diff --git a/CHANGELOG.md b/CHANGELOG.md index 535f586fff..faf3ddd835 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,9 @@ # Changelog -This changelog goes through the changes that have been made in each release -without substantial changes to our git log; to see the highlights of what has -been added to each release, please refer to the [blog](https://blog.gitea.com).## [v1.26.1-moko.06.02.00] - 2026-06-02 +All notable changes to MokoGitea are documented here. Versions follow the format +`v{upstream}-moko.{major}.{minor}` (e.g. `v1.26.1-moko.06.02`). + +## [v1.26.1-moko.06] - 2026-06-04 * FEATURES * feat(licenses): full commercial license management system @@ -10,40 +11,38 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).# * Search keys by customer, domain, key number, email, or payment ref * Download gating (none/prerelease/all modes) * Domain lock grace period (DomainLockHours) + * Domain restriction on packages and keys (comma-separated allowed domains) * RepoScope enforcement — packages scoped to specific repos * Configurable license key prefix per organization + * Master key always visible with Regenerate button + * License package creation at repo level via modal * Manual release-to-stream mapping with UI selector - * Joomla changelog XML endpoint (/changelog.xml) - * SHA256 checksums from sidecar files in Joomla updates.xml - * Joomla-standard tag values (dev/alpha/beta/rc/stable) * Double confirmation modals for permanent deletion * Combolist channel picker (replaces checkboxes) * Extension metadata in repo settings (per-repo override) * API: package CRUD, key revoke, key renew, settings GET/PUT * API: purchase webhook with PaymentRef idempotency * API: public validation endpoint (no auth) - * Migration v340-v342: all new columns synced - * feat(updates): 7 platform update feeds - * Joomla XML with downloadkey, SHA256, changelog URL + * Migration v340-v344: all new columns synced + * feat(updates): Update Server system (renamed from "Licensing") + * Joomla XML with SHA256, changelog URL, version from asset filename * Dolibarr JSON with channel filtering * WordPress PUC-compatible JSON (plugin-update-checker) * Composer packages.json * PrestaShop module update XML * Drupal update status XML * WHMCS module update JSON - * feat(updates): feed always public — downloads gated separately - * feat(updates): stream-name tags supported alongside version tags - * feat(updates): version extraction via regex from release titles - * feat(updates): infourl defaults to release listing / support URL - * feat(updates): downloadkey prefix matches Akeeba pattern (dlid=) + * Feed always public — downloads gated separately + * Stream-name tags supported alongside version tags + * Omit `` for package extension types + * No `` when require_key is off * feat(orgs): enterprise sub-org hierarchy with parent-child relationships * feat(repos): three-level visibility — Public (200), Private (403), Hidden (404) - * feat(settings): separate licensing settings page (/settings/licensing) - * feat(settings): advanced settings on dedicated page (/settings/advanced) - * feat(settings): section headers with dividers and icons - * feat(ui): icons on all settings navbars (repo, org, user, admin) + * feat(settings): Update Server settings page with enable toggle in Advanced Settings + * feat(settings): advanced settings on dedicated page with dividing headers + * feat(settings): icons on all settings navbars (repo, org, user, admin) * feat(ui): styled 403 Access Denied page with inline login form - * feat(ui): open-in-new-tab button on feed URLs + * feat(issues): custom fields foundation — model, migration, settings UI * SECURITY * fix(security): ownership guards on all API handlers (cross-org prevention) * fix(security): RepoScope JSON parsing (substring matching bug) @@ -54,48 +53,45 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).# * fix(security): licensed private repos allow release viewing for signed-in users * fix(security): anonymous download access respects download_gating setting * FIXES - * fix(licenses): expanded delete permissions to org owners + site admins * fix(licenses): explicit xorm column names for UpdateStreamConfig fields * fix(licenses): feed always public when licensing enabled + * fix(settings): prevent double-highlight on Advanced Settings nav item + * fix(settings): redirect back to /settings/advanced after save + * fix(build): remove stale custom field API routes and dead code + * fix(build): replace invalid UTF-8 character in API comment * fix(build): permanent fixes for AI migration, feed/file.go, unused imports + * fix(updateserver): version extracted from asset filename (not release title) + * fix(updateserver): omit `` for package types per Joomla spec -## [v1.26.1-moko.05.15.00] - 2026-05-31 +## [v1.26.1-moko.05] - 2026-05-31 * BREAKING CHANGES * Deprecated Issue.Ref branch selector UI (#307) * Removed branch/tag selector from issue sidebar and new issue form - * Removed ref badge from issue lists - * Removed POST /ref web route and UpdateIssueRef handler * DB column and commit-close logic preserved for backward compatibility - * API create/edit still accept `ref` field (no-op) for backward compat * FEATURES - * feat(ui): add generic combo-multiselect component (#361) + * feat(ui): generic combo-multiselect component (#361) * Reusable dropdown with search, checkable items, and selected-items display - * Template: `shared/combolist.tmpl` — accepts Items, Name, Title, SelectedValues - * Decoupled from issue sidebar — works in any form context + * Template: `shared/combolist.tmpl` * feat(updates): extension metadata settings for update feed generation * feat(licenses): platform enforcement, key deletion, expired key cleanup - * feat(licenses): store keys in plaintext, show full key with copy button + * feat(actions): rebrand actions bot user to mokogitea-actions (#233, #234) + * Backward-compatible: recognizes github-actions[bot], gitea-actions[bot] + * feat(actions): actions bot user in branch protection whitelist (#233, #234) + * WhitelistActionsUser, MergeWhitelistActionsUser, ForcePushAllowlistActionsUser * TECH DEBT - * chore: full namespace migration from git.mokoconsulting.tech to code.mokoconsulting.tech (#336, #337, #344) - * Go module path, all imports, template URLs, workflow configs (2,276 files) + * chore: full namespace migration to code.mokoconsulting.tech (#336, #337, #344) * fix(blame): set HasSourceRenderedToggle for renderable files (#344) - * fix(settings): translate team permission strings via data-locale attributes (#344) + * fix(settings): translate team permission strings via data-locale (#344) * fix(dropzone): use relative path for non-image attachment markdown links (#344) * fix(templates): add required validation to issue dropdown fields (#350) - * refactor(ts): remove redundant `handled` field from MarkdownHandleIndentionResult (#350) - * refactor(go): rename HasOrgOrUserVisible to IsOwnerVisibleToDoer (#350) * refactor(go): replace ValuesRepository with maps.Values (Go 1.21+) (#357) - * refactor(go): remove CanEnableEditor wrapper, use CanContentChange directly (#357) - * fix(ts): parseIssueHref now uses URL pathname and trims appSubUrl (#360) - * fix(actions): enforce MaxJobNumPerRun (256) limit when creating jobs (#360) + * refactor(go): remove CanEnableEditor wrapper (#357) + * fix(ts): parseIssueHref uses URL pathname and trims appSubUrl (#360) + * fix(actions): enforce MaxJobNumPerRun (256) limit (#360) * fix(css): use calc(infinity * 1px) for --border-radius-full (#361) - * fix(css): remove legacy .center class from 2015, replace with tw-text-center (#361) - * chore: remove stale TODO from OAuth2 regenerate secret (already implemented) (#332) - * chore: remove stale pull request test stub TODOs (#328) - * chore: remove stale GetProjectsMode TODO - * chore: remove stale mustNotBeArchived/mustEnableEditor FIXME from API - * fix(routes): remove dead legacy /cherry-pick/{sha} route (replaced by /_cherrypick/) + * fix(css): remove legacy .center class, replace with tw-text-center (#361) + * fix(routes): remove dead legacy /cherry-pick/{sha} route * fix(feed): use full ref name instead of ShortName for file feed revision * BUGFIXES * fix(build): use slices.Collect for maps.Values (Go 1.23+ compat) @@ -103,25 +99,10 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).# * fix(licenses): only show licenses tab when licensing is enabled * fix(licenses): show feed URLs based on repo update platform setting * fix(updates): correct dlid prefix and align XML with Joomla standard - -## [v1.26.1-moko.05.06.00] - 2026-05-30 - -* FEATURES - * feat(actions): rebrand actions bot user to mokogitea-actions (#233, #234) - * Name: gitea-actions → mokogitea-actions, FullName: MokoGitea Actions - * Email: mokogitea-actions[bot]@mokoconsulting.tech - * Backward-compatible: recognizes github-actions[bot], gitea-actions[bot], mokogitea-actions[bot] - * feat(actions): add actions bot user to branch protection whitelist (#233, #234) - * New toggles: WhitelistActionsUser, MergeWhitelistActionsUser, ForcePushAllowlistActionsUser - * Allows CI/CD workflows to push/merge/force-push to protected branches when enabled - * DB migration v334 adds the three boolean columns - * Exposed in API (create/edit branch protection) and web UI settings * INFRASTRUCTURE * fix(ci): auto-deploy to production on merge to main (#235) - * Deploy workflow now triggers on push to main, not just manual dispatch - * Version derived from git describe for auto-deploys -## [v1.26.1-moko.04.00.00] - 2026-05-24 +## [v1.26.1-moko.04] - 2026-05-24 * SECURITY * Backport 12 upstream v1.26.2 security fixes: @@ -130,46 +111,59 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).# * OAuth PKCE hardening and refresh token replay protection (#142) * Wiki git write and LFS token access enforcement (#143) * Public-only token filtering in API queries (#144) - * Reading permission fix (#145) * Artifact signature payload hardening (#146) * AWS credentials encryption (#161) * Mermaid v11.15.0 security update (#162) * Composer package permission check (#164) * BUGFIXES * fix(actions): nil pointer dereference in concurrency during PR creation (#136) - * fix(ui): actions runs list broken row layout — CSS class mismatch (#138) - * fix: scheduled action panic with null event payload (upstream #37459) - * fix: treat email addresses case-insensitively (upstream #37600) + * fix(ui): actions runs list broken row layout (#138) + * fix: scheduled action panic with null event payload + * fix: treat email addresses case-insensitively * fix: .mod lexer panic — removed invalid AMPL mapping - * fix: remove unused setting import in action.go - * fix: restore Permission field access in context middleware * FEATURES - * Joomla-style updates.xml with channel selection (stable/dev/security/rc) - * Update checker reads from updates.xml with configurable CHANNEL setting - * Admin dashboard shows update banner with channel name and docker pull command - * Upstream bug sync workflow — daily automated issue creation from release/v1.26 + * Joomla-style updates.xml with channel selection + * Update checker with configurable CHANNEL setting + * Admin dashboard update banner with docker pull command + * Upstream bug sync workflow — daily automated issue creation * PR RC release workflow — auto-build RC on PR to main * INFRASTRUCTURE * New 3-part versioning: v{upstream}-moko.{major}.{minor}.{patch} - * Branding updates: error pages, home page, settings link to MokoGitea + * Branding updates: error pages, home page, settings link * Deploy workflow updated for new version format * PROCESS * Created `type: bug` and `upstream` labels for automated issue tracking - * Deduplicated 19 duplicate feature request issues * Closed 24 upstream bug/security issues after backporting -## [MokoGitea Unreleased] +## [v1.26.1-moko.03] - 2026-05-15 * FEATURES - * feat(api): Bulk issue operations — add/remove/replace labels, close/reopen, set milestone, and set assignees across multiple issues in a single request (#21) - * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/labels` - * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/state` - * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/milestone` - * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/assignees` - * Partial-failure support: returns per-issue success/failure map + * feat(api): Bulk issue operations — add/remove/replace labels, close/reopen, set milestone, assignees (#21) * INFRASTRUCTURE - * Grafana: Standardized kiosk header across all 14 playlist dashboards — each now shows dashboard name, kiosk link, terminal/exit/switch instructions + * Grafana: Standardized kiosk header across all 14 playlist dashboards * PROCESS - * Reopened 9 closed issues lacking documented testing proof (#3, #5, #38, #41, #70, #74, #75, #76, #78) + * Reopened 9 closed issues lacking documented testing proof * Created `pending: testing` label for features awaiting verification * Established policy: issues must not be closed without documented testing proof + +## [1.26.1](https://github.com/go-gitea/gitea/releases/tag/v1.26.1) - 2026-04-21 + +* BUGFIXES + * Add event.schedule context for schedule actions task (#37320) (#37348) + * Fix an issue where changing an organization's visibility caused problems when users had forked its repositories. (#37324) (#37344) + * Use modern "git update-index --cacheinfo" syntax to support more file names (#37338) (#37343) + * Fix URL related escaping for oauth2 (#37334) (#37340) + * When the requested arch rpm is missing fall back to noarch (#37236) (#37339) + * Fix actions concurrency groups cross-branch leak (#37311) (#37331) + * Fix bug when accessing user badges (#37321) (#37329) + * Fix AppFullLink (#37325) (#37328) + * Fix container auth for public instance (#37290) (#37294) + * Enhance GetActionWorkflow to support fallback references (#37189) (#37283) + * Fix vite manifest update masking build errors (#37279) (#37310) + * Fix Mermaid diagrams failing when node labels contain line breaks (#37296) (#37299) + * Use TriggerEvent instead of Event in workflow runs API response for scheduled runs (#37288) #37360 + * Add URL to Learn more about blocking a user. (#37355) #37367 + * Fix button layout shift when collapsing file tree in editor (#37363) #37375 + * Fix org team assignee/reviewer lookups for team member permissions (#37365) #37391 + * Fix repo init README EOL (#37388) #37399 + * Fix: dump with default zip type produces uncompressed zip (#37401)#37402