Adds configurable cascade rules per repo. When a PR merges into a
source branch, the system auto-creates PRs to each configured target
branch. Skips if a matching PR already exists.
- Model: CascadeMergeRule (repo_id, source, target, enabled, auto_merge)
- Migration v362 creates cascade_merge_rule table
- Notifier hooks into MergePullRequest/AutoMergePullRequest events
- API: CRUD at /repos/{owner}/{repo}/cascade_rules (admin only)
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
- Migration v360: adds deploy_host, deploy_port, deploy_user, deploy_path,
docker_image, docker_registry, container_name, health_url to repo_manifest
- API: GET/PUT /metadata now includes deploy fields
- Settings: preserve deploy fields on web UI save
- Remove 4 unneeded workflows (gitleaks, npm-publish, notify, workflow-sync)
- gitleaks will become built-in (#692)
- npm-publish/notify not applicable to Go repo
- workflow-sync moving to MokoCLI
Primary profile repo name is now .mokogitea with fallback chain:
.mokogitea > .profile > .github (and their -private variants).
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove DisplayName field from RepoMetadata and UpdateStreamConfig
- Add DerivedDisplayName() method: "{Type} - {Name}" (e.g. "Package - MokoSuiteBackup")
- API returns computed display_name in GET, ignores it on PUT
- Update server feeds use DerivedDisplayName() instead of stored value
- Remove display_name from web forms (repo licensing, org update streams)
- License settings API computes display_name from repo metadata
- Migration v358: drop display_name columns from both tables
Rename package_type column and Go field to extension_type across
model, API, update server, manifest sync, settings UI, and changelog.
SQL migration renames the column. XML tag <package-type> in
.mokogitea/manifest.xml is unchanged (backward compat).
Fixes#646
AutoElementName() was using m.Name without lowercasing or cleaning,
producing elements like pkg_MokoSuiteBackup instead of
pkg_mokosuitebackup. Added cleanJoomlaElement() to replicate
Joomla's InputFilter::clean('cmd') behavior.
Removed incorrect "plugin": "plg_" — Joomla plugins use bare names.
Renamed RepoManifest → RepoMetadata across all non-migration Go
files. DB table remains repo_manifest for backward compatibility.
Migration files unchanged to preserve migration chain.
API endpoints /manifest and /metadata both continue to work
(backward compat route preserved in api.go).
Fixes#635
Version is not a required metadata field — it's derived from git tags
and releases, not stored in the manifest. Remove from RepoManifest
model and the manifest API request/response struct.
VersionPrefix, StandardsVersion, and TargetVersion are kept as they
serve different purposes (tag parsing, standards compliance, platform
targeting).
Review fixes:
- Propagate updateDomainRestriction error in grace-period path instead
of silently discarding it (was same bug class as the TOCTOU fix)
- Propagate IsDomainKnownForKey error inside transaction — discarding
it defeated the atomicity guarantee
- Wrap updateDomainRestriction error with context message
- Use boolean flags for changelog manifest fallback instead of fragile
sentinel comparison against strings.ToLower(repo.Name)
- Type-assert ctx.Data["RepoUpdatePlatform"] to string instead of
comparing interface{} values
- Use log.Warn instead of log.Error for manifest fallback (intentional
degradation, not a failure)
- Clarify comments: doc comment scope, hyphen removal wording
AutoElementName() was using the manifest Name field verbatim, producing
element names like "pkg_MokoSuiteBackup" instead of "pkg_mokosuitebackup".
Joomla's updater matches by element+type+client_id in #__extensions, so
the case mismatch made updates invisible.
Changes:
- Lowercase name and strip hyphens in AutoElementName()
- Remove incorrect "plg_" prefix for plugins (Joomla plugins have no
element prefix; the folder column determines the plugin group)
Fixes#635
Add DisplayName, Maintainer, MaintainerURL, InfoURL, TargetVersion, and
PHPMinimum to RepoManifest. These fields were previously only in
UpdateStreamConfig and are now in the manifest as the single source of
truth. Distribution section shown conditionally for joomla/wordpress/
dolibarr platforms. Closes#582 phase 1.
- Add version_prefix field for fork versioning (e.g., v1.26.1-moko.)
- Change platform dropdown from programming languages to deployment
targets (Joomla, Dolibarr, WordPress, Generic, etc.) so template
repos can be mapped to platforms
- Available in settings UI and REST API
- Add version_prefix field for fork versioning (e.g., v1.26.1-moko.)
- Change platform dropdown from programming languages to deployment
targets (Joomla, Dolibarr, WordPress, Generic, etc.) so template
repos can be mapped to platforms
- Available in settings UI and REST API
Add CDN system that serves release assets via a dedicated hostname
(e.g., cdn.mokoconsulting.tech) with per-asset public/private toggles,
IP/referrer allowlists, and aggressive caching headers.
- Host-based routing intercepts CDN domain before auth middleware
- Per-attachment cdn_public flag controls CDN visibility
- Releases in an update stream are excluded from CDN (update server takes precedence)
- CORS, ETag, Cache-Control headers for downstream CDN compatibility
- IP/CIDR and referrer domain allowlists for abuse prevention
Add a "Manifest" page in repo settings that stores moko-platform manifest
fields (identity, governance, build) in the database. Includes:
- RepoManifest model with all manifest.xml fields
- Migration v347 adding repo_manifest table
- Auto-detect and migrate .mokogitea/manifest.xml on first settings visit
- Repo settings UI with Identity/Governance/Build sections
- REST API: GET/PUT /api/v1/repos/{owner}/{repo}/manifest
for Actions workflows and moko-platform CLI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add IsHidden field to Repository model. Three visibility modes:
- Public: visible to everyone (green label)
- Private: members only, non-members see 403 Access Denied (orange)
- Hidden: members only, non-members see 404 Not Found (red)
Private mode is for commercial repos — customers know the repo
exists and see a styled 403 page with sign-in button. Licensed
update feeds and key-gated downloads still work.
Hidden mode is for internal/secret repos — complete stealth, as
if the repo doesn't exist.
Settings UI: radio button selector in danger zone replaces the
old binary toggle. Each option shows a colored label with
description.
Migration v342: adds is_hidden column to repository table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove TODO from OAuth2 regenerate secret template — the
functionality was already fully implemented
- Remove stub TODO test comments for TestMerge, TestNewPullRequest,
TestAddTestPullRequestTask — stale for years
- Remove stale GetProjectsMode TODO — method is needed by templates
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In Go 1.23+, maps.Values returns iter.Seq not a slice.
Use slices.Collect() to materialize the iterator.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Full namespace migration: update the Go module path and all import
statements from git.mokoconsulting.tech to code.mokoconsulting.tech.
Also updates all URL references in templates, workflows, configs,
tests, and documentation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix three gaps that prevented per-unit public access from working on
private repositories:
1. Git HTTP handler (githttp.go): allow anonymous git pull for private
repos when the target unit (code or wiki) has AnonymousAccessMode
set to read. Previously only checked repo.IsPrivate.
2. Permission engine (repo_permission.go): call
finalProcessRepoUnitPermission for anonymous users on private repos
so that unit-level anonymous access modes are populated. Previously
returned early with AccessModeNone, skipping anonymous mode setup.
3. Search/explore (repo_list.go): include private repos that have at
least one unit with anonymous_access_mode > 0 in search results,
so anonymous users can discover repos with public sections.
The existing settings UI at /settings/public_access already allows
configuring per-unit visibility. The home page redirect to the first
readable unit (e.g. wiki) also already works via checkHomeCodeViewable.
Closes#238
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename the Go module path from code.gitea.io/gitea to
git.mokoconsulting.tech/MokoConsulting/MokoGitea across the entire
codebase.
Scope:
- go.mod module declaration
- 2,235 Go source files (import paths)
- Dockerfile WORKDIR and COPY paths
- Swagger API templates
- golangci.yml linter config
External dependencies (code.gitea.io/gitea-vet, code.gitea.io/sdk/gitea,
gitea.com/gitea/act, etc.) are intentionally NOT renamed — they are
separate upstream modules.
Closes#132
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
backport #37118
This PR closes remaining `public-only` token gaps in the API by making
the restriction apply consistently across repository, organization,
activity, notification, and authenticated `/api/v1/user/...` routes.
Previously, `public-only` tokens were still able to:
- receive private results from some list/search/self endpoints,
- access repository data through ID-based lookups,
- and reach several authenticated self routes that should remain
unavailable for public-only access.
This change treats `public-only` as a cross-cutting visibility boundary:
- list/search endpoints now filter private resources consistently,
- repository lookups enforce the same restriction even when addressed
indirectly,
- and self routes that inherently expose or mutate private account state
now reject `public-only` tokens.
---
Generated by a coding agent with Codex 5.2
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Repositories with names starting with "." are now treated as system
repositories that are always private and cannot be made public. This is
enforced at every code path: API create, web create, migrate, template
create, push-to-create, API edit, web settings, and public access
settings. On creation paths, privacy is silently forced. On edit paths,
a clear error is returned.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Avoid per-item DB queries in ListRuns, ListJobs, and ListActionTasks by
batch-loading trigger users, repositories, and task attributes before
the conversion loop. Remove ReferencesGitRepo from the /actions route
group since no task/run endpoints use it.
Added tests for these endpoints as well.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Fix team members missing from assignee list when `team_unit.access_mode`
is 0 but the doer is owner.
Fix #34871
1. Use `GetTeamUserIDsWithAccessToAnyRepoUnit` for repo assignee list
2. Load assignee list for project issues directly
3. Use `GetTeamUserIDsWithAccessToAnyRepoUnit` for repo reviewer list
Signed-off-by: Jakub Pisarczyk <pisarz77@gmail.com>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io>
1. remove `TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY`
* it defaults to false and is unlikely to be useful for most users (see
#22130)
* with new git versions (>= 2.40), "merge-tree" is used,
"checkConflictsByTmpRepo" isn't called, the option does nothing.
2. fix fragile `db.Cell2Int64` (new: `CellToInt`)
3. allow more routes in maintenance mode (e.g.: captcha)
4. fix MockLocale html escaping to make it have the same behavior as
production locale
Add this config option, applying to new repos:
```ini
[repository.pull-request]
DEFAULT_DELETE_BRANCH_AFTER_MERGE = true
```
Defaults to `false`, preserving current behavior.
---------
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
## Overview
This PR introduces granular permission controls for Gitea Actions tokens
(`GITEA_TOKEN`), aligning Gitea's security model with GitHub Actions
standards while maintaining compatibility with Gitea's unique repository
unit system.
It addresses the need for finer access control by allowing
administrators and repository owners to define default token
permissions, set maximum permission ceilings, and control
cross-repository access within organizations.
## Key Features
### 1. Granular Token Permissions
- **Standard Keyword Support**: Implements support for the
`permissions:` keyword in workflow and job YAML files (e.g., `contents:
read`, `issues: write`).
- **Permission Modes**:
- **Permissive**: Default write access for most units (backwards
compatible).
- **Restricted**: Default read-only access for `contents` and
`packages`, with no access to other units.
- ~~**Custom**: Allows defining specific default levels for each unit
type (Code, Issues, PRs, Packages, etc.).~~**EDIT removed UI was
confusing**
- **Clamping Logic**: Workflow-defined permissions are automatically
"clamped" by repository or organization-level maximum settings.
Workflows cannot escalate their own permissions beyond these limits.
### 2. Organization & Repository Settings
- **Settings UI**: Added new settings pages at both Organization and
Repository levels to manage Actions token defaults and maximums.
- **Inheritance**: Repositories can be configured to "Follow
organization-level configuration," simplifying management across large
organizations.
- **Cross-Repository Access**: Added a policy to control whether Actions
workflows can access other repositories or packages within the same
organization. This can be set to "None," "All," or restricted to a
"Selected" list of repositories.
### 3. Security Hardening
- **Fork Pull Request Protection**: Tokens for workflows triggered by
pull requests from forks are strictly enforced as read-only, regardless
of repository settings.
- ~~**Package Access**: Actions tokens can now only access packages
explicitly linked to a repository, with cross-repo access governed by
the organization's security policy.~~ **EDIT removed
https://github.com/go-gitea/gitea/pull/36173#issuecomment-3873675346**
- **Git Hook Integration**: Propagates Actions Task IDs to git hooks to
ensure that pushes performed by Actions tokens respect the specific
permissions granted at runtime.
### 4. Technical Implementation
- **Permission Persistence**: Parsed permissions are calculated at job
creation and stored in the `action_run_job` table. This ensures the
token's authority is deterministic throughout the job's lifecycle.
- **Parsing Priority**: Implemented a priority system in the YAML parser
where the broad `contents` scope is applied first, allowing granular
scopes like `code` or `releases` to override it for precise control.
- **Re-runs**: Permissions are re-evaluated during a job re-run to
incorporate any changes made to repository settings in the interim.
### How to Test
1. **Unit Tests**: Run `go test ./services/actions/...` and `go test
./models/repo/...` to verify parsing logic and permission clamping.
2. **Integration Tests**: Comprehensive tests have been added to
`tests/integration/actions_job_token_test.go` covering:
- Permissive vs. Restricted mode behavior.
- YAML `permissions:` keyword evaluation.
- Organization cross-repo access policies.
- Resource access (Git, API, and Packages) under various permission
configs.
3. **Manual Verification**:
- Navigate to **Site/Org/Repo Settings -> Actions -> General**.
- Change "Default Token Permissions" and verify that newly triggered
workflows reflect these changes in their `GITEA_TOKEN` capabilities.
- Attempt a cross-repo API call from an Action and verify the Org policy
is enforced.
## Documentation
Added a PR in gitea's docs for this :
https://gitea.com/gitea/docs/pulls/318
## UI:
<img width="1366" height="619" alt="Screenshot 2026-01-24 174112"
src="https://github.com/user-attachments/assets/bfa29c9a-4ea5-4346-9410-16d491ef3d44"
/>
<img width="1360" height="621" alt="Screenshot 2026-01-24 174048"
src="https://github.com/user-attachments/assets/d5ec46c8-9a13-4874-a6a4-fb379936cef5"
/>
/fixes #24635
/claim #24635
---------
Signed-off-by: Excellencedev <ademiluyisuccessandexcellence@gmail.com>
Signed-off-by: ChristopherHX <christopher.homberger@web.de>
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The design of DefaultShowFullName has some problems, which make the UI
inconsistent, see the new comment in code
This PR does a clean up for various legacy problems, and clarify some
"user name display" behaviors.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The `PATCH /api/v1/repos/{owner}/{repo}` endpoint silently ignores pull
request config fields (like `default_delete_branch_after_merge`,
`allow_squash_merge`, etc.) unless `has_pull_requests: true` is also
included in the request body. This is because the entire PR unit config
block was gated behind `if opts.HasPullRequests != nil`.
This PR restructures the logic so that PR config options are applied
whenever the pull request unit already exists on the repo, without
requiring `has_pull_requests` to be explicitly set. A new unit is only
created when `has_pull_requests: true` is explicitly sent.
Fixes https://github.com/go-gitea/gitea/issues/36466
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
This PR adds official REST API endpoints to rerun Gitea Actions workflow
runs and individual jobs:
* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/rerun
* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/jobs/{job_id}/rerun
It reuses the existing rerun behavior from the web UI and exposes it
through stable API routes.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
## Summary
- Update golangci-lint v2.9.0 → v2.10.1, misspell v0.7.0 → v0.8.0,
actionlint v1.7.10 → v1.7.11
- Fix 20 new QF1012 staticcheck findings by using `fmt.Fprintf` instead
of `WriteString(fmt.Sprintf(...))`
- Fix SA1019: replace deprecated `ecdsa.PublicKey` field access with
`PublicKey.Bytes()` for JWK encoding, with SEC 1 validation and curve
derived from signing algorithm
- Add unit test for `ToJWK()` covering P-256, P-384, and P-521 curves,
also verifying correct coordinate padding per RFC 7518
- Remove dead staticcheck linter exclusion for "argument x is
overwritten before first use"
## Test plan
- [x] `make lint-go` passes with 0 issues
- [x] `go test ./services/oauth2_provider/ -run
TestECDSASigningKeyToJWK` passes for all curves
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Fixes: https://github.com/go-gitea/gitea/issues/36152
Enable the `nilnil` linter while adding `//nolint` comments to existing
violations. This will ensure no new issues enter the code base while we
can fix existing issues gradually.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Improve BuildCaseInsensitiveLike with lowercase, users are more likely
to input lowercase letters, so lowercase letters are used.
---------
Signed-off-by: Tyrone Yeh <siryeh@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This adds a per-repository default PR base branch and wires it through
PR entry points. It updates compare links and recently pushed branch
prompts to respect the configured base branch, and prevents auto-merge
cleanup from deleting the configured base branch on same-repo PRs.
## Behavior changes
- New PR compare links on repo home/issue list and branch list honor the
configured default PR base branch.
- The "recently pushed new branches" prompt now compares against the
configured base branch.
- Auto-merge branch cleanup skips deleting the configured base branch
(same-repo PRs only).
---------
Signed-off-by: Louis <116039387+tototomate123@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
1 Move `IsRepositoryModelOrDirExist` and `CheckCreateRepository` to
service layer
2 Use `gitrepo.Pushxxx` instead of `git.Push` when possible
3 use `gitrepo.Clonexxx` instead of `gitrepo.Clone` when possible
Fix#35781, #27472
The PR will not correct the wrong numbers automatically.
There is a cron task `check_repo_stats` which will be run when Gitea
start or midnight. It will correct the numbers.
Fix#35690
Change the "restricted user" behavior introduced by #6274. Now
restricted user can also access public repositories when sign-in is not
required.
For required sign-in, the behavior isn't changed.
jmiller
Jonathan Miller