Fix various bugs (#35684)

1. Fix incorrect column in `applySubscribedCondition`, add a test
2. Fix debian version parsing, add more tests fix #35695
3. Fix log level for HTTP errors, fix #35651
4. Fix abused "panic" handler in API `Migrate`
5. Fix the redirection from PR to issue, add a test
6. Fix Actions variable & secret name validation, add more tests
    * envNameCIRegexMatch is unnecessary, removed
    * validating in "delete" function doesn't make sense, removed
7. Fix incorrect link in release email

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>

services/secrets/validation.go

@@ -5,21 +5,29 @@ package secrets
 
 import (
 	"regexp"
+	"strings"
+	"sync"
 
 	"code.gitea.io/gitea/modules/util"
 )
 
+// https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
 // https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
-var (
-	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
-
-	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
-)
+var globalVars = sync.OnceValue(func() (ret struct {
+	namePattern, forbiddenPrefixPattern *regexp.Regexp
+},
+) {
+	ret.namePattern = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
+	ret.forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
+	return ret
+})
 
 func ValidateName(name string) error {
-	if !namePattern.MatchString(name) || forbiddenPrefixPattern.MatchString(name) {
-		return ErrInvalidName
+	vars := globalVars()
+	if !vars.namePattern.MatchString(name) ||
+		vars.forbiddenPrefixPattern.MatchString(name) ||
+		strings.EqualFold(name, "CI") /* CI is always set to true in GitHub Actions*/ {
+		return util.NewInvalidArgumentErrorf("invalid variable or secret name")
 	}
 	return nil
 }