)
 [![](https://badges.crowdin.net/gitea/localized.svg)](https://translate.gitea.com "Crowdin")
 
 [English](./README.md) | [简体中文](./README.zh-cn.md)
@@ -46,7 +45,7 @@
 `build` 目標分為兩個子目標：
 
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定義。
-- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本。
+- `make frontend` 需要 [Node.js LTS](https://nodejs.org/en/download/) 或更高版本以及 [pnpm](https://pnpm.io/installation)。
 
 需要互聯網連接來下載 go 和 npm 模塊。從包含預構建前端文件的官方源代碼壓縮包構建時，不會觸發 `frontend` 目標，因此可以在沒有 Node.js 的情況下構建。
 

SECURITY.md

@@ -14,12 +14,12 @@ Please **DO NOT** file a public issue, instead send your report privately to `se
 
 Due to the sensitive nature of security information, you can use the below GPG public key to encrypt your mail body.
 
-The PGP key is valid until July 9, 2025.
+The PGP key is valid until July 4, 2026.
 
 ```
 Key ID: 6FCD2D5B
 Key Type: RSA
-Expires: 7/9/2025
+Expires: 7/4/2026
 Key Size: 4096/4096
 Fingerprint: 3DE0 3D1E 144A 7F06 9359 99DC AAFD 2381 6FCD 2D5B
 ```
@@ -42,18 +42,18 @@ lzpAjnN9/KLtQroutrm+Ft0mdjDiJUeFVl1cOHDhoyfCsQh62HumoyZoZvqzQd6e
 AbN11nq6aViMe2Q3je1AbiBnRnQSHxt1Tc8X4IshO3MQK1Sk7oPI6LA5oQARAQAB
 tCJHaXRlYSBTZWN1cml0eSA8c2VjdXJpdHlAZ2l0ZWEuaW8+iQJXBBMBCABBAhsD
 BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAFiEEPeA9HhRKfwaTWZncqv0jgW/N
-LVsFAmaMse0FCQW4fW8ACgkQqv0jgW/NLVtXLg/+PF4G9Jhlui15BTNlEBJAV2P/
-1QlAV2krk0fP7tykn0FR9RfGIfVV/kwC1f+ouosYPQDDevl9LWdUIM+g94DtNo2o
-7ACpcL3morvt5lVGpIZHL8TbX0qmFRXL/pB/cB+K6IwYvh2mrbp2zH+r4SCRyFYq
-BjgXYFTI1MylJ1ShAjU6Z+m3oJ+2xs5LzHS0X6zkTjzA2Zl4zQzciQ9T+wJcE7Zi
-HXdM1+YMF8KGNP8J9Rpug5oNDJ98lgZirRY7c3A/1xmYBiPnULwuuymdqEZO7l70
-SeAlE1RWYX8kbOBnBb/KY4XwE3Vic1oEzc9DiPWVH1ElX86WNNsFzuyULiwoBoWg
-pqZGhL9x1p5+46RGQSDczsHM7YGVtfYOiDo2PAVrmwsT0BnXnK8Oe3YIkvmUPEJu
-OkLt0Z6A5n8pz8zhQzuApwBsK4ncJ8zTCpvz/pfKKqZC/Vnoh3gKGhDGvOZ+b5IJ
-0kUTe2JsbnwFixDUMDtacQ1op8XOyLoLVmgqLn0+Pws4XPBlMof2bioFir3yHKnP
-gNchsF1agrlSIo5GA8u4ga+IlCSfvFIKrl7+cxacKcJYt/vbOU5KcvVJI5EtHKCG
-xfHjHY2ah1Qww7SxW6IXiRZZzPpsL2mBM2CD7N3qh9bV2s27wxYCdUodsIZbiyHe
-oWPzfBnkmiAN8KlZxHm5Ag0EYrVn/gEQALrFLQjCR3GjuHSindz0rd3Fnx/t7Sen
+LVsFAmhoHmkFCQeT6esACgkQqv0jgW/NLVuFLRAAmjBQSKRAgs2bFIEj7HLAbDp4
+f+XkdH+GsT3jRPOZ9QZgmtM+TfoE4yNgIVfOl+s4RdjM/W4QzqZuPQ55hbEHd056
+cJmm7B+6GsHFcdrPmh65sOCEIyh4+t45dUfeWpFsDPqm9j1UHXAJQIpB8vDEVAPH
+t+3wLCk8GMPJs1o5tIyMmaO23ngvkwn8eG7KgY+rp2PzObrb5g7ppci0ILzILkrp
+HVjZsEfUWRgSVF7LuU5ppqDKrlcqwUpQq6n3kGMZcLrCp6ACKP04TBmTfUxNwdL7
+I0N7apI2Pbct9T1Gv/lYAUFWyU2c3gh/EBLbO6BukaLOFRQHrtNfdJV/YnMPlcXr
+LUJjK9K4eAH9DsrZqrisz/LthsC2BaNIN3KRMTk5YTYgmIh8GXzSgihORmtDFELC
+RroID3pTuS0zjXh+wpY9GuPTh7UW23p42Daxca4fAT4k5EclvDRUrL21xMopPMiL
+HuNdELz4FVchRTy05PjzKVyjVInDNojE2KUxnjxZDzYJ6aT/g+coD5yfntYm8BEj
++ZzL0ndZES54hzKLpv7zwBQwFzam68clZYmDPILOPTflQDfpGEWmJK4undFU5obz
+ZsQRz0R3ulspChATbZxO0d5LX2obLpKO9X3b5VoO1KF+R8Vjw1Y0KxrNZ6rIcfqH
+Z50QVQKSe9dm08K0ON+5Ag0EYrVn/gEQALrFLQjCR3GjuHSindz0rd3Fnx/t7Sen
 T+p07yCSSoSlmnJHCQmwh4vfg1blyz0zZ4vkIhtpHsEgc+ZAG+WQXSsJ2iRz+eSN
 GwoOQl4XC3n+QWkc1ws+btr48+6UqXIQU+F8TPQyx/PIgi2nZXJB7f5+mjCqsk46
 XvH4nTr4kJjuqMSR/++wvre2qNQRa/q/dTsK0OaN/mJsdX6Oi+aGNaQJUhIG7F+E
@@ -65,19 +65,19 @@ s+GsP9I3cmWWQcKYxWHtE8xTXnNCVPFZQj2nwhJzae8ypfOtulBRA3dUKWGKuDH/
 axFENhUsT397aOU3qkP/od4a64JyNIEo4CTTSPVeWd7njsGqli2U3A4xL2CcyYvt
 D/MWcMBGEoLSNTswwKdom4FaJpn5KThnK/T0bQcmJblJhoCtppXisbexZnCpuS0x
 Zdlm2T14KJ3LABEBAAGJAjwEGAEIACYCGwwWIQQ94D0eFEp/BpNZmdyq/SOBb80t
-WwUCZoyyjQUJBbh+DwAKCRCq/SOBb80tW18XD/9MXztmf01MT+1kZdBouZ/7Rp/7
-9kuqo//B1G+RXau4oFtPqb67kNe2WaIc3u5B73PUHsMf3i6z4ib2KbMhZZerLn0O
-dRglcuPeNWmsASY3dH/XVG0cT0zvvWegagd12TJEl3Vs+7XNrOw4cwDj9L1+GH9m
-kSt4uaANWn/6a3RvMRhiVEYuNwhAzcKaactPmYqrLJgoVLbRSDkgyHaMQ2jKgLxk
-ifS/fvluGV0ub2Po6DJiqfRpd1tDvPhe9y1+r1WFDZsOcvTcZUfSt/7dXMGfqGu0
-2daVFlfeSXSALrDE5uc0UxodHCpP3sqRYDZevGLBRaaTkIjYXG/+N898+7K5WJF4
-xXOLWxM2cwGkG7eC9pugcDnBp9XlF7O+GBiZ05JUe5flXDQFZ+h3exjopu6KHF1B
-RnzNy8LC0UKb+AuvRIOLV92a9Q9wGWU/jaVDu6nZ0umAeuSzxiHoDsonm0Fl9QAz
-2/xCokebuoeLrEK7R2af3X86mqq3sVO4ax+HPYChzOaVQBiHUW/TAldWcldYYphR
-/e2WsbmQfvCRtz/bZfo+aUVnrHNjzVMtF2SszdVmA/04Y8pS28MqtuRqhm5DPOOd
-g1YeUywK5jRZ1twyo1kzJEFPLaoeaXaycsR1PMVBW0Urik5mrR/pOWq7PPoZoKb2
-lXYLE8bwkuQTmsyL1g==
-=9i7d
+WwUCaGgeJAUJB5PppgAKCRCq/SOBb80tW/NWEACB6Jrf0gWlk7e+hNCdnbM0ZVWU
+f2sHNFfXxxsdhpcDgKbNHtkZb8nZgv8AX+5fTtUwMVa3vKcdw30xFiIM5N7cCIPV
+vg/5z5BtfEaitnabEUG2iiVDIy8IHXIcK10rX+7BosA3QDl2PsiBHwyi5G13lRk8
+zGTSNDuOalug33h5/lr2dPigamkq74Aoy29q8Rjad6GfWHipL2bFimgtY+Zdi0BH
+NLk4EJXxj1SgVx5dtkQzWJReBA5M+FQ4QYQZBO+f4TDoOLmjui152uhkoLBQbGAa
+WWJFTVxm0bG5MXloEL3gA8DfU7XDwuW/sHJC5pBko8RpQViooOhckMepZV3Y83DK
+bwLYa3JmPgj2rEv4993dvrJbQhpGd082HOxOsllCs8pgNq1SnXpWYfcGTgGKC3ts
+U8YZUUJUQ7mi2L8Tv3ix20c9EiGmA30JAmA8eZTC3cWup91ZkkVBFRml2czTXajd
+RWZ6GbHV5503ueDQcB8yBVgF3CSixs67+dGSbD3p86OqGrjAcJzM5TFbNKcnGLdE
+kGbZpNwAISy750lXzXKmyrh5RTCeTOQerbwCMBvHZO+HAevA/LXDTw2OAiSIQlP5
+sYA4sFYLQ30OAkgJcmdp/pSgVj/erNtSN07ClrOpDb/uFpQymO6K2h0Pst3feNVK
+9M2VbqL9C51z/wyHLg==
+=SfZA
 -----END PGP PUBLIC KEY BLOCK-----
 
 ```

build.go

@@ -1,23 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build vendor
-
-package main
-
-// Libraries that are included to vendor utilities used during build.
-// These libraries will not be included in a normal compilation.
-
-import (
-	// for embed
-	_ "github.com/shurcooL/vfsgen"
-
-	// for cover merge
-	_ "golang.org/x/tools/cover"
-
-	// for vet
-	_ "code.gitea.io/gitea-vet"
-
-	// for swagger
-	_ "github.com/go-swagger/go-swagger/cmd/swagger"
-)

build/backport-locales.go

@@ -1,115 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build ignore
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-
-	"code.gitea.io/gitea/modules/container"
-	"code.gitea.io/gitea/modules/setting"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		println("usage: backport-locales <to-ref>")
-		println("eg: backport-locales release/v1.19")
-		os.Exit(1)
-	}
-
-	mustNoErr := func(err error) {
-		if err != nil {
-			panic(err)
-		}
-	}
-	collectInis := func(ref string) map[string]setting.ConfigProvider {
-		inis := map[string]setting.ConfigProvider{}
-		err := filepath.WalkDir("options/locale", func(path string, d os.DirEntry, err error) error {
-			if err != nil {
-				return err
-			}
-			if d.IsDir() || !strings.HasSuffix(d.Name(), ".ini") {
-				return nil
-			}
-			cfg, err := setting.NewConfigProviderForLocale(path)
-			mustNoErr(err)
-			inis[path] = cfg
-			fmt.Printf("collecting: %s @ %s\n", path, ref)
-			return nil
-		})
-		mustNoErr(err)
-		return inis
-	}
-
-	// collect new locales from current working directory
-	inisNew := collectInis("HEAD")
-
-	// switch to the target ref, and collect the old locales
-	cmd := exec.Command("git", "checkout", os.Args[1])
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	mustNoErr(cmd.Run())
-	inisOld := collectInis(os.Args[1])
-
-	// use old en-US as the base, and copy the new translations to the old locales
-	enUsOld := inisOld["options/locale/locale_en-US.ini"]
-	brokenWarned := make(container.Set[string])
-	for path, iniOld := range inisOld {
-		if iniOld == enUsOld {
-			continue
-		}
-		iniNew := inisNew[path]
-		if iniNew == nil {
-			continue
-		}
-		for _, secEnUS := range enUsOld.Sections() {
-			secOld := iniOld.Section(secEnUS.Name())
-			secNew := iniNew.Section(secEnUS.Name())
-			for _, keyEnUs := range secEnUS.Keys() {
-				if secNew.HasKey(keyEnUs.Name()) {
-					oldStr := secOld.Key(keyEnUs.Name()).String()
-					newStr := secNew.Key(keyEnUs.Name()).String()
-					broken := oldStr != "" && strings.Count(oldStr, "%") != strings.Count(newStr, "%")
-					broken = broken || strings.Contains(oldStr, "\n") || strings.Contains(oldStr, "\n")
-					if broken {
-						brokenWarned.Add(secOld.Name() + "." + keyEnUs.Name())
-						fmt.Println("----")
-						fmt.Printf("WARNING: skip broken locale: %s , [%s] %s\n", path, secEnUS.Name(), keyEnUs.Name())
-						fmt.Printf("\told: %s\n", strings.ReplaceAll(oldStr, "\n", "\\n"))
-						fmt.Printf("\tnew: %s\n", strings.ReplaceAll(newStr, "\n", "\\n"))
-						continue
-					}
-					secOld.Key(keyEnUs.Name()).SetValue(newStr)
-				}
-			}
-		}
-		mustNoErr(iniOld.SaveTo(path))
-	}
-
-	fmt.Println("========")
-
-	for path, iniNew := range inisNew {
-		for _, sec := range iniNew.Sections() {
-			for _, key := range sec.Keys() {
-				str := sec.Key(key.Name()).String()
-				broken := strings.Contains(str, "\n")
-				broken = broken || strings.HasPrefix(str, "`") != strings.HasSuffix(str, "`")
-				broken = broken || strings.HasPrefix(str, "\"`")
-				broken = broken || strings.HasPrefix(str, "`\"")
-				broken = broken || strings.Count(str, `"`)%2 == 1
-				broken = broken || strings.Count(str, "`")%2 == 1
-				if broken && !brokenWarned.Contains(sec.Name()+"."+key.Name()) {
-					fmt.Printf("WARNING: found broken locale: %s , [%s] %s\n", path, sec.Name(), key.Name())
-					fmt.Printf("\tstr: %s\n", strings.ReplaceAll(str, "\n", "\\n"))
-					fmt.Println("----")
-				}
-			}
-		}
-	}
-}

build/generate-bindata.go

@@ -6,87 +6,22 @@
 package main
 
 import (
-	"bytes"
-	"crypto/sha1"
 	"fmt"
-	"log"
-	"net/http"
 	"os"
-	"path/filepath"
-	"strconv"
 
-	"github.com/shurcooL/vfsgen"
+	"code.gitea.io/gitea/modules/assetfs"
 )
 
-func needsUpdate(dir, filename string) (bool, []byte) {
-	needRegen := false
-	_, err := os.Stat(filename)
-	if err != nil {
-		needRegen = true
-	}
-
-	oldHash, err := os.ReadFile(filename + ".hash")
-	if err != nil {
-		oldHash = []byte{}
-	}
-
-	hasher := sha1.New()
-
-	err = filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-		info, err := d.Info()
-		if err != nil {
-			return err
-		}
-		_, _ = hasher.Write([]byte(d.Name()))
-		_, _ = hasher.Write([]byte(info.ModTime().String()))
-		_, _ = hasher.Write([]byte(strconv.FormatInt(info.Size(), 16)))
-		return nil
-	})
-	if err != nil {
-		return true, oldHash
-	}
-
-	newHash := hasher.Sum([]byte{})
-
-	if bytes.Compare(oldHash, newHash) != 0 {
-		return true, newHash
-	}
-
-	return needRegen, newHash
-}
-
 func main() {
-	if len(os.Args) < 4 {
-		log.Fatal("Insufficient number of arguments. Need: directory packageName filename")
+	if len(os.Args) != 3 {
+		fmt.Println("usage: ./generate-bindata {local-directory} {bindata-filename}")
+		os.Exit(1)
 	}
 
-	dir, packageName, filename := os.Args[1], os.Args[2], os.Args[3]
-	var useGlobalModTime bool
-	if len(os.Args) == 5 {
-		useGlobalModTime, _ = strconv.ParseBool(os.Args[4])
+	dir, filename := os.Args[1], os.Args[2]
+	fmt.Printf("generating bindata for %s to %s\n", dir, filename)
+	if err := assetfs.GenerateEmbedBindata(dir, filename); err != nil {
+		fmt.Printf("failed: %s\n", err.Error())
+		os.Exit(1)
 	}
-
-	update, newHash := needsUpdate(dir, filename)
-
-	if !update {
-		fmt.Printf("bindata for %s already up-to-date\n", packageName)
-		return
-	}
-
-	fmt.Printf("generating bindata for %s\n", packageName)
-	var fsTemplates http.FileSystem = http.Dir(dir)
-	err := vfsgen.Generate(fsTemplates, vfsgen.Options{
-		PackageName:      packageName,
-		BuildTags:        "bindata",
-		VariableName:     "Assets",
-		Filename:         filename,
-		UseGlobalModTime: useGlobalModTime,
-	})
-	if err != nil {
-		log.Fatalf("%v\n", err)
-	}
-	_ = os.WriteFile(filename+".hash", newHash, 0o666)
 }

build/generate-emoji.go

@@ -24,8 +24,8 @@ import (
 )
 
 const (
-	gemojiURL         = "https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json"
-	maxUnicodeVersion = 15
+	gemojiURL         = "https://raw.githubusercontent.com/rhysd/gemoji/537ff2d7e0496e9964824f7f73ec7ece88c9765a/db/emoji.json"
+	maxUnicodeVersion = 16
 )
 
 var flagOut = flag.String("o", "modules/emoji/emoji_data.go", "out")
@@ -149,8 +149,8 @@ func generate() ([]byte, error) {
 	}
 
 	// write a JSON file to use with tribute (write before adding skin tones since we can't support them there yet)
-	file, _ := json.Marshal(data)
-	_ = os.WriteFile("assets/emoji.json", file, 0o644)
+	file, _ := json.MarshalIndent(data, "", "  ")
+	_ = os.WriteFile("assets/emoji.json", append(file, '\n'), 0o644)
 
 	// Add skin tones to emoji that support it
 	var (

build/generate-go-licenses.go

@@ -8,99 +8,220 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/fs"
 	"os"
-	"path"
+	"os/exec"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
-
-	"code.gitea.io/gitea/modules/container"
 )
 
 // regexp is based on go-license, excluding README and NOTICE
 // https://github.com/google/go-licenses/blob/master/licenses/find.go
+// also defined in vite.config.ts
 var licenseRe = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING).*$`)
 
+// primaryLicenseRe matches exact primary license filenames without suffixes.
+// When a directory has both primary and variant files (e.g. LICENSE and
+// LICENSE.docs), only the primary files are kept.
+var primaryLicenseRe = regexp.MustCompile(`^(?i)(LICEN[SC]E|COPYING)$`)
+
+// ignoredNames are LicenseEntry.Name values to exclude from the output.
+var ignoredNames = map[string]bool{
+	"code.gitea.io/gitea":                 true,
+	"code.gitea.io/gitea/options/license": true,
+}
+
+var excludedExt = map[string]bool{
+	".gitignore": true,
+	".go":        true,
+	".mod":       true,
+	".sum":       true,
+	".toml":      true,
+	".yaml":      true,
+	".yml":       true,
+}
+
+type ModuleInfo struct {
+	Path    string
+	Dir     string
+	PkgDirs []string // directories of packages imported from this module
+}
+
 type LicenseEntry struct {
 	Name        string `json:"name"`
 	Path        string `json:"path"`
 	LicenseText string `json:"licenseText"`
 }
 
-func main() {
-	if len(os.Args) != 3 {
-		fmt.Println("usage: go run generate-go-licenses.go <base-dir> <out-json-file>")
+// getModules returns all dependency modules with their local directory paths
+// and the package directories used from each module.
+func getModules(goCmd string) []ModuleInfo {
+	cmd := exec.Command(goCmd, "list", "-deps", "-f",
+		"{{if .Module}}{{.Module.Path}}\t{{.Module.Dir}}\t{{.Dir}}{{end}}", "./...")
+	cmd.Stderr = os.Stderr
+	// Use GOOS=linux with CGO to ensure we capture all platform-specific
+	// dependencies, matching the CI environment.
+	cmd.Env = append(os.Environ(), "GOOS=linux", "GOARCH=amd64", "CGO_ENABLED=1")
+	output, err := cmd.Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to run 'go list -deps': %v\n", err)
 		os.Exit(1)
 	}
 
-	base, out := os.Args[1], os.Args[2]
-
-	// Add ext for excluded files because license_test.go will be included for some reason.
-	// And there are more files that should be excluded, check with:
-	//
-	// go run github.com/google/go-licenses@v1.6.0 save . --force --save_path=.go-licenses 2>/dev/null
-	// find .go-licenses -type f | while read FILE; do echo "${$(basename $FILE)##*.}"; done | sort -u
-	//    AUTHORS
-	//    COPYING
-	//    LICENSE
-	//    Makefile
-	//    NOTICE
-	//    gitignore
-	//    go
-	//    md
-	//    mod
-	//    sum
-	//    toml
-	//    txt
-	//    yml
-	//
-	// It could be removed once we have a better regex.
-	excludedExt := container.SetOf(".gitignore", ".go", ".mod", ".sum", ".toml", ".yml")
-
-	var paths []string
-	err := filepath.WalkDir(base, func(path string, entry fs.DirEntry, err error) error {
-		if err != nil {
-			return err
+	var modules []ModuleInfo
+	seen := make(map[string]int) // module path -> index in modules
+	for _, line := range strings.Split(string(output), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
 		}
-		if entry.IsDir() || !licenseRe.MatchString(entry.Name()) || excludedExt.Contains(filepath.Ext(entry.Name())) {
-			return nil
+		parts := strings.Split(line, "\t")
+		if len(parts) != 3 {
+			continue
 		}
-		paths = append(paths, path)
-		return nil
-	})
-	if err != nil {
-		panic(err)
+		modPath, modDir, pkgDir := parts[0], parts[1], parts[2]
+		if idx, ok := seen[modPath]; ok {
+			modules[idx].PkgDirs = append(modules[idx].PkgDirs, pkgDir)
+		} else {
+			seen[modPath] = len(modules)
+			modules = append(modules, ModuleInfo{
+				Path:    modPath,
+				Dir:     modDir,
+				PkgDirs: []string{pkgDir},
+			})
+		}
+	}
+	return modules
+}
+
+// findLicenseFiles scans a module's root directory and its used package
+// directories for license files. It also walks up from each package directory
+// to the module root, scanning intermediate directories. Subdirectory licenses
+// are only included if their text differs from the root license(s).
+func findLicenseFiles(mod ModuleInfo) []LicenseEntry {
+	var entries []LicenseEntry
+	seenTexts := make(map[string]bool)
+
+	// First, collect root-level license files.
+	entries = append(entries, scanDirForLicenses(mod.Dir, mod.Path, "")...)
+	for _, e := range entries {
+		seenTexts[e.LicenseText] = true
 	}
 
-	sort.Strings(paths)
+	// Then check each package directory and all intermediate parent directories
+	// up to the module root for license files with unique text.
+	seenDirs := map[string]bool{mod.Dir: true}
+	for _, pkgDir := range mod.PkgDirs {
+		for dir := pkgDir; dir != mod.Dir && strings.HasPrefix(dir, mod.Dir); dir = filepath.Dir(dir) {
+			if seenDirs[dir] {
+				continue
+			}
+			seenDirs[dir] = true
+			for _, e := range scanDirForLicenses(dir, mod.Path, mod.Dir) {
+				if !seenTexts[e.LicenseText] {
+					seenTexts[e.LicenseText] = true
+					entries = append(entries, e)
+				}
+			}
+		}
+	}
+	return entries
+}
+
+// scanDirForLicenses reads a single directory for license files and returns entries.
+// If moduleRoot is non-empty, paths are made relative to it.
+func scanDirForLicenses(dir, modulePath, moduleRoot string) []LicenseEntry {
+	dirEntries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil
+	}
 
 	var entries []LicenseEntry
-	for _, filePath := range paths {
-		licenseText, err := os.ReadFile(filePath)
-		if err != nil {
-			panic(err)
+	for _, entry := range dirEntries {
+		if entry.IsDir() {
+			continue
 		}
-
-		pkgPath := filepath.ToSlash(filePath)
-		pkgPath = strings.TrimPrefix(pkgPath, base+"/")
-		pkgName := path.Dir(pkgPath)
-
-		// There might be a bug somewhere in go-licenses that sometimes interprets the
-		// root package as "." and sometimes as "code.gitea.io/gitea". Workaround by
-		// removing both of them for the sake of stable output.
-		if pkgName == "." || pkgName == "code.gitea.io/gitea" {
+		name := entry.Name()
+		if !licenseRe.MatchString(name) {
+			continue
+		}
+		if excludedExt[strings.ToLower(filepath.Ext(name))] {
 			continue
 		}
 
+		content, err := os.ReadFile(filepath.Join(dir, name))
+		if err != nil {
+			continue
+		}
+
+		entryName := modulePath
+		entryPath := modulePath + "/" + name
+		if moduleRoot != "" {
+			rel, _ := filepath.Rel(moduleRoot, dir)
+			if rel != "." {
+				relSlash := filepath.ToSlash(rel)
+				entryName = modulePath + "/" + relSlash
+				entryPath = modulePath + "/" + relSlash + "/" + name
+			}
+		}
+
 		entries = append(entries, LicenseEntry{
-			Name:        pkgName,
-			Path:        pkgPath,
-			LicenseText: string(licenseText),
+			Name:        entryName,
+			Path:        entryPath,
+			LicenseText: string(content),
 		})
 	}
 
+	// When multiple license files exist, prefer primary files (e.g. LICENSE)
+	// over variants with suffixes (e.g. LICENSE.docs, LICENSE-2.0.txt).
+	// If no primary file exists, keep only the first variant.
+	if len(entries) > 1 {
+		var primary []LicenseEntry
+		for _, e := range entries {
+			fileName := e.Path[strings.LastIndex(e.Path, "/")+1:]
+			if primaryLicenseRe.MatchString(fileName) {
+				primary = append(primary, e)
+			}
+		}
+		if len(primary) > 0 {
+			return primary
+		}
+		return entries[:1]
+	}
+
+	return entries
+}
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Println("usage: go run generate-go-licenses.go <out-json-file>")
+		os.Exit(1)
+	}
+
+	out := os.Args[1]
+
+	goCmd := "go"
+	if env := os.Getenv("GO"); env != "" {
+		goCmd = env
+	}
+
+	modules := getModules(goCmd)
+
+	var entries []LicenseEntry
+	for _, mod := range modules {
+		entries = append(entries, findLicenseFiles(mod)...)
+	}
+
+	entries = slices.DeleteFunc(entries, func(e LicenseEntry) bool {
+		return ignoredNames[e.Name]
+	})
+
+	sort.Slice(entries, func(i, j int) bool {
+		return entries[i].Path < entries[j].Path
+	})
+
 	jsonBytes, err := json.MarshalIndent(entries, "", "  ")
 	if err != nil {
 		panic(err)

build/update-locales.sh

@@ -1,52 +1,22 @@
 #!/bin/sh
 
 # this script runs in alpine image which only has `sh` shell
-
-set +e
-if sed --version 2>/dev/null | grep -q GNU; then
-  SED_INPLACE="sed -i"
-else
-  SED_INPLACE="sed -i ''"
-fi
-set -e
-
-if [ ! -f ./options/locale/locale_en-US.ini ]; then
+if [ ! -f ./options/locale/locale_en-US.json ]; then
   echo "please run this script in the root directory of the project"
   exit 1
 fi
 
-mv ./options/locale/locale_en-US.ini ./options/
-
-# the "ini" library for locale has many quirks, its behavior is different from Crowdin.
-# see i18n_test.go for more details
-
-# this script helps to unquote the Crowdin outputs for the quirky ini library
-# * find all `key="...\"..."` lines
-# * remove the leading quote
-# * remove the trailing quote
-# * unescape the quotes
-# * eg: key="...\"..." => key=..."...
-$SED_INPLACE -r -e '/^[-.A-Za-z0-9_]+[ ]*=[ ]*".*"$/ {
-	s/^([-.A-Za-z0-9_]+)[ ]*=[ ]*"/\1=/
-	s/"$//
-	s/\\"/"/g
-	}' ./options/locale/*.ini
-
-# * if the escaped line is incomplete like `key="...` or `key=..."`, quote it with backticks
-# * eg: key="... => key=`"...`
-# * eg: key=..." => key=`..."`
-$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*(".*[^"])$/\1=`\2`/' ./options/locale/*.ini
-$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*([^"].*")$/\1=`\2`/' ./options/locale/*.ini
+mv ./options/locale/locale_en-US.json ./options/
 
 # Remove translation under 25% of en_us
-baselines=$(wc -l "./options/locale_en-US.ini" | cut -d" " -f1)
+baselines=$(cat "./options/locale_en-US.json" | wc -l)
 baselines=$((baselines / 4))
-for filename in ./options/locale/*.ini; do
-  lines=$(wc -l "$filename" | cut -d" " -f1)
-  if [ $lines -lt $baselines ]; then
+for filename in ./options/locale/*.json; do
+  lines=$(cat "$filename" | wc -l)
+  if [ "$lines" -lt "$baselines" ]; then
     echo "Removing $filename: $lines/$baselines"
     rm "$filename"
   fi
 done
 
-mv ./options/locale_en-US.ini ./options/locale/
+mv ./options/locale_en-US.json ./options/locale/

cmd/actions.go

@@ -4,25 +4,27 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	// CmdActions represents the available actions sub-commands.
-	CmdActions = &cli.Command{
+func newActionsCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "actions",
 		Usage: "Manage Gitea Actions",
-		Subcommands: []*cli.Command{
-			subcmdActionsGenRunnerToken,
+		Commands: []*cli.Command{
+			newActionsGenerateRunnerTokenCommand(),
 		},
 	}
+}
 
-	subcmdActionsGenRunnerToken = &cli.Command{
+func newActionsGenerateRunnerTokenCommand() *cli.Command {
+	return &cli.Command{
 		Name:    "generate-runner-token",
 		Usage:   "Generate a new token for a runner to use to register with the server",
 		Action:  runGenerateActionsRunnerToken,
@@ -36,12 +38,9 @@ var (
 			},
 		},
 	}
-)
-
-func runGenerateActionsRunnerToken(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
+}
 
+func runGenerateActionsRunnerToken(ctx context.Context, c *cli.Command) error {
 	setting.MustInstalled()
 
 	scope := c.String("scope")

cmd/admin.go

@@ -15,64 +15,71 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	repo_module "code.gitea.io/gitea/modules/repository"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	// CmdAdmin represents the available admin sub-command.
-	CmdAdmin = &cli.Command{
+func newAdminCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "admin",
 		Usage: "Perform common administrative operations",
-		Subcommands: []*cli.Command{
-			subcmdUser,
-			subcmdRepoSyncReleases,
-			subcmdRegenerate,
-			subcmdAuth,
-			subcmdSendMail,
+		Commands: []*cli.Command{
+			newUserCommand(),
+			newRepoSyncReleasesCommand(),
+			newRegenerateCommand(),
+			newAuthCommand(),
+			newSendMailCommand(),
 		},
 	}
+}
 
-	subcmdRepoSyncReleases = &cli.Command{
+func newRepoSyncReleasesCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
 		Action: runRepoSyncReleases,
 	}
+}
 
-	subcmdRegenerate = &cli.Command{
+func newRegenerateCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
-		Subcommands: []*cli.Command{
-			microcmdRegenHooks,
-			microcmdRegenKeys,
+		Commands: []*cli.Command{
+			newRegenerateHooksCommand(),
+			newRegenerateKeysCommand(),
 		},
 	}
+}
 
-	subcmdAuth = &cli.Command{
+func newAuthCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "auth",
 		Usage: "Modify external auth providers",
-		Subcommands: []*cli.Command{
-			microcmdAuthAddOauth,
-			microcmdAuthUpdateOauth,
-			microcmdAuthAddLdapBindDn,
-			microcmdAuthUpdateLdapBindDn,
-			microcmdAuthAddLdapSimpleAuth,
-			microcmdAuthUpdateLdapSimpleAuth,
-			microcmdAuthAddSMTP,
-			microcmdAuthUpdateSMTP,
-			microcmdAuthList,
-			microcmdAuthDelete,
+		Commands: []*cli.Command{
+			microcmdAuthAddOauth(),
+			microcmdAuthUpdateOauth(),
+			microcmdAuthAddLdapBindDn(),
+			microcmdAuthUpdateLdapBindDn(),
+			microcmdAuthAddLdapSimpleAuth(),
+			microcmdAuthUpdateLdapSimpleAuth(),
+			microcmdAuthAddSMTP(),
+			microcmdAuthUpdateSMTP(),
+			newAuthListCommand(),
+			newAuthDeleteCommand(),
 		},
 	}
+}
 
-	subcmdSendMail = &cli.Command{
+func newSendMailCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "sendmail",
 		Usage:  "Send a message to all users",
 		Action: runSendMail,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
-				Name:  "title",
-				Usage: `a title of a message`,
-				Value: "",
+				Name:     "title",
+				Usage:    "a title of a message",
+				Required: true,
 			},
 			&cli.StringFlag{
 				Name:  "content",
@@ -86,28 +93,27 @@ var (
 			},
 		},
 	}
+}
 
-	idFlag = &cli.Int64Flag{
+func idFlag() *cli.Int64Flag {
+	return &cli.Int64Flag{
 		Name:  "id",
 		Usage: "ID of authentication source",
 	}
-)
-
-func runRepoSyncReleases(_ *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
+}
 
+func runRepoSyncReleases(ctx context.Context, _ *cli.Command) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}
 
-	if err := git.InitSimple(ctx); err != nil {
+	if err := git.InitSimple(); err != nil {
 		return err
 	}
 
 	log.Trace("Synchronizing repository releases (this may take a while)")
 	for page := 1; ; page++ {
-		repos, count, err := repo_model.SearchRepositoryByName(ctx, &repo_model.SearchRepoOptions{
+		repos, count, err := repo_model.SearchRepositoryByName(ctx, repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
 				PageSize: repo_model.RepositoryListDefaultPageSize,
 				Page:     page,
@@ -122,7 +128,7 @@ func runRepoSyncReleases(_ *cli.Context) error {
 		}
 		log.Trace("Processing next %d repos of %d", len(repos), count)
 		for _, repo := range repos {
-			log.Trace("Synchronizing repo %s with path %s", repo.FullName(), repo.RepoPath())
+			log.Trace("Synchronizing repo %s with path %s", repo.FullName(), repo.RelativePath())
 			gitRepo, err := gitrepo.OpenRepository(ctx, repo)
 			if err != nil {
 				log.Warn("OpenRepository: %v", err)
@@ -135,7 +141,7 @@ func runRepoSyncReleases(_ *cli.Context) error {
 			}
 			log.Trace(" currentNumReleases is %d, running SyncReleasesWithTags", oldnum)
 
-			if err = repo_module.SyncReleasesWithTags(ctx, repo, gitRepo); err != nil {
+			if _, err = repo_module.SyncReleasesWithTags(ctx, repo, gitRepo); err != nil {
 				log.Warn(" SyncReleasesWithTags: %v", err)
 				gitRepo.Close()
 				continue
@@ -148,7 +154,7 @@ func runRepoSyncReleases(_ *cli.Context) error {
 				continue
 			}
 
-			log.Trace(" repo %s releases synchronized to tags: from %d to %d",
+			log.Trace("repo %s releases synchronized to tags: from %d to %d",
 				repo.FullName(), oldnum, count)
 			gitRepo.Close()
 		}

cmd/admin_auth.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -13,17 +14,20 @@ import (
 	"code.gitea.io/gitea/models/db"
 	auth_service "code.gitea.io/gitea/services/auth"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	microcmdAuthDelete = &cli.Command{
+func newAuthDeleteCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "delete",
 		Usage:  "Delete specific auth source",
-		Flags:  []cli.Flag{idFlag},
+		Flags:  []cli.Flag{idFlag()},
 		Action: runDeleteAuth,
 	}
-	microcmdAuthList = &cli.Command{
+}
+
+func newAuthListCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "list",
 		Usage:  "List auth sources",
 		Action: runListAuth,
@@ -54,12 +58,9 @@ var (
 			},
 		},
 	}
-)
-
-func runListAuth(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
+}
 
+func runListAuth(ctx context.Context, c *cli.Command) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}
@@ -90,14 +91,11 @@ func runListAuth(c *cli.Context) error {
 	return nil
 }
 
-func runDeleteAuth(c *cli.Context) error {
+func runDeleteAuth(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
 	if err := initDB(ctx); err != nil {
 		return err
 	}

cmd/admin_auth_ldap.go

@@ -12,7 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/auth/source/ldap"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 type (
@@ -24,8 +24,8 @@ type (
 	}
 )
 
-var (
-	commonLdapCLIFlags = []cli.Flag{
+func commonLdapCLIFlags() []cli.Flag {
+	return []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Usage: "Authentication name.",
@@ -94,6 +94,10 @@ var (
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+		&cli.BoolFlag{
+			Name:  "ssh-keys-are-verified",
+			Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
+		},
 		&cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
@@ -103,8 +107,10 @@ var (
 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
 		},
 	}
+}
 
-	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
+func ldapBindDnCLIFlags() []cli.Flag {
+	return append(commonLdapCLIFlags(),
 		&cli.StringFlag{
 			Name:  "bind-dn",
 			Usage: "The DN to bind to the LDAP server with when searching for the user.",
@@ -157,49 +163,59 @@ var (
 			Name:  "group-team-map-removal",
 			Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 		})
+}
 
-	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
+func ldapSimpleAuthCLIFlags() []cli.Flag {
+	return append(commonLdapCLIFlags(),
 		&cli.StringFlag{
 			Name:  "user-dn",
 			Usage: "The user's DN.",
 		})
+}
 
-	microcmdAuthAddLdapBindDn = &cli.Command{
+func microcmdAuthAddLdapBindDn() *cli.Command {
+	return &cli.Command{
 		Name:  "add-ldap",
 		Usage: "Add new LDAP (via Bind DN) authentication source",
-		Action: func(c *cli.Context) error {
-			return newAuthService().addLdapBindDn(c)
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().addLdapBindDn(ctx, cmd)
 		},
-		Flags: ldapBindDnCLIFlags,
+		Flags: ldapBindDnCLIFlags(),
 	}
+}
 
-	microcmdAuthUpdateLdapBindDn = &cli.Command{
+func microcmdAuthUpdateLdapBindDn() *cli.Command {
+	return &cli.Command{
 		Name:  "update-ldap",
 		Usage: "Update existing LDAP (via Bind DN) authentication source",
-		Action: func(c *cli.Context) error {
-			return newAuthService().updateLdapBindDn(c)
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().updateLdapBindDn(ctx, cmd)
 		},
-		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),
+		Flags: append([]cli.Flag{idFlag()}, ldapBindDnCLIFlags()...),
 	}
+}
 
-	microcmdAuthAddLdapSimpleAuth = &cli.Command{
+func microcmdAuthAddLdapSimpleAuth() *cli.Command {
+	return &cli.Command{
 		Name:  "add-ldap-simple",
 		Usage: "Add new LDAP (simple auth) authentication source",
-		Action: func(c *cli.Context) error {
-			return newAuthService().addLdapSimpleAuth(c)
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().addLdapSimpleAuth(ctx, cmd)
 		},
-		Flags: ldapSimpleAuthCLIFlags,
+		Flags: ldapSimpleAuthCLIFlags(),
 	}
+}
 
-	microcmdAuthUpdateLdapSimpleAuth = &cli.Command{
+func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
+	return &cli.Command{
 		Name:  "update-ldap-simple",
 		Usage: "Update existing LDAP (simple auth) authentication source",
-		Action: func(c *cli.Context) error {
-			return newAuthService().updateLdapSimpleAuth(c)
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().updateLdapSimpleAuth(ctx, cmd)
 		},
-		Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),
+		Flags: append([]cli.Flag{idFlag()}, ldapSimpleAuthCLIFlags()...),
 	}
-)
+}
 
 // newAuthService creates a service with default functions.
 func newAuthService() *authService {
@@ -212,7 +228,7 @@ func newAuthService() *authService {
 }
 
 // parseAuthSourceLdap assigns values on authSource according to command line flags.
-func parseAuthSourceLdap(c *cli.Context, authSource *auth.Source) {
+func parseAuthSourceLdap(c *cli.Command, authSource *auth.Source) {
 	if c.IsSet("name") {
 		authSource.Name = c.String("name")
 	}
@@ -232,7 +248,7 @@ func parseAuthSourceLdap(c *cli.Context, authSource *auth.Source) {
 }
 
 // parseLdapConfig assigns values on config according to command line flags.
-func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
+func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
 	if c.IsSet("name") {
 		config.Name = c.String("name")
 	}
@@ -245,7 +261,7 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("security-protocol") {
 		p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))
 		if !ok {
-			return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol"))
+			return fmt.Errorf("unknown security protocol name: %s", c.String("security-protocol"))
 		}
 		config.SecurityProtocol = p
 	}
@@ -282,6 +298,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("public-ssh-key-attribute") {
 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
 	}
+	if c.IsSet("ssh-keys-are-verified") {
+		config.SSHKeysAreVerified = c.Bool("ssh-keys-are-verified")
+	}
 	if c.IsSet("avatar-attribute") {
 		config.AttributeAvatar = c.String("avatar-attribute")
 	}
@@ -337,32 +356,27 @@ func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {
 
 // getAuthSource gets the login source by its id defined in the command line flags.
 // It returns an error if the id is not set, does not match any source or if the source is not of expected type.
-func (a *authService) getAuthSource(ctx context.Context, c *cli.Context, authType auth.Type) (*auth.Source, error) {
+func (a *authService) getAuthSource(ctx context.Context, c *cli.Command, authType auth.Type) (*auth.Source, error) {
 	if err := argsSet(c, "id"); err != nil {
 		return nil, err
 	}
-
 	authSource, err := a.getAuthSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return nil, err
 	}
 
 	if authSource.Type != authType {
-		return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String())
+		return nil, fmt.Errorf("invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String())
 	}
 
 	return authSource, nil
 }
 
 // addLdapBindDn adds a new LDAP via Bind DN authentication source.
-func (a *authService) addLdapBindDn(c *cli.Context) error {
+func (a *authService) addLdapBindDn(ctx context.Context, c *cli.Command) error {
 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
 		return err
 	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
 	if err := a.initDB(ctx); err != nil {
 		return err
 	}
@@ -384,10 +398,7 @@ func (a *authService) addLdapBindDn(c *cli.Context) error {
 }
 
 // updateLdapBindDn updates a new LDAP via Bind DN authentication source.
-func (a *authService) updateLdapBindDn(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func (a *authService) updateLdapBindDn(ctx context.Context, c *cli.Command) error {
 	if err := a.initDB(ctx); err != nil {
 		return err
 	}
@@ -406,14 +417,11 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error {
 }
 
 // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
-func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
+func (a *authService) addLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
 		return err
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
 	if err := a.initDB(ctx); err != nil {
 		return err
 	}
@@ -435,10 +443,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 }
 
 // updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
-func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func (a *authService) updateLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
 	if err := a.initDB(ctx); err != nil {
 		return err
 	}

cmd/admin_auth_ldap_test.go

@@ -8,17 +8,16 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/services/auth/source/ldap"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func TestAddLdapBindDn(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	osExiter := cli.OsExiter
-	defer func() { cli.OsExiter = osExiter }()
-	cli.OsExiter = func(code int) {}
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 
 	// Test cases
 	cases := []struct {
@@ -135,7 +134,7 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
 				"--email-attribute", "mail",
 			},
-			errMsg: "Unknown security protocol name: zzzzz",
+			errMsg: "unknown security protocol name: zzzzz",
 		},
 		// case 3
 		{
@@ -234,17 +233,18 @@ func TestAddLdapBindDn(t *testing.T) {
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
 				assert.FailNow(t, "getAuthSourceByID called", "case %d: should not call getAuthSourceByID", n)
-				return nil, nil
+				return nil, nil //nolint:nilnil // mock function covering improper behavior
 			},
 		}
 
 		// Create a copy of command to test
-		app := cli.NewApp()
-		app.Flags = microcmdAuthAddLdapBindDn.Flags
-		app.Action = service.addLdapBindDn
+		app := cli.Command{
+			Flags:  microcmdAuthAddLdapBindDn().Flags,
+			Action: service.addLdapBindDn,
+		}
 
 		// Run it
-		err := app.Run(c.args)
+		err := app.Run(t.Context(), c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@@ -256,9 +256,7 @@ func TestAddLdapBindDn(t *testing.T) {
 
 func TestAddLdapSimpleAuth(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	osExiter := cli.OsExiter
-	defer func() { cli.OsExiter = osExiter }()
-	cli.OsExiter = func(code int) {}
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 
 	// Test cases
 	cases := []struct {
@@ -348,12 +346,12 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 				"--name", "ldap (simple auth) source",
 				"--security-protocol", "zzzzz",
 				"--host", "ldap-server",
-				"--port", "123",
+				"--port", "1234",
 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 				"--email-attribute", "mail",
 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
 			},
-			errMsg: "Unknown security protocol name: zzzzz",
+			errMsg: "unknown security protocol name: zzzzz",
 		},
 		// case 3
 		{
@@ -465,17 +463,18 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
 				assert.FailNow(t, "getAuthSourceById called", "case %d: should not call getAuthSourceByID", n)
-				return nil, nil
+				return nil, nil //nolint:nilnil // mock function covering improper behavior
 			},
 		}
 
 		// Create a copy of command to test
-		app := cli.NewApp()
-		app.Flags = microcmdAuthAddLdapSimpleAuth.Flags
-		app.Action = service.addLdapSimpleAuth
+		app := &cli.Command{
+			Flags:  microcmdAuthAddLdapSimpleAuth().Flags,
+			Action: service.addLdapSimpleAuth,
+		}
 
 		// Run it
-		err := app.Run(c.args)
+		err := app.Run(t.Context(), c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@@ -487,9 +486,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 
 func TestUpdateLdapBindDn(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	osExiter := cli.OsExiter
-	defer func() { cli.OsExiter = osExiter }()
-	cli.OsExiter = func(code int) {}
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 
 	// Test cases
 	cases := []struct {
@@ -864,7 +861,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--id", "1",
 				"--security-protocol", "xxxxx",
 			},
-			errMsg: "Unknown security protocol name: xxxxx",
+			errMsg: "unknown security protocol name: xxxxx",
 		},
 		// case 22
 		{
@@ -883,7 +880,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				Type: auth.OAuth2,
 				Cfg:  &ldap.Source{},
 			},
-			errMsg: "Invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2",
+			errMsg: "invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2",
 		},
 		// case 24
 		{
@@ -947,12 +944,12 @@ func TestUpdateLdapBindDn(t *testing.T) {
 		}
 
 		// Create a copy of command to test
-		app := cli.NewApp()
-		app.Flags = microcmdAuthUpdateLdapBindDn.Flags
-		app.Action = service.updateLdapBindDn
-
+		app := cli.Command{
+			Flags:  microcmdAuthUpdateLdapBindDn().Flags,
+			Action: service.updateLdapBindDn,
+		}
 		// Run it
-		err := app.Run(c.args)
+		err := app.Run(t.Context(), c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
@@ -964,9 +961,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 
 func TestUpdateLdapSimpleAuth(t *testing.T) {
 	// Mock cli functions to do not exit on error
-	osExiter := cli.OsExiter
-	defer func() { cli.OsExiter = osExiter }()
-	cli.OsExiter = func(code int) {}
+	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
 
 	// Test cases
 	cases := []struct {
@@ -1257,7 +1252,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				"--id", "1",
 				"--security-protocol", "xxxxx",
 			},
-			errMsg: "Unknown security protocol name: xxxxx",
+			errMsg: "unknown security protocol name: xxxxx",
 		},
 		// case 18
 		{
@@ -1276,7 +1271,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				Type: auth.PAM,
 				Cfg:  &ldap.Source{},
 			},
-			errMsg: "Invalid authentication type. expected: LDAP (simple auth), actual: PAM",
+			errMsg: "invalid authentication type. expected: LDAP (simple auth), actual: PAM",
 		},
 		// case 20
 		{
@@ -1337,12 +1332,12 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 		}
 
 		// Create a copy of command to test
-		app := cli.NewApp()
-		app.Flags = microcmdAuthUpdateLdapSimpleAuth.Flags
-		app.Action = service.updateLdapSimpleAuth
-
+		app := cli.Command{
+			Flags:  microcmdAuthUpdateLdapSimpleAuth().Flags,
+			Action: service.updateLdapSimpleAuth,
+		}
 		// Run it
-		err := app.Run(c.args)
+		err := app.Run(t.Context(), c.args)
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {

cmd/admin_auth_oauth.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"net/url"
@@ -12,11 +13,11 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	oauthCLIFlags = []cli.Flag{
+func oauthCLIFlags() []cli.Flag {
+	return []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Value: "",
@@ -86,6 +87,14 @@ var (
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
+		&cli.StringFlag{
+			Name:  "ssh-public-key-claim-name",
+			Usage: "Claim name that provides SSH public keys",
+		},
+		&cli.StringFlag{
+			Name:  "full-name-claim-name",
+			Usage: "Claim name that provides user's full name",
+		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@@ -121,23 +130,34 @@ var (
 			Usage: "Activate automatic team membership removal depending on groups",
 		},
 	}
+}
 
-	microcmdAuthAddOauth = &cli.Command{
-		Name:   "add-oauth",
-		Usage:  "Add new Oauth authentication source",
-		Action: runAddOauth,
-		Flags:  oauthCLIFlags,
+func microcmdAuthAddOauth() *cli.Command {
+	return &cli.Command{
+		Name:  "add-oauth",
+		Usage: "Add new Oauth authentication source",
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().runAddOauth(ctx, cmd)
+		},
+		Flags: oauthCLIFlags(),
 	}
+}
 
-	microcmdAuthUpdateOauth = &cli.Command{
-		Name:   "update-oauth",
-		Usage:  "Update existing Oauth authentication source",
-		Action: runUpdateOauth,
-		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),
+func microcmdAuthUpdateOauth() *cli.Command {
+	return &cli.Command{
+		Name:  "update-oauth",
+		Usage: "Update existing Oauth authentication source",
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().runUpdateOauth(ctx, cmd)
+		},
+		Flags: append(oauthCLIFlags()[:1], append([]cli.Flag{&cli.Int64Flag{
+			Name:  "id",
+			Usage: "ID of authentication source",
+		}}, oauthCLIFlags()[1:]...)...),
 	}
-)
+}
 
-func parseOAuth2Config(c *cli.Context) *oauth2.Source {
+func parseOAuth2Config(c *cli.Command) *oauth2.Source {
 	var customURLMapping *oauth2.CustomURLMapping
 	if c.IsSet("use-custom-urls") {
 		customURLMapping = &oauth2.CustomURLMapping{
@@ -165,14 +185,13 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
+		SSHPublicKeyClaimName:         c.String("ssh-public-key-claim-name"),
+		FullNameClaimName:             c.String("full-name-claim-name"),
 	}
 }
 
-func runAddOauth(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
+func (a *authService) runAddOauth(ctx context.Context, c *cli.Command) error {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}
 
@@ -184,7 +203,7 @@ func runAddOauth(c *cli.Context) error {
 		}
 	}
 
-	return auth_model.CreateSource(ctx, &auth_model.Source{
+	return a.createAuthSource(ctx, &auth_model.Source{
 		Type:            auth_model.OAuth2,
 		Name:            c.String("name"),
 		IsActive:        true,
@@ -193,19 +212,16 @@ func runAddOauth(c *cli.Context) error {
 	})
 }
 
-func runUpdateOauth(c *cli.Context) error {
+func (a *authService) runUpdateOauth(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}
 
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
+	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return err
 	}
@@ -262,6 +278,12 @@ func runUpdateOauth(c *cli.Context) error {
 	if c.IsSet("group-team-map-removal") {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
+	if c.IsSet("ssh-public-key-claim-name") {
+		oAuth2Config.SSHPublicKeyClaimName = c.String("ssh-public-key-claim-name")
+	}
+	if c.IsSet("full-name-claim-name") {
+		oAuth2Config.FullNameClaimName = c.String("full-name-claim-name")
+	}
 
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}
@@ -296,5 +318,5 @@ func runUpdateOauth(c *cli.Context) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config
 	source.TwoFactorPolicy = util.Iif(c.Bool("skip-local-2fa"), "skip", "")
-	return auth_model.UpdateSource(ctx, source)
+	return a.updateAuthSource(ctx, source)
 }

cmd/admin_auth_oauth_test.go

@@ -0,0 +1,343 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli/v3"
+)
+
+func TestAddOauth(t *testing.T) {
+	testCases := []struct {
+		name   string
+		args   []string
+		source *auth_model.Source
+		errMsg string
+	}{
+		{
+			name: "valid config",
+			args: []string{
+				"--name", "test",
+				"--provider", "github",
+				"--key", "some_key",
+				"--secret", "some_secret",
+			},
+			source: &auth_model.Source{
+				Type:     auth_model.OAuth2,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Scopes:       []string{},
+					Provider:     "github",
+					ClientID:     "some_key",
+					ClientSecret: "some_secret",
+				},
+				TwoFactorPolicy: "",
+			},
+		},
+		{
+			name: "valid config with openid connect",
+			args: []string{
+				"--name", "test",
+				"--provider", "openidConnect",
+				"--key", "some_key",
+				"--secret", "some_secret",
+				"--auto-discover-url", "https://example.com",
+			},
+			source: &auth_model.Source{
+				Type:     auth_model.OAuth2,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Scopes:                        []string{},
+					Provider:                      "openidConnect",
+					ClientID:                      "some_key",
+					ClientSecret:                  "some_secret",
+					OpenIDConnectAutoDiscoveryURL: "https://example.com",
+				},
+				TwoFactorPolicy: "",
+			},
+		},
+		{
+			name: "valid config with options",
+			args: []string{
+				"--name", "test",
+				"--provider", "gitlab",
+				"--key", "some_key",
+				"--secret", "some_secret",
+				"--use-custom-urls", "true",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+				"--custom-tenant-id", "some_tenant",
+				"--icon-url", "https://example.com/icon",
+				"--scopes", "scope1,scope2",
+				"--skip-local-2fa", "true",
+				"--required-claim-name", "claim_name",
+				"--required-claim-value", "claim_value",
+				"--group-claim-name", "group_name",
+				"--admin-group", "admin",
+				"--restricted-group", "restricted",
+				"--group-team-map", `{"group1": [1,2]}`,
+				"--group-team-map-removal=true",
+				"--ssh-public-key-claim-name", "attr_ssh_pub_key",
+				"--full-name-claim-name", "attr_full_name",
+			},
+			source: &auth_model.Source{
+				Type:     auth_model.OAuth2,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:     "gitlab",
+					ClientID:     "some_key",
+					ClientSecret: "some_secret",
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						TokenURL:   "https://example.com/token",
+						AuthURL:    "https://example.com/auth",
+						ProfileURL: "https://example.com/profile",
+						EmailURL:   "https://example.com/email",
+						Tenant:     "some_tenant",
+					},
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "attr_ssh_pub_key",
+					FullNameClaimName:     "attr_full_name",
+				},
+				TwoFactorPolicy: "skip",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var createdSource *auth_model.Source
+			a := &authService{
+				initDB: func(ctx context.Context) error {
+					return nil
+				},
+				createAuthSource: func(ctx context.Context, source *auth_model.Source) error {
+					createdSource = source
+					return nil
+				},
+			}
+
+			app := &cli.Command{
+				Flags:  microcmdAuthAddOauth().Flags,
+				Action: a.runAddOauth,
+			}
+
+			args := []string{"oauth-test"}
+			args = append(args, tc.args...)
+
+			err := app.Run(t.Context(), args)
+
+			if tc.errMsg != "" {
+				assert.EqualError(t, err, tc.errMsg)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tc.source, createdSource)
+			}
+		})
+	}
+}
+
+func TestUpdateOauth(t *testing.T) {
+	testCases := []struct {
+		name               string
+		args               []string
+		id                 int64
+		existingAuthSource *auth_model.Source
+		authSource         *auth_model.Source
+		errMsg             string
+	}{
+		{
+			name: "missing id",
+			args: []string{
+				"--name", "test",
+			},
+			errMsg: "--id flag is missing",
+		},
+		{
+			name: "valid config",
+			id:   1,
+			existingAuthSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.OAuth2,
+				Name:     "old name",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:     "github",
+					ClientID:     "old_key",
+					ClientSecret: "old_secret",
+				},
+				TwoFactorPolicy: "",
+			},
+			args: []string{
+				"--id", "1",
+				"--name", "test",
+				"--provider", "gitlab",
+				"--key", "new_key",
+				"--secret", "new_secret",
+			},
+			authSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.OAuth2,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:         "gitlab",
+					ClientID:         "new_key",
+					ClientSecret:     "new_secret",
+					CustomURLMapping: &oauth2.CustomURLMapping{},
+				},
+				TwoFactorPolicy: "",
+			},
+		},
+		{
+			name: "valid config with options",
+			id:   1,
+			existingAuthSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.OAuth2,
+				Name:     "old name",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:     "gitlab",
+					ClientID:     "old_key",
+					ClientSecret: "old_secret",
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						TokenURL:   "https://old.example.com/token",
+						AuthURL:    "https://old.example.com/auth",
+						ProfileURL: "https://old.example.com/profile",
+						EmailURL:   "https://old.example.com/email",
+						Tenant:     "old_tenant",
+					},
+					IconURL:               "https://old.example.com/icon",
+					Scopes:                []string{"old_scope1", "old_scope2"},
+					RequiredClaimName:     "old_claim_name",
+					RequiredClaimValue:    "old_claim_value",
+					GroupClaimName:        "old_group_name",
+					AdminGroup:            "old_admin",
+					RestrictedGroup:       "old_restricted",
+					GroupTeamMap:          `{"old_group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "old_ssh_pub_key",
+					FullNameClaimName:     "old_full_name",
+				},
+				TwoFactorPolicy: "",
+			},
+			args: []string{
+				"--id", "1",
+				"--name", "test",
+				"--provider", "github",
+				"--key", "new_key",
+				"--secret", "new_secret",
+				"--use-custom-urls", "true",
+				"--custom-token-url", "https://example.com/token",
+				"--custom-auth-url", "https://example.com/auth",
+				"--custom-profile-url", "https://example.com/profile",
+				"--custom-email-url", "https://example.com/email",
+				"--custom-tenant-id", "new_tenant",
+				"--icon-url", "https://example.com/icon",
+				"--scopes", "scope1,scope2",
+				"--skip-local-2fa=true",
+				"--required-claim-name", "claim_name",
+				"--required-claim-value", "claim_value",
+				"--group-claim-name", "group_name",
+				"--admin-group", "admin",
+				"--restricted-group", "restricted",
+				"--group-team-map", `{"group1": [1,2]}`,
+				"--group-team-map-removal=false",
+				"--ssh-public-key-claim-name", "new_ssh_pub_key",
+				"--full-name-claim-name", "new_full_name",
+			},
+			authSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.OAuth2,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &oauth2.Source{
+					Provider:     "github",
+					ClientID:     "new_key",
+					ClientSecret: "new_secret",
+					CustomURLMapping: &oauth2.CustomURLMapping{
+						TokenURL:   "https://example.com/token",
+						AuthURL:    "https://example.com/auth",
+						ProfileURL: "https://example.com/profile",
+						EmailURL:   "https://example.com/email",
+						Tenant:     "new_tenant",
+					},
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   false,
+					SSHPublicKeyClaimName: "new_ssh_pub_key",
+					FullNameClaimName:     "new_full_name",
+				},
+				TwoFactorPolicy: "skip",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			a := &authService{
+				initDB: func(ctx context.Context) error {
+					return nil
+				},
+				getAuthSourceByID: func(ctx context.Context, id int64) (*auth_model.Source, error) {
+					return &auth_model.Source{
+						ID:       1,
+						Type:     auth_model.OAuth2,
+						Name:     "test",
+						IsActive: true,
+						Cfg: &oauth2.Source{
+							CustomURLMapping: &oauth2.CustomURLMapping{},
+						},
+						TwoFactorPolicy: "skip",
+					}, nil
+				},
+				updateAuthSource: func(ctx context.Context, source *auth_model.Source) error {
+					assert.Equal(t, tc.authSource, source)
+					return nil
+				},
+			}
+
+			app := &cli.Command{
+				Flags:  microcmdAuthUpdateOauth().Flags,
+				Action: a.runUpdateOauth,
+			}
+
+			args := []string{"oauth-test"}
+			args = append(args, tc.args...)
+
+			err := app.Run(t.Context(), args)
+
+			if tc.errMsg != "" {
+				assert.EqualError(t, err, tc.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

cmd/admin_auth_smtp.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"strings"
 
@@ -11,11 +12,11 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/auth/source/smtp"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	smtpCLIFlags = []cli.Flag{
+func smtpCLIFlags() []cli.Flag {
+	return []cli.Flag{
 		&cli.StringFlag{
 			Name:  "name",
 			Value: "",
@@ -38,12 +39,10 @@ var (
 		&cli.BoolFlag{
 			Name:  "force-smtps",
 			Usage: "SMTPS is always used on port 465. Set this to force SMTPS on other ports.",
-			Value: true,
 		},
 		&cli.BoolFlag{
 			Name:  "skip-verify",
 			Usage: "Skip TLS verify.",
-			Value: true,
 		},
 		&cli.StringFlag{
 			Name:  "helo-hostname",
@@ -53,7 +52,6 @@ var (
 		&cli.BoolFlag{
 			Name:  "disable-helo",
 			Usage: "Disable SMTP helo.",
-			Value: true,
 		},
 		&cli.StringFlag{
 			Name:  "allowed-domains",
@@ -63,7 +61,6 @@ var (
 		&cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Skip 2FA to log on.",
-			Value: true,
 		},
 		&cli.BoolFlag{
 			Name:  "active",
@@ -71,23 +68,34 @@ var (
 			Value: true,
 		},
 	}
+}
 
-	microcmdAuthAddSMTP = &cli.Command{
-		Name:   "add-smtp",
-		Usage:  "Add new SMTP authentication source",
-		Action: runAddSMTP,
-		Flags:  smtpCLIFlags,
+func microcmdAuthUpdateSMTP() *cli.Command {
+	return &cli.Command{
+		Name:  "update-smtp",
+		Usage: "Update existing SMTP authentication source",
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().runUpdateSMTP(ctx, cmd)
+		},
+		Flags: append(smtpCLIFlags()[:1], append([]cli.Flag{&cli.Int64Flag{
+			Name:  "id",
+			Usage: "ID of authentication source",
+		}}, smtpCLIFlags()[1:]...)...),
 	}
+}
 
-	microcmdAuthUpdateSMTP = &cli.Command{
-		Name:   "update-smtp",
-		Usage:  "Update existing SMTP authentication source",
-		Action: runUpdateSMTP,
-		Flags:  append(smtpCLIFlags[:1], append([]cli.Flag{idFlag}, smtpCLIFlags[1:]...)...),
+func microcmdAuthAddSMTP() *cli.Command {
+	return &cli.Command{
+		Name:  "add-smtp",
+		Usage: "Add new SMTP authentication source",
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			return newAuthService().runAddSMTP(ctx, cmd)
+		},
+		Flags: smtpCLIFlags(),
 	}
-)
+}
 
-func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
+func parseSMTPConfig(c *cli.Command, conf *smtp.Source) error {
 	if c.IsSet("auth-type") {
 		conf.Auth = c.String("auth-type")
 		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
@@ -120,11 +128,8 @@ func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
 	return nil
 }
 
-func runAddSMTP(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
+func (a *authService) runAddSMTP(ctx context.Context, c *cli.Command) error {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}
 
@@ -152,7 +157,7 @@ func runAddSMTP(c *cli.Context) error {
 		smtpConfig.Auth = "PLAIN"
 	}
 
-	return auth_model.CreateSource(ctx, &auth_model.Source{
+	return a.createAuthSource(ctx, &auth_model.Source{
 		Type:            auth_model.SMTP,
 		Name:            c.String("name"),
 		IsActive:        active,
@@ -161,19 +166,16 @@ func runAddSMTP(c *cli.Context) error {
 	})
 }
 
-func runUpdateSMTP(c *cli.Context) error {
+func (a *authService) runUpdateSMTP(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
+	if err := a.initDB(ctx); err != nil {
 		return err
 	}
 
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
+	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return err
 	}
@@ -194,5 +196,5 @@ func runUpdateSMTP(c *cli.Context) error {
 
 	source.Cfg = smtpConfig
 	source.TwoFactorPolicy = util.Iif(c.Bool("skip-local-2fa"), "skip", "")
-	return auth_model.UpdateSource(ctx, source)
+	return a.updateAuthSource(ctx, source)
 }

cmd/admin_auth_smtp_test.go

@@ -0,0 +1,271 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/services/auth/source/smtp"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli/v3"
+)
+
+func TestAddSMTP(t *testing.T) {
+	testCases := []struct {
+		name   string
+		args   []string
+		source *auth_model.Source
+		errMsg string
+	}{
+		{
+			name: "missing name",
+			args: []string{
+				"--host", "localhost",
+				"--port", "25",
+			},
+			errMsg: "name must be set",
+		},
+		{
+			name: "missing host",
+			args: []string{
+				"--name", "test",
+				"--port", "25",
+			},
+			errMsg: "host must be set",
+		},
+		{
+			name: "missing port",
+			args: []string{
+				"--name", "test",
+				"--host", "localhost",
+			},
+			errMsg: "port must be set",
+		},
+		{
+			name: "valid config",
+			args: []string{
+				"--name", "test",
+				"--host", "localhost",
+				"--port", "25",
+			},
+			source: &auth_model.Source{
+				Type:     auth_model.SMTP,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &smtp.Source{
+					Auth: "PLAIN",
+					Host: "localhost",
+					Port: 25,
+				},
+				TwoFactorPolicy: "",
+			},
+		},
+		{
+			name: "valid config with options",
+			args: []string{
+				"--name", "test",
+				"--host", "localhost",
+				"--port", "25",
+				"--auth-type", "LOGIN",
+				"--force-smtps",
+				"--skip-verify",
+				"--helo-hostname", "example.com",
+				"--disable-helo=true",
+				"--allowed-domains", "example.com,example.org",
+				"--skip-local-2fa",
+				"--active=false",
+			},
+			source: &auth_model.Source{
+				Type:     auth_model.SMTP,
+				Name:     "test",
+				IsActive: false,
+				Cfg: &smtp.Source{
+					Auth:           "LOGIN",
+					Host:           "localhost",
+					Port:           25,
+					ForceSMTPS:     true,
+					SkipVerify:     true,
+					HeloHostname:   "example.com",
+					DisableHelo:    true,
+					AllowedDomains: "example.com,example.org",
+				},
+				TwoFactorPolicy: "skip",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			a := &authService{
+				initDB: func(ctx context.Context) error {
+					return nil
+				},
+				createAuthSource: func(ctx context.Context, source *auth_model.Source) error {
+					assert.Equal(t, tc.source, source)
+					return nil
+				},
+			}
+
+			cmd := &cli.Command{
+				Flags:  microcmdAuthAddSMTP().Flags,
+				Action: a.runAddSMTP,
+			}
+
+			args := []string{"smtp-test"}
+			args = append(args, tc.args...)
+
+			t.Log(args)
+			err := cmd.Run(t.Context(), args)
+
+			if tc.errMsg != "" {
+				assert.EqualError(t, err, tc.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestUpdateSMTP(t *testing.T) {
+	testCases := []struct {
+		name               string
+		args               []string
+		existingAuthSource *auth_model.Source
+		authSource         *auth_model.Source
+		errMsg             string
+	}{
+		{
+			name: "missing id",
+			args: []string{
+				"--name", "test",
+				"--host", "localhost",
+				"--port", "25",
+			},
+			errMsg: "--id flag is missing",
+		},
+		{
+			name: "valid config",
+			existingAuthSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.SMTP,
+				Name:     "old name",
+				IsActive: true,
+				Cfg: &smtp.Source{
+					Auth: "PLAIN",
+					Host: "old host",
+					Port: 26,
+				},
+			},
+			args: []string{
+				"--id", "1",
+				"--name", "test",
+				"--host", "localhost",
+				"--port", "25",
+			},
+			authSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.SMTP,
+				Name:     "test",
+				IsActive: true,
+				Cfg: &smtp.Source{
+					Auth: "PLAIN",
+					Host: "localhost",
+					Port: 25,
+				},
+			},
+		},
+		{
+			name: "valid config with options",
+			existingAuthSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.SMTP,
+				Name:     "old name",
+				IsActive: true,
+				Cfg: &smtp.Source{
+					Auth:           "PLAIN",
+					Host:           "old host",
+					Port:           26,
+					HeloHostname:   "old.example.com",
+					AllowedDomains: "old.example.com",
+				},
+				TwoFactorPolicy: "",
+			},
+			args: []string{
+				"--id", "1",
+				"--name", "test",
+				"--host", "localhost",
+				"--port", "25",
+				"--auth-type", "LOGIN",
+				"--force-smtps",
+				"--skip-verify",
+				"--helo-hostname", "example.com",
+				"--disable-helo",
+				"--allowed-domains", "example.com,example.org",
+				"--skip-local-2fa",
+				"--active=false",
+			},
+			authSource: &auth_model.Source{
+				ID:       1,
+				Type:     auth_model.SMTP,
+				Name:     "test",
+				IsActive: false,
+				Cfg: &smtp.Source{
+					Auth:           "LOGIN",
+					Host:           "localhost",
+					Port:           25,
+					ForceSMTPS:     true,
+					SkipVerify:     true,
+					HeloHostname:   "example.com",
+					DisableHelo:    true,
+					AllowedDomains: "example.com,example.org",
+				},
+				TwoFactorPolicy: "skip",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			a := &authService{
+				initDB: func(ctx context.Context) error {
+					return nil
+				},
+				getAuthSourceByID: func(ctx context.Context, id int64) (*auth_model.Source, error) {
+					return &auth_model.Source{
+						ID:       1,
+						Type:     auth_model.SMTP,
+						Name:     "test",
+						IsActive: true,
+						Cfg: &smtp.Source{
+							Auth: "PLAIN",
+						},
+					}, nil
+				},
+
+				updateAuthSource: func(ctx context.Context, source *auth_model.Source) error {
+					assert.Equal(t, tc.authSource, source)
+					return nil
+				},
+			}
+
+			app := &cli.Command{
+				Flags:  microcmdAuthUpdateSMTP().Flags,
+				Action: a.runUpdateSMTP,
+			}
+			args := []string{"smtp-tests"}
+			args = append(args, tc.args...)
+
+			err := app.Run(t.Context(), args)
+
+			if tc.errMsg != "" {
+				assert.EqualError(t, err, tc.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

cmd/admin_regenerate.go

@@ -4,41 +4,39 @@
 package cmd
 
 import (
+	"context"
+
 	"code.gitea.io/gitea/modules/graceful"
 	asymkey_service "code.gitea.io/gitea/services/asymkey"
 	repo_service "code.gitea.io/gitea/services/repository"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	microcmdRegenHooks = &cli.Command{
+func newRegenerateHooksCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "hooks",
 		Usage:  "Regenerate git-hooks",
 		Action: runRegenerateHooks,
 	}
+}
 
-	microcmdRegenKeys = &cli.Command{
+func newRegenerateKeysCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "keys",
 		Usage:  "Regenerate authorized_keys file",
 		Action: runRegenerateKeys,
 	}
-)
-
-func runRegenerateHooks(_ *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
+}
 
+func runRegenerateHooks(ctx context.Context, _ *cli.Command) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}
 	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }
 
-func runRegenerateKeys(_ *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runRegenerateKeys(ctx context.Context, _ *cli.Command) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}

cmd/admin_user.go

@@ -4,18 +4,20 @@
 package cmd
 
 import (
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var subcmdUser = &cli.Command{
-	Name:  "user",
-	Usage: "Modify users",
-	Subcommands: []*cli.Command{
-		microcmdUserCreate,
-		microcmdUserList,
-		microcmdUserChangePassword,
-		microcmdUserDelete,
-		microcmdUserGenerateAccessToken,
-		microcmdUserMustChangePassword,
-	},
+func newUserCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "user",
+		Usage: "Modify users",
+		Commands: []*cli.Command{
+			microcmdUserCreate(),
+			newUserListCommand(),
+			microcmdUserChangePassword(),
+			microcmdUserDelete(),
+			newUserGenerateAccessTokenCommand(),
+			microcmdUserMustChangePassword(),
+		},
+	}
 }

cmd/admin_user_change_password.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
@@ -13,44 +14,41 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	user_service "code.gitea.io/gitea/services/user"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserChangePassword = &cli.Command{
-	Name:   "change-password",
-	Usage:  "Change a user's password",
-	Action: runChangePassword,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Value:   "",
-			Usage:   "The user to change password for",
+func microcmdUserChangePassword() *cli.Command {
+	return &cli.Command{
+		Name:   "change-password",
+		Usage:  "Change a user's password",
+		Action: runChangePassword,
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:     "username",
+				Aliases:  []string{"u"},
+				Usage:    "The user to change password for",
+				Required: true,
+			},
+			&cli.StringFlag{
+				Name:     "password",
+				Aliases:  []string{"p"},
+				Usage:    "New password to set for user",
+				Required: true,
+			},
+			&cli.BoolFlag{
+				Name:  "must-change-password",
+				Usage: "User must change password (can be disabled by --must-change-password=false)",
+				Value: true,
+			},
 		},
-		&cli.StringFlag{
-			Name:    "password",
-			Aliases: []string{"p"},
-			Value:   "",
-			Usage:   "New password to set for user",
-		},
-		&cli.BoolFlag{
-			Name:  "must-change-password",
-			Usage: "User must change password (can be disabled by --must-change-password=false)",
-			Value: true,
-		},
-	},
+	}
 }
 
-func runChangePassword(c *cli.Context) error {
-	if err := argsSet(c, "username", "password"); err != nil {
-		return err
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
+func runChangePassword(ctx context.Context, c *cli.Command) error {
+	if !setting.IsInTesting {
+		if err := initDB(ctx); err != nil {
+			return err
+		}
 	}
 
 	user, err := user_model.GetUserByName(ctx, c.String("username"))

cmd/admin_user_change_password_test.go

@@ -0,0 +1,91 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestChangePasswordCommand(t *testing.T) {
+	ctx := t.Context()
+
+	defer func() {
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+	}()
+
+	t.Run("change password successfully", func(t *testing.T) {
+		// defer func() {
+		// 	require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+		// }()
+		// Prepare test user
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+		err := microcmdUserCreate().Run(ctx, []string{"create", "--username", "testuser", "--email", "testuser@gitea.local", "--random-password"})
+		require.NoError(t, err)
+
+		// load test user
+		userBase := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+
+		// Change the password
+		err = microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "newpassword"})
+		require.NoError(t, err)
+
+		// Verify the password has been changed
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+		assert.NotEqual(t, userBase.Passwd, user.Passwd)
+		assert.NotEqual(t, userBase.Salt, user.Salt)
+
+		// Additional check for must-change-password flag
+		require.NoError(t, microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "anotherpassword", "--must-change-password=false"}))
+		user = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+		assert.False(t, user.MustChangePassword)
+
+		require.NoError(t, microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "yetanotherpassword", "--must-change-password"}))
+		user = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+		assert.True(t, user.MustChangePassword)
+	})
+
+	t.Run("failure cases", func(t *testing.T) {
+		testCases := []struct {
+			name        string
+			args        []string
+			expectedErr string
+		}{
+			{
+				name:        "user does not exist",
+				args:        []string{"change-password", "--username", "nonexistentuser", "--password", "newpassword"},
+				expectedErr: "user does not exist",
+			},
+			{
+				name:        "missing username",
+				args:        []string{"change-password", "--password", "newpassword"},
+				expectedErr: `"username" not set`,
+			},
+			{
+				name:        "missing password",
+				args:        []string{"change-password", "--username", "testuser"},
+				expectedErr: `"password" not set`,
+			},
+			{
+				name:        "too short password",
+				args:        []string{"change-password", "--username", "testuser", "--password", "1"},
+				expectedErr: "password is not long enough",
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				err := microcmdUserChangePassword().Run(ctx, tc.args)
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedErr)
+			})
+		}
+	})
+}

cmd/admin_user_create.go

@@ -16,87 +16,95 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserCreate = &cli.Command{
-	Name:   "create",
-	Usage:  "Create a new user in database",
-	Action: runCreateUser,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Usage: "Username. DEPRECATED: use username instead",
+func microcmdUserCreate() *cli.Command {
+	return &cli.Command{
+		Name:   "create",
+		Usage:  "Create a new user in database",
+		Action: runCreateUser,
+		MutuallyExclusiveFlags: []cli.MutuallyExclusiveFlags{
+			{
+				Flags: [][]cli.Flag{
+					{
+						&cli.StringFlag{
+							Name:  "name",
+							Usage: "Username. DEPRECATED: use username instead",
+						},
+						&cli.StringFlag{
+							Name:  "username",
+							Usage: "Username",
+						},
+					},
+				},
+				Required: true,
+			},
 		},
-		&cli.StringFlag{
-			Name:  "username",
-			Usage: "Username",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:  "user-type",
+				Usage: "Set user's type: individual or bot",
+				Value: "individual",
+			},
+			&cli.StringFlag{
+				Name:  "password",
+				Usage: "User password",
+			},
+			&cli.StringFlag{
+				Name:     "email",
+				Usage:    "User email address",
+				Required: true,
+			},
+			&cli.BoolFlag{
+				Name:  "admin",
+				Usage: "User is an admin",
+			},
+			&cli.BoolFlag{
+				Name:  "random-password",
+				Usage: "Generate a random password for the user",
+			},
+			&cli.BoolFlag{
+				Name:        "must-change-password",
+				Usage:       "User must change password after initial login, defaults to true for all users except the first one (can be disabled by --must-change-password=false)",
+				HideDefault: true,
+			},
+			&cli.IntFlag{
+				Name:  "random-password-length",
+				Usage: "Length of the random password to be generated",
+				Value: 12,
+			},
+			&cli.BoolFlag{
+				Name:  "access-token",
+				Usage: "Generate access token for the user",
+			},
+			&cli.StringFlag{
+				Name:  "access-token-name",
+				Usage: `Name of the generated access token`,
+				Value: "gitea-admin",
+			},
+			&cli.StringFlag{
+				Name:  "access-token-scopes",
+				Usage: `Scopes of the generated access token, comma separated. Examples: "all", "public-only,read:issue", "write:repository,write:user"`,
+				Value: "all",
+			},
+			&cli.BoolFlag{
+				Name:  "restricted",
+				Usage: "Make a restricted user account",
+			},
+			&cli.StringFlag{
+				Name:  "fullname",
+				Usage: `The full, human-readable name of the user`,
+			},
 		},
-		&cli.StringFlag{
-			Name:  "user-type",
-			Usage: "Set user's type: individual or bot",
-			Value: "individual",
-		},
-		&cli.StringFlag{
-			Name:  "password",
-			Usage: "User password",
-		},
-		&cli.StringFlag{
-			Name:  "email",
-			Usage: "User email address",
-		},
-		&cli.BoolFlag{
-			Name:  "admin",
-			Usage: "User is an admin",
-		},
-		&cli.BoolFlag{
-			Name:  "random-password",
-			Usage: "Generate a random password for the user",
-		},
-		&cli.BoolFlag{
-			Name:               "must-change-password",
-			Usage:              "User must change password after initial login, defaults to true for all users except the first one (can be disabled by --must-change-password=false)",
-			DisableDefaultText: true,
-		},
-		&cli.IntFlag{
-			Name:  "random-password-length",
-			Usage: "Length of the random password to be generated",
-			Value: 12,
-		},
-		&cli.BoolFlag{
-			Name:  "access-token",
-			Usage: "Generate access token for the user",
-		},
-		&cli.StringFlag{
-			Name:  "access-token-name",
-			Usage: `Name of the generated access token`,
-			Value: "gitea-admin",
-		},
-		&cli.StringFlag{
-			Name:  "access-token-scopes",
-			Usage: `Scopes of the generated access token, comma separated. Examples: "all", "public-only,read:issue", "write:repository,write:user"`,
-			Value: "all",
-		},
-		&cli.BoolFlag{
-			Name:  "restricted",
-			Usage: "Make a restricted user account",
-		},
-		&cli.StringFlag{
-			Name:  "fullname",
-			Usage: `The full, human-readable name of the user`,
-		},
-	},
+	}
 }
 
-func runCreateUser(c *cli.Context) error {
+func runCreateUser(ctx context.Context, c *cli.Command) error {
 	// this command highly depends on the many setting options (create org, visibility, etc.), so it must have a full setting load first
 	// duplicate setting loading should be safe at the moment, but it should be refactored & improved in the future.
 	setting.LoadSettings()
 
-	if err := argsSet(c, "email"); err != nil {
-		return err
-	}
-
 	userTypes := map[string]user_model.UserType{
 		"individual": user_model.UserTypeIndividual,
 		"bot":        user_model.UserTypeBot,
@@ -113,12 +121,6 @@ func runCreateUser(c *cli.Context) error {
 			return errors.New("password can only be set for individual users")
 		}
 	}
-	if c.IsSet("name") && c.IsSet("username") {
-		return errors.New("cannot set both --name and --username flags")
-	}
-	if !c.IsSet("name") && !c.IsSet("username") {
-		return errors.New("one of --name or --username flags must be set")
-	}
 
 	if c.IsSet("password") && c.IsSet("random-password") {
 		return errors.New("cannot set both -random-password and -password flags")
@@ -129,16 +131,12 @@ func runCreateUser(c *cli.Context) error {
 		username = c.String("username")
 	} else {
 		username = c.String("name")
-		_, _ = fmt.Fprintf(c.App.ErrWriter, "--name flag is deprecated. Use --username instead.\n")
+		_, _ = fmt.Fprintf(c.ErrWriter, "--name flag is deprecated. Use --username instead.\n")
 	}
 
-	ctx := c.Context
 	if !setting.IsInTesting {
-		// FIXME: need to refactor the "installSignals/initDB" related code later
+		// FIXME: need to refactor the "initDB" related code later
 		// it doesn't make sense to call it in (almost) every command action function
-		var cancel context.CancelFunc
-		ctx, cancel = installSignals()
-		defer cancel()
 		if err := initDB(ctx); err != nil {
 			return err
 		}
@@ -153,6 +151,7 @@ func runCreateUser(c *cli.Context) error {
 		if err != nil {
 			return err
 		}
+		// codeql[disable-next-line=go/clear-text-logging]
 		fmt.Printf("generated random password is '%s'\n", password)
 	} else if userType == user_model.UserTypeIndividual {
 		return errors.New("must set either password or random-password flag")

cmd/admin_user_create_test.go

@@ -18,12 +18,10 @@ import (
 )
 
 func TestAdminUserCreate(t *testing.T) {
-	app := NewMainApp(AppVersion{})
-
 	reset := func() {
-		require.NoError(t, db.TruncateBeans(db.DefaultContext, &user_model.User{}))
-		require.NoError(t, db.TruncateBeans(db.DefaultContext, &user_model.EmailAddress{}))
-		require.NoError(t, db.TruncateBeans(db.DefaultContext, &auth_model.AccessToken{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.EmailAddress{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &auth_model.AccessToken{}))
 	}
 
 	t.Run("MustChangePassword", func(t *testing.T) {
@@ -31,8 +29,9 @@ func TestAdminUserCreate(t *testing.T) {
 			IsAdmin            bool
 			MustChangePassword bool
 		}
+
 		createCheck := func(name, args string) check {
-			require.NoError(t, app.Run(strings.Fields(fmt.Sprintf("./gitea admin user create --username %s --email %s@gitea.local %s --password foobar", name, name, args))))
+			require.NoError(t, microcmdUserCreate().Run(t.Context(), strings.Fields(fmt.Sprintf("create --username %s --email %s@gitea.local %s --password foobar", name, name, args))))
 			u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: name})
 			return check{IsAdmin: u.IsAdmin, MustChangePassword: u.MustChangePassword}
 		}
@@ -51,7 +50,7 @@ func TestAdminUserCreate(t *testing.T) {
 	})
 
 	createUser := func(name string, args ...string) error {
-		return app.Run(append([]string{"./gitea", "admin", "user", "create", "--username", name, "--email", name + "@gitea.local"}, args...))
+		return microcmdUserCreate().Run(t.Context(), append([]string{"create", "--username", name, "--email", name + "@gitea.local"}, args...))
 	}
 
 	t.Run("UserType", func(t *testing.T) {

cmd/admin_user_delete.go

@@ -4,53 +4,56 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"strings"
 
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
 	user_service "code.gitea.io/gitea/services/user"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserDelete = &cli.Command{
-	Name:  "delete",
-	Usage: "Delete specific user by id, name or email",
-	Flags: []cli.Flag{
-		&cli.Int64Flag{
-			Name:  "id",
-			Usage: "ID of user of the user to delete",
+func microcmdUserDelete() *cli.Command {
+	return &cli.Command{
+		Name:  "delete",
+		Usage: "Delete specific user by id, name or email",
+		Flags: []cli.Flag{
+			&cli.Int64Flag{
+				Name:  "id",
+				Usage: "ID of user of the user to delete",
+			},
+			&cli.StringFlag{
+				Name:    "username",
+				Aliases: []string{"u"},
+				Usage:   "Username of the user to delete",
+			},
+			&cli.StringFlag{
+				Name:    "email",
+				Aliases: []string{"e"},
+				Usage:   "Email of the user to delete",
+			},
+			&cli.BoolFlag{
+				Name:  "purge",
+				Usage: "Purge user, all their repositories, organizations and comments",
+			},
 		},
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Usage:   "Username of the user to delete",
-		},
-		&cli.StringFlag{
-			Name:    "email",
-			Aliases: []string{"e"},
-			Usage:   "Email of the user to delete",
-		},
-		&cli.BoolFlag{
-			Name:  "purge",
-			Usage: "Purge user, all their repositories, organizations and comments",
-		},
-	},
-	Action: runDeleteUser,
+		Action: runDeleteUser,
+	}
 }
 
-func runDeleteUser(c *cli.Context) error {
+func runDeleteUser(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
 		return errors.New("You must provide the id, username or email of a user to delete")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
+	if !setting.IsInTesting {
+		if err := initDB(ctx); err != nil {
+			return err
+		}
 	}
 
 	if err := storage.Init(); err != nil {
@@ -70,11 +73,11 @@ func runDeleteUser(c *cli.Context) error {
 		return err
 	}
 	if c.IsSet("username") && user.LowerName != strings.ToLower(strings.TrimSpace(c.String("username"))) {
-		return fmt.Errorf("The user %s who has email %s does not match the provided username %s", user.Name, c.String("email"), c.String("username"))
+		return fmt.Errorf("the user %s who has email %s does not match the provided username %s", user.Name, c.String("email"), c.String("username"))
 	}
 
 	if c.IsSet("id") && user.ID != c.Int64("id") {
-		return fmt.Errorf("The user %s does not match the provided id %d", user.Name, c.Int64("id"))
+		return fmt.Errorf("the user %s does not match the provided id %d", user.Name, c.Int64("id"))
 	}
 
 	return user_service.DeleteUser(ctx, user, c.Bool("purge"))

cmd/admin_user_delete_test.go

@@ -0,0 +1,111 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"strconv"
+	"strings"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestAdminUserDelete(t *testing.T) {
+	ctx := t.Context()
+	defer func() {
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.EmailAddress{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &auth_model.AccessToken{}))
+	}()
+
+	setupTestUser := func(t *testing.T) {
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+		err := microcmdUserCreate().Run(t.Context(), []string{"create", "--username", "testuser", "--email", "testuser@gitea.local", "--random-password"})
+		require.NoError(t, err)
+	}
+
+	t.Run("delete user by id", func(t *testing.T) {
+		setupTestUser(t)
+
+		u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+		err := microcmdUserDelete().Run(ctx, []string{"delete-test", "--id", strconv.FormatInt(u.ID, 10)})
+		require.NoError(t, err)
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+	})
+	t.Run("delete user by username", func(t *testing.T) {
+		setupTestUser(t)
+
+		err := microcmdUserDelete().Run(ctx, []string{"delete-test", "--username", "testuser"})
+		require.NoError(t, err)
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+	})
+	t.Run("delete user by email", func(t *testing.T) {
+		setupTestUser(t)
+
+		err := microcmdUserDelete().Run(ctx, []string{"delete-test", "--email", "testuser@gitea.local"})
+		require.NoError(t, err)
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+	})
+	t.Run("delete user by all 3 attributes", func(t *testing.T) {
+		setupTestUser(t)
+
+		u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+		err := microcmdUserDelete().Run(ctx, []string{"delete", "--id", strconv.FormatInt(u.ID, 10), "--username", "testuser", "--email", "testuser@gitea.local"})
+		require.NoError(t, err)
+		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+	})
+}
+
+func TestAdminUserDeleteFailure(t *testing.T) {
+	testCases := []struct {
+		name        string
+		args        []string
+		expectedErr string
+	}{
+		{
+			name:        "no user to delete",
+			args:        []string{"delete", "--username", "nonexistentuser"},
+			expectedErr: "user does not exist",
+		},
+		{
+			name:        "user exists but provided username does not match",
+			args:        []string{"delete", "--email", "testuser@gitea.local", "--username", "wrongusername"},
+			expectedErr: "the user testuser who has email testuser@gitea.local does not match the provided username wrongusername",
+		},
+		{
+			name:        "user exists but provided id does not match",
+			args:        []string{"delete", "--username", "testuser", "--id", "999"},
+			expectedErr: "the user testuser does not match the provided id 999",
+		},
+		{
+			name:        "no required flags are provided",
+			args:        []string{"delete"},
+			expectedErr: "You must provide the id, username or email of a user to delete",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := t.Context()
+			if strings.Contains(tc.name, "user exists") {
+				unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
+				err := microcmdUserCreate().Run(t.Context(), []string{"create", "--username", "testuser", "--email", "testuser@gitea.local", "--random-password"})
+				require.NoError(t, err)
+			}
+
+			err := microcmdUserDelete().Run(ctx, tc.args)
+			require.Error(t, err)
+			require.Contains(t, err.Error(), tc.expectedErr)
+		})
+
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.EmailAddress{}))
+		require.NoError(t, db.TruncateBeans(t.Context(), &auth_model.AccessToken{}))
+	}
+}

cmd/admin_user_generate_access_token.go

@@ -4,51 +4,51 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
 	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserGenerateAccessToken = &cli.Command{
-	Name:  "generate-access-token",
-	Usage: "Generate an access token for a specific user",
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Usage:   "Username",
+func newUserGenerateAccessTokenCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "generate-access-token",
+		Usage: "Generate an access token for a specific user",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:    "username",
+				Aliases: []string{"u"},
+				Usage:   "Username",
+			},
+			&cli.StringFlag{
+				Name:    "token-name",
+				Aliases: []string{"t"},
+				Usage:   "Token name",
+				Value:   "gitea-admin",
+			},
+			&cli.BoolFlag{
+				Name:  "raw",
+				Usage: "Display only the token value",
+			},
+			&cli.StringFlag{
+				Name:  "scopes",
+				Value: "all",
+				Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
+			},
 		},
-		&cli.StringFlag{
-			Name:    "token-name",
-			Aliases: []string{"t"},
-			Usage:   "Token name",
-			Value:   "gitea-admin",
-		},
-		&cli.BoolFlag{
-			Name:  "raw",
-			Usage: "Display only the token value",
-		},
-		&cli.StringFlag{
-			Name:  "scopes",
-			Value: "all",
-			Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
-		},
-	},
-	Action: runGenerateAccessToken,
+		Action: runGenerateAccessToken,
+	}
 }
 
-func runGenerateAccessToken(c *cli.Context) error {
+func runGenerateAccessToken(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("username") {
 		return errors.New("you must provide a username to generate a token for")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
 	if err := initDB(ctx); err != nil {
 		return err
 	}

cmd/admin_user_list.go

@@ -4,31 +4,31 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"text/tabwriter"
 
 	user_model "code.gitea.io/gitea/models/user"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserList = &cli.Command{
-	Name:   "list",
-	Usage:  "List users",
-	Action: runListUsers,
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "admin",
-			Usage: "List only admin users",
+func newUserListCommand() *cli.Command {
+	return &cli.Command{
+		Name:   "list",
+		Usage:  "List users",
+		Action: runListUsers,
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:  "admin",
+				Usage: "List only admin users",
+			},
 		},
-	},
+	}
 }
 
-func runListUsers(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runListUsers(ctx context.Context, c *cli.Command) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}

cmd/admin_user_must_change_password.go

@@ -4,40 +4,41 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var microcmdUserMustChangePassword = &cli.Command{
-	Name:   "must-change-password",
-	Usage:  "Set the must change password flag for the provided users or all users",
-	Action: runMustChangePassword,
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:    "all",
-			Aliases: []string{"A"},
-			Usage:   "All users must change password, except those explicitly excluded with --exclude",
+func microcmdUserMustChangePassword() *cli.Command {
+	return &cli.Command{
+		Name:   "must-change-password",
+		Usage:  "Set the must change password flag for the provided users or all users",
+		Action: runMustChangePassword,
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:    "all",
+				Aliases: []string{"A"},
+				Usage:   "All users must change password, except those explicitly excluded with --exclude",
+			},
+			&cli.StringSliceFlag{
+				Name:    "exclude",
+				Aliases: []string{"e"},
+				Usage:   "Do not change the must-change-password flag for these users",
+			},
+			&cli.BoolFlag{
+				Name:  "unset",
+				Usage: "Instead of setting the must-change-password flag, unset it",
+			},
 		},
-		&cli.StringSliceFlag{
-			Name:    "exclude",
-			Aliases: []string{"e"},
-			Usage:   "Do not change the must-change-password flag for these users",
-		},
-		&cli.BoolFlag{
-			Name:  "unset",
-			Usage: "Instead of setting the must-change-password flag, unset it",
-		},
-	},
+	}
 }
 
-func runMustChangePassword(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runMustChangePassword(ctx context.Context, c *cli.Command) error {
 	if c.NArg() == 0 && !c.IsSet("all") {
 		return errors.New("either usernames or --all must be provided")
 	}
@@ -46,8 +47,10 @@ func runMustChangePassword(c *cli.Context) error {
 	all := c.Bool("all")
 	exclude := c.StringSlice("exclude")
 
-	if err := initDB(ctx); err != nil {
-		return err
+	if !setting.IsInTesting {
+		if err := initDB(ctx); err != nil {
+			return err
+		}
 	}
 
 	n, err := user_model.SetMustChangePassword(ctx, all, mustChangePassword, c.Args().Slice(), exclude)
@@ -55,6 +58,7 @@ func runMustChangePassword(c *cli.Context) error {
 		return err
 	}
 
+	// codeql[disable-next-line=go/clear-text-logging]
 	fmt.Printf("Updated %d users setting MustChangePassword to %t\n", n, mustChangePassword)
 	return nil
 }

cmd/admin_user_must_change_password_test.go

@@ -0,0 +1,78 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMustChangePassword(t *testing.T) {
+	defer func() {
+		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
+	}()
+	err := microcmdUserCreate().Run(t.Context(), []string{"create", "--username", "testuser", "--email", "testuser@gitea.local", "--random-password"})
+	require.NoError(t, err)
+	err = microcmdUserCreate().Run(t.Context(), []string{"create", "--username", "testuserexclude", "--email", "testuserexclude@gitea.local", "--random-password"})
+	require.NoError(t, err)
+	// Reset password change flag
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--all", "--unset"})
+	require.NoError(t, err)
+
+	testUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.False(t, testUser.MustChangePassword)
+	testUserExclude := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.False(t, testUserExclude.MustChangePassword)
+
+	// Make all users change password
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--all"})
+	require.NoError(t, err)
+
+	testUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.True(t, testUser.MustChangePassword)
+	testUserExclude = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.True(t, testUserExclude.MustChangePassword)
+
+	// Reset password change flag but exclude all tested users
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--all", "--unset", "--exclude", "testuser,testuserexclude"})
+	require.NoError(t, err)
+
+	testUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.True(t, testUser.MustChangePassword)
+	testUserExclude = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.True(t, testUserExclude.MustChangePassword)
+
+	// Reset password change flag by listing multiple users
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--unset", "testuser", "testuserexclude"})
+	require.NoError(t, err)
+
+	testUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.False(t, testUser.MustChangePassword)
+	testUserExclude = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.False(t, testUserExclude.MustChangePassword)
+
+	// Exclude a user from all user
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--all", "--exclude", "testuserexclude"})
+	require.NoError(t, err)
+
+	testUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.True(t, testUser.MustChangePassword)
+	testUserExclude = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.False(t, testUserExclude.MustChangePassword)
+
+	// Unset a flag for single user
+	err = microcmdUserMustChangePassword().Run(t.Context(), []string{"change-test", "--unset", "testuser"})
+	require.NoError(t, err)
+
+	testUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
+	assert.False(t, testUser.MustChangePassword)
+	testUserExclude = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuserexclude"})
+	assert.False(t, testUserExclude.MustChangePassword)
+}

cmd/cert.go

@@ -6,6 +6,7 @@
 package cmd
 
 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -13,6 +14,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"fmt"
 	"log"
 	"math/big"
 	"net"
@@ -20,47 +22,59 @@ import (
 	"strings"
 	"time"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdCert represents the available cert sub-command.
-var CmdCert = &cli.Command{
-	Name:  "cert",
-	Usage: "Generate self-signed certificate",
-	Description: `Generate a self-signed X.509 certificate for a TLS server.
+// cmdCert represents the available cert sub-command.
+func cmdCert() *cli.Command {
+	return &cli.Command{
+		Name:  "cert",
+		Usage: "Generate self-signed certificate",
+		Description: `Generate a self-signed X.509 certificate for a TLS server.
 Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
-	Action: runCert,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:  "host",
-			Value: "",
-			Usage: "Comma-separated hostnames and IPs to generate a certificate for",
+		Action: runCert,
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:     "host",
+				Usage:    "Comma-separated hostnames and IPs to generate a certificate for",
+				Required: true,
+			},
+			&cli.StringFlag{
+				Name:  "ecdsa-curve",
+				Value: "",
+				Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",
+			},
+			&cli.IntFlag{
+				Name:  "rsa-bits",
+				Value: 3072,
+				Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
+			},
+			&cli.StringFlag{
+				Name:  "start-date",
+				Value: "",
+				Usage: "Creation date formatted as Jan 1 15:04:05 2011",
+			},
+			&cli.DurationFlag{
+				Name:  "duration",
+				Value: 365 * 24 * time.Hour,
+				Usage: "Duration that certificate is valid for",
+			},
+			&cli.BoolFlag{
+				Name:  "ca",
+				Usage: "whether this cert should be its own Certificate Authority",
+			},
+			&cli.StringFlag{
+				Name:  "out",
+				Value: "cert.pem",
+				Usage: "Path to the file where there certificate will be saved",
+			},
+			&cli.StringFlag{
+				Name:  "keyout",
+				Value: "key.pem",
+				Usage: "Path to the file where there certificate key will be saved",
+			},
 		},
-		&cli.StringFlag{
-			Name:  "ecdsa-curve",
-			Value: "",
-			Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",
-		},
-		&cli.IntFlag{
-			Name:  "rsa-bits",
-			Value: 3072,
-			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
-		},
-		&cli.StringFlag{
-			Name:  "start-date",
-			Value: "",
-			Usage: "Creation date formatted as Jan 1 15:04:05 2011",
-		},
-		&cli.DurationFlag{
-			Name:  "duration",
-			Value: 365 * 24 * time.Hour,
-			Usage: "Duration that certificate is valid for",
-		},
-		&cli.BoolFlag{
-			Name:  "ca",
-			Usage: "whether this cert should be its own Certificate Authority",
-		},
-	},
+	}
 }
 
 func publicKey(priv any) any {
@@ -89,11 +103,7 @@ func pemBlockForKey(priv any) *pem.Block {
 	}
 }
 
-func runCert(c *cli.Context) error {
-	if err := argsSet(c, "host"); err != nil {
-		return err
-	}
-
+func runCert(_ context.Context, c *cli.Command) error {
 	var priv any
 	var err error
 	switch c.String("ecdsa-curve") {
@@ -108,17 +118,17 @@ func runCert(c *cli.Context) error {
 	case "P521":
 		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
 	default:
-		log.Fatalf("Unrecognized elliptic curve: %q", c.String("ecdsa-curve"))
+		err = fmt.Errorf("unrecognized elliptic curve: %q", c.String("ecdsa-curve"))
 	}
 	if err != nil {
-		log.Fatalf("Failed to generate private key: %v", err)
+		return fmt.Errorf("failed to generate private key: %w", err)
 	}
 
 	var notBefore time.Time
 	if startDate := c.String("start-date"); startDate != "" {
 		notBefore, err = time.Parse("Jan 2 15:04:05 2006", startDate)
 		if err != nil {
-			log.Fatalf("Failed to parse creation date: %v", err)
+			return fmt.Errorf("failed to parse creation date %w", err)
 		}
 	} else {
 		notBefore = time.Now()
@@ -129,7 +139,7 @@ func runCert(c *cli.Context) error {
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
-		log.Fatalf("Failed to generate serial number: %v", err)
+		return fmt.Errorf("failed to generate serial number: %w", err)
 	}
 
 	template := x509.Certificate{
@@ -146,8 +156,8 @@ func runCert(c *cli.Context) error {
 		BasicConstraintsValid: true,
 	}
 
-	hosts := strings.Split(c.String("host"), ",")
-	for _, h := range hosts {
+	hosts := strings.SplitSeq(c.String("host"), ",")
+	for h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
@@ -162,35 +172,35 @@ func runCert(c *cli.Context) error {
 
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
 	if err != nil {
-		log.Fatalf("Failed to create certificate: %v", err)
+		return fmt.Errorf("failed to create certificate: %w", err)
 	}
 
-	certOut, err := os.Create("cert.pem")
+	certOut, err := os.Create(c.String("out"))
 	if err != nil {
-		log.Fatalf("Failed to open cert.pem for writing: %v", err)
+		return fmt.Errorf("failed to open %s for writing: %w", c.String("keyout"), err)
 	}
 	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	if err != nil {
-		log.Fatalf("Failed to encode certificate: %v", err)
+		return fmt.Errorf("failed to encode certificate: %w", err)
 	}
 	err = certOut.Close()
 	if err != nil {
-		log.Fatalf("Failed to write cert: %v", err)
+		return fmt.Errorf("failed to write cert: %w", err)
 	}
-	log.Println("Written cert.pem")
+	fmt.Fprintf(c.Writer, "Written cert to %s\n", c.String("out"))
 
-	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	keyOut, err := os.OpenFile(c.String("keyout"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
-		log.Fatalf("Failed to open key.pem for writing: %v", err)
+		return fmt.Errorf("failed to open %s for writing: %w", c.String("keyout"), err)
 	}
 	err = pem.Encode(keyOut, pemBlockForKey(priv))
 	if err != nil {
-		log.Fatalf("Failed to encode key: %v", err)
+		return fmt.Errorf("failed to encode key: %w", err)
 	}
 	err = keyOut.Close()
 	if err != nil {
-		log.Fatalf("Failed to write key: %v", err)
+		return fmt.Errorf("failed to write key: %w", err)
 	}
-	log.Println("Written key.pem")
+	fmt.Fprintf(c.Writer, "Written key to %s\n", c.String("keyout"))
 	return nil
 }

cmd/cert_test.go

@@ -0,0 +1,123 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCertCommand(t *testing.T) {
+	cases := []struct {
+		name string
+		args []string
+	}{
+		{
+			name: "RSA cert generation",
+			args: []string{
+				"cert-test",
+				"--host", "localhost",
+				"--rsa-bits", "2048",
+				"--duration", "1h",
+				"--start-date", "Jan 1 00:00:00 2024",
+			},
+		},
+		{
+			name: "ECDSA cert generation",
+			args: []string{
+				"cert-test",
+				"--host", "localhost",
+				"--ecdsa-curve", "P256",
+				"--duration", "1h",
+				"--start-date", "Jan 1 00:00:00 2024",
+			},
+		},
+		{
+			name: "mixed host, certificate authority",
+			args: []string{
+				"cert-test",
+				"--host", "localhost,127.0.0.1",
+				"--duration", "1h",
+				"--start-date", "Jan 1 00:00:00 2024",
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			app := cmdCert()
+			tempDir := t.TempDir()
+
+			certFile := filepath.Join(tempDir, "cert.pem")
+			keyFile := filepath.Join(tempDir, "key.pem")
+
+			err := app.Run(t.Context(), append(c.args, "--out", certFile, "--keyout", keyFile))
+			require.NoError(t, err)
+
+			assert.FileExists(t, certFile)
+			assert.FileExists(t, keyFile)
+		})
+	}
+}
+
+func TestCertCommandFailures(t *testing.T) {
+	cases := []struct {
+		name   string
+		args   []string
+		errMsg string
+	}{
+		{
+			name: "Start Date Parsing failure",
+			args: []string{
+				"cert-test",
+				"--host", "localhost",
+				"--start-date", "invalid-date",
+			},
+			errMsg: "parsing time",
+		},
+		{
+			name: "Unknown curve",
+			args: []string{
+				"cert-test",
+				"--host", "localhost",
+				"--ecdsa-curve", "invalid-curve",
+			},
+			errMsg: "unrecognized elliptic curve",
+		},
+		{
+			name: "Key generation failure",
+			args: []string{
+				"cert-test",
+				"--host", "localhost",
+				"--rsa-bits", "invalid-bits",
+			},
+		},
+		{
+			name: "Missing parameters",
+			args: []string{
+				"cert-test",
+			},
+			errMsg: `"host" not set`,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			app := cmdCert()
+			tempDir := t.TempDir()
+
+			certFile := filepath.Join(tempDir, "cert.pem")
+			keyFile := filepath.Join(tempDir, "key.pem")
+			err := app.Run(t.Context(), append(c.args, "--out", certFile, "--keyout", keyFile))
+			require.Error(t, err)
+			if c.errMsg != "" {
+				assert.ErrorContains(t, err, c.errMsg)
+			}
+			assert.NoFileExists(t, certFile)
+			assert.NoFileExists(t, keyFile)
+		})
+	}
+}

cmd/cmd.go

@@ -18,20 +18,19 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 // argsSet checks that all the required arguments are set. args is a list of
 // arguments that must be set in the passed Context.
-func argsSet(c *cli.Context, args ...string) error {
+func argsSet(c *cli.Command, args ...string) error {
 	for _, a := range args {
 		if !c.IsSet(a) {
 			return errors.New(a + " is not set")
 		}
 
-		if util.IsEmptyString(c.String(a)) {
+		if c.Value(a) == nil {
 			return errors.New(a + " is required")
 		}
 	}
@@ -109,7 +108,7 @@ func setupConsoleLogger(level log.Level, colorize bool, out io.Writer) {
 	log.GetManager().GetLogger(log.DEFAULT).ReplaceAllWriters(writer)
 }
 
-func globalBool(c *cli.Context, name string) bool {
+func globalBool(c *cli.Command, name string) bool {
 	for _, ctx := range c.Lineage() {
 		if ctx.Bool(name) {
 			return true
@@ -120,8 +119,14 @@ func globalBool(c *cli.Context, name string) bool {
 
 // PrepareConsoleLoggerLevel by default, use INFO level for console logger, but some sub-commands (for git/ssh protocol) shouldn't output any log to stdout.
 // Any log appears in git stdout pipe will break the git protocol, eg: client can't push and hangs forever.
-func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(*cli.Context) error {
-	return func(c *cli.Context) error {
+func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(context.Context, *cli.Command) (context.Context, error) {
+	return func(ctx context.Context, c *cli.Command) (context.Context, error) {
+		if setting.InstallLock {
+			// During config loading, there might also be logs (for example: deprecation warnings).
+			// It must make sure that console logger is set up before config is loaded.
+			log.Error("Config is loaded before console logger is setup, it will cause bugs. Please fix it.")
+			return nil, errors.New("console logger must be setup before config is loaded")
+		}
 		level := defaultLevel
 		if globalBool(c, "quiet") {
 			level = log.FATAL
@@ -130,6 +135,16 @@ func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(*cli.Context) error
 			level = log.TRACE
 		}
 		log.SetConsoleLogger(log.DEFAULT, "console-default", level)
-		return nil
+		return ctx, nil
 	}
 }
+
+func isValidDefaultSubCommand(cmd *cli.Command) (string, bool) {
+	// Dirty patch for urfave/cli's strange design.
+	// "./gitea bad-cmd" should not start the web server.
+	rootArgs := cmd.Root().Args().Slice()
+	if len(rootArgs) != 0 && rootArgs[0] != cmd.Name {
+		return rootArgs[0], false
+	}
+	return "", true
+}

cmd/cmd_test.go

@@ -0,0 +1,38 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli/v3"
+)
+
+func TestDefaultCommand(t *testing.T) {
+	test := func(t *testing.T, args []string, expectedRetName string, expectedRetValid bool) {
+		called := false
+		cmd := &cli.Command{
+			DefaultCommand: "test",
+			Commands: []*cli.Command{
+				{
+					Name: "test",
+					Action: func(ctx context.Context, command *cli.Command) error {
+						retName, retValid := isValidDefaultSubCommand(command)
+						assert.Equal(t, expectedRetName, retName)
+						assert.Equal(t, expectedRetValid, retValid)
+						called = true
+						return nil
+					},
+				},
+			},
+		}
+		assert.NoError(t, cmd.Run(t.Context(), args))
+		assert.True(t, called)
+	}
+	test(t, []string{"./gitea"}, "", true)
+	test(t, []string{"./gitea", "test"}, "", true)
+	test(t, []string{"./gitea", "other"}, "other", false)
+}

cmd/config.go

@@ -0,0 +1,156 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/urfave/cli/v3"
+)
+
+func cmdConfig() *cli.Command {
+	subcmdConfigEditIni := &cli.Command{
+		Name:  "edit-ini",
+		Usage: "Load an existing INI file, apply environment variables, keep specified keys, and output to a new INI file.",
+		Description: `
+Help users to edit the Gitea configuration INI file.
+
+# Keep Specified Keys
+
+If you need to re-create the configuration file with only a subset of keys,
+you can provide an INI template file for the kept keys and use the "--config-keep-keys" flag.
+For example, if a helm chart needs to reset the settings and only keep SECRET_KEY,
+it can use a template file (only keys take effect, values are ignored):
+
+  [security]
+  SECRET_KEY=
+
+$ ./gitea config edit-ini --config app-old.ini --config-keep-keys app-keys.ini --out app-new.ini
+
+# Map Environment Variables to INI Configuration
+
+Environment variables of the form "GITEA__section_name__KEY_NAME"
+will be mapped to the ini section "[section_name]" and the key
+"KEY_NAME" with the value as provided.
+
+Environment variables of the form "GITEA__section_name__KEY_NAME__FILE"
+will be mapped to the ini section "[section_name]" and the key
+"KEY_NAME" with the value loaded from the specified file.
+
+Environment variable keys can only contain characters "0-9A-Z_",
+if a section or key name contains dot ".", it needs to be escaped as _0x2E_.
+For example, to apply this config:
+
+	[git.config]
+	foo.bar=val
+
+$ export GITEA__git_0x2E_config__foo_0x2E_bar=val
+
+# Put All Together
+
+$ ./gitea config edit-ini --config app.ini --config-keep-keys app-keys.ini --apply-env {--in-place|--out app-new.ini}
+`,
+		Flags: []cli.Flag{
+			// "--config" flag is provided by global flags, and this flag is also used by "environment-to-ini" script wrapper
+			// "--in-place" is also used by "environment-to-ini" script wrapper for its old behavior: always overwrite the existing config file
+			&cli.BoolFlag{
+				Name:  "in-place",
+				Usage: "Output to the same config file as input. This flag will be ignored if --out is set.",
+			},
+			&cli.StringFlag{
+				Name:  "config-keep-keys",
+				Usage: "An INI template file containing keys for keeping. Only the keys defined in the INI template will be kept from old config. If not set, all keys will be kept.",
+			},
+			&cli.BoolFlag{
+				Name:  "apply-env",
+				Usage: "Apply all GITEA__* variables from the environment to the config.",
+			},
+			&cli.StringFlag{
+				Name:  "out",
+				Usage: "Destination config file to write to.",
+			},
+		},
+		Action: runConfigEditIni,
+	}
+
+	return &cli.Command{
+		Name:  "config",
+		Usage: "Manage Gitea configuration",
+		Commands: []*cli.Command{
+			subcmdConfigEditIni,
+		},
+	}
+}
+
+func runConfigEditIni(_ context.Context, c *cli.Command) error {
+	// the config system may change the environment variables, so get a copy first, to be used later
+	env := append([]string{}, os.Environ()...)
+
+	// don't use the guessed setting.CustomConf, instead, require the user to provide --config explicitly
+	if !c.IsSet("config") {
+		return errors.New("flag is required but not set: --config")
+	}
+	configFileIn := c.String("config")
+
+	cfgIn, err := setting.NewConfigProviderFromFile(configFileIn)
+	if err != nil {
+		return fmt.Errorf("failed to load config file %q: %v", configFileIn, err)
+	}
+
+	// determine output config file: use "--out" flag or use "--in-place" flag to overwrite input file
+	inPlace := c.Bool("in-place")
+	configFileOut := c.String("out")
+	if configFileOut == "" {
+		if !inPlace {
+			return errors.New("either --in-place or --out must be specified")
+		}
+		configFileOut = configFileIn // in-place edit
+	}
+
+	needWriteOut := configFileOut != configFileIn
+
+	cfgOut := cfgIn
+	configKeepKeys := c.String("config-keep-keys")
+	if configKeepKeys != "" {
+		needWriteOut = true
+		cfgOut, err = setting.NewConfigProviderFromFile(configKeepKeys)
+		if err != nil {
+			return fmt.Errorf("failed to load config-keep-keys template file %q: %v", configKeepKeys, err)
+		}
+
+		for _, secOut := range cfgOut.Sections() {
+			for _, keyOut := range secOut.Keys() {
+				secIn := cfgIn.Section(secOut.Name())
+				keyIn := setting.ConfigSectionKey(secIn, keyOut.Name())
+				if keyIn != nil {
+					keyOut.SetValue(keyIn.String())
+				} else {
+					secOut.DeleteKey(keyOut.Name())
+				}
+			}
+			if len(secOut.Keys()) == 0 {
+				cfgOut.DeleteSection(secOut.Name())
+			}
+		}
+	}
+
+	if c.Bool("apply-env") {
+		if setting.EnvironmentToConfig(cfgOut, env) {
+			needWriteOut = true
+		}
+	}
+
+	if needWriteOut {
+		err = cfgOut.SaveTo(configFileOut)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

cmd/config_test.go

@@ -0,0 +1,85 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestConfigEdit(t *testing.T) {
+	tmpDir := t.TempDir()
+	configOld := tmpDir + "/app-old.ini"
+	configTemplate := tmpDir + "/app-template.ini"
+	_ = os.WriteFile(configOld, []byte(`
+[sec]
+k1=v1
+k2=v2
+`), os.ModePerm)
+
+	_ = os.WriteFile(configTemplate, []byte(`
+[sec]
+k1=in-template
+
+[sec2]
+k3=v3
+`), os.ModePerm)
+
+	t.Setenv("GITEA__EnV__KeY", "val")
+
+	t.Run("OutputToNewWithEnv", func(t *testing.T) {
+		configNew := tmpDir + "/app-new.ini"
+		err := NewMainApp(AppVersion{}).Run(t.Context(), []string{
+			"./gitea", "--config", configOld,
+			"config", "edit-ini",
+			"--apply-env",
+			"--config-keep-keys", configTemplate,
+			"--out", configNew,
+		})
+		require.NoError(t, err)
+
+		// "k1" old value is kept because its key is in the template
+		// "k2" is removed because it isn't in the template
+		// "k3" isn't in new config because it isn't in the old config
+		// [env] is applied from environment variable
+		data, _ := os.ReadFile(configNew)
+		require.Equal(t, `[sec]
+k1 = v1
+
+[env]
+KeY = val
+`, string(data))
+	})
+
+	t.Run("OutputToExisting(environment-to-ini)", func(t *testing.T) {
+		// the legacy "environment-to-ini" (now a wrapper script) behavior:
+		// if no "--out", then "--in-place" must be used to overwrite the existing "--config" file
+		err := NewMainApp(AppVersion{}).Run(t.Context(), []string{
+			"./gitea", "config", "edit-ini",
+			"--apply-env",
+			"--config", configOld,
+		})
+		require.ErrorContains(t, err, "either --in-place or --out must be specified")
+
+		// simulate the "environment-to-ini" behavior with "--in-place"
+		err = NewMainApp(AppVersion{}).Run(t.Context(), []string{
+			"./gitea", "config", "edit-ini",
+			"--in-place",
+			"--apply-env",
+			"--config", configOld,
+		})
+		require.NoError(t, err)
+
+		data, _ := os.ReadFile(configOld)
+		require.Equal(t, `[sec]
+k1 = v1
+k2 = v2
+
+[env]
+KeY = val
+`, string(data))
+	})
+}

cmd/docs.go

@@ -4,42 +4,45 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strings"
 
-	"github.com/urfave/cli/v2"
+	cli_docs "github.com/urfave/cli-docs/v3"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdDocs represents the available docs sub-command.
-var CmdDocs = &cli.Command{
-	Name:        "docs",
-	Usage:       "Output CLI documentation",
-	Description: "A command to output Gitea's CLI documentation, optionally to a file.",
-	Action:      runDocs,
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "man",
-			Usage: "Output man pages instead",
+func newDocsCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "docs",
+		Usage:       "Output CLI documentation",
+		Description: "A command to output Gitea's CLI documentation, optionally to a file.",
+		Action:      runDocs,
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:  "man",
+				Usage: "Output man pages instead",
+			},
+			&cli.StringFlag{
+				Name:    "output",
+				Aliases: []string{"o"},
+				Usage:   "Path to output to instead of stdout (will overwrite if exists)",
+			},
 		},
-		&cli.StringFlag{
-			Name:    "output",
-			Aliases: []string{"o"},
-			Usage:   "Path to output to instead of stdout (will overwrite if exists)",
-		},
-	},
+	}
 }
 
-func runDocs(ctx *cli.Context) error {
-	docs, err := ctx.App.ToMarkdown()
-	if ctx.Bool("man") {
-		docs, err = ctx.App.ToMan()
+func runDocs(_ context.Context, cmd *cli.Command) error {
+	docs, err := cli_docs.ToMarkdown(cmd.Root())
+	if cmd.Bool("man") {
+		docs, err = cli_docs.ToMan(cmd.Root())
 	}
 	if err != nil {
 		return err
 	}
 
-	if !ctx.Bool("man") {
+	if !cmd.Bool("man") {
 		// Clean up markdown. The following bug was fixed in v2, but is present in v1.
 		// It affects markdown output (even though the issue is referring to man pages)
 		// https://github.com/urfave/cli/issues/1040
@@ -51,8 +54,8 @@ func runDocs(ctx *cli.Context) error {
 	}
 
 	out := os.Stdout
-	if ctx.String("output") != "" {
-		fi, err := os.Create(ctx.String("output"))
+	if cmd.String("output") != "" {
+		fi, err := os.Create(cmd.String("output"))
 		if err != nil {
 			return err
 		}

cmd/doctor.go

@@ -20,89 +20,90 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/services/doctor"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 	"xorm.io/xorm"
 )
 
-// CmdDoctor represents the available doctor sub-command.
-var CmdDoctor = &cli.Command{
-	Name:        "doctor",
-	Usage:       "Diagnose and optionally fix problems, convert or re-create database tables",
-	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-
-	Subcommands: []*cli.Command{
-		cmdDoctorCheck,
-		cmdRecreateTable,
-		cmdDoctorConvert,
-	},
+func newDoctorCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "doctor",
+		Usage:       "Diagnose and optionally fix problems, convert or re-create database tables",
+		Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
+		Commands: []*cli.Command{
+			newDoctorCheckCommand(),
+			newRecreateTableCommand(),
+			newDoctorConvertCommand(),
+		},
+	}
 }
 
-var cmdDoctorCheck = &cli.Command{
-	Name:        "check",
-	Usage:       "Diagnose and optionally fix problems",
-	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-	Action:      runDoctorCheck,
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "list",
-			Usage: "List the available checks",
+func newDoctorCheckCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "check",
+		Usage:       "Diagnose and optionally fix problems",
+		Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
+		Action:      runDoctorCheck,
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:  "list",
+				Usage: "List the available checks",
+			},
+			&cli.BoolFlag{
+				Name:  "default",
+				Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
+			},
+			&cli.StringSliceFlag{
+				Name:  "run",
+				Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
+			},
+			&cli.BoolFlag{
+				Name:  "all",
+				Usage: "Run all the available checks",
+			},
+			&cli.BoolFlag{
+				Name:  "fix",
+				Usage: "Automatically fix what we can",
+			},
+			&cli.StringFlag{
+				Name:  "log-file",
+				Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
+			},
+			&cli.BoolFlag{
+				Name:    "color",
+				Aliases: []string{"H"},
+				Usage:   "Use color for outputted information",
+			},
 		},
-		&cli.BoolFlag{
-			Name:  "default",
-			Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
-		},
-		&cli.StringSliceFlag{
-			Name:  "run",
-			Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
-		},
-		&cli.BoolFlag{
-			Name:  "all",
-			Usage: "Run all the available checks",
-		},
-		&cli.BoolFlag{
-			Name:  "fix",
-			Usage: "Automatically fix what we can",
-		},
-		&cli.StringFlag{
-			Name:  "log-file",
-			Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
-		},
-		&cli.BoolFlag{
-			Name:    "color",
-			Aliases: []string{"H"},
-			Usage:   "Use color for outputted information",
-		},
-	},
+	}
 }
 
-var cmdRecreateTable = &cli.Command{
-	Name:      "recreate-table",
-	Usage:     "Recreate tables from XORM definitions and copy the data.",
-	ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "debug",
-			Usage: "Print SQL commands sent",
+func newRecreateTableCommand() *cli.Command {
+	return &cli.Command{
+		Name:      "recreate-table",
+		Usage:     "Recreate tables from XORM definitions and copy the data.",
+		ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:  "debug",
+				Usage: "Print SQL commands sent",
+			},
 		},
-	},
-	Description: `The database definitions Gitea uses change across versions, sometimes changing default values and leaving old unused columns.
+		Description: `The database definitions Gitea uses change across versions, sometimes changing default values and leaving old unused columns.
 
 This command will cause Xorm to recreate tables, copying over the data and deleting the old table.
 
 You should back-up your database before doing this and ensure that your database is up-to-date first.`,
-	Action: runRecreateTable,
+		Action: runRecreateTable,
+	}
 }
 
-func runRecreateTable(ctx *cli.Context) error {
-	stdCtx, cancel := installSignals()
-	defer cancel()
-
+func runRecreateTable(ctx context.Context, cmd *cli.Command) error {
 	// Redirect the default golog to here
 	golog.SetFlags(0)
 	golog.SetPrefix("")
 	golog.SetOutput(log.LoggerToWriter(log.GetLogger(log.DEFAULT).Info))
 
-	debug := ctx.Bool("debug")
+	debug := cmd.Bool("debug")
 	setting.MustInstalled()
 	setting.LoadDBSetting()
 
@@ -113,15 +114,15 @@ func runRecreateTable(ctx *cli.Context) error {
 	}
 
 	setting.Database.LogSQL = debug
-	if err := db.InitEngine(stdCtx); err != nil {
+	if err := db.InitEngine(ctx); err != nil {
 		fmt.Println(err)
 		fmt.Println("Check if you are using the right config file. You can use a --config directive to specify one.")
 		return nil
 	}
 
-	args := ctx.Args()
-	names := make([]string, 0, ctx.NArg())
-	for i := 0; i < ctx.NArg(); i++ {
+	args := cmd.Args()
+	names := make([]string, 0, cmd.NArg())
+	for i := 0; i < cmd.NArg(); i++ {
 		names = append(names, args.Get(i))
 	}
 
@@ -131,7 +132,7 @@ func runRecreateTable(ctx *cli.Context) error {
 	}
 	recreateTables := migrate_base.RecreateTables(beans...)
 
-	return db.InitEngineWithMigration(stdCtx, func(ctx context.Context, x *xorm.Engine) error {
+	return db.InitEngineWithMigration(context.Background(), func(ctx context.Context, x *xorm.Engine) error {
 		if err := migrations.EnsureUpToDate(ctx, x); err != nil {
 			return err
 		}
@@ -139,11 +140,11 @@ func runRecreateTable(ctx *cli.Context) error {
 	})
 }
 
-func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
+func setupDoctorDefaultLogger(cmd *cli.Command, colorize bool) {
 	// Silence the default loggers
 	setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 
-	logFile := ctx.String("log-file")
+	logFile := cmd.String("log-file")
 	switch logFile {
 	case "":
 		return // if no doctor log-file is set, do not show any log from default logger
@@ -161,23 +162,20 @@ func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
 	}
 }
 
-func runDoctorCheck(ctx *cli.Context) error {
-	stdCtx, cancel := installSignals()
-	defer cancel()
-
+func runDoctorCheck(ctx context.Context, cmd *cli.Command) error {
 	colorize := log.CanColorStdout
-	if ctx.IsSet("color") {
-		colorize = ctx.Bool("color")
+	if cmd.IsSet("color") {
+		colorize = cmd.Bool("color")
 	}
 
-	setupDoctorDefaultLogger(ctx, colorize)
+	setupDoctorDefaultLogger(cmd, colorize)
 
 	// Finally redirect the default golang's log to here
 	golog.SetFlags(0)
 	golog.SetPrefix("")
 	golog.SetOutput(log.LoggerToWriter(log.GetLogger(log.DEFAULT).Info))
 
-	if ctx.IsSet("list") {
+	if cmd.IsSet("list") {
 		w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
 		_, _ = w.Write([]byte("Default\tName\tTitle\n"))
 		doctor.SortChecks(doctor.Checks)
@@ -195,12 +193,12 @@ func runDoctorCheck(ctx *cli.Context) error {
 	}
 
 	var checks []*doctor.Check
-	if ctx.Bool("all") {
+	if cmd.Bool("all") {
 		checks = make([]*doctor.Check, len(doctor.Checks))
 		copy(checks, doctor.Checks)
-	} else if ctx.IsSet("run") {
-		addDefault := ctx.Bool("default")
-		runNamesSet := container.SetOf(ctx.StringSlice("run")...)
+	} else if cmd.IsSet("run") {
+		addDefault := cmd.Bool("default")
+		runNamesSet := container.SetOf(cmd.StringSlice("run")...)
 		for _, check := range doctor.Checks {
 			if (addDefault && check.IsDefault) || runNamesSet.Contains(check.Name) {
 				checks = append(checks, check)
@@ -217,5 +215,5 @@ func runDoctorCheck(ctx *cli.Context) error {
 			}
 		}
 	}
-	return doctor.RunChecks(stdCtx, colorize, ctx.Bool("fix"), checks)
+	return doctor.RunChecks(ctx, colorize, cmd.Bool("fix"), checks)
 }

cmd/doctor_convert.go

@@ -4,28 +4,27 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// cmdDoctorConvert represents the available convert sub-command.
-var cmdDoctorConvert = &cli.Command{
-	Name:        "convert",
-	Usage:       "Convert the database",
-	Description: "A command to convert an existing MySQL database from utf8 to utf8mb4 or MSSQL database from varchar to nvarchar",
-	Action:      runDoctorConvert,
+func newDoctorConvertCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "convert",
+		Usage:       "Convert the database",
+		Description: "A command to convert an existing MySQL database from utf8 to utf8mb4 or MSSQL database from varchar to nvarchar",
+		Action:      runDoctorConvert,
+	}
 }
 
-func runDoctorConvert(ctx *cli.Context) error {
-	stdCtx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(stdCtx); err != nil {
+func runDoctorConvert(ctx context.Context, cmd *cli.Command) error {
+	if err := initDB(ctx); err != nil {
 		return err
 	}
 

cmd/doctor_test.go

@@ -11,7 +11,7 @@ import (
 	"code.gitea.io/gitea/services/doctor"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func TestDoctorRun(t *testing.T) {
@@ -22,12 +22,13 @@ func TestDoctorRun(t *testing.T) {
 
 		SkipDatabaseInitialization: true,
 	})
-	app := cli.NewApp()
-	app.Commands = []*cli.Command{cmdDoctorCheck}
-	err := app.Run([]string{"./gitea", "check", "--run", "test-check"})
+	app := &cli.Command{
+		Commands: []*cli.Command{newDoctorCheckCommand()},
+	}
+	err := app.Run(t.Context(), []string{"./gitea", "check", "--run", "test-check"})
 	assert.NoError(t, err)
-	err = app.Run([]string{"./gitea", "check", "--run", "no-such"})
+	err = app.Run(t.Context(), []string{"./gitea", "check", "--run", "no-such"})
 	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
-	err = app.Run([]string{"./gitea", "check", "--run", "test-check,no-such"})
+	err = app.Run(t.Context(), []string{"./gitea", "check", "--run", "test-check,no-such"})
 	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
 }

cmd/dump.go

@@ -5,6 +5,7 @@
 package cmd
 
 import (
+	"context"
 	"os"
 	"path"
 	"path/filepath"
@@ -19,99 +20,99 @@ import (
 	"code.gitea.io/gitea/modules/util"
 
 	"gitea.com/go-chi/session"
-	"github.com/mholt/archiver/v3"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdDump represents the available dump sub-command.
-var CmdDump = &cli.Command{
-	Name:        "dump",
-	Usage:       "Dump Gitea files and database",
-	Description: `Dump compresses all related files and database into zip file. It can be used for backup and capture Gitea server image to send to maintainer`,
-	Action:      runDump,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "file",
-			Aliases: []string{"f"},
-			Usage:   `Name of the dump file which will be created, default to "gitea-dump-{time}.zip". Supply '-' for stdout. See type for available types.`,
+func newDumpCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "dump",
+		Usage:       "Dump Gitea files and database",
+		Description: `Dump compresses all related files and database into zip file. It can be used for backup and capture Gitea server image to send to maintainer`,
+		Action:      runDump,
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:    "file",
+				Aliases: []string{"f"},
+				Usage:   `Name of the dump file which will be created, default to "gitea-dump-{time}.zip". Supply '-' for stdout. See type for available types.`,
+			},
+			&cli.BoolFlag{
+				Name:    "verbose",
+				Aliases: []string{"V"},
+				Usage:   "Show process details",
+			},
+			&cli.BoolFlag{
+				Name:    "quiet",
+				Aliases: []string{"q"},
+				Usage:   "Only display warnings and errors",
+			},
+			&cli.StringFlag{
+				Name:    "tempdir",
+				Aliases: []string{"t"},
+				Value:   os.TempDir(),
+				Usage:   "Temporary dir path",
+			},
+			&cli.StringFlag{
+				Name:    "database",
+				Aliases: []string{"d"},
+				Usage:   "Specify the database SQL syntax: sqlite3, mysql, mssql, postgres",
+			},
+			&cli.BoolFlag{
+				Name:    "skip-repository",
+				Aliases: []string{"R"},
+				Usage:   "Skip the repository dumping",
+			},
+			&cli.BoolFlag{
+				Name:    "skip-log",
+				Aliases: []string{"L"},
+				Usage:   "Skip the log dumping",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-custom-dir",
+				Usage: "Skip custom directory",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-lfs-data",
+				Usage: "Skip LFS data",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-attachment-data",
+				Usage: "Skip attachment data",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-package-data",
+				Usage: "Skip package data",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-index",
+				Usage: "Skip bleve index data",
+			},
+			&cli.BoolFlag{
+				Name:  "skip-db",
+				Usage: "Skip database",
+			},
+			&cli.StringFlag{
+				Name:  "type",
+				Usage: `Dump output format, default to "zip", supported types: ` + strings.Join(dump.SupportedOutputTypes, ", "),
+			},
 		},
-		&cli.BoolFlag{
-			Name:    "verbose",
-			Aliases: []string{"V"},
-			Usage:   "Show process details",
-		},
-		&cli.BoolFlag{
-			Name:    "quiet",
-			Aliases: []string{"q"},
-			Usage:   "Only display warnings and errors",
-		},
-		&cli.StringFlag{
-			Name:    "tempdir",
-			Aliases: []string{"t"},
-			Value:   os.TempDir(),
-			Usage:   "Temporary dir path",
-		},
-		&cli.StringFlag{
-			Name:    "database",
-			Aliases: []string{"d"},
-			Usage:   "Specify the database SQL syntax: sqlite3, mysql, mssql, postgres",
-		},
-		&cli.BoolFlag{
-			Name:    "skip-repository",
-			Aliases: []string{"R"},
-			Usage:   "Skip the repository dumping",
-		},
-		&cli.BoolFlag{
-			Name:    "skip-log",
-			Aliases: []string{"L"},
-			Usage:   "Skip the log dumping",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-custom-dir",
-			Usage: "Skip custom directory",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-lfs-data",
-			Usage: "Skip LFS data",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-attachment-data",
-			Usage: "Skip attachment data",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-package-data",
-			Usage: "Skip package data",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-index",
-			Usage: "Skip bleve index data",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-db",
-			Usage: "Skip database",
-		},
-		&cli.StringFlag{
-			Name:  "type",
-			Usage: `Dump output format, default to "zip", supported types: ` + strings.Join(dump.SupportedOutputTypes, ", "),
-		},
-	},
+	}
 }
 
 func fatal(format string, args ...any) {
 	log.Fatal(format, args...)
 }
 
-func runDump(ctx *cli.Context) error {
+func runDump(ctx context.Context, cmd *cli.Command) error {
 	setting.MustInstalled()
 
-	quite := ctx.Bool("quiet")
-	verbose := ctx.Bool("verbose")
+	quite := cmd.Bool("quiet")
+	verbose := cmd.Bool("verbose")
 	if verbose && quite {
 		fatal("Option --quiet and --verbose cannot both be set")
 	}
 
 	// outFileName is either "-" or a file name (will be made absolute)
-	outFileName, outType := dump.PrepareFileNameAndType(ctx.String("file"), ctx.String("type"))
+	outFileName, outType := dump.PrepareFileNameAndType(cmd.String("file"), cmd.String("type"))
 	if outType == "" {
 		fatal("Invalid output type")
 	}
@@ -136,10 +137,7 @@ func runDump(ctx *cli.Context) error {
 	setting.DisableLoggerInit()
 	setting.LoadSettings() // cannot access session settings otherwise
 
-	stdCtx, cancel := installSignals()
-	defer cancel()
-
-	err := db.InitEngine(stdCtx)
+	err := db.InitEngine(ctx)
 	if err != nil {
 		return err
 	}
@@ -148,24 +146,20 @@ func runDump(ctx *cli.Context) error {
 		return err
 	}
 
-	archiverGeneric, err := archiver.ByExtension("." + outType)
+	dumper, err := dump.NewDumper(ctx, outType, outFile)
 	if err != nil {
-		fatal("Unable to get archiver for extension: %v", err)
-	}
-
-	archiverWriter := archiverGeneric.(archiver.Writer)
-	if err := archiverWriter.Create(outFile); err != nil {
-		fatal("Creating archiver.Writer failed: %v", err)
-	}
-	defer archiverWriter.Close()
-
-	dumper := &dump.Dumper{
-		Writer:  archiverWriter,
-		Verbose: verbose,
+		fatal("Failed to create archive %q: %v", outFile, err)
+		return err
 	}
+	dumper.Verbose = verbose
 	dumper.GlobalExcludeAbsPath(outFileName)
+	defer func() {
+		if err := dumper.Close(); err != nil {
+			fatal("Failed to save archive %q: %v", outFileName, err)
+		}
+	}()
 
-	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
+	if cmd.IsSet("skip-repository") && cmd.Bool("skip-repository") {
 		log.Info("Skip dumping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
@@ -173,7 +167,7 @@ func runDump(ctx *cli.Context) error {
 			fatal("Failed to include repositories: %v", err)
 		}
 
-		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
+		if cmd.IsSet("skip-lfs-data") && cmd.Bool("skip-lfs-data") {
 			log.Info("Skip dumping LFS data")
 		} else if !setting.LFS.StartServer {
 			log.Info("LFS isn't enabled. Skip dumping LFS data")
@@ -182,18 +176,18 @@ func runDump(ctx *cli.Context) error {
 			if err != nil {
 				return err
 			}
-			return dumper.AddReader(object, info, path.Join("data", "lfs", objPath))
+			return dumper.AddFileByReader(object, info, path.Join("data", "lfs", objPath))
 		}); err != nil {
 			fatal("Failed to dump LFS objects: %v", err)
 		}
 	}
 
-	if ctx.Bool("skip-db") {
+	if cmd.Bool("skip-db") {
 		// Ensure that we don't dump the database file that may reside in setting.AppDataPath or elsewhere.
 		dumper.GlobalExcludeAbsPath(setting.Database.Path)
 		log.Info("Skipping database")
 	} else {
-		tmpDir := ctx.String("tempdir")
+		tmpDir := cmd.String("tempdir")
 		if _, err := os.Stat(tmpDir); os.IsNotExist(err) {
 			fatal("Path does not exist: %s", tmpDir)
 		}
@@ -209,7 +203,7 @@ func runDump(ctx *cli.Context) error {
 			}
 		}()
 
-		targetDBType := ctx.String("database")
+		targetDBType := cmd.String("database")
 		if len(targetDBType) > 0 && targetDBType != setting.Database.Type.String() {
 			log.Info("Dumping database %s => %s...", setting.Database.Type, targetDBType)
 		} else {
@@ -220,17 +214,17 @@ func runDump(ctx *cli.Context) error {
 			fatal("Failed to dump database: %v", err)
 		}
 
-		if err = dumper.AddFile("gitea-db.sql", dbDump.Name()); err != nil {
+		if err = dumper.AddFileByPath("gitea-db.sql", dbDump.Name()); err != nil {
 			fatal("Failed to include gitea-db.sql: %v", err)
 		}
 	}
 
 	log.Info("Adding custom configuration file from %s", setting.CustomConf)
-	if err = dumper.AddFile("app.ini", setting.CustomConf); err != nil {
+	if err = dumper.AddFileByPath("app.ini", setting.CustomConf); err != nil {
 		fatal("Failed to include specified app.ini: %v", err)
 	}
 
-	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
+	if cmd.IsSet("skip-custom-dir") && cmd.Bool("skip-custom-dir") {
 		log.Info("Skipping custom directory")
 	} else {
 		customDir, err := os.Stat(setting.CustomPath)
@@ -263,7 +257,7 @@ func runDump(ctx *cli.Context) error {
 			excludes = append(excludes, opts.ProviderConfig)
 		}
 
-		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+		if cmd.IsSet("skip-index") && cmd.Bool("skip-index") {
 			excludes = append(excludes, setting.Indexer.RepoPath)
 			excludes = append(excludes, setting.Indexer.IssuePath)
 		}
@@ -272,25 +266,26 @@ func runDump(ctx *cli.Context) error {
 		excludes = append(excludes, setting.LFS.Storage.Path)
 		excludes = append(excludes, setting.Attachment.Storage.Path)
 		excludes = append(excludes, setting.Packages.Storage.Path)
+		excludes = append(excludes, setting.RepoArchive.Storage.Path)
 		excludes = append(excludes, setting.Log.RootPath)
 		if err := dumper.AddRecursiveExclude("data", setting.AppDataPath, excludes); err != nil {
 			fatal("Failed to include data directory: %v", err)
 		}
 	}
 
-	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
+	if cmd.IsSet("skip-attachment-data") && cmd.Bool("skip-attachment-data") {
 		log.Info("Skip dumping attachment data")
 	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
 			return err
 		}
-		return dumper.AddReader(object, info, path.Join("data", "attachments", objPath))
+		return dumper.AddFileByReader(object, info, path.Join("data", "attachments", objPath))
 	}); err != nil {
 		fatal("Failed to dump attachments: %v", err)
 	}
 
-	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
+	if cmd.IsSet("skip-package-data") && cmd.Bool("skip-package-data") {
 		log.Info("Skip dumping package data")
 	} else if !setting.Packages.Enabled {
 		log.Info("Packages isn't enabled. Skip dumping package data")
@@ -299,7 +294,7 @@ func runDump(ctx *cli.Context) error {
 		if err != nil {
 			return err
 		}
-		return dumper.AddReader(object, info, path.Join("data", "packages", objPath))
+		return dumper.AddFileByReader(object, info, path.Join("data", "packages", objPath))
 	}); err != nil {
 		fatal("Failed to dump packages: %v", err)
 	}
@@ -307,7 +302,7 @@ func runDump(ctx *cli.Context) error {
 	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
 	// ensuring that it's clear the dump is skipped whether the directory's initialized
 	// yet or not.
-	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
+	if cmd.IsSet("skip-log") && cmd.Bool("skip-log") {
 		log.Info("Skip dumping log files")
 	} else {
 		isExist, err := util.IsExist(setting.Log.RootPath)
@@ -324,10 +319,6 @@ func runDump(ctx *cli.Context) error {
 	if outFileName == "-" {
 		log.Info("Finish dumping to stdout")
 	} else {
-		if err = archiverWriter.Close(); err != nil {
-			_ = os.Remove(outFileName)
-			fatal("Failed to save %q: %v", outFileName, err)
-		}
 		if err = os.Chmod(outFileName, 0o600); err != nil {
 			log.Info("Can't change file access permissions mask to 0600: %v", err)
 		}

cmd/dump_repo.go

@@ -19,76 +19,79 @@ import (
 	"code.gitea.io/gitea/services/convert"
 	"code.gitea.io/gitea/services/migrations"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdDumpRepository represents the available dump repository sub-command.
-var CmdDumpRepository = &cli.Command{
-	Name:        "dump-repo",
-	Usage:       "Dump the repository from git/github/gitea/gitlab",
-	Description: "This is a command for dumping the repository data.",
-	Action:      runDumpRepository,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:  "git_service",
-			Value: "",
-			Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
-		},
-		&cli.StringFlag{
-			Name:    "repo_dir",
-			Aliases: []string{"r"},
-			Value:   "./data",
-			Usage:   "Repository dir path to store the data",
-		},
-		&cli.StringFlag{
-			Name:  "clone_addr",
-			Value: "",
-			Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
-		},
-		&cli.StringFlag{
-			Name:  "auth_username",
-			Value: "",
-			Usage: "The username to visit the clone_addr",
-		},
-		&cli.StringFlag{
-			Name:  "auth_password",
-			Value: "",
-			Usage: "The password to visit the clone_addr",
-		},
-		&cli.StringFlag{
-			Name:  "auth_token",
-			Value: "",
-			Usage: "The personal token to visit the clone_addr",
-		},
-		&cli.StringFlag{
-			Name:  "owner_name",
-			Value: "",
-			Usage: "The data will be stored on a directory with owner name if not empty",
-		},
-		&cli.StringFlag{
-			Name:  "repo_name",
-			Value: "",
-			Usage: "The data will be stored on a directory with repository name if not empty",
-		},
-		&cli.StringFlag{
-			Name:  "units",
-			Value: "",
-			Usage: `Which items will be migrated, one or more units should be separated as comma.
+func newDumpRepositoryCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "dump-repo",
+		Usage:       "Dump the repository from git/github/gitea/gitlab",
+		Description: "This is a command for dumping the repository data.",
+		Action:      runDumpRepository,
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:  "git_service",
+				Value: "",
+				Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
+			},
+			&cli.StringFlag{
+				Name:    "repo_dir",
+				Aliases: []string{"r"},
+				Value:   "./data",
+				Usage:   "Repository dir path to store the data",
+			},
+			&cli.StringFlag{
+				Name:  "clone_addr",
+				Value: "",
+				Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
+			},
+			&cli.StringFlag{
+				Name:  "auth_username",
+				Value: "",
+				Usage: "The username to visit the clone_addr",
+			},
+			&cli.StringFlag{
+				Name:  "auth_password",
+				Value: "",
+				Usage: "The password to visit the clone_addr",
+			},
+			&cli.StringFlag{
+				Name:  "auth_token",
+				Value: "",
+				Usage: "The personal token to visit the clone_addr",
+			},
+			&cli.StringFlag{
+				Name:  "owner_name",
+				Value: "",
+				Usage: "The data will be stored on a directory with owner name if not empty",
+			},
+			&cli.StringFlag{
+				Name:  "repo_name",
+				Value: "",
+				Usage: "The data will be stored on a directory with repository name if not empty",
+			},
+			&cli.StringFlag{
+				Name:  "units",
+				Value: "",
+				Usage: `Which items will be migrated, one or more units should be separated as comma.
 wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
+			},
 		},
-	},
+	}
 }
 
-func runDumpRepository(ctx *cli.Context) error {
-	stdCtx, cancel := installSignals()
-	defer cancel()
+func runDumpRepository(ctx context.Context, cmd *cli.Command) error {
+	setupConsoleLogger(log.INFO, log.CanColorStderr, os.Stderr)
 
-	if err := initDB(stdCtx); err != nil {
+	setting.DisableLoggerInit()
+	setting.LoadSettings() // cannot access skip_tls_verify settings otherwise
+
+	if err := initDB(ctx); err != nil {
 		return err
 	}
 
 	// migrations.GiteaLocalUploader depends on git module
-	if err := git.InitSimple(context.Background()); err != nil {
+	if err := git.InitSimple(); err != nil {
 		return err
 	}
 
@@ -100,8 +103,8 @@ func runDumpRepository(ctx *cli.Context) error {
 
 	var (
 		serviceType structs.GitServiceType
-		cloneAddr   = ctx.String("clone_addr")
-		serviceStr  = ctx.String("git_service")
+		cloneAddr   = cmd.String("clone_addr")
+		serviceStr  = cmd.String("git_service")
 	)
 
 	if strings.HasPrefix(strings.ToLower(cloneAddr), "https://github.com/") {
@@ -119,13 +122,13 @@ func runDumpRepository(ctx *cli.Context) error {
 	opts := base.MigrateOptions{
 		GitServiceType: serviceType,
 		CloneAddr:      cloneAddr,
-		AuthUsername:   ctx.String("auth_username"),
-		AuthPassword:   ctx.String("auth_password"),
-		AuthToken:      ctx.String("auth_token"),
-		RepoName:       ctx.String("repo_name"),
+		AuthUsername:   cmd.String("auth_username"),
+		AuthPassword:   cmd.String("auth_password"),
+		AuthToken:      cmd.String("auth_token"),
+		RepoName:       cmd.String("repo_name"),
 	}
 
-	if len(ctx.String("units")) == 0 {
+	if len(cmd.String("units")) == 0 {
 		opts.Wiki = true
 		opts.Issues = true
 		opts.Milestones = true
@@ -135,8 +138,8 @@ func runDumpRepository(ctx *cli.Context) error {
 		opts.PullRequests = true
 		opts.ReleaseAssets = true
 	} else {
-		units := strings.Split(ctx.String("units"), ",")
-		for _, unit := range units {
+		units := strings.SplitSeq(cmd.String("units"), ",")
+		for unit := range units {
 			switch strings.ToLower(strings.TrimSpace(unit)) {
 			case "":
 				continue
@@ -164,7 +167,7 @@ func runDumpRepository(ctx *cli.Context) error {
 
 	// the repo_dir will be removed if error occurs in DumpRepository
 	// make sure the directory doesn't exist or is empty, prevent from deleting user files
-	repoDir := ctx.String("repo_dir")
+	repoDir := cmd.String("repo_dir")
 	if exists, err := util.IsExist(repoDir); err != nil {
 		return fmt.Errorf("unable to stat repo_dir %q: %w", repoDir, err)
 	} else if exists {
@@ -177,9 +180,9 @@ func runDumpRepository(ctx *cli.Context) error {
 	}
 
 	if err := migrations.DumpRepository(
-		context.Background(),
+		ctx,
 		repoDir,
-		ctx.String("owner_name"),
+		cmd.String("owner_name"),
 		opts,
 	); err != nil {
 		log.Fatal("Failed to dump repository: %v", err)

cmd/embedded.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -11,6 +12,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/assetfs"
+	"code.gitea.io/gitea/modules/glob"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/options"
 	"code.gitea.io/gitea/modules/public"
@@ -18,24 +20,26 @@ import (
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/util"
 
-	"github.com/gobwas/glob"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdEmbedded represents the available extract sub-command.
-var (
-	CmdEmbedded = &cli.Command{
+var matchedAssetFiles []assetFile
+
+func newEmbeddedCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "embedded",
 		Usage:       "Extract embedded resources",
 		Description: "A command for extracting embedded resources, like templates and images",
-		Subcommands: []*cli.Command{
-			subcmdList,
-			subcmdView,
-			subcmdExtract,
+		Commands: []*cli.Command{
+			newEmbeddedListCommand(),
+			newEmbeddedViewCommand(),
+			newEmbeddedExtractCommand(),
 		},
 	}
+}
 
-	subcmdList = &cli.Command{
+func newEmbeddedListCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "list",
 		Usage:  "List files matching the given pattern",
 		Action: runList,
@@ -47,8 +51,10 @@ var (
 			},
 		},
 	}
+}
 
-	subcmdView = &cli.Command{
+func newEmbeddedViewCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "view",
 		Usage:  "View a file matching the given pattern",
 		Action: runView,
@@ -60,8 +66,10 @@ var (
 			},
 		},
 	}
+}
 
-	subcmdExtract = &cli.Command{
+func newEmbeddedExtractCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "extract",
 		Usage:  "Extract resources",
 		Action: runExtract,
@@ -90,9 +98,7 @@ var (
 			},
 		},
 	}
-
-	matchedAssetFiles []assetFile
-)
+}
 
 type assetFile struct {
 	fs   *assetfs.LayeredFS
@@ -100,7 +106,7 @@ type assetFile struct {
 	path string
 }
 
-func initEmbeddedExtractor(c *cli.Context) error {
+func initEmbeddedExtractor(c *cli.Command) error {
 	setupConsoleLogger(log.ERROR, log.CanColorStderr, os.Stderr)
 
 	patterns, err := compileCollectPatterns(c.Args().Slice())
@@ -115,31 +121,31 @@ func initEmbeddedExtractor(c *cli.Context) error {
 	return nil
 }
 
-func runList(c *cli.Context) error {
+func runList(_ context.Context, c *cli.Command) error {
 	if err := runListDo(c); err != nil {
-		fmt.Fprintf(os.Stderr, "%v\n", err)
+		_, _ = fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }
 
-func runView(c *cli.Context) error {
+func runView(_ context.Context, c *cli.Command) error {
 	if err := runViewDo(c); err != nil {
-		fmt.Fprintf(os.Stderr, "%v\n", err)
+		_, _ = fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }
 
-func runExtract(c *cli.Context) error {
+func runExtract(_ context.Context, c *cli.Command) error {
 	if err := runExtractDo(c); err != nil {
-		fmt.Fprintf(os.Stderr, "%v\n", err)
+		_, _ = fmt.Fprintf(os.Stderr, "%v\n", err)
 		return err
 	}
 	return nil
 }
 
-func runListDo(c *cli.Context) error {
+func runListDo(c *cli.Command) error {
 	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}
@@ -151,7 +157,7 @@ func runListDo(c *cli.Context) error {
 	return nil
 }
 
-func runViewDo(c *cli.Context) error {
+func runViewDo(c *cli.Command) error {
 	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}
@@ -174,7 +180,7 @@ func runViewDo(c *cli.Context) error {
 	return nil
 }
 
-func runExtractDo(c *cli.Context) error {
+func runExtractDo(c *cli.Command) error {
 	if err := initEmbeddedExtractor(c); err != nil {
 		return err
 	}
@@ -216,7 +222,7 @@ func runExtractDo(c *cli.Context) error {
 	for _, a := range matchedAssetFiles {
 		if err := extractAsset(destdir, a, overwrite, rename); err != nil {
 			// Non-fatal error
-			fmt.Fprintf(os.Stderr, "%s: %v", a.path, err)
+			_, _ = fmt.Fprintf(os.Stderr, "%s: %v\n", a.path, err)
 		}
 	}
 
@@ -271,7 +277,7 @@ func extractAsset(d string, a assetFile, overwrite, rename bool) error {
 	return nil
 }
 
-func collectAssetFilesByPattern(c *cli.Context, globs []glob.Glob, path string, layer *assetfs.Layer) {
+func collectAssetFilesByPattern(c *cli.Command, globs []glob.Glob, path string, layer *assetfs.Layer) {
 	fs := assetfs.Layered(layer)
 	files, err := fs.ListAllFiles(".", true)
 	if err != nil {
@@ -294,16 +300,14 @@ func collectAssetFilesByPattern(c *cli.Context, globs []glob.Glob, path string,
 	}
 }
 
-func compileCollectPatterns(args []string) ([]glob.Glob, error) {
+func compileCollectPatterns(args []string) (_ []glob.Glob, err error) {
 	if len(args) == 0 {
 		args = []string{"**"}
 	}
 	pat := make([]glob.Glob, len(args))
 	for i := range args {
-		if g, err := glob.Compile(args[i], '/'); err != nil {
-			return nil, fmt.Errorf("'%s': Invalid glob pattern: %w", args[i], err)
-		} else { //nolint:revive
-			pat[i] = g
+		if pat[i], err = glob.Compile(args[i], '/'); err != nil {
+			return nil, fmt.Errorf("invalid glob patterh %q: %w", args[i], err)
 		}
 	}
 	return pat, nil

cmd/generate.go

@@ -5,56 +5,64 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 
 	"code.gitea.io/gitea/modules/generate"
 
 	"github.com/mattn/go-isatty"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-var (
-	// CmdGenerate represents the available generate sub-command.
-	CmdGenerate = &cli.Command{
+func newGenerateCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "generate",
 		Usage: "Generate Gitea's secrets/keys/tokens",
-		Subcommands: []*cli.Command{
-			subcmdSecret,
+		Commands: []*cli.Command{
+			newGenerateSecretCommand(),
 		},
 	}
+}
 
-	subcmdSecret = &cli.Command{
+func newGenerateSecretCommand() *cli.Command {
+	return &cli.Command{
 		Name:  "secret",
 		Usage: "Generate a secret token",
-		Subcommands: []*cli.Command{
-			microcmdGenerateInternalToken,
-			microcmdGenerateLfsJwtSecret,
-			microcmdGenerateSecretKey,
+		Commands: []*cli.Command{
+			newGenerateInternalTokenCommand(),
+			newGenerateLfsJWTSecretCommand(),
+			newGenerateSecretKeyCommand(),
 		},
 	}
+}
 
-	microcmdGenerateInternalToken = &cli.Command{
+func newGenerateInternalTokenCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "INTERNAL_TOKEN",
 		Usage:  "Generate a new INTERNAL_TOKEN",
 		Action: runGenerateInternalToken,
 	}
+}
 
-	microcmdGenerateLfsJwtSecret = &cli.Command{
+func newGenerateLfsJWTSecretCommand() *cli.Command {
+	return &cli.Command{
 		Name:    "JWT_SECRET",
 		Aliases: []string{"LFS_JWT_SECRET"},
 		Usage:   "Generate a new JWT_SECRET",
 		Action:  runGenerateLfsJwtSecret,
 	}
+}
 
-	microcmdGenerateSecretKey = &cli.Command{
+func newGenerateSecretKeyCommand() *cli.Command {
+	return &cli.Command{
 		Name:   "SECRET_KEY",
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
 	}
-)
+}
 
-func runGenerateInternalToken(c *cli.Context) error {
+func runGenerateInternalToken(_ context.Context, c *cli.Command) error {
 	internalToken, err := generate.NewInternalToken()
 	if err != nil {
 		return err
@@ -69,12 +77,8 @@ func runGenerateInternalToken(c *cli.Context) error {
 	return nil
 }
 
-func runGenerateLfsJwtSecret(c *cli.Context) error {
-	_, jwtSecretBase64, err := generate.NewJwtSecretWithBase64()
-	if err != nil {
-		return err
-	}
-
+func runGenerateLfsJwtSecret(_ context.Context, c *cli.Command) error {
+	_, jwtSecretBase64 := generate.NewJwtSecretWithBase64()
 	fmt.Printf("%s", jwtSecretBase64)
 
 	if isatty.IsTerminal(os.Stdout.Fd()) {
@@ -84,12 +88,13 @@ func runGenerateLfsJwtSecret(c *cli.Context) error {
 	return nil
 }
 
-func runGenerateSecretKey(c *cli.Context) error {
+func runGenerateSecretKey(_ context.Context, c *cli.Command) error {
 	secretKey, err := generate.NewSecretKey()
 	if err != nil {
 		return err
 	}
 
+	// codeql[disable-next-line=go/clear-text-logging]
 	fmt.Printf("%s", secretKey)
 
 	if isatty.IsTerminal(os.Stdout.Fd()) {

cmd/hook.go

@@ -15,34 +15,37 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
-	hookBatchSize = 30
+	hookBatchSize = 500
 )
 
-var (
-	// CmdHook represents the available hooks sub-command.
-	CmdHook = &cli.Command{
+func newHookCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "hook",
 		Usage:       "(internal) Should only be called by Git",
+		Hidden:      true, // internal commands shouldn't be visible
 		Description: "Delegate commands to corresponding Git hooks",
 		Before:      PrepareConsoleLoggerLevel(log.FATAL),
-		Subcommands: []*cli.Command{
-			subcmdHookPreReceive,
-			subcmdHookUpdate,
-			subcmdHookPostReceive,
-			subcmdHookProcReceive,
+		Commands: []*cli.Command{
+			newHookPreReceiveCommand(),
+			newHookUpdateCommand(),
+			newHookPostReceiveCommand(),
+			newHookProcReceiveCommand(),
 		},
 	}
+}
 
-	subcmdHookPreReceive = &cli.Command{
+func newHookPreReceiveCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "pre-receive",
 		Usage:       "Delegate pre-receive Git hook",
 		Description: "This command should only be called by Git",
@@ -53,7 +56,10 @@ var (
 			},
 		},
 	}
-	subcmdHookUpdate = &cli.Command{
+}
+
+func newHookUpdateCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "update",
 		Usage:       "Delegate update Git hook",
 		Description: "This command should only be called by Git",
@@ -64,7 +70,10 @@ var (
 			},
 		},
 	}
-	subcmdHookPostReceive = &cli.Command{
+}
+
+func newHookPostReceiveCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "post-receive",
 		Usage:       "Delegate post-receive Git hook",
 		Description: "This command should only be called by Git",
@@ -75,8 +84,11 @@ var (
 			},
 		},
 	}
-	// Note: new hook since git 2.29
-	subcmdHookProcReceive = &cli.Command{
+}
+
+// Note: new hook since git 2.29
+func newHookProcReceiveCommand() *cli.Command {
+	return &cli.Command{
 		Name:        "proc-receive",
 		Usage:       "Delegate proc-receive Git hook",
 		Description: "This command should only be called by Git",
@@ -87,7 +99,7 @@ var (
 			},
 		},
 	}
-)
+}
 
 type delayWriter struct {
 	internal io.Writer
@@ -161,12 +173,18 @@ func (n *nilWriter) WriteString(s string) (int, error) {
 	return len(s), nil
 }
 
-func runHookPreReceive(c *cli.Context) error {
+func parseGitHookCommitRefLine(line string) (oldCommitID, newCommitID string, refFullName git.RefName, ok bool) {
+	fields := strings.Split(line, " ")
+	if len(fields) != 3 {
+		return "", "", "", false
+	}
+	return fields[0], fields[1], git.RefName(fields[2]), true
+}
+
+func runHookPreReceive(ctx context.Context, c *cli.Command) error {
 	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
 		return nil
 	}
-	ctx, cancel := installSignals()
-	defer cancel()
 
 	setup(ctx, c.Bool("debug"))
 
@@ -186,7 +204,7 @@ Gitea or set your environment appropriately.`, "")
 	userID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
-	actionPerm, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionPerm), 10, 64)
+	actionsTaskID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionsTaskID), 10, 64)
 
 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@@ -196,7 +214,8 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
-		ActionPerm:                      int(actionPerm),
+		ActionsTaskID:                   actionsTaskID,
+		IsWiki:                          isWiki,
 	}
 
 	scanner := bufio.NewScanner(os.Stdin)
@@ -228,14 +247,11 @@ Gitea or set your environment appropriately.`, "")
 			continue
 		}
 
-		fields := bytes.Fields(scanner.Bytes())
-		if len(fields) != 3 {
+		oldCommitID, newCommitID, refFullName, ok := parseGitHookCommitRefLine(scanner.Text())
+		if !ok {
 			continue
 		}
 
-		oldCommitID := string(fields[0])
-		newCommitID := string(fields[1])
-		refFullName := git.RefName(fields[2])
 		total++
 		lastline++
 
@@ -270,6 +286,9 @@ Gitea or set your environment appropriately.`, "")
 			lastline = 0
 		}
 	}
+	if err := scanner.Err(); err != nil {
+		return fail(ctx, "Hook failed: stdin read error", "scanner error: %v", err)
+	}
 
 	if count > 0 {
 		hookOptions.OldCommitIDs = oldCommitIDs[:count]
@@ -292,7 +311,7 @@ Gitea or set your environment appropriately.`, "")
 
 // runHookUpdate avoid to do heavy operations on update hook because it will be
 // invoked for every ref update which does not like pre-receive and post-receive
-func runHookUpdate(c *cli.Context) error {
+func runHookUpdate(_ context.Context, c *cli.Command) error {
 	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
 		return nil
 	}
@@ -309,15 +328,12 @@ func runHookUpdate(c *cli.Context) error {
 	return nil
 }
 
-func runHookPostReceive(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runHookPostReceive(ctx context.Context, c *cli.Command) error {
 	setup(ctx, c.Bool("debug"))
 
 	// First of all run update-server-info no matter what
-	if _, _, err := git.NewCommand("update-server-info").RunStdString(ctx, nil); err != nil {
-		return fmt.Errorf("Failed to call 'git update-server-info': %w", err)
+	if err := gitcmd.NewCommand("update-server-info").RunWithStderr(ctx); err != nil {
+		return fmt.Errorf("failed to call 'git update-server-info': %w", err)
 	}
 
 	// Now if we're an internal don't do anything else
@@ -364,6 +380,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		PushTrigger:                     repo_module.PushTrigger(os.Getenv(repo_module.EnvPushTrigger)),
+		IsWiki:                          isWiki,
 	}
 	oldCommitIDs := make([]string, hookBatchSize)
 	newCommitIDs := make([]string, hookBatchSize)
@@ -381,16 +398,13 @@ Gitea or set your environment appropriately.`, "")
 			continue
 		}
 
-		fields := bytes.Fields(scanner.Bytes())
-		if len(fields) != 3 {
+		var ok bool
+		oldCommitIDs[count], newCommitIDs[count], refFullNames[count], ok = parseGitHookCommitRefLine(scanner.Text())
+		if !ok {
 			continue
 		}
 
 		fmt.Fprintf(out, ".")
-		oldCommitIDs[count] = string(fields[0])
-		newCommitIDs[count] = string(fields[1])
-		refFullNames[count] = git.RefName(fields[2])
-
 		commitID, _ := git.NewIDFromString(newCommitIDs[count])
 		if refFullNames[count] == git.BranchPrefix+"master" && !commitID.IsZero() && count == total {
 			masterPushed = true
@@ -414,6 +428,11 @@ Gitea or set your environment appropriately.`, "")
 			count = 0
 		}
 	}
+	if err := scanner.Err(); err != nil {
+		_ = dWriter.Close()
+		hookPrintResults(results)
+		return fail(ctx, "Hook failed: stdin read error", "scanner error: %v", err)
+	}
 
 	if count == 0 {
 		if wasEmpty && masterPushed {
@@ -485,7 +504,7 @@ func hookPrintResult(output, isCreate bool, branch, url string) {
 func pushOptions() map[string]string {
 	opts := make(map[string]string)
 	if pushCount, err := strconv.Atoi(os.Getenv(private.GitPushOptionCount)); err == nil {
-		for idx := 0; idx < pushCount; idx++ {
+		for idx := range pushCount {
 			opt := os.Getenv(fmt.Sprintf("GIT_PUSH_OPTION_%d", idx))
 			kv := strings.SplitN(opt, "=", 2)
 			if len(kv) == 2 {
@@ -496,10 +515,7 @@ func pushOptions() map[string]string {
 	return opts
 }
 
-func runHookProcReceive(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runHookProcReceive(ctx context.Context, c *cli.Command) error {
 	setup(ctx, c.Bool("debug"))
 
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
@@ -517,6 +533,7 @@ Gitea or set your environment appropriately.`, "")
 
 	reader := bufio.NewReader(os.Stdin)
 	repoUser := os.Getenv(repo_module.EnvRepoUsername)
+	isWiki, _ := strconv.ParseBool(os.Getenv(repo_module.EnvRepoIsWiki))
 	repoName := os.Getenv(repo_module.EnvRepoName)
 	pusherID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	pusherName := os.Getenv(repo_module.EnvPusherName)
@@ -594,14 +611,15 @@ Gitea or set your environment appropriately.`, "")
 		UserName:       pusherName,
 		UserID:         pusherID,
 		GitPushOptions: make(map[string]string),
+		IsWiki:         isWiki,
 	}
 	hookOptions.OldCommitIDs = make([]string, 0, hookBatchSize)
 	hookOptions.NewCommitIDs = make([]string, 0, hookBatchSize)
 	hookOptions.RefFullNames = make([]git.RefName, 0, hookBatchSize)
 
 	for {
-		// note: pktLineTypeUnknow means pktLineTypeFlush and pktLineTypeData all allowed
-		rs, err = readPktLine(ctx, reader, pktLineTypeUnknow)
+		// note: pktLineTypeUnknown means pktLineTypeFlush and pktLineTypeData all allowed
+		rs, err = readPktLine(ctx, reader, pktLineTypeUnknown)
 		if err != nil {
 			return err
 		}
@@ -620,7 +638,7 @@ Gitea or set your environment appropriately.`, "")
 
 	if hasPushOptions {
 		for {
-			rs, err = readPktLine(ctx, reader, pktLineTypeUnknow)
+			rs, err = readPktLine(ctx, reader, pktLineTypeUnknown)
 			if err != nil {
 				return err
 			}
@@ -717,8 +735,8 @@ Gitea or set your environment appropriately.`, "")
 type pktLineType int64
 
 const (
-	// UnKnow type
-	pktLineTypeUnknow pktLineType = 0
+	// Unknown type
+	pktLineTypeUnknown pktLineType = 0
 	// flush-pkt "0000"
 	pktLineTypeFlush pktLineType = iota
 	// data line
@@ -740,7 +758,7 @@ func readPktLine(ctx context.Context, in *bufio.Reader, requestType pktLineType)
 
 	// read prefix
 	lengthBytes := make([]byte, 4)
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		lengthBytes[i], err = in.ReadByte()
 		if err != nil {
 			return nil, fail(ctx, "Protocol: stdin error", "Pkt-Line: read stdin failed : %v", err)

cmd/hook_test.go

@@ -39,3 +39,17 @@ func TestPktLine(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, []byte("0007a\nb"), w.Bytes())
 }
+
+func TestParseGitHookCommitRefLine(t *testing.T) {
+	oldCommitID, newCommitID, refName, ok := parseGitHookCommitRefLine("a b c")
+	assert.True(t, ok)
+	assert.Equal(t, "a", oldCommitID)
+	assert.Equal(t, "b", newCommitID)
+	assert.Equal(t, "c", string(refName))
+
+	_, _, _, ok = parseGitHookCommitRefLine("a\tb\tc")
+	assert.False(t, ok)
+
+	_, _, _, ok = parseGitHookCommitRefLine("a b")
+	assert.False(t, ok)
+}

cmd/keys.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"strings"
@@ -11,45 +12,48 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-// CmdKeys represents the available keys sub-command
-var CmdKeys = &cli.Command{
-	Name:        "keys",
-	Usage:       "(internal) Should only be called by SSH server",
-	Description: "Queries the Gitea database to get the authorized command for a given ssh key fingerprint",
-	Before:      PrepareConsoleLoggerLevel(log.FATAL),
-	Action:      runKeys,
-	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "expected",
-			Aliases: []string{"e"},
-			Value:   "git",
-			Usage:   "Expected user for whom provide key commands",
+// NewKeysCommand returns the internal SSH key lookup sub-command.
+func NewKeysCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "keys",
+		Usage:       "(internal) Should only be called by SSH server",
+		Hidden:      true, // internal commands shouldn't be visible
+		Description: "Queries the Gitea database to get the authorized command for a given ssh key fingerprint",
+		Before:      PrepareConsoleLoggerLevel(log.FATAL),
+		Action:      runKeys,
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:    "expected",
+				Aliases: []string{"e"},
+				Value:   "git",
+				Usage:   "Expected user for whom provide key commands",
+			},
+			&cli.StringFlag{
+				Name:    "username",
+				Aliases: []string{"u"},
+				Value:   "",
+				Usage:   "Username trying to log in by SSH",
+			},
+			&cli.StringFlag{
+				Name:    "type",
+				Aliases: []string{"t"},
+				Value:   "",
+				Usage:   "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
+			},
+			&cli.StringFlag{
+				Name:    "content",
+				Aliases: []string{"k"},
+				Value:   "",
+				Usage:   "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
+			},
 		},
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Value:   "",
-			Usage:   "Username trying to log in by SSH",
-		},
-		&cli.StringFlag{
-			Name:    "type",
-			Aliases: []string{"t"},
-			Value:   "",
-			Usage:   "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
-		},
-		&cli.StringFlag{
-			Name:    "content",
-			Aliases: []string{"k"},
-			Value:   "",
-			Usage:   "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
-		},
-	},
+	}
 }
 
-func runKeys(c *cli.Context) error {
+func runKeys(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("username") {
 		return errors.New("No username provided")
 	}
@@ -68,9 +72,6 @@ func runKeys(c *cli.Context) error {
 		return errors.New("No key type and content provided")
 	}
 
-	ctx, cancel := installSignals()
-	defer cancel()
-
 	setup(ctx, c.Bool("debug"))
 
 	authorizedString, extra := private.AuthorizedPublicKeyByContent(ctx, content)
@@ -78,6 +79,6 @@ func runKeys(c *cli.Context) error {
 	if extra.Error != nil {
 		return extra.Error
 	}
-	_, _ = fmt.Fprintln(c.App.Writer, strings.TrimSpace(authorizedString.Text))
+	_, _ = fmt.Fprintln(c.Root().Writer, strings.TrimSpace(authorizedString.Text))
 	return nil
 }

cmd/mailer.go

@@ -4,29 +4,23 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
-func runSendMail(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
+func runSendMail(ctx context.Context, c *cli.Command) error {
 	setting.MustInstalled()
 
-	if err := argsSet(c, "title"); err != nil {
-		return err
-	}
-
 	subject := c.String("title")
-	confirmSkiped := c.Bool("force")
+	confirmSkipped := c.Bool("force")
 	body := c.String("content")
 
-	if !confirmSkiped {
+	if !confirmSkipped {
 		if len(body) == 0 {
 			fmt.Print("warning: Content is empty")
 		}