7c75133ef1
Universal: Auto Version Bump / Version Bump (push) Successful in 13s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m20s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Implements the code analysis scanner module that detects insecure patterns across Go, PHP, Python, JavaScript, and TypeScript:

- SQL injection (CWE-89): string concat in queries across 4 languages
- XSS (CWE-79): innerHTML, document.write, unescaped output, dangerouslySetInnerHTML
- Command injection (CWE-78): exec with variables, shell=True, os.system
- Path traversal (CWE-22): unsanitized path joins, file open with user input
- Insecure deserialization (CWE-502): unserialize(), yaml.load()
- Hardcoded credentials (CWE-798): password assignments in source
- Weak cryptography (CWE-327): MD5/SHA-1 usage

22 rules total, language-filtered by file extension. Wired into the existing scanner orchestrator via the CodeScanner config toggle. API updated to expose code_scanner in GET/PATCH security config.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
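To make the commit message's design concrete (per-line regex rules, each tagged with a CWE and restricted to the languages where the pattern is meaningful, with the language chosen from the file extension), here is an added example of such a scanner. It is not the project's code: the rule IDs, regexes, `Scan`/`Language` function names and the sample inputs are all constructed for this illustration, and the rule set is a small subset rather than the 22 rules the commit describes.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Rule is one insecure-pattern check, applied line by line. Langs lists the
// languages it applies to; nil means every supported language.
type Rule struct {
	ID      string
	CWE     string
	Langs   []string
	Pattern *regexp.Regexp
	Message string
}

// Finding is one rule hit at a given line of a file.
type Finding struct {
	File, RuleID, CWE, Message string
	Line                       int
}

// extLang maps a file extension to the language name used in Rule.Langs.
// This is the "language-filtered by file extension" step.
var extLang = map[string]string{
	".go": "go", ".php": "php", ".py": "python", ".js": "javascript", ".ts": "typescript",
}

// rules is a constructed, illustrative subset (rule IDs and regexes are
// assumptions made for this example); it is not the project's rule set.
var rules = []Rule{
	{"SQLI-CONCAT-GO", "CWE-89", []string{"go"},
		regexp.MustCompile(`\.(Query|QueryRow|Exec)\(\s*"[^"]*"\s*\+`), "SQL built by string concatenation"},
	{"SQLI-CONCAT-PY", "CWE-89", []string{"python"},
		regexp.MustCompile(`\.execute\(\s*(f"|"[^"]*"\s*(\+|%))`), "SQL built by concatenation or formatting"},
	{"SQLI-CONCAT-JS", "CWE-89", []string{"javascript", "typescript"},
		regexp.MustCompile("\\.query\\(\\s*(`[^`]*\\$\\{|\"[^\"]*\"\\s*\\+)"), "SQL built by template or concatenation"},
	{"SQLI-REQUEST-PHP", "CWE-89", []string{"php"},
		regexp.MustCompile(`(mysqli_query|->query)\(.*\$_(GET|POST|REQUEST)`), "request data interpolated into SQL"},
	{"XSS-SINK", "CWE-79", []string{"javascript", "typescript"},
		regexp.MustCompile(`\.innerHTML\s*=|document\.write\(|dangerouslySetInnerHTML`), "unescaped HTML sink"},
	{"CMDI-PY", "CWE-78", []string{"python"},
		regexp.MustCompile(`shell\s*=\s*True|os\.system\(`), "shell command execution"},
	{"CMDI-PHP", "CWE-78", []string{"php"},
		regexp.MustCompile(`\b(exec|shell_exec|system|passthru)\(\s*\$`), "variable passed to a shell function"},
	{"PATH-USERINPUT", "CWE-22", []string{"python", "javascript", "typescript"},
		regexp.MustCompile(`\b(open|path\.join|readFileSync)\([^)]*\b(request|req)\.`), "request data reaches a file path"},
	{"DESER-UNSAFE", "CWE-502", []string{"php", "python"},
		// yaml.safe_load( does not match; yaml.load(..., Loader=SafeLoader) would, a known false positive.
		regexp.MustCompile(`\bunserialize\(|yaml\.load\(`), "deserialization of untrusted data"},
	{"CRED-HARDCODED", "CWE-798", nil,
		regexp.MustCompile(`(?i)(password|passwd|secret)\s*(:=|[:=])\s*["'][^"']{4,}["']`), "hardcoded credential"},
	{"CRYPTO-WEAK", "CWE-327", nil,
		regexp.MustCompile(`\b(md5|sha1)\.(New|Sum)|hashlib\.(md5|sha1)\(|\b(md5|sha1)\(|createHash\(\s*["'](md5|sha1)["']`), "MD5/SHA-1 usage"},
}

// Language returns the language for a file name, or "" if it is unsupported.
func Language(name string) string {
	return extLang[strings.ToLower(filepath.Ext(name))]
}

// applies reports whether a rule is enabled for the given language.
func applies(r Rule, lang string) bool {
	if r.Langs == nil {
		return true
	}
	for _, l := range r.Langs {
		if l == lang {
			return true
		}
	}
	return false
}

// Scan runs every rule enabled for the file's language over each line and
// returns the hits in line order. Files with an unsupported extension yield nil.
func Scan(name, src string) []Finding {
	lang := Language(name)
	if lang == "" {
		return nil
	}
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if applies(r, lang) && r.Pattern.MatchString(line) {
				out = append(out, Finding{File: name, Line: i + 1, RuleID: r.ID, CWE: r.CWE, Message: r.Message})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample input, not code from any real repository.
	sample := "cur.execute(\"SELECT * FROM users WHERE id=\" + uid)\nsubprocess.run(cmd, shell=True)\n"
	for _, f := range Scan("app.py", sample) {
		fmt.Printf("%s:%d %s (%s): %s\n", f.File, f.Line, f.RuleID, f.CWE, f.Message)
	}
}
```

The language filter is what keeps a pattern like `innerHTML =` from firing on a Go file, and the `nil` language list is how cross-language rules (hardcoded credentials, weak hashes) apply everywhere. Line-oriented regex matching is cheap and easy to extend, but it sees no data flow: a `yaml.load` call with a safe loader or a concatenated constant still matches, so findings from this kind of scanner are leads for review rather than confirmed vulnerabilities.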
98 lines
7.4 KiB
Markdown
# Changelog

## [Unreleased]

### Added

- Code security scanner: pattern-based detection of SQL injection, XSS, command injection, path traversal, insecure deserialization, hardcoded credentials, and weak cryptography across Go/PHP/Python/JS/TS (#552)
- Cascade merge: auto-create PRs to downstream branches after merge with configurable rules per repo (#460)
- Issue status presets: 4 built-in templates (default, software-development, support-tickets, bug-tracking) with API + web UI (#507)
- Cross-org status migration: copy status definitions from one org to another via API (#507)
- Auto-create default teams on org creation: Developers (write), Reviewers (read), CI/CD (actions+packages) (#513)
- Branch protection delete allowlist: configurable per-user/team/deploy-key allowlist for deleting protected branches (#696)
- Workflow subdirectory discovery: workflows in subdirectories of `.mokogitea/workflows/` are now auto-discovered (#693)
- API token scope `read:licensing` / `write:licensing` for licensing endpoints (#697)
- Edit API token scopes: PATCH /users/{username}/tokens/{id} API endpoint + web UI edit button (#697)
- Wiki full-text search: case-insensitive search across all wiki page titles and content (#550)
- Wiki search API: GET /wiki/search?q=term with paginated JSON results (#550)
- Metadata deploy fields: deploy_host, deploy_port, deploy_user, deploy_path, docker_image, docker_registry, container_name, health_url (#692)
- Security scanning API: REST endpoints for alerts, config, and on-demand scans (GET/PATCH /security/alerts, /security/config, POST /security/scan) (#692)
- Pre-receive hook secret blocking: push rejection when block_on_push enabled and secrets detected in commits (#692)
- Metadata API partial updates: PUT /metadata now merges only sent fields instead of replacing all
- Wiki revision diff: line-by-line diff view per commit in wiki page history (#667)
- Wiki categories: YAML frontmatter `categories:` with category index page (#668)
- Wiki template transclusion: `{{template:Name|key=val}}` with `_Template/` folder (#671)
- Wiki enhanced ToC: collapsible, inline via frontmatter, sticky sidebar (#673)
- Wiki folder ACL: `_access.yml` per-folder write protection (#674)
- Wiki print view and ZIP export of all wiki pages (#675)
- Wiki features documentation page in org wiki (standards/Wiki-Features)
- DLID licensing system: license, entitlement, activation, product_tier, audit_log tables (v359 migration)
- License CRUD with CRC32-checksummed DLID generation and format validation
- Entitlement model with tier-based rebuild and custom entitlement preservation
- Domain activation tracking with limit enforcement and auto-activate on first use
- 13 seeded product tiers from base to enterprise
- DLID-gated update XML endpoint: GET /api/v1/licensing/updates/{product}.xml
- Profile repo fallback chain: .mokogitea > .profile > .github
- Metadata/manifest GET endpoint publicly accessible without auth (#676)
- Org wiki: folder-based collapsible tree sidebar, _Sidebar.md overrides (#680)
- Wiki backlinks: "What links here" page showing all pages referencing current page (#669)
- Wiki wikilinks: [[Page Name]] and [[Page|Display Text]] syntax with red links for missing pages (#666)
- Required baseline issue statuses: Open and Closed are indestructible (is_required flag) (#681)
- Issue status API response includes is_required field
- Wiki recent changes page: cross-page edit activity with pagination (#670)
- Wiki page rename with automatic redirects via YAML frontmatter (#672)

### Security

- Cherry-pick upstream v1.26.3: LFS reject unknown SSH sub-verbs to prevent auth bypass (#38015)
- Cherry-pick upstream v1.26.3: bound CODEOWNERS regex match time — ReDoS prevention (#38025)
- Cherry-pick upstream v1.26.3: require merged PR to bypass fork PR approval gate (#38041)
- Cherry-pick upstream v1.26.3: LFS require Code-unit access for cross-repo object reuse (#38050)
- Cherry-pick upstream v1.26.3: hostmatcher block reserved IP ranges — SSRF prevention (#38059)
- Cherry-pick upstream v1.26.3: bound debian ParseControlFile — DoS prevention (#38055)
- Cherry-pick upstream v1.26.3: feed token scope, migration SSRF, notification redaction (#38147)
- Cherry-pick upstream v1.26.3: OIDC ignore stale external login links to organizations (#38141)
- Cherry-pick upstream v1.26.3: 2FA timing, branch delete auth, org labels visibility, merge upstream auth (#38151)
- Cherry-pick upstream v1.26.3: allow git clone of private repos with anonymous code access (#38146)
- Cherry-pick upstream v1.26.3: hostmatcher patch incorrect private IP list (#38173)
- Cherry-pick upstream v1.26.4: do not auto-reactivate disabled users on OAuth2 callback (#38183)
- Cherry-pick upstream v1.26.4: walk git log context error handling — regression fix (#38185)

### Fixed

- PR check: platform detection now queries metadata API instead of removed manifest.xml
- Cherry-pick upstream v1.26.2: handle empty pull request files view to allow reviews (#37783)
- Cherry-pick upstream v1.26.2: fix "run as root" check with snap container detection (#37622)
- Cherry-pick upstream: ack re-sent UpdateLog finalize idempotently (#37885)
- Cherry-pick upstream: reject workflow_dispatch for workflows without that trigger (#37660)
- Cherry-pick upstream: keep action run title clickable when commit subject is a URL (#37867)
- Cherry-pick upstream: exclude workflow_call from workflow trigger detection (#37894)
- API token edit: reject empty scope update requests with 400 instead of silently succeeding
- Workflow token auth: pr-check.yml pre-release dispatch was silently failing due to env var / curl reference mismatch
- Workflow tokens: standardize all GA_TOKEN/GITEA_TOKEN/GITEA_URL env vars to MOKOGITEA_TOKEN/MOKOGITEA_URL across all workflow files in 5 template repos + MokoCLI (65+ files)
- CI issue reporter: rename GITEA_TOKEN/GITEA_URL to MOKOGITEA_TOKEN/MOKOGITEA_URL in automation/ci-issue-reporter.sh
- Workflow sync trigger: add workflow_dispatch event, fix if-condition to allow manual dispatch, add PHP install step for non-PHP runners
- Deploy workflow: merge dev health check into deploy job to avoid runner status reporting failures on inter-job handoff
- Licensing API: handle DB write errors in UpdateLicense, UpdateTier, DeleteTier instead of silently discarding
- Wiki API: fix findEntryForFile URL-decode fallback for non-ASCII page names
- Metadata settings template 500 error: removed reference to deleted Version field
- Wiki recent changes: use commit.MessageTitle() instead of commit.Message()
- Wiki backlinks: proper URL encoding for subdirectory pages
- Wiki wikilinks: page existence lookup normalizes spaces and hyphens
- Issue statuses template: garbled em-dash character replaced

### Changed

- Custom workflows moved to `.mokogitea/workflows/custom/`: deploy-mokogitea, deploy-dev, cascade-dev, pr-rc-release, test-mokogitea, upstream-bug-sync
- Issue status seed defaults: Open, In Progress, Waiting, In Review, Closed, Won't Fix
- Pre-release workflow: auto-bump skipped for non-Joomla repos (platform check)
- CI issue reporter: moved to MokoCLI (cli/ci_issue_reporter.sh), pr-check and repo-health now use ci-issue-reporter.yml reusable workflow

### Removed

- Workflows: gitleaks.yml, npm-publish.yml, notify.yml, workflow-sync-trigger.yml, composer-publish.yml, deploy-manual.yml, security-audit.yml (not applicable to Go repo)
- automation/ci-issue-reporter.sh: moved to MokoCLI as centralized CLI tool

## [06.19.00] --- 2026-06-20

## [06.19.00] --- 2026-06-19