MokoConsulting/MokoGitea
1
0
Fork 0
Code Issues 147 Pull Requests 3 Releases 96 Wiki Activity
Files
development
MokoGitea/CHANGELOG.md
T
Jonathan Miller 2b5a4dd11c
Generic: Repo Health / Scripts governance (push) Blocked by required conditions
Details
Generic: Repo Health / Repository health (push) Blocked by required conditions
Details
Generic: Repo Health / Report Issues (push) Blocked by required conditions
Details
Generic: Repo Health / Site Health (push) Has been skipped
Details
Generic: Repo Health / Access control (push) Successful in 1s
Details
chore: resolve changelog conflict after main sync
2026-06-06 11:23:29 +00:00

11 KiB
Raw Permalink Blame History

Changelog

All notable changes to MokoGitea are documented here. Versions follow the format v{upstream}-moko.{major}.{minor} (e.g. v1.26.1-moko.06.03).

[v1.26.1-moko.06.04] - 2026-06-06

  • FEATURES
    • feat(licenses): full commercial license management system
      • Package archiving with soft-delete and collapsible archived section
      • Search keys by customer, domain, key number, email, or payment ref
      • Download gating (none/prerelease/all modes)
      • Domain lock grace period (DomainLockHours)
      • Domain restriction on packages and keys (comma-separated allowed domains)
      • RepoScope enforcement — packages scoped to specific repos
      • Configurable license key prefix per organization
      • Master key auto-generates, sorts first in key list
      • License package creation at repo level via modal
      • Key generation modal with licensee name, email, and domain fields
      • Manual release-to-stream mapping with UI selector
      • Double confirmation modals for permanent deletion
      • Combolist channel picker (replaces checkboxes)
      • Extension metadata in repo settings (per-repo override)
      • API: package CRUD, key revoke, key renew, settings GET/PUT
      • API: purchase webhook with PaymentRef idempotency
      • API: public validation endpoint (no auth)
      • Migration v340-v344: all new columns synced
    • feat(updates): Update Server system (renamed from "Licensing")
      • Joomla XML with SHA256, changelog URL, version from asset filename
      • Dolibarr JSON with channel filtering
      • WordPress PUC-compatible JSON (plugin-update-checker)
      • Composer packages.json
      • PrestaShop module update XML
      • Drupal update status XML
      • WHMCS module update JSON
      • Feed always public — downloads gated separately
      • Stream-name tags supported alongside version tags
      • Omit <client> for package extension types
      • <downloadkey> only when download_gating is prerelease or all
      • Version extracted from asset filename (matches actual download)
      • Joomla tag values verified: dev, alpha, beta, rc, stable
    • feat(orgs): enterprise sub-org hierarchy with parent-child relationships
    • feat(repos): three-level visibility — Public (200), Private (403), Hidden (404)
    • feat(settings): Update Server settings page with enable toggle in Advanced Settings
    • feat(settings): advanced settings on dedicated page with dividing headers
    • feat(settings): icons on all settings navbars (repo, org, user, admin)
    • feat(ui): styled 403 Access Denied page with inline login form
    • feat(issues): custom fields with inline editing in issue sidebar
    • feat(issues): pre-fill custom fields from issue template YAML frontmatter (#493)
      • Templates specify custom_fields: map (field name → default value)
      • New issue sidebar shows org-level fields with template defaults pre-selected
      • API create issue accepts custom_fields map by name
    • feat(updateserver): resolve extension metadata from org-level custom fields (#492)
      • Cascading fallback: custom fields → config table → repo-derived defaults
      • All six generators updated (Joomla, WordPress, Composer, Drupal, PrestaShop, WHMCS)
      • Repos can be migrated to custom fields gradually
    • feat(ui): two-in-one Update Server / Licenses tab
      • No gating: shows "Update Server" tab with feed URLs only
      • Gated: shows "Licenses" tab with full key management
      • <downloadkey> only appears when downloads are gated
  • SECURITY
    • fix(security): ownership guards on all API handlers (cross-org prevention)
    • fix(security): RepoScope JSON parsing (substring matching bug)
    • fix(security): CSRF tokens in delete confirmation modals
    • fix(security): XSS escaping in WordPress changelog HTML
    • fix(security): require login for licenses and actions pages
    • fix(security): 403 for all users on private repos (not 404)
    • fix(security): licensed private repos allow release viewing for signed-in users
    • fix(security): anonymous download access respects download_gating setting
  • FIXES
    • fix(licenses): explicit xorm column names for UpdateStreamConfig fields
    • fix(licenses): feed always public when licensing enabled
    • fix(settings): prevent double-highlight on Advanced Settings nav item
    • fix(settings): redirect back to /settings/advanced after save
    • fix(build): remove stale custom field API routes and dead code
    • fix(build): replace invalid UTF-8 character in API comment
    • fix(build): permanent fixes for AI migration, feed/file.go, unused imports
    • fix(updateserver): version extracted from asset filename (not release title)
    • fix(updateserver): omit <client> for package types per Joomla spec
    • fix(updateserver): <downloadkey> only shown when downloads are gated
    • fix(updateserver): prevent stream name tag from overriding asset-derived version
    • fix(build): restore build/ directory after accidental deletion
    • fix(licenses): master key banner removed, master keys sort first in table
    • fix(issues): issue sidebar loads org-level fields instead of legacy repo-level fields

[v1.26.1-moko.05] - 2026-05-31

  • BREAKING CHANGES
    • Deprecated Issue.Ref branch selector UI (#307)
      • Removed branch/tag selector from issue sidebar and new issue form
      • DB column and commit-close logic preserved for backward compatibility
  • FEATURES
    • feat(ui): generic combo-multiselect component (#361)
      • Reusable dropdown with search, checkable items, and selected-items display
      • Template: shared/combolist.tmpl
    • feat(updates): extension metadata settings for update feed generation
    • feat(licenses): platform enforcement, key deletion, expired key cleanup
    • feat(actions): rebrand actions bot user to mokogitea-actions (#233, #234)
      • Backward-compatible: recognizes github-actions[bot], gitea-actions[bot]
    • feat(actions): actions bot user in branch protection whitelist (#233, #234)
      • WhitelistActionsUser, MergeWhitelistActionsUser, ForcePushAllowlistActionsUser
  • TECH DEBT
    • chore: full namespace migration to code.mokoconsulting.tech (#336, #337, #344)
    • fix(blame): set HasSourceRenderedToggle for renderable files (#344)
    • fix(settings): translate team permission strings via data-locale (#344)
    • fix(dropzone): use relative path for non-image attachment markdown links (#344)
    • fix(templates): add required validation to issue dropdown fields (#350)
    • refactor(go): replace ValuesRepository with maps.Values (Go 1.21+) (#357)
    • refactor(go): remove CanEnableEditor wrapper (#357)
    • fix(ts): parseIssueHref uses URL pathname and trims appSubUrl (#360)
    • fix(actions): enforce MaxJobNumPerRun (256) limit (#360)
    • fix(css): use calc(infinity * 1px) for --border-radius-full (#361)
    • fix(css): remove legacy .center class, replace with tw-text-center (#361)
    • fix(routes): remove dead legacy /cherry-pick/{sha} route
    • fix(feed): use full ref name instead of ShortName for file feed revision
  • BUGFIXES
    • fix(build): use slices.Collect for maps.Values (Go 1.23+ compat)
    • fix(licenses): remove duplicate DeleteLicenseKey declaration
    • fix(licenses): only show licenses tab when licensing is enabled
    • fix(licenses): show feed URLs based on repo update platform setting
    • fix(updates): correct dlid prefix and align XML with Joomla standard
  • INFRASTRUCTURE
    • fix(ci): auto-deploy to production on merge to main (#235)

[v1.26.1-moko.04] - 2026-05-24

  • SECURITY
    • Backport 12 upstream v1.26.2 security fixes:
      • golang.org/x/net v0.55.0 security update (#140)
      • Token scope enforcement on raw/media/attachment downloads (#141)
      • OAuth PKCE hardening and refresh token replay protection (#142)
      • Wiki git write and LFS token access enforcement (#143)
      • Public-only token filtering in API queries (#144)
      • Artifact signature payload hardening (#146)
      • AWS credentials encryption (#161)
      • Mermaid v11.15.0 security update (#162)
      • Composer package permission check (#164)
  • BUGFIXES
    • fix(actions): nil pointer dereference in concurrency during PR creation (#136)
    • fix(ui): actions runs list broken row layout (#138)
    • fix: scheduled action panic with null event payload
    • fix: treat email addresses case-insensitively
    • fix: .mod lexer panic — removed invalid AMPL mapping
  • FEATURES
    • Joomla-style updates.xml with channel selection
    • Update checker with configurable CHANNEL setting
    • Admin dashboard update banner with docker pull command
    • Upstream bug sync workflow — daily automated issue creation
    • PR RC release workflow — auto-build RC on PR to main
  • INFRASTRUCTURE
    • New 3-part versioning: v{upstream}-moko.{major}.{minor}.{patch}
    • Branding updates: error pages, home page, settings link
    • Deploy workflow updated for new version format
  • PROCESS
    • Created type: bug and upstream labels for automated issue tracking
    • Closed 24 upstream bug/security issues after backporting

[v1.26.1-moko.03] - 2026-05-15

  • FEATURES
    • feat(api): Bulk issue operations — add/remove/replace labels, close/reopen, set milestone, assignees (#21)
  • INFRASTRUCTURE
    • Grafana: Standardized kiosk header across all 14 playlist dashboards
  • PROCESS
    • Reopened 9 closed issues lacking documented testing proof
    • Created pending: testing label for features awaiting verification
    • Established policy: issues must not be closed without documented testing proof

1.26.1 - 2026-04-21

  • BUGFIXES
    • Add event.schedule context for schedule actions task (#37320) (#37348)
    • Fix an issue where changing an organization's visibility caused problems when users had forked its repositories. (#37324) (#37344)
    • Use modern "git update-index --cacheinfo" syntax to support more file names (#37338) (#37343)
    • Fix URL related escaping for oauth2 (#37334) (#37340)
    • When the requested arch rpm is missing fall back to noarch (#37236) (#37339)
    • Fix actions concurrency groups cross-branch leak (#37311) (#37331)
    • Fix bug when accessing user badges (#37321) (#37329)
    • Fix AppFullLink (#37325) (#37328)
    • Fix container auth for public instance (#37290) (#37294)
    • Enhance GetActionWorkflow to support fallback references (#37189) (#37283)
    • Fix vite manifest update masking build errors (#37279) (#37310)
    • Fix Mermaid diagrams failing when node labels contain line breaks (#37296) (#37299)
    • Use TriggerEvent instead of Event in workflow runs API response for scheduled runs (#37288) #37360
    • Add URL to Learn more about blocking a user. (#37355) #37367
    • Fix button layout shift when collapsing file tree in editor (#37363) #37375
    • Fix org team assignee/reviewer lookups for team member permissions (#37365) #37391
    • Fix repo init README EOL (#37388) #37399
    • Fix: dump with default zip type produces uncompressed zip (#37401)#37402
Reference in New Issue View Git Blame Copy Permalink