main
Generic: Standards Compliance / Secret Scanning (push) Failing after 8s
Generic: Standards Compliance / License Header Validation (push) Successful in 9s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 10s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 11s
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m15s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 10s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 8s
Generic: Standards Compliance / README Completeness Check (push) Failing after 10s
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 2m1s
Generic: Standards Compliance / Script Integrity Validation (push) Successful in 24s
Generic: Standards Compliance / Line Length Check (push) Successful in 33s
Generic: Standards Compliance / File Naming Standards (push) Successful in 9s
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 8s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 6m15s
Generic: Standards Compliance / Dead Code Detection (push) Successful in 10s
Generic: Standards Compliance / File Size Limits (push) Successful in 8s
Generic: Standards Compliance / Code Complexity Analysis (push) Successful in 1m8s
Generic: Standards Compliance / TODO/FIXME Tracking (push) Successful in 8s
Generic: Standards Compliance / Code Duplication Detection (push) Successful in 55s
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 57s
Generic: Standards Compliance / Unused Dependencies Check (push) Successful in 54s
Generic: Standards Compliance / API Documentation Coverage (push) Successful in 8s
Generic: Standards Compliance / Broken Link Detection (push) Successful in 11s
Generic: Standards Compliance / Binary File Detection (push) Successful in 1m45s
Generic: Standards Compliance / Accessibility Check (push) Successful in 8s
Generic: Standards Compliance / Performance Metrics (push) Successful in 8s
Generic: Standards Compliance / Terraform Configuration Validation (push) Successful in 14s
Generic: Standards Compliance / Repository Health Check (push) Successful in 57s
Generic: Standards Compliance / Enterprise Readiness Check (push) Successful in 1m0s
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
Add ability for local makefile with personal customizations that wouldnt affect remote repo (#35836)
Changelog
[Unreleased]
Changed
- Rebrand: MokoGitea → MokoGIT (complete retirement of the MokoGitea name). Go module path
code.mokoconsulting.tech/MokoConsulting/MokoGitea→.../MokoGIT(all imports +go.mod); default app nameMokoGitea→MokoGIT; the in-repo config directory and the special org profile/wiki repo names.mokogitea/.mokogitea-private→.mokogit/.mokogit-private; the Actions system usermokogitea-actions→mokogit-actions(DB migration #369); Docker image, ntfy topic, mail tags, and remaining lowercasemokogiteareferences →mokogit; bundled the Mokofavicon.svgas the app icon and PWA manifest icon. SharedMOKOGITEA_*CI/compose env-var and org-secret names are renamed in the coordinated server cutover (not in this repo change) to avoid breaking cross-repo CI mid-transition.
Added
- Metadata platform options are now admin-configurable instead of hardcoded: a new Admin → Metadata page edits the allowed
platformvalues (persisted toapp.ini[metadata] PLATFORM_OPTIONS, defaultjoomla,dolibarr,go,npm,generic), and the repo Settings → Metadata platform dropdown reads from it. Changing the taxonomy no longer needs a code change/redeploy. A repo's existing platform value stays selectable even if later removed from the list (#777) - Org branch protection: repositories now show the inherited organization rules read-only in their Branch Protection settings, with an expandable detail (direct push, force-push, branch deletion, merge restrictions, required approvals, status checks, protected files, and whitelisted teams) — like GitHub surfaces org rulesets in a repo (#727)
- Org branch protection: org-level rules can now also protect against branch deletion (
enable_delete+ delete allowlist teams), mirroring the per-repo delete allowlist (#727) - Org-level tag protection: protect tag patterns org-wide (e.g.
v*) with a team allowlist, layered on top of each repo's own protected tags — a tag is controllable only if allowed at both levels (fail-closed). API at/orgs/{org}/tag_protections; enforced at the git push/delete hook and the release create/delete paths; shown read-only in the repo Tag settings (#727) - Org-level push policy: one policy per org, enforced in the pre-receive hook across all its repositories — branch/tag name conventions (glob), a mandatory secret-scanning block-on-push that repos cannot disable, a max pushed-file size, and blocked file-path patterns. API at
/orgs/{org}/push_policy. Naming is fail-closed; the content checks (blocked paths, max size) fail open on error so a policy bug can never block every push (#727) - Org-level repository defaults: an org can force new/transferred repositories private and set default pull-request settings (allowed merge styles, default merge style, auto-delete branch after merge), applied via a notifier when a repo is created in or transferred into the org (best-effort — never blocks repo creation). API at
/orgs/{org}/repo_defaults(#727) - Org-level email domain policy: restrict which email domains an organization's members may have — a user can only be added to the org (via any team) if their primary email matches one of the allowed domain globs. Enforced at the single membership-add choke point (
AddTeamMember); API at/orgs/{org}/email_domain_policy(#727) - Code security scanner: pattern-based detection of SQL injection, XSS, command injection, path traversal, insecure deserialization, hardcoded credentials, and weak cryptography across Go/PHP/Python/JS/TS (#552)
- Cascade merge: auto-create PRs to downstream branches after merge with configurable rules per repo (#460)
- Issue status presets: 4 built-in templates (default, software-development, support-tickets, bug-tracking) with API + web UI (#507)
- Cross-org status migration: copy status definitions from one org to another via API (#507)
- Auto-create default teams on org creation: Developers (write), Reviewers (read), CI/CD (actions+packages) (#513)
- Branch protection delete allowlist: configurable per-user/team/deploy-key allowlist for deleting protected branches (#696)
- Workflow subdirectory discovery: workflows in subdirectories of
.mokogit/workflows/are now auto-discovered (#693) - API token scope
read:licensing/write:licensingfor licensing endpoints (#697) - Edit API token scopes: PATCH /users/{username}/tokens/{id} API endpoint + web UI edit button (#697)
- Wiki full-text search: case-insensitive search across all wiki page titles and content (#550)
- Wiki search API: GET /wiki/search?q=term with paginated JSON results (#550)
- Metadata deploy fields: deploy_host, deploy_port, deploy_user, deploy_path, docker_image, docker_registry, container_name, health_url (#692)
- Security scanning API: REST endpoints for alerts, config, and on-demand scans (GET/PATCH /security/alerts, /security/config, POST /security/scan) (#692)
- Pre-receive hook secret blocking: push rejection when block_on_push enabled and secrets detected in commits (#692)
- Metadata API partial updates: PUT /metadata now merges only sent fields instead of replacing all
- Wiki revision diff: line-by-line diff view per commit in wiki page history (#667)
- Wiki categories: YAML frontmatter
categories:with category index page (#668) - Wiki template transclusion:
{{template:Name|key=val}}with_Template/folder (#671) - Wiki enhanced ToC: collapsible, inline via frontmatter, sticky sidebar (#673)
- Wiki folder ACL:
_access.ymlper-folder write protection (#674) - Wiki print view and ZIP export of all wiki pages (#675)
- Wiki features documentation page in org wiki (standards/Wiki-Features)
- DLID licensing system: license, entitlement, activation, product_tier, audit_log tables (v359 migration)
- License CRUD with CRC32-checksummed DLID generation and format validation
- Entitlement model with tier-based rebuild and custom entitlement preservation
- Domain activation tracking with limit enforcement and auto-activate on first use
- 13 seeded product tiers from base to enterprise
- DLID-gated update XML endpoint: GET /api/v1/licensing/updates/{product}.xml
- Profile repo fallback chain: .mokogit > .profile > .github
- Metadata/manifest GET endpoint publicly accessible without auth (#676)
- Org wiki: folder-based collapsible tree sidebar, _Sidebar.md overrides (#680)
- Wiki backlinks: "What links here" page showing all pages referencing current page (#669)
- Wiki wikilinks: Page Name and Page syntax with red links for missing pages (#666)
- Required baseline issue statuses: Open and Closed are indestructible (is_required flag) (#681)
- Issue status API response includes is_required field
- Wiki recent changes page: cross-page edit activity with pagination (#670)
- Wiki page rename with automatic redirects via YAML frontmatter (#672)
Security
- Cherry-pick upstream v1.26.3: LFS reject unknown SSH sub-verbs to prevent auth bypass (#38015)
- Cherry-pick upstream v1.26.3: bound CODEOWNERS regex match time — ReDoS prevention (#38025)
- Cherry-pick upstream v1.26.3: require merged PR to bypass fork PR approval gate (#38041)
- Cherry-pick upstream v1.26.3: LFS require Code-unit access for cross-repo object reuse (#38050)
- Cherry-pick upstream v1.26.3: hostmatcher block reserved IP ranges — SSRF prevention (#38059)
- Cherry-pick upstream v1.26.3: bound debian ParseControlFile — DoS prevention (#38055)
- Cherry-pick upstream v1.26.3: feed token scope, migration SSRF, notification redaction (#38147)
- Cherry-pick upstream v1.26.3: OIDC ignore stale external login links to organizations (#38141)
- Cherry-pick upstream v1.26.3: 2FA timing, branch delete auth, org labels visibility, merge upstream auth (#38151)
- Cherry-pick upstream v1.26.3: allow git clone of private repos with anonymous code access (#38146)
- Cherry-pick upstream v1.26.3: hostmatcher patch incorrect private IP list (#38173)
- Cherry-pick upstream v1.26.4: do not auto-reactivate disabled users on OAuth2 callback (#38183)
- Cherry-pick upstream v1.26.4: walk git log context error handling — regression fix (#38185)
Fixed
- Repo metadata
orgis now derived from the org profile (the repository owner) instead of being stored/editable, so it can never drift when an organization is renamed. Theorgcolumn is dropped fromrepo_manifest(migration #368) and the field is derived on read viaRepository.DerivedOrgName(owner display name, falling back to the handle) across the metadata API, the Settings → Metadata page (now read-only), and the Joomla update-server feed. The APIPUTand MCPmetadata_updatenow ignoreorg(read-only, like the already-deriveddisplay_name) (#771) - Admin Branding: uploading a custom Nav Icon now also sets the app icon (
logo.png, the PWA / web-manifest icon and navbar fallback), so a branded instance shows its own installable app icon instead of the shipped default; resetting the Nav Icon reverts both (#773) - Fork server binary now compiles:
routers/api/v1/api.gocalledorganization.HasOrgOrUserVisible, which had been renamed toIsOwnerVisibleToDoer; the one missed call site brokego buildof the entirerouters/api/v1package (CI's Lint & Validate does not run a full build, so it went unnoticed) (#735) - Dev deploy workflow: the build/deploy step referenced runner-side values as
\$TAG/\$REGISTRY_TOKENinside an unquoted SSH heredoc, deferring expansion to the remote shell where those names are unset — the Docker tag collapsed to an emptymokogit:and every dev deploy failed withinvalid reference format. Runner values are now injected via an ssh env-prefix and the heredoc is quoted so each$varexpands in exactly one place (#737) - Repaired unit-test compile and
go vetfailures:CryptoRandomInt/String/Bytesnow return two values (updatedmodules/util/util_test.go), removed a redundant&&condition inissue_comment.go, and cleaned up isolated integration-test compile errors (#736) - Removed a stray
package-lock.json(13.9k lines) that agit add -Ahad accidentally swept into the org-push-policy branch (#734) - Org-level branch protection now layers with per-repo rules instead of being ignored whenever a repo rule exists. When both an org rule and a repo rule match a branch, the effective rule is the most-restrictive (fail-closed) combination — the org rule is a mandatory floor a repo cannot weaken: allow flags AND'd, gate/require/block flags OR'd, required approvals max'd, status checks and protected-file patterns unioned, whitelists intersected. Previously a repo rule shadowed the org rule entirely at the enforcement choke point (
GetFirstMatchProtectedBranchRule), letting a repo opt out of org protection (#727) - Org Teams page: list now renders — the handler wrote
ctx.Data["OrgListTeams"]but the template reads.Teams, so the page showed header/nav but no teams (#720) - Issue type: now editable after creation for users with issue write permission — the sidebar gated editing on a
FieldEditFlagsdata key that was never populated (always read-only); now usesHasIssuesOrPullsWritePermissionlike the priority field (#721) - Admin config form: radio inputs (e.g. instance landing page Mode) no longer throw "Unsupported config form value mapping", which had aborted all JS init on the admin settings page
- PR check branch policy: allow
fix/*→mainandpatch/*→mainto match documented policy (was rejecting fix/patch PRs to main) - PR check platform detection: guard for missing
.mokogit/manifest.xmlso the Validate PR job no longer aborts underset -e(manifest replaced by metadata API) - Remove dangling
mcp-mokogit-apisubmodule gitlink (no.gitmodulesentry) that brokesubmodule update --initat checkout, failing all PR build/release jobs; ignore the local clone path - PR RC Release workflow: no-op cleanly when
updates.xmlis absent (generic repos) instead of aborting the "Determine RC version" step underset -e - PR check: platform detection now queries metadata API instead of removed manifest.xml
- Cherry-pick upstream v1.26.2: handle empty pull request files view to allow reviews (#37783)
- Cherry-pick upstream v1.26.2: fix "run as root" check with snap container detection (#37622)
- Cherry-pick upstream: ack re-sent UpdateLog finalize idempotently (#37885)
- Cherry-pick upstream: reject workflow_dispatch for workflows without that trigger (#37660)
- Cherry-pick upstream: keep action run title clickable when commit subject is a URL (#37867)
- Cherry-pick upstream: exclude workflow_call from workflow trigger detection (#37894)
- API token edit: reject empty scope update requests with 400 instead of silently succeeding
- Workflow token auth: pr-check.yml pre-release dispatch was silently failing due to env var / curl reference mismatch
- Workflow tokens: standardize all GA_TOKEN/GITEA_TOKEN/GITEA_URL env vars to MOKOGITEA_TOKEN/MOKOGITEA_URL across all workflow files in 5 template repos + MokoCLI (65+ files)
- CI issue reporter: rename GITEA_TOKEN/GITEA_URL to MOKOGITEA_TOKEN/MOKOGITEA_URL in automation/ci-issue-reporter.sh
- Workflow sync trigger: add workflow_dispatch event, fix if-condition to allow manual dispatch, add PHP install step for non-PHP runners
- Deploy workflow: merge dev health check into deploy job to avoid runner status reporting failures on inter-job handoff
- Licensing API: handle DB write errors in UpdateLicense, UpdateTier, DeleteTier instead of silently discarding
- Wiki API: fix findEntryForFile URL-decode fallback for non-ASCII page names
- Metadata settings template 500 error: removed reference to deleted Version field
- Wiki recent changes: use commit.MessageTitle() instead of commit.Message()
- Wiki backlinks: proper URL encoding for subdirectory pages
- Wiki wikilinks: page existence lookup normalizes spaces and hyphens
- Issue statuses template: garbled em-dash character replaced
Changed
- Custom workflows moved to
.mokogit/workflows/custom/: deploy-mokogit, deploy-dev, cascade-dev, pr-rc-release, test-mokogit, upstream-bug-sync - Issue status seed defaults: Open, In Progress, Waiting, In Review, Closed, Won't Fix
- Pre-release workflow: auto-bump skipped for non-Joomla repos (platform check)
- CI issue reporter: moved to MokoCLI (cli/ci_issue_reporter.sh), pr-check and repo-health now use ci-issue-reporter.yml reusable workflow
Removed
- Workflows: gitleaks.yml, npm-publish.yml, notify.yml, workflow-sync-trigger.yml, composer-publish.yml, deploy-manual.yml, security-audit.yml (not applicable to Go repo)
- automation/ci-issue-reporter.sh: moved to MokoCLI as centralized CLI tool
[06.19.00] --- 2026-06-20
[06.19.00] --- 2026-06-20
[06.19.00] --- 2026-06-20
[06.19.00] --- 2026-06-19
Description
MokoGitea — custom Gitea fork with .mokogitea manifests, custom fields, org priorities, folder-based wikis, and Joomla update server generation
https://mokoconsulting.tech/support/mokogitea
bitbucketcicddevopsdocker-registry-v2gitgit-guigit-lfsgit-servergiteagithubgithub-actionsgitlabgogolanghacktoberfestmaven-servernpm-registryself-hostedtypescriptvue
Readme
MIT
1 GiB
Releases
96
Languages
Go
78.3%
Handlebars
12.8%
TypeScript
4.2%
CSS
1.9%
JavaScript
1.5%
Other
1.2%