From 3b10fd9b3452d548ef116b27161b17f57a8e180c Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Fri, 20 Sep 2024 22:57:55 +0800
Subject: [PATCH 01/23] Only use Host header from reverse proxy (#32060)

X-Forwarded-Host has many problems: non-standard, not well-defined
(X-Forwarded-Port or not), conflicts with Host header, it already caused
problems like #31907. So do not use X-Forwarded-Host, just use Host
header directly.

Official document also only uses `Host` header and never mentioned
others.
---
 .github/workflows/pull-db-tests.yml |  3 ++-
 modules/httplib/url.go              | 13 +++----------
 modules/httplib/url_test.go         |  5 +++--
 3 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 246884f24b..90804c0f0a 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -201,7 +201,8 @@ jobs:
     runs-on: ubuntu-latest
     services:
       mssql:
-        image: mcr.microsoft.com/mssql/server:2017-latest
+        # some images before 2024-04 can't run on new kernels
+        image: mcr.microsoft.com/mssql/server:2019-latest
         env:
           ACCEPT_EULA: Y
           MSSQL_PID: Standard
diff --git a/modules/httplib/url.go b/modules/httplib/url.go
index 219dfe695c..e3bad1e5fb 100644
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -52,11 +52,6 @@ func getRequestScheme(req *http.Request) string {
 	return ""
 }
 
-func getForwardedHost(req *http.Request) string {
-	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
-	return req.Header.Get("X-Forwarded-Host")
-}
-
 // GuessCurrentAppURL tries to guess the current full app URL (with sub-path) by http headers. It always has a '/' suffix, exactly the same as setting.AppURL
 func GuessCurrentAppURL(ctx context.Context) string {
 	return GuessCurrentHostURL(ctx) + setting.AppSubURL + "/"
@@ -81,11 +76,9 @@ func GuessCurrentHostURL(ctx context.Context) string {
 	if reqScheme == "" {
 		return strings.TrimSuffix(setting.AppURL, setting.AppSubURL+"/")
 	}
-	reqHost := getForwardedHost(req)
-	if reqHost == "" {
-		reqHost = req.Host
-	}
-	return reqScheme + "://" + reqHost
+	// X-Forwarded-Host has many problems: non-standard, not well-defined (X-Forwarded-Port or not), conflicts with Host header.
+	// So do not use X-Forwarded-Host, just use Host header directly.
+	return reqScheme + "://" + req.Host
 }
 
 // MakeAbsoluteURL tries to make a link to an absolute URL:
diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index 28aaee6e12..fc6c91cd3a 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -70,7 +70,7 @@ func TestMakeAbsoluteURL(t *testing.T) {
 			"X-Forwarded-Proto": {"https"},
 		},
 	})
-	assert.Equal(t, "https://forwarded-host/foo", MakeAbsoluteURL(ctx, "/foo"))
+	assert.Equal(t, "https://user-host/foo", MakeAbsoluteURL(ctx, "/foo"))
 }
 
 func TestIsCurrentGiteaSiteURL(t *testing.T) {
@@ -119,5 +119,6 @@ func TestIsCurrentGiteaSiteURL(t *testing.T) {
 		},
 	})
 	assert.True(t, IsCurrentGiteaSiteURL(ctx, "http://localhost:3000"))
-	assert.True(t, IsCurrentGiteaSiteURL(ctx, "https://forwarded-host"))
+	assert.True(t, IsCurrentGiteaSiteURL(ctx, "https://user-host"))
+	assert.False(t, IsCurrentGiteaSiteURL(ctx, "https://forwarded-host"))
 }

From aa9faf825074110d31fc2c75a31880c98a48feb2 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Fri, 20 Sep 2024 17:27:19 +0200
Subject: [PATCH 02/23] Set manual `tabindex`es on login page (#31689)

Fixes https://github.com/go-gitea/gitea/issues/31686.

A more elborate manual tabindex numbering could be done, but I think
it's not really worth the extra effort and such stuff could easily break
during refactors.

Includes another small tweak to un-stretch the`<a>` element so it's only
as large as it needs to be and this change also made the margin
unneeded.
---
 templates/user/auth/signin_inner.tmpl | 12 +++++++-----
 web_src/css/form.css                  |  1 -
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index b0a52d2c64..ec61e56f4d 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -14,20 +14,22 @@
 			{{.CsrfTokenHtml}}
 			<div class="required field {{if and (.Err_UserName) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
 				<label for="user_name">{{ctx.Locale.Tr "home.uname_holder"}}</label>
-				<input id="user_name" type="text" name="user_name" value="{{.user_name}}" autofocus required>
+				<input id="user_name" type="text" name="user_name" value="{{.user_name}}" autofocus required tabindex="1">
 			</div>
 			{{if or (not .DisablePassword) .LinkAccountMode}}
 			<div class="required field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}} form-field-content-aside-label">
 				<label for="password">{{ctx.Locale.Tr "password"}}</label>
-				<a href="{{AppSubUrl}}/user/forgot_password">{{ctx.Locale.Tr "auth.forgot_password"}}</a>
-				<input id="password" name="password" type="password" value="{{.password}}" autocomplete="current-password" required>
+				<div>
+					<a href="{{AppSubUrl}}/user/forgot_password" tabindex="4">{{ctx.Locale.Tr "auth.forgot_password"}}</a>
+				</div>
+				<input id="password" name="password" type="password" value="{{.password}}" autocomplete="current-password" required tabindex="2">
 			</div>
 			{{end}}
 			{{if not .LinkAccountMode}}
 			<div class="inline field">
 				<div class="ui checkbox">
 					<label>{{ctx.Locale.Tr "auth.remember_me"}}</label>
-					<input name="remember" type="checkbox">
+					<input name="remember" type="checkbox" tabindex="5">
 				</div>
 			</div>
 			{{end}}
@@ -35,7 +37,7 @@
 			{{template "user/auth/captcha" .}}
 
 			<div class="field">
-				<button class="ui primary button tw-w-full">
+				<button class="ui primary button tw-w-full" tabindex="3">
 					{{if .LinkAccountMode}}
 						{{ctx.Locale.Tr "auth.oauth_signin_submit"}}
 					{{else}}
diff --git a/web_src/css/form.css b/web_src/css/form.css
index d2655d62b8..5dd5e05bec 100644
--- a/web_src/css/form.css
+++ b/web_src/css/form.css
@@ -456,7 +456,6 @@ textarea:focus,
 }
 .form-field-content-aside-label > *:nth-child(2) {
   text-align: right;
-  margin-bottom: 4px;
 }
 .form-field-content-aside-label input {
   grid-column: span 2;

From 08adbc468f8875fd4763c3656b334203c11adc0a Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Fri, 20 Sep 2024 21:00:39 +0200
Subject: [PATCH 03/23] Fix incorrect `/tokens` api (#32085)

Fixes #32078

- Add missing scopes output.
- Disallow empty scope.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 routers/api/v1/user/app.go          |  5 +++++
 tests/integration/api_token_test.go | 31 ++++++++++-------------------
 2 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go
index 5c28dd878d..9583bb548c 100644
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@@ -118,6 +118,10 @@ func CreateAccessToken(ctx *context.APIContext) {
 		ctx.Error(http.StatusBadRequest, "AccessTokenScope.Normalize", fmt.Errorf("invalid access token scope provided: %w", err))
 		return
 	}
+	if scope == "" {
+		ctx.Error(http.StatusBadRequest, "AccessTokenScope", "access token must have a scope")
+		return
+	}
 	t.Scope = scope
 
 	if err := auth_model.NewAccessToken(ctx, t); err != nil {
@@ -129,6 +133,7 @@ func CreateAccessToken(ctx *context.APIContext) {
 		Token:          t.Token,
 		ID:             t.ID,
 		TokenLastEight: t.TokenLastEight,
+		Scopes:         t.Scope.StringSlice(),
 	})
 }
 
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index 9c7bf37330..01d18ef6f1 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -23,10 +23,10 @@ func TestAPICreateAndDeleteToken(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 
-	newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, nil)
+	newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
 	deleteAPIAccessToken(t, newAccessToken, user)
 
-	newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, nil)
+	newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
 	deleteAPIAccessToken(t, newAccessToken, user)
 }
 
@@ -72,19 +72,19 @@ func TestAPIDeleteTokensPermission(t *testing.T) {
 	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
 
 	// admin can delete tokens for other users
-	createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, nil)
+	createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
 	req := NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1").
 		AddBasicAuth(admin.Name)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// non-admin can delete tokens for himself
-	createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, nil)
+	createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
 	req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2").
 		AddBasicAuth(user2.Name)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// non-admin can't delete tokens for other users
-	createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, nil)
+	createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
 	req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3").
 		AddBasicAuth(user4.Name)
 	MakeRequest(t, req, http.StatusForbidden)
@@ -520,7 +520,7 @@ func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model
 			unauthorizedScopes = append(unauthorizedScopes, cateogoryUnauthorizedScopes...)
 		}
 
-		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, &unauthorizedScopes)
+		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, unauthorizedScopes)
 		defer deleteAPIAccessToken(t, accessToken, user)
 
 		// Request the endpoint.  Verify that permission is denied.
@@ -532,20 +532,12 @@ func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model
 
 // createAPIAccessTokenWithoutCleanUp Create an API access token and assert that
 // creation succeeded.  The caller is responsible for deleting the token.
-func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes *[]auth_model.AccessTokenScope) api.AccessToken {
+func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes []auth_model.AccessTokenScope) api.AccessToken {
 	payload := map[string]any{
-		"name": tokenName,
-	}
-	if scopes != nil {
-		for _, scope := range *scopes {
-			scopes, scopesExists := payload["scopes"].([]string)
-			if !scopesExists {
-				scopes = make([]string, 0)
-			}
-			scopes = append(scopes, string(scope))
-			payload["scopes"] = scopes
-		}
+		"name":   tokenName,
+		"scopes": scopes,
 	}
+
 	log.Debug("Requesting creation of token with scopes: %v", scopes)
 	req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload).
 		AddBasicAuth(user.Name)
@@ -563,8 +555,7 @@ func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *us
 	return newAccessToken
 }
 
-// createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that
-// deletion succeeded.
+// deleteAPIAccessToken deletes an API access token and assert that deletion succeeded.
 func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {
 	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID).
 		AddBasicAuth(user.Name)

From 8e2dd5d3ddfb442937c79f05df88d18b856952cb Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 21 Sep 2024 17:50:54 +0800
Subject: [PATCH 04/23] Use camo.Always instead of camo.Allways (#32097)

Fix #31575

https://gitea.com/gitea/docs/pulls/73
---
 custom/conf/app.example.ini |  3 ++-
 modules/markup/camo.go      |  2 +-
 modules/markup/camo_test.go |  2 +-
 modules/setting/camo.go     | 14 ++++++++++++--
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index a2dd92b105..ad5d3e1aba 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -526,7 +526,8 @@ INTERNAL_TOKEN =
 ;; HMAC to encode urls with, it **is required** if camo is enabled.
 ;HMAC_KEY =
 ;; Set to true to use camo for https too lese only non https urls are proxyed
-;ALLWAYS = false
+;; ALLWAYS is deprecated and will be removed in the future
+;ALWAYS = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/markup/camo.go b/modules/markup/camo.go
index e93797de2b..7e2583469d 100644
--- a/modules/markup/camo.go
+++ b/modules/markup/camo.go
@@ -38,7 +38,7 @@ func camoHandleLink(link string) string {
 	if setting.Camo.Enabled {
 		lnkURL, err := url.Parse(link)
 		if err == nil && lnkURL.IsAbs() && !strings.HasPrefix(link, setting.AppURL) &&
-			(setting.Camo.Allways || lnkURL.Scheme != "https") {
+			(setting.Camo.Always || lnkURL.Scheme != "https") {
 			return CamoEncode(link)
 		}
 	}
diff --git a/modules/markup/camo_test.go b/modules/markup/camo_test.go
index ba58835221..3c5d40afa0 100644
--- a/modules/markup/camo_test.go
+++ b/modules/markup/camo_test.go
@@ -28,7 +28,7 @@ func TestCamoHandleLink(t *testing.T) {
 		"https://image.proxy/eivin43gJwGVIjR9MiYYtFIk0mw/aHR0cDovL3Rlc3RpbWFnZXMub3JnL2ltZy5qcGc",
 		camoHandleLink("http://testimages.org/img.jpg"))
 
-	setting.Camo.Allways = true
+	setting.Camo.Always = true
 	assert.Equal(t,
 		"https://gitea.com/img.jpg",
 		camoHandleLink("https://gitea.com/img.jpg"))
diff --git a/modules/setting/camo.go b/modules/setting/camo.go
index 366e9a116c..608ecf8363 100644
--- a/modules/setting/camo.go
+++ b/modules/setting/camo.go
@@ -3,18 +3,28 @@
 
 package setting
 
-import "code.gitea.io/gitea/modules/log"
+import (
+	"strconv"
+
+	"code.gitea.io/gitea/modules/log"
+)
 
 var Camo = struct {
 	Enabled   bool
 	ServerURL string `ini:"SERVER_URL"`
 	HMACKey   string `ini:"HMAC_KEY"`
-	Allways   bool
+	Always    bool
 }{}
 
 func loadCamoFrom(rootCfg ConfigProvider) {
 	mustMapSetting(rootCfg, "camo", &Camo)
 	if Camo.Enabled {
+		oldValue := rootCfg.Section("camo").Key("ALLWAYS").MustString("")
+		if oldValue != "" {
+			log.Warn("camo.ALLWAYS is deprecated, use camo.ALWAYS instead")
+			Camo.Always, _ = strconv.ParseBool(oldValue)
+		}
+
 		if Camo.ServerURL == "" || Camo.HMACKey == "" {
 			log.Fatal(`Camo settings require "SERVER_URL" and HMAC_KEY`)
 		}

From f58a43f60a623c5d45942b92efa25cad7f4040bb Mon Sep 17 00:00:00 2001
From: Anbraten <6918444+anbraten@users.noreply.github.com>
Date: Sat, 21 Sep 2024 20:26:36 +0200
Subject: [PATCH 05/23] Count typescript files as frontend for labeling
 (#32088)

---
 .github/labeler.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/labeler.yml b/.github/labeler.yml
index 265616baed..46efbcb194 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -70,10 +70,11 @@ modifies/go:
       - any-glob-to-any-file:
           - "**/*.go"
 
-modifies/js:
+modifies/frontend:
   - changed-files:
       - any-glob-to-any-file:
           - "**/*.js"
+          - "**/*.ts"
           - "**/*.vue"
 
 docs-update-needed:

From ebfde845294cc681de6b1fe1adcf27e35f61b89b Mon Sep 17 00:00:00 2001
From: Timon van der Berg <tmnvanderberg@gmail.com>
Date: Sat, 21 Sep 2024 20:57:01 +0200
Subject: [PATCH 06/23] Repo Activity: count new issues that were closed
 (#31776)

I'm new to go and contributing to gitea, your guidance is much
appreciated.

This is meant to solve https://github.com/go-gitea/gitea/issues/13309

Previously, closed issues would not be shown under new issues in the
activity tab, even if they were newly created.

changes:
* Split out newlyCreatedIssues from issuesForActivityStatement to count
  both currently open and closed issues.
* Use a seperate function to count active issues to prevent
double-counting issues after the above change.

Result is that new issues that have been closed are shown both under
"new" and "closed".

Signed-off-by: Timon van der Berg <tmnvanderberg@gmail.com>
---
 models/activities/repo_activity.go | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/models/activities/repo_activity.go b/models/activities/repo_activity.go
index ba5e4959f0..3ffad035b7 100644
--- a/models/activities/repo_activity.go
+++ b/models/activities/repo_activity.go
@@ -34,6 +34,7 @@ type ActivityStats struct {
 	OpenedPRAuthorCount         int64
 	MergedPRs                   issues_model.PullRequestList
 	MergedPRAuthorCount         int64
+	ActiveIssues                issues_model.IssueList
 	OpenedIssues                issues_model.IssueList
 	OpenedIssueAuthorCount      int64
 	ClosedIssues                issues_model.IssueList
@@ -172,7 +173,7 @@ func (stats *ActivityStats) MergedPRPerc() int {
 
 // ActiveIssueCount returns total active issue count
 func (stats *ActivityStats) ActiveIssueCount() int {
-	return stats.OpenedIssueCount() + stats.ClosedIssueCount()
+	return len(stats.ActiveIssues)
 }
 
 // OpenedIssueCount returns open issue count
@@ -285,13 +286,21 @@ func (stats *ActivityStats) FillIssues(ctx context.Context, repoID int64, fromTi
 	stats.ClosedIssueAuthorCount = count
 
 	// New issues
-	sess = issuesForActivityStatement(ctx, repoID, fromTime, false, false)
+	sess = newlyCreatedIssues(ctx, repoID, fromTime)
 	sess.OrderBy("issue.created_unix ASC")
 	stats.OpenedIssues = make(issues_model.IssueList, 0)
 	if err = sess.Find(&stats.OpenedIssues); err != nil {
 		return err
 	}
 
+	// Active issues
+	sess = activeIssues(ctx, repoID, fromTime)
+	sess.OrderBy("issue.created_unix ASC")
+	stats.ActiveIssues = make(issues_model.IssueList, 0)
+	if err = sess.Find(&stats.ActiveIssues); err != nil {
+		return err
+	}
+
 	// Opened issue authors
 	sess = issuesForActivityStatement(ctx, repoID, fromTime, false, false)
 	if _, err = sess.Select("count(distinct issue.poster_id) as `count`").Table("issue").Get(&count); err != nil {
@@ -317,6 +326,23 @@ func (stats *ActivityStats) FillUnresolvedIssues(ctx context.Context, repoID int
 	return sess.Find(&stats.UnresolvedIssues)
 }
 
+func newlyCreatedIssues(ctx context.Context, repoID int64, fromTime time.Time) *xorm.Session {
+	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
+		And("issue.is_pull = ?", false).                // Retain the is_pull check to exclude pull requests
+		And("issue.created_unix >= ?", fromTime.Unix()) // Include all issues created after fromTime
+
+	return sess
+}
+
+func activeIssues(ctx context.Context, repoID int64, fromTime time.Time) *xorm.Session {
+	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
+		And("issue.is_pull = ?", false).
+		And("issue.created_unix >= ?", fromTime.Unix()).
+		Or("issue.closed_unix >= ?", fromTime.Unix())
+
+	return sess
+}
+
 func issuesForActivityStatement(ctx context.Context, repoID int64, fromTime time.Time, closed, unresolved bool) *xorm.Session {
 	sess := db.GetEngine(ctx).Where("issue.repo_id = ?", repoID).
 		And("issue.is_closed = ?", closed)

From 5de41737a5d9337cc5b8416b63b2972366c62102 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 22 Sep 2024 03:26:45 +0800
Subject: [PATCH 07/23] Fix upload maven pacakge parallelly (#31851)

Use globallock for maven package uploads.

Thanks @tlusser for the test code.

Depends on ~#31813~
---
 routers/api/packages/maven/maven.go          | 13 ++++++++
 tests/integration/api_packages_maven_test.go | 33 ++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/routers/api/packages/maven/maven.go b/routers/api/packages/maven/maven.go
index 1486e83c57..07e34da8e2 100644
--- a/routers/api/packages/maven/maven.go
+++ b/routers/api/packages/maven/maven.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 
 	packages_model "code.gitea.io/gitea/models/packages"
+	"code.gitea.io/gitea/modules/globallock"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	packages_module "code.gitea.io/gitea/modules/packages"
@@ -223,6 +224,10 @@ func servePackageFile(ctx *context.Context, params parameters, serveContent bool
 	helper.ServePackageFile(ctx, s, u, pf, opts)
 }
 
+func mavenPkgNameKey(packageName string) string {
+	return "pkg_maven_" + packageName
+}
+
 // UploadPackageFile adds a file to the package. If the package does not exist, it gets created.
 func UploadPackageFile(ctx *context.Context) {
 	params, err := extractPathParameters(ctx)
@@ -241,6 +246,14 @@ func UploadPackageFile(ctx *context.Context) {
 
 	packageName := params.GroupID + "-" + params.ArtifactID
 
+	// for the same package, only one upload at a time
+	releaser, err := globallock.Lock(ctx, mavenPkgNameKey(packageName))
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	defer releaser()
+
 	buf, err := packages_module.CreateHashedBufferFromReader(ctx.Req.Body)
 	if err != nil {
 		apiError(ctx, http.StatusInternalServerError, err)
diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go
index 0466a727b2..e54238858c 100644
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"sync"
 	"testing"
 
 	"code.gitea.io/gitea/models/db"
@@ -252,3 +253,35 @@ func TestPackageMaven(t *testing.T) {
 		assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
 	})
 }
+
+func TestPackageMavenConcurrent(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	groupID := "com.gitea"
+	artifactID := "test-project"
+	packageVersion := "1.0.1"
+
+	root := fmt.Sprintf("/api/packages/%s/maven/%s/%s", user.Name, strings.ReplaceAll(groupID, ".", "/"), artifactID)
+
+	putFile := func(t *testing.T, path, content string, expectedStatus int) {
+		req := NewRequestWithBody(t, "PUT", root+path, strings.NewReader(content)).
+			AddBasicAuth(user.Name)
+		MakeRequest(t, req, expectedStatus)
+	}
+
+	t.Run("Concurrent Upload", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		var wg sync.WaitGroup
+		for i := 0; i < 10; i++ {
+			wg.Add(1)
+			go func(i int) {
+				putFile(t, fmt.Sprintf("/%s/%s.jar", packageVersion, strconv.Itoa(i)), "test", http.StatusCreated)
+				wg.Done()
+			}(i)
+		}
+		wg.Wait()
+	})
+}

From a802508f88e546bf18990559e44bf27a09c869ee Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 22 Sep 2024 05:56:25 +0800
Subject: [PATCH 08/23] Fix wrong last modify time (#32102)

---
 modules/httpcache/httpcache.go      | 3 ++-
 modules/httplib/serve.go            | 1 +
 routers/api/packages/maven/maven.go | 4 +++-
 routers/web/repo/githttp.go         | 3 ++-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/modules/httpcache/httpcache.go b/modules/httpcache/httpcache.go
index 40458dfc33..2c9af94405 100644
--- a/modules/httpcache/httpcache.go
+++ b/modules/httpcache/httpcache.go
@@ -75,7 +75,8 @@ func HandleGenericETagTimeCache(req *http.Request, w http.ResponseWriter, etag s
 		w.Header().Set("Etag", etag)
 	}
 	if lastModified != nil && !lastModified.IsZero() {
-		w.Header().Set("Last-Modified", lastModified.Format(http.TimeFormat))
+		// http.TimeFormat required a UTC time, refer to https://pkg.go.dev/net/http#TimeFormat
+		w.Header().Set("Last-Modified", lastModified.UTC().Format(http.TimeFormat))
 	}
 
 	if len(etag) > 0 {
diff --git a/modules/httplib/serve.go b/modules/httplib/serve.go
index 6e147d76f5..2e3e6a7c42 100644
--- a/modules/httplib/serve.go
+++ b/modules/httplib/serve.go
@@ -79,6 +79,7 @@ func ServeSetHeaders(w http.ResponseWriter, opts *ServeHeaderOptions) {
 	httpcache.SetCacheControlInHeader(header, duration)
 
 	if !opts.LastModified.IsZero() {
+		// http.TimeFormat required a UTC time, refer to https://pkg.go.dev/net/http#TimeFormat
 		header.Set("Last-Modified", opts.LastModified.UTC().Format(http.TimeFormat))
 	}
 }
diff --git a/routers/api/packages/maven/maven.go b/routers/api/packages/maven/maven.go
index 07e34da8e2..343705990a 100644
--- a/routers/api/packages/maven/maven.go
+++ b/routers/api/packages/maven/maven.go
@@ -115,7 +115,9 @@ func serveMavenMetadata(ctx *context.Context, params parameters) {
 	xmlMetadataWithHeader := append([]byte(xml.Header), xmlMetadata...)
 
 	latest := pds[len(pds)-1]
-	ctx.Resp.Header().Set("Last-Modified", latest.Version.CreatedUnix.Format(http.TimeFormat))
+	// http.TimeFormat required a UTC time, refer to https://pkg.go.dev/net/http#TimeFormat
+	lastModifed := latest.Version.CreatedUnix.AsTime().UTC().Format(http.TimeFormat)
+	ctx.Resp.Header().Set("Last-Modified", lastModifed)
 
 	ext := strings.ToLower(filepath.Ext(params.Filename))
 	if isChecksumExtension(ext) {
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index bb85df1a86..ee1ec1fd0c 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -395,7 +395,8 @@ func (h *serviceHandler) sendFile(ctx *context.Context, contentType, file string
 
 	ctx.Resp.Header().Set("Content-Type", contentType)
 	ctx.Resp.Header().Set("Content-Length", fmt.Sprintf("%d", fi.Size()))
-	ctx.Resp.Header().Set("Last-Modified", fi.ModTime().Format(http.TimeFormat))
+	// http.TimeFormat required a UTC time, refer to https://pkg.go.dev/net/http#TimeFormat
+	ctx.Resp.Header().Set("Last-Modified", fi.ModTime().UTC().Format(http.TimeFormat))
 	http.ServeFile(ctx.Resp, ctx.Req, reqFile)
 }
 

From d351a42494e71b5e2da63302c2f9b46c78e6dbde Mon Sep 17 00:00:00 2001
From: Jamie Schouten <j4mie@hey.com>
Date: Sun, 22 Sep 2024 00:42:17 +0200
Subject: [PATCH 09/23] Add bin to Composer Metadata (#32099)

This PR addresses the missing `bin` field in Composer metadata, which
currently causes vendor-provided binaries to not be symlinked to
`vendor/bin` during installation.

In the current implementation, running `composer install` does not
publish the binaries, leading to issues where expected binaries are not
available.

By properly declaring the `bin` field, this PR ensures that binaries are
correctly symlinked upon installation, as described in the [Composer
documentation](https://getcomposer.org/doc/articles/vendor-binaries.md).
---
 modules/packages/composer/metadata.go           | 1 +
 tests/integration/api_packages_composer_test.go | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/packages/composer/metadata.go b/modules/packages/composer/metadata.go
index 2c2e9ebf27..6035eae8ca 100644
--- a/modules/packages/composer/metadata.go
+++ b/modules/packages/composer/metadata.go
@@ -48,6 +48,7 @@ type Metadata struct {
 	Homepage    string            `json:"homepage,omitempty"`
 	License     Licenses          `json:"license,omitempty"`
 	Authors     []Author          `json:"authors,omitempty"`
+	Bin         []string          `json:"bin,omitempty"`
 	Autoload    map[string]any    `json:"autoload,omitempty"`
 	AutoloadDev map[string]any    `json:"autoload-dev,omitempty"`
 	Extra       map[string]any    `json:"extra,omitempty"`
diff --git a/tests/integration/api_packages_composer_test.go b/tests/integration/api_packages_composer_test.go
index 6e0d2eee1b..51b047ab41 100644
--- a/tests/integration/api_packages_composer_test.go
+++ b/tests/integration/api_packages_composer_test.go
@@ -36,6 +36,7 @@ func TestPackageComposer(t *testing.T) {
 	packageType := "composer-plugin"
 	packageAuthor := "Gitea Authors"
 	packageLicense := "MIT"
+	packageBin := "./bin/script"
 
 	var buf bytes.Buffer
 	archive := zip.NewWriter(&buf)
@@ -49,6 +50,9 @@ func TestPackageComposer(t *testing.T) {
 			{
 				"name": "` + packageAuthor + `"
 			}
+		],
+		"bin": [
+			"` + packageBin + `"
 		]
 	}`))
 	archive.Close()
@@ -210,6 +214,8 @@ func TestPackageComposer(t *testing.T) {
 		assert.Len(t, pkgs[0].Authors, 1)
 		assert.Equal(t, packageAuthor, pkgs[0].Authors[0].Name)
 		assert.Equal(t, "zip", pkgs[0].Dist.Type)
-		assert.Equal(t, "7b40bfd6da811b2b78deec1e944f156dbb2c747b", pkgs[0].Dist.Checksum)
+		assert.Equal(t, "4f5fa464c3cb808a1df191dbf6cb75363f8b7072", pkgs[0].Dist.Checksum)
+		assert.Len(t, pkgs[0].Bin, 1)
+		assert.Equal(t, packageBin, pkgs[0].Bin[0])
 	})
 }

From 74f2ee31248ccdd66218c89fafa7f91a1e1dc58a Mon Sep 17 00:00:00 2001
From: GiteaBot <teabot@gitea.io>
Date: Sun, 22 Sep 2024 00:33:39 +0000
Subject: [PATCH 10/23] [skip ci] Updated translations via Crowdin

---
 options/locale/locale_ja-JP.ini | 45 +++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 3edf68e943..48f241f7b8 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -218,16 +218,20 @@ string.desc=Z - A
 
 [error]
 occurred=エラーが発生しました
+report_message=Gitea のバグが疑われる場合は、<a href="%s" target="_blank">GitHub</a>でIssueを検索して、見つからなければ新しいIssueを作成してください。
 not_found=ターゲットが見つかりませんでした。
 network_error=ネットワークエラー
 
 [startpage]
 app_desc=自分で立てる、超簡単 Git サービス
 install=簡単インストール
+install_desc=シンプルに、プラットフォームに応じて<a target="_blank" rel="noopener noreferrer" href="%[1]s">バイナリを実行</a>したり、<a target="_blank" rel="noopener noreferrer" href="%[2]s">Docker</a>で動かしたり、<a target="_blank" rel="noopener noreferrer" href="%[3]s">パッケージ</a>を使うだけ。
 platform=クロスプラットフォーム
+platform_desc=Giteaは<a target="_blank" rel="noopener noreferrer" href="%s">Go</a>がコンパイル可能なあらゆる環境で動きます: Windows、macOS、Linux、ARMなど。 あなたの好きなものを選んでください!
 lightweight=軽量
 lightweight_desc=Gitea の最小動作要件は小さいため、安価な Raspberry Pi でも動きます。エネルギーを節約しましょう!
 license=オープンソース
+license_desc=Go get <a target="_blank" rel="noopener noreferrer" href="%[1]s">%[2]s</a>! このプロジェクトをさらに向上させるため、ぜひ<a target="_blank" rel="noopener noreferrer" href="%[3]s">貢献</a>して参加してください。 貢献者になることを恥ずかしがらないで!
 
 [install]
 install=インストール
@@ -450,6 +454,7 @@ authorize_title=`"%s"にあなたのアカウントへのアクセスを許可
 authorization_failed=認可失敗
 authorization_failed_desc=無効なリクエストを検出したため認可が失敗しました。 認可しようとしたアプリの開発者に連絡してください。
 sspi_auth_failed=SSPI認証に失敗しました
+password_pwned=あなたが選択したパスワードは、過去の情報漏洩事件で流出した<a target="_blank" rel="noopener noreferrer" href="%s">盗まれたパスワードのリスト</a>に含まれています。 別のパスワードでもう一度試してください。 また他の登録でもこのパスワードからの変更を検討してください。
 password_pwned_err=HaveIBeenPwnedへのリクエストを完了できませんでした
 last_admin=最後の管理者は削除できません。少なくとも一人の管理者が必要です。
 signin_passkey=パスキーでサインイン
@@ -919,6 +924,7 @@ oauth2_client_secret_hint=このページから移動したりページを更新
 oauth2_application_edit=編集
 oauth2_application_create_description=OAuth2アプリケーションで、サードパーティアプリケーションがこのインスタンス上のユーザーアカウントにアクセスできるようになります。
 oauth2_application_remove_description=OAuth2アプリケーションを削除すると、このインスタンス上の許可されたユーザーアカウントへのアクセスができなくなります。 続行しますか？
+oauth2_application_locked=設定で有効にされた場合、Giteaは起動時にいくつかのOAuth2アプリケーションを事前登録します。 想定されていない動作を防ぐため、これらは編集も削除もできません。 詳細についてはOAuth2のドキュメントを参照してください。
 
 authorized_oauth2_applications=許可済みOAuth2アプリケーション
 authorized_oauth2_applications_description=これらのサードパーティ アプリケーションに、あなたのGiteaアカウントへのアクセスを許可しています。 不要になったアプリケーションはアクセス権を取り消すようにしてください。
@@ -946,6 +952,7 @@ passcode_invalid=パスコードが間違っています。 再度お試しく
 twofa_enrolled=あなたのアカウントは正常に登録されました。 一回限りのリカバリキー (%s) は安全な場所に保存してください。 これは二度と表示されません。
 twofa_failed_get_secret=シークレットが取得できません。
 
+webauthn_desc=セキュリティキーは暗号化キーを内蔵するハードウェア ・ デバイスです。 2要素認証に使用できます。 セキュリティキーは<a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a>規格をサポートしている必要があります。
 webauthn_register_key=セキュリティキーを追加
 webauthn_nickname=ニックネーム
 webauthn_delete_key=セキュリティキーの登録解除
@@ -967,7 +974,7 @@ orgs_none=あなたはどの組織のメンバーでもありません。
 repos_none=あなたはリポジトリを所有していません。
 
 delete_account=アカウントを削除
-delete_prompt=この操作により、あなたのユーザーアカウントは恒久的に抹消されます。 取り消すことは<strong>できません</strong>。
+delete_prompt=この操作により、あなたのユーザーアカウントは恒久的に抹消されます。 元に戻すことは<strong>できません</strong>。
 delete_with_all_comments=あなたのアカウントは作成からまだ %s 経過していません。 幽霊コメント回避のため、イシューやPRのすべてのコメントは一緒に削除されます。
 confirm_delete_account=削除の続行
 delete_account_title=ユーザーアカウントの削除
@@ -1090,7 +1097,9 @@ tree_path_not_found_branch=パス %[1]s はブランチ %[2]s に存在しませ
 tree_path_not_found_tag=パス %[1]s はタグ %[2]s に存在しません
 
 transfer.accept=移転を承認
+transfer.accept_desc=`"%s" に移転`
 transfer.reject=移転を拒否
+transfer.reject_desc=`"%s" への移転をキャンセル`
 transfer.no_permission_to_accept=この移転を承認する権限がありません。
 transfer.no_permission_to_reject=この移転を拒否する権限がありません。
 
@@ -1225,6 +1234,7 @@ releases=リリース
 tag=タグ
 released_this=がこれをリリース
 tagged_this=がタグ付け
+file.title=%s at %s
 file_raw=Raw
 file_history=履歴
 file_view_source=ソースを表示
@@ -1712,6 +1722,7 @@ issues.dependency.add_error_dep_not_same_repo=両方とも同じリポジトリ
 issues.review.self.approval=自分のプルリクエストを承認することはできません。
 issues.review.self.rejection=自分のプルリクエストに対して修正を要求することはできません。
 issues.review.approve=が変更を承認 %s
+issues.review.comment=がレビュー %s
 issues.review.dismissed=が %s のレビューを棄却 %s
 issues.review.dismissed_label=棄却
 issues.review.left_comment=がコメント
@@ -1851,7 +1862,9 @@ pulls.unrelated_histories=マージ失敗: マージHEADとベースには共通
 pulls.merge_out_of_date=マージ失敗: マージの生成中にベースが更新されました。 ヒント: もう一度試してみてください
 pulls.head_out_of_date=マージ失敗: マージの生成中に head が更新されました。 ヒント: もう一度試してみてください
 pulls.has_merged=失敗: プルリクエストはマージされていました。再度マージしたり、ターゲットブランチを変更することはできません。
+pulls.push_rejected=プッシュ失敗: プッシュは拒否されました。 このリポジトリのGitフックを見直してください。
 pulls.push_rejected_summary=拒否メッセージ全体:
+pulls.push_rejected_no_message=プッシュ失敗: プッシュは拒否されましたが、リモートからのメッセージがありません。このリポジトリのGitフックを見直してください
 pulls.open_unmerged_pull_exists=`同じ条件のプルリクエスト (#%d) が未処理のため、再オープンはできません。`
 pulls.status_checking=いくつかのステータスチェックが待機中です
 pulls.status_checks_success=ステータスチェックはすべて成功しました
@@ -1907,6 +1920,7 @@ milestones.no_due_date=期日なし
 milestones.open=オープン
 milestones.close=クローズ
 milestones.new_subheader=マイルストーンを使うとイシューの整理や進捗確認がしやすくなります。
+milestones.completeness=<strong>%d%%</strong>消化
 milestones.create=マイルストーンを作成
 milestones.title=タイトル
 milestones.desc=説明
@@ -2306,6 +2320,7 @@ settings.event_pull_request_merge=プルリクエストのマージ
 settings.event_package=パッケージ
 settings.event_package_desc=リポジトリにパッケージが作成または削除されたとき。
 settings.branch_filter=ブランチ フィルター
+settings.branch_filter_desc=プッシュ、ブランチ作成、ブランチ削除のイベントを通知するブランチを、globパターンで指定するホワイトリストです。 空か<code>*</code>のときは、すべてのブランチのイベントを通知します。 文法については <a href="%[1]s">%[2]s</a> を参照してください。 例: <code>master</code> 、 <code>{master,release*}</code>
 settings.authorization_header=Authorizationヘッダー
 settings.authorization_header_desc=入力した場合、リクエストにAuthorizationヘッダーとして付加します。 例: %s
 settings.active=有効
@@ -2356,6 +2371,7 @@ settings.protected_branch.save_rule=ルールを保存
 settings.protected_branch.delete_rule=ルールを削除
 settings.protected_branch_can_push=プッシュを許可する
 settings.protected_branch_can_push_yes=プッシュできます
+settings.protected_branch_can_push_no=プッシュできません
 settings.branch_protection=ブランチ '<b>%s</b>' の保護ルール
 settings.protect_this_branch=ブランチの保護を有効にする
 settings.protect_this_branch_desc=ブランチの削除を防ぎ、ブランチへのプッシュやマージを制限します。
@@ -2392,6 +2408,7 @@ settings.protect_status_check_matched=マッチ
 settings.protect_invalid_status_check_pattern=`不正なステータスチェックパターン: "%s"`
 settings.protect_no_valid_status_check_patterns=有効なステータスチェックパターンがありません。
 settings.protect_required_approvals=必要な承認数:
+settings.protect_required_approvals_desc=必要な承認数を満たしたプルリクエストしかマージできないようにします。 必要となる承認とは、許可リストにあるユーザーやチーム、もしくは書き込み権限を持つ誰かからのものです。
 settings.protect_approvals_whitelist_enabled=許可リストに登録したユーザーやチームに承認を制限
 settings.protect_approvals_whitelist_enabled_desc=許可リストに登録したユーザーまたはチームによるレビューのみを、必要な承認数にカウントします。 承認の許可リストが無い場合は、書き込み権限を持つ人によるレビューを必要な承認数にカウントします。
 settings.protect_approvals_whitelist_users=許可リストに含めるレビューア:
@@ -2403,9 +2420,12 @@ settings.ignore_stale_approvals_desc=古いコミットに対して行われた
 settings.require_signed_commits=コミット署名必須
 settings.require_signed_commits_desc=署名されていない場合、または署名が検証できなかった場合は、このブランチへのプッシュを拒否します。
 settings.protect_branch_name_pattern=保護ブランチ名のパターン
+settings.protect_branch_name_pattern_desc=保護ブランチ名のパターン。書き方については <a href="%s">ドキュメント</a> を参照してください。例: main, release/**
 settings.protect_patterns=パターン
 settings.protect_protected_file_patterns=保護されるファイルのパターン (セミコロン';'で区切る):
+settings.protect_protected_file_patterns_desc=保護されたファイルは、このブランチにファイルを追加・編集・削除する権限を持つユーザーであっても、直接変更することができなくなります。 セミコロン(';')で区切って複数のパターンを指定できます。 パターンの文法については <a href='%[1]s'>%[2]s</a> を参照してください。 例: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>
 settings.protect_unprotected_file_patterns=保護しないファイルのパターン (セミコロン';'で区切る):
+settings.protect_unprotected_file_patterns_desc=保護しないファイルは、ユーザーに書き込み権限があればプッシュ制限をバイパスして直接変更できます。 セミコロン(';')で区切って複数のパターンを指定できます。 パターンの文法については <a href='%[1]s'>%[2]s</a> を参照してください。 例: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>
 settings.add_protected_branch=保護を有効にする
 settings.delete_protected_branch=保護を無効にする
 settings.update_protect_branch_success=ルール "%s" に対するブランチ保護を更新しました。
@@ -2437,6 +2457,7 @@ settings.tags.protection.allowed.teams=許可するチーム
 settings.tags.protection.allowed.noone=なし
 settings.tags.protection.create=タグを保護
 settings.tags.protection.none=タグは保護されていません。
+settings.tags.protection.pattern.description=ひとつのタグ名か、複数のタグにマッチするglobパターンまたは正規表現を使用できます。 詳しくは<a target="_blank" rel="noopener" href="%s">タグの保護ガイド</a> をご覧ください。
 settings.bot_token=Botトークン
 settings.chat_id=チャットID
 settings.thread_id=スレッドID
@@ -2651,6 +2672,7 @@ tag.create_success=タグ "%s" を作成しました。
 
 topic.manage_topics=トピックの管理
 topic.done=完了
+topic.count_prompt=選択できるのは25トピックまでです。
 topic.format_prompt=トピック名は英字または数字で始め、ダッシュ('-')やドット('.')を含めることができます。最大35文字までです。文字は小文字でなければなりません。
 
 find_file.go_to_file=ファイルへ移動
@@ -2719,7 +2741,7 @@ settings.change_orgname_redirect_prompt=古い名前は、再使用されてい
 settings.update_avatar_success=組織のアバターを更新しました。
 settings.delete=組織を削除
 settings.delete_account=この組織を削除
-settings.delete_prompt=組織は恒久的に削除され、元に戻すことは<strong>できません</strong>。 続行しますか？
+settings.delete_prompt=組織は恒久的に削除されます。 元に戻すことは<strong>できません</strong>！
 settings.confirm_delete_account=削除を確認
 settings.delete_org_title=組織の削除
 settings.delete_org_desc=組織を恒久的に削除します。 続行しますか？
@@ -2748,6 +2770,7 @@ teams.leave.detail=%s から脱退しますか？
 teams.can_create_org_repo=リポジトリを作成
 teams.can_create_org_repo_helper=メンバーは組織のリポジトリを新たに作成できます。作成者には新しいリポジトリの管理者権限が与えられます。
 teams.none_access=アクセスなし
+teams.none_access_helper=メンバーは、このユニットを表示したり他の操作を行うことはできません。 公開リポジトリには適用されません。
 teams.general_access=一般的なアクセス
 teams.general_access_helper=メンバーの権限は下記の権限テーブルで決定されます。
 teams.read_access=読み取り
@@ -2816,6 +2839,7 @@ last_page=最後
 total=合計: %d
 settings=管理設定
 
+dashboard.new_version_hint=Gitea %s が入手可能になりました。 現在実行しているのは %s です。 詳細は <a target="_blank" rel="noreferrer" href="%s">ブログ</a> を確認してください。
 dashboard.statistic=サマリー
 dashboard.maintenance_operations=メンテナンス操作
 dashboard.system_status=システム状況
@@ -3007,10 +3031,12 @@ packages.size=サイズ
 packages.published=配布
 
 defaulthooks=デフォルトWebhook
+defaulthooks.desc=Webhookは、特定のGiteaイベントが発生したときに、サーバーにHTTP POSTリクエストを自動的に送信するものです。 ここで定義したWebhookはデフォルトとなり、全ての新規リポジトリにコピーされます。 詳しくは<a target="_blank" rel="noopener" href="%s">Webhooksガイド</a>をご覧下さい。
 defaulthooks.add_webhook=デフォルトWebhookの追加
 defaulthooks.update_webhook=デフォルトWebhookの更新
 
 systemhooks=システムWebhook
+systemhooks.desc=Webhookは、特定のGiteaイベントが発生したときに、サーバーにHTTP POSTリクエストを自動的に送信するものです。 ここで定義したWebhookは、システム内のすべてのリポジトリで呼び出されます。 そのため、パフォーマンスに及ぼす影響を考慮したうえで設定してください。 詳しくは<a target="_blank" rel="noopener" href="%s">Webhooksガイド</a>をご覧下さい。
 systemhooks.add_webhook=システムWebhookを追加
 systemhooks.update_webhook=システムWebhookを更新
 
@@ -3105,8 +3131,18 @@ auths.tips=ヒント
 auths.tips.oauth2.general=OAuth2認証
 auths.tips.oauth2.general.tip=新しいOAuth2認証を登録するときは、コールバック/リダイレクトURLは以下になります:
 auths.tip.oauth2_provider=OAuth2プロバイダー
+auths.tip.bitbucket=新しいOAuthコンシューマーを %s から登録し、"アカウント" に "読み取り" 権限を追加してください。
 auths.tip.nextcloud=新しいOAuthコンシューマーを、インスタンスのメニュー "Settings -> Security -> OAuth 2.0 client" から登録してください。
+auths.tip.dropbox=新しいアプリケーションを %s から登録してください。
+auths.tip.facebook=新しいアプリケーションを %s で登録し、"Facebook Login"を追加してください。
+auths.tip.github=新しいOAuthアプリケーションを %s から登録してください。
+auths.tip.gitlab_new=新しいアプリケーションを %s から登録してください。
+auths.tip.google_plus=OAuth2クライアント資格情報を、Google APIコンソール %s から取得してください。
 auths.tip.openid_connect=OpenID Connect DiscoveryのURL "https://{server}/.well-known/openid-configuration" をエンドポイントとして指定してください
+auths.tip.twitter=%s へアクセスしてアプリケーションを作成し、“Allow this application to be used to Sign in with Twitter”オプションを有効にしてください。
+auths.tip.discord=新しいアプリケーションを %s から登録してください。
+auths.tip.gitea=新しいOAuthアプリケーションを登録してください。 利用ガイドは %s にあります
+auths.tip.yandex=`%s で新しいアプリケーションを作成してください。 "Yandex.Passport API" セクションで次の項目を許可します: "Access to email address"、"Access to user avatar"、"Access to username, first name and surname, gender"`
 auths.tip.mastodon=認証したいMastodonインスタンスのカスタムURLを入力してください (入力しない場合はデフォルトのURLを使用します)
 auths.edit=認証ソースの編集
 auths.activated=認証ソースはアクティベート済み
@@ -3272,6 +3308,7 @@ monitor.next=次回
 monitor.previous=前回
 monitor.execute_times=実行回数
 monitor.process=実行中のプロセス
+monitor.stacktrace=スタックトレース
 monitor.processes_count=%d プロセス
 monitor.download_diagnosis_report=診断レポートをダウンロード
 monitor.desc=説明
@@ -3279,6 +3316,8 @@ monitor.start=開始日時
 monitor.execute_time=実行時間
 monitor.last_execution_result=結果
 monitor.process.cancel=処理をキャンセル
+monitor.process.cancel_desc=処理をキャンセルするとデータが失われる可能性があります
+monitor.process.cancel_notices=キャンセル: <strong>%s</strong>?
 monitor.process.children=子プロセス
 
 monitor.queues=キュー
@@ -3380,6 +3419,7 @@ raw_minutes=分
 
 [dropzone]
 default_message=ファイルをここにドロップ、またはここをクリックしてアップロード
+invalid_input_type=この種類のファイルはアップロードできません。
 file_too_big=アップロードされたファイルのサイズ ({{filesize}} MB) は、最大サイズ ({{maxFilesize}} MB) を超えています。
 remove_file=ファイル削除
 
@@ -3527,6 +3567,7 @@ settings.link=このパッケージをリポジトリにリンク
 settings.link.description=パッケージをリポジトリにリンクすると、リポジトリのパッケージリストに表示されるようになります。
 settings.link.select=リポジトリを選択
 settings.link.button=リポジトリのリンクを更新
+settings.link.success=リポジトリのリンクが正常に更新されました。
 settings.link.error=リポジトリのリンクの更新に失敗しました。
 settings.delete=パッケージ削除
 settings.delete.description=パッケージの削除は恒久的で元に戻すことはできません。

From b594cec2bda6f861effedb2e8e0a7ebba191c0e9 Mon Sep 17 00:00:00 2001
From: ChristopherHX <christopher.homberger@web.de>
Date: Sun, 22 Sep 2024 13:01:09 +0200
Subject: [PATCH 11/23] Fix artifact v4 upload above 8MB (#31664)

Multiple chunks are uploaded with type "block" without using
"appendBlock" and eventually out of order for bigger uploads.
8MB seems to be the chunk size

This change parses the blockList uploaded after all blocks to get the
final artifact size and order them correctly before calculating the
sha256 checksum over all blocks

Fixes #31354
---
 routers/api/actions/artifacts_chunks.go       |  50 +++++-
 routers/api/actions/artifactsv4.go            | 144 +++++++++++++-----
 .../api_actions_artifact_v4_test.go           | 130 ++++++++++++++++
 3 files changed, 285 insertions(+), 39 deletions(-)

diff --git a/routers/api/actions/artifacts_chunks.go b/routers/api/actions/artifacts_chunks.go
index 3d1a3891d9..cf48da12aa 100644
--- a/routers/api/actions/artifacts_chunks.go
+++ b/routers/api/actions/artifacts_chunks.go
@@ -123,6 +123,54 @@ func listChunksByRunID(st storage.ObjectStorage, runID int64) (map[int64][]*chun
 	return chunksMap, nil
 }
 
+func listChunksByRunIDV4(st storage.ObjectStorage, runID, artifactID int64, blist *BlockList) ([]*chunkFileItem, error) {
+	storageDir := fmt.Sprintf("tmpv4%d", runID)
+	var chunks []*chunkFileItem
+	chunkMap := map[string]*chunkFileItem{}
+	dummy := &chunkFileItem{}
+	for _, name := range blist.Latest {
+		chunkMap[name] = dummy
+	}
+	if err := st.IterateObjects(storageDir, func(fpath string, obj storage.Object) error {
+		baseName := filepath.Base(fpath)
+		if !strings.HasPrefix(baseName, "block-") {
+			return nil
+		}
+		// when read chunks from storage, it only contains storage dir and basename,
+		// no matter the subdirectory setting in storage config
+		item := chunkFileItem{Path: storageDir + "/" + baseName, ArtifactID: artifactID}
+		var size int64
+		var b64chunkName string
+		if _, err := fmt.Sscanf(baseName, "block-%d-%d-%s", &item.RunID, &size, &b64chunkName); err != nil {
+			return fmt.Errorf("parse content range error: %v", err)
+		}
+		rchunkName, err := base64.URLEncoding.DecodeString(b64chunkName)
+		if err != nil {
+			return fmt.Errorf("failed to parse chunkName: %v", err)
+		}
+		chunkName := string(rchunkName)
+		item.End = item.Start + size - 1
+		if _, ok := chunkMap[chunkName]; ok {
+			chunkMap[chunkName] = &item
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	for i, name := range blist.Latest {
+		chunk, ok := chunkMap[name]
+		if !ok || chunk.Path == "" {
+			return nil, fmt.Errorf("missing Chunk (%d/%d): %s", i, len(blist.Latest), name)
+		}
+		chunks = append(chunks, chunk)
+		if i > 0 {
+			chunk.Start = chunkMap[blist.Latest[i-1]].End + 1
+			chunk.End += chunk.Start
+		}
+	}
+	return chunks, nil
+}
+
 func mergeChunksForRun(ctx *ArtifactContext, st storage.ObjectStorage, runID int64, artifactName string) error {
 	// read all db artifacts by name
 	artifacts, err := db.Find[actions.ActionArtifact](ctx, actions.FindArtifactsOptions{
@@ -230,7 +278,7 @@ func mergeChunksForArtifact(ctx *ArtifactContext, chunks []*chunkFileItem, st st
 		rawChecksum := hash.Sum(nil)
 		actualChecksum := hex.EncodeToString(rawChecksum)
 		if !strings.HasSuffix(checksum, actualChecksum) {
-			return fmt.Errorf("update artifact error checksum is invalid")
+			return fmt.Errorf("update artifact error checksum is invalid %v vs %v", checksum, actualChecksum)
 		}
 	}
 
diff --git a/routers/api/actions/artifactsv4.go b/routers/api/actions/artifactsv4.go
index e78ed7a0c2..9e463cceeb 100644
--- a/routers/api/actions/artifactsv4.go
+++ b/routers/api/actions/artifactsv4.go
@@ -24,8 +24,15 @@ package actions
 // PUT: http://localhost:3000/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact?sig=mO7y35r4GyjN7fwg0DTv3-Fv1NDXD84KLEgLpoPOtDI=&expires=2024-01-23+21%3A48%3A37.20833956+%2B0100+CET&artifactName=test&taskID=75&comp=block
 // 1.3. Continue Upload Zip Content to Blobstorage (unauthenticated request), repeat until everything is uploaded
 // PUT: http://localhost:3000/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact?sig=mO7y35r4GyjN7fwg0DTv3-Fv1NDXD84KLEgLpoPOtDI=&expires=2024-01-23+21%3A48%3A37.20833956+%2B0100+CET&artifactName=test&taskID=75&comp=appendBlock
-// 1.4. Unknown xml payload to Blobstorage (unauthenticated request), ignored for now
+// 1.4. BlockList xml payload to Blobstorage (unauthenticated request)
+// Files of about 800MB are parallel in parallel and / or out of order, this file is needed to enshure the correct order
 // PUT: http://localhost:3000/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact?sig=mO7y35r4GyjN7fwg0DTv3-Fv1NDXD84KLEgLpoPOtDI=&expires=2024-01-23+21%3A48%3A37.20833956+%2B0100+CET&artifactName=test&taskID=75&comp=blockList
+// Request
+// <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+// <BlockList>
+// 	<Latest>blockId1</Latest>
+// 	<Latest>blockId2</Latest>
+// </BlockList>
 // 1.5. FinalizeArtifact
 // Post: /twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact
 // Request
@@ -82,6 +89,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/xml"
 	"fmt"
 	"io"
 	"net/http"
@@ -152,31 +160,34 @@ func ArtifactsV4Routes(prefix string) *web.Router {
 	return m
 }
 
-func (r artifactV4Routes) buildSignature(endp, expires, artifactName string, taskID int64) []byte {
+func (r artifactV4Routes) buildSignature(endp, expires, artifactName string, taskID, artifactID int64) []byte {
 	mac := hmac.New(sha256.New, setting.GetGeneralTokenSigningSecret())
 	mac.Write([]byte(endp))
 	mac.Write([]byte(expires))
 	mac.Write([]byte(artifactName))
 	mac.Write([]byte(fmt.Sprint(taskID)))
+	mac.Write([]byte(fmt.Sprint(artifactID)))
 	return mac.Sum(nil)
 }
 
-func (r artifactV4Routes) buildArtifactURL(ctx *ArtifactContext, endp, artifactName string, taskID int64) string {
+func (r artifactV4Routes) buildArtifactURL(ctx *ArtifactContext, endp, artifactName string, taskID, artifactID int64) string {
 	expires := time.Now().Add(60 * time.Minute).Format("2006-01-02 15:04:05.999999999 -0700 MST")
 	uploadURL := strings.TrimSuffix(httplib.GuessCurrentAppURL(ctx), "/") + strings.TrimSuffix(r.prefix, "/") +
-		"/" + endp + "?sig=" + base64.URLEncoding.EncodeToString(r.buildSignature(endp, expires, artifactName, taskID)) + "&expires=" + url.QueryEscape(expires) + "&artifactName=" + url.QueryEscape(artifactName) + "&taskID=" + fmt.Sprint(taskID)
+		"/" + endp + "?sig=" + base64.URLEncoding.EncodeToString(r.buildSignature(endp, expires, artifactName, taskID, artifactID)) + "&expires=" + url.QueryEscape(expires) + "&artifactName=" + url.QueryEscape(artifactName) + "&taskID=" + fmt.Sprint(taskID) + "&artifactID=" + fmt.Sprint(artifactID)
 	return uploadURL
 }
 
 func (r artifactV4Routes) verifySignature(ctx *ArtifactContext, endp string) (*actions.ActionTask, string, bool) {
 	rawTaskID := ctx.Req.URL.Query().Get("taskID")
+	rawArtifactID := ctx.Req.URL.Query().Get("artifactID")
 	sig := ctx.Req.URL.Query().Get("sig")
 	expires := ctx.Req.URL.Query().Get("expires")
 	artifactName := ctx.Req.URL.Query().Get("artifactName")
 	dsig, _ := base64.URLEncoding.DecodeString(sig)
 	taskID, _ := strconv.ParseInt(rawTaskID, 10, 64)
+	artifactID, _ := strconv.ParseInt(rawArtifactID, 10, 64)
 
-	expecedsig := r.buildSignature(endp, expires, artifactName, taskID)
+	expecedsig := r.buildSignature(endp, expires, artifactName, taskID, artifactID)
 	if !hmac.Equal(dsig, expecedsig) {
 		log.Error("Error unauthorized")
 		ctx.Error(http.StatusUnauthorized, "Error unauthorized")
@@ -271,6 +282,8 @@ func (r *artifactV4Routes) createArtifact(ctx *ArtifactContext) {
 		return
 	}
 	artifact.ContentEncoding = ArtifactV4ContentEncoding
+	artifact.FileSize = 0
+	artifact.FileCompressedSize = 0
 	if err := actions.UpdateArtifactByID(ctx, artifact.ID, artifact); err != nil {
 		log.Error("Error UpdateArtifactByID: %v", err)
 		ctx.Error(http.StatusInternalServerError, "Error UpdateArtifactByID")
@@ -279,7 +292,7 @@ func (r *artifactV4Routes) createArtifact(ctx *ArtifactContext) {
 
 	respData := CreateArtifactResponse{
 		Ok:              true,
-		SignedUploadUrl: r.buildArtifactURL(ctx, "UploadArtifact", artifactName, ctx.ActionTask.ID),
+		SignedUploadUrl: r.buildArtifactURL(ctx, "UploadArtifact", artifactName, ctx.ActionTask.ID, artifact.ID),
 	}
 	r.sendProtbufBody(ctx, &respData)
 }
@@ -293,38 +306,77 @@ func (r *artifactV4Routes) uploadArtifact(ctx *ArtifactContext) {
 	comp := ctx.Req.URL.Query().Get("comp")
 	switch comp {
 	case "block", "appendBlock":
-		// get artifact by name
-		artifact, err := r.getArtifactByName(ctx, task.Job.RunID, artifactName)
-		if err != nil {
-			log.Error("Error artifact not found: %v", err)
-			ctx.Error(http.StatusNotFound, "Error artifact not found")
-			return
-		}
+		blockid := ctx.Req.URL.Query().Get("blockid")
+		if blockid == "" {
+			// get artifact by name
+			artifact, err := r.getArtifactByName(ctx, task.Job.RunID, artifactName)
+			if err != nil {
+				log.Error("Error artifact not found: %v", err)
+				ctx.Error(http.StatusNotFound, "Error artifact not found")
+				return
+			}
 
-		if comp == "block" {
-			artifact.FileSize = 0
-			artifact.FileCompressedSize = 0
+			_, err = appendUploadChunk(r.fs, ctx, artifact, artifact.FileSize, ctx.Req.ContentLength, artifact.RunID)
+			if err != nil {
+				log.Error("Error runner api getting task: task is not running")
+				ctx.Error(http.StatusInternalServerError, "Error runner api getting task: task is not running")
+				return
+			}
+			artifact.FileCompressedSize += ctx.Req.ContentLength
+			artifact.FileSize += ctx.Req.ContentLength
+			if err := actions.UpdateArtifactByID(ctx, artifact.ID, artifact); err != nil {
+				log.Error("Error UpdateArtifactByID: %v", err)
+				ctx.Error(http.StatusInternalServerError, "Error UpdateArtifactByID")
+				return
+			}
+		} else {
+			_, err := r.fs.Save(fmt.Sprintf("tmpv4%d/block-%d-%d-%s", task.Job.RunID, task.Job.RunID, ctx.Req.ContentLength, base64.URLEncoding.EncodeToString([]byte(blockid))), ctx.Req.Body, -1)
+			if err != nil {
+				log.Error("Error runner api getting task: task is not running")
+				ctx.Error(http.StatusInternalServerError, "Error runner api getting task: task is not running")
+				return
+			}
 		}
-
-		_, err = appendUploadChunk(r.fs, ctx, artifact, artifact.FileSize, ctx.Req.ContentLength, artifact.RunID)
+		ctx.JSON(http.StatusCreated, "appended")
+	case "blocklist":
+		rawArtifactID := ctx.Req.URL.Query().Get("artifactID")
+		artifactID, _ := strconv.ParseInt(rawArtifactID, 10, 64)
+		_, err := r.fs.Save(fmt.Sprintf("tmpv4%d/%d-%d-blocklist", task.Job.RunID, task.Job.RunID, artifactID), ctx.Req.Body, -1)
 		if err != nil {
 			log.Error("Error runner api getting task: task is not running")
 			ctx.Error(http.StatusInternalServerError, "Error runner api getting task: task is not running")
 			return
 		}
-		artifact.FileCompressedSize += ctx.Req.ContentLength
-		artifact.FileSize += ctx.Req.ContentLength
-		if err := actions.UpdateArtifactByID(ctx, artifact.ID, artifact); err != nil {
-			log.Error("Error UpdateArtifactByID: %v", err)
-			ctx.Error(http.StatusInternalServerError, "Error UpdateArtifactByID")
-			return
-		}
-		ctx.JSON(http.StatusCreated, "appended")
-	case "blocklist":
 		ctx.JSON(http.StatusCreated, "created")
 	}
 }
 
+type BlockList struct {
+	Latest []string `xml:"Latest"`
+}
+
+type Latest struct {
+	Value string `xml:",chardata"`
+}
+
+func (r *artifactV4Routes) readBlockList(runID, artifactID int64) (*BlockList, error) {
+	blockListName := fmt.Sprintf("tmpv4%d/%d-%d-blocklist", runID, runID, artifactID)
+	s, err := r.fs.Open(blockListName)
+	if err != nil {
+		return nil, err
+	}
+
+	xdec := xml.NewDecoder(s)
+	blockList := &BlockList{}
+	err = xdec.Decode(blockList)
+
+	delerr := r.fs.Delete(blockListName)
+	if delerr != nil {
+		log.Warn("Failed to delete blockList %s: %v", blockListName, delerr)
+	}
+	return blockList, err
+}
+
 func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 	var req FinalizeArtifactRequest
 
@@ -343,18 +395,34 @@ func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 		ctx.Error(http.StatusNotFound, "Error artifact not found")
 		return
 	}
-	chunkMap, err := listChunksByRunID(r.fs, runID)
+
+	var chunks []*chunkFileItem
+	blockList, err := r.readBlockList(runID, artifact.ID)
 	if err != nil {
-		log.Error("Error merge chunks: %v", err)
-		ctx.Error(http.StatusInternalServerError, "Error merge chunks")
-		return
-	}
-	chunks, ok := chunkMap[artifact.ID]
-	if !ok {
-		log.Error("Error merge chunks")
-		ctx.Error(http.StatusInternalServerError, "Error merge chunks")
-		return
+		log.Warn("Failed to read BlockList, fallback to old behavior: %v", err)
+		chunkMap, err := listChunksByRunID(r.fs, runID)
+		if err != nil {
+			log.Error("Error merge chunks: %v", err)
+			ctx.Error(http.StatusInternalServerError, "Error merge chunks")
+			return
+		}
+		chunks, ok = chunkMap[artifact.ID]
+		if !ok {
+			log.Error("Error merge chunks")
+			ctx.Error(http.StatusInternalServerError, "Error merge chunks")
+			return
+		}
+	} else {
+		chunks, err = listChunksByRunIDV4(r.fs, runID, artifact.ID, blockList)
+		if err != nil {
+			log.Error("Error merge chunks: %v", err)
+			ctx.Error(http.StatusInternalServerError, "Error merge chunks")
+			return
+		}
+		artifact.FileSize = chunks[len(chunks)-1].End + 1
+		artifact.FileCompressedSize = chunks[len(chunks)-1].End + 1
 	}
+
 	checksum := ""
 	if req.Hash != nil {
 		checksum = req.Hash.Value
@@ -455,7 +523,7 @@ func (r *artifactV4Routes) getSignedArtifactURL(ctx *ArtifactContext) {
 		}
 	}
 	if respData.SignedUrl == "" {
-		respData.SignedUrl = r.buildArtifactURL(ctx, "DownloadArtifact", artifactName, ctx.ActionTask.ID)
+		respData.SignedUrl = r.buildArtifactURL(ctx, "DownloadArtifact", artifactName, ctx.ActionTask.ID, artifact.ID)
 	}
 	r.sendProtbufBody(ctx, &respData)
 }
diff --git a/tests/integration/api_actions_artifact_v4_test.go b/tests/integration/api_actions_artifact_v4_test.go
index f58f876849..ec0fbbfa60 100644
--- a/tests/integration/api_actions_artifact_v4_test.go
+++ b/tests/integration/api_actions_artifact_v4_test.go
@@ -7,12 +7,14 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/xml"
 	"io"
 	"net/http"
 	"strings"
 	"testing"
 	"time"
 
+	"code.gitea.io/gitea/modules/storage"
 	"code.gitea.io/gitea/routers/api/actions"
 	actions_service "code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/tests"
@@ -170,6 +172,134 @@ func TestActionsArtifactV4UploadSingleFileWithRetentionDays(t *testing.T) {
 	assert.True(t, finalizeResp.Ok)
 }
 
+func TestActionsArtifactV4UploadSingleFileWithPotentialHarmfulBlockID(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)
+	assert.NoError(t, err)
+
+	// acquire artifact upload url
+	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{
+		Version:                 4,
+		Name:                    "artifactWithPotentialHarmfulBlockID",
+		WorkflowRunBackendId:    "792",
+		WorkflowJobRunBackendId: "193",
+	})).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	var uploadResp actions.CreateArtifactResponse
+	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)
+	assert.True(t, uploadResp.Ok)
+	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")
+
+	// get upload urls
+	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")
+	url := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=%2f..%2fmyfile"
+	blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"
+
+	// upload artifact chunk
+	body := strings.Repeat("A", 1024)
+	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))
+	MakeRequest(t, req, http.StatusCreated)
+
+	// verify that the exploit didn't work
+	_, err = storage.Actions.Stat("myfile")
+	assert.Error(t, err)
+
+	// upload artifact blockList
+	blockList := &actions.BlockList{
+		Latest: []string{
+			"/../myfile",
+		},
+	}
+	rawBlockList, err := xml.Marshal(blockList)
+	assert.NoError(t, err)
+	req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))
+	MakeRequest(t, req, http.StatusCreated)
+
+	t.Logf("Create artifact confirm")
+
+	sha := sha256.Sum256([]byte(body))
+
+	// confirm artifact upload
+	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{
+		Name:                    "artifactWithPotentialHarmfulBlockID",
+		Size:                    1024,
+		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),
+		WorkflowRunBackendId:    "792",
+		WorkflowJobRunBackendId: "193",
+	})).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	var finalizeResp actions.FinalizeArtifactResponse
+	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)
+	assert.True(t, finalizeResp.Ok)
+}
+
+func TestActionsArtifactV4UploadSingleFileWithChunksOutOfOrder(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)
+	assert.NoError(t, err)
+
+	// acquire artifact upload url
+	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{
+		Version:                 4,
+		Name:                    "artifactWithChunksOutOfOrder",
+		WorkflowRunBackendId:    "792",
+		WorkflowJobRunBackendId: "193",
+	})).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	var uploadResp actions.CreateArtifactResponse
+	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)
+	assert.True(t, uploadResp.Ok)
+	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")
+
+	// get upload urls
+	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")
+	block1URL := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=block1"
+	block2URL := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=block2"
+	blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"
+
+	// upload artifact chunks
+	bodyb := strings.Repeat("B", 1024)
+	req = NewRequestWithBody(t, "PUT", block2URL, strings.NewReader(bodyb))
+	MakeRequest(t, req, http.StatusCreated)
+
+	bodya := strings.Repeat("A", 1024)
+	req = NewRequestWithBody(t, "PUT", block1URL, strings.NewReader(bodya))
+	MakeRequest(t, req, http.StatusCreated)
+
+	// upload artifact blockList
+	blockList := &actions.BlockList{
+		Latest: []string{
+			"block1",
+			"block2",
+		},
+	}
+	rawBlockList, err := xml.Marshal(blockList)
+	assert.NoError(t, err)
+	req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))
+	MakeRequest(t, req, http.StatusCreated)
+
+	t.Logf("Create artifact confirm")
+
+	sha := sha256.Sum256([]byte(bodya + bodyb))
+
+	// confirm artifact upload
+	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{
+		Name:                    "artifactWithChunksOutOfOrder",
+		Size:                    2048,
+		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),
+		WorkflowRunBackendId:    "792",
+		WorkflowJobRunBackendId: "193",
+	})).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	var finalizeResp actions.FinalizeArtifactResponse
+	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)
+	assert.True(t, finalizeResp.Ok)
+}
+
 func TestActionsArtifactV4DownloadSingle(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 

From 9e0db1b6469079b18cfc4a416cdd6396d42f9816 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 23 Sep 2024 02:08:27 +0800
Subject: [PATCH 12/23] Fix rename branch permission bug (#32066)

The previous implementation requires admin permission to rename branches
which should be write permission.

Fix #31993
---
 routers/web/web.go                      | 3 +--
 templates/repo/branch/list.tmpl         | 2 +-
 tests/integration/rename_branch_test.go | 8 ++++----
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index f1e941a84e..5129bd4bda 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1071,8 +1071,6 @@ func registerRoutes(m *web.Router) {
 			m.Post("/{id}/delete", repo_setting.DeleteProtectedBranchRulePost)
 		}, repo.MustBeNotEmpty)
 
-		m.Post("/rename_branch", web.Bind(forms.RenameBranchForm{}), context.RepoMustNotBeArchived(), repo_setting.RenameBranchPost)
-
 		m.Group("/tags", func() {
 			m.Get("", repo_setting.ProtectedTags)
 			m.Post("", web.Bind(forms.ProtectTagForm{}), context.RepoMustNotBeArchived(), repo_setting.NewProtectedTagPost)
@@ -1304,6 +1302,7 @@ func registerRoutes(m *web.Router) {
 			}, web.Bind(forms.NewBranchForm{}))
 			m.Post("/delete", repo.DeleteBranchPost)
 			m.Post("/restore", repo.RestoreBranchPost)
+			m.Post("/rename", web.Bind(forms.RenameBranchForm{}), repo_setting.RenameBranchPost)
 		}, context.RepoMustNotBeArchived(), reqRepoCodeWriter, repo.MustBeNotEmpty)
 
 		m.Combo("/fork").Get(repo.Fork).Post(web.Bind(forms.CreateRepoForm{}), repo.ForkPost)
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index 3c8e5846d7..f5d709bb16 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -240,7 +240,7 @@
 	<div class="header">
 		{{ctx.Locale.Tr "repo.settings.rename_branch"}}
 	</div>
-	<form class="ui form" action="{{$.Repository.Link}}/settings/rename_branch" method="post">
+	<form class="ui form" action="{{$.Repository.Link}}/branches/rename" method="post">
 		<div class="content">
 			{{.CsrfTokenHtml}}
 			<div class="field default-branch-warning">
diff --git a/tests/integration/rename_branch_test.go b/tests/integration/rename_branch_test.go
index 13f6cf204b..71bfb6b6cb 100644
--- a/tests/integration/rename_branch_test.go
+++ b/tests/integration/rename_branch_test.go
@@ -28,11 +28,11 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// get branch setting page
 	session := loginUser(t, "user2")
-	req := NewRequest(t, "GET", "/user2/repo1/settings/branches")
+	req := NewRequest(t, "GET", "/user2/repo1/branches")
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	htmlDoc := NewHTMLParser(t, resp.Body)
 
-	req = NewRequestWithValues(t, "POST", "/user2/repo1/settings/rename_branch", map[string]string{
+	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
 		"_csrf": htmlDoc.GetCSRF(),
 		"from":  "master",
 		"to":    "main",
@@ -76,7 +76,7 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 	assert.Equal(t, "branch2", branch2.Name)
 
 	// rename branch2 to branch1
-	req = NewRequestWithValues(t, "POST", "/user2/repo1/settings/rename_branch", map[string]string{
+	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
 		"_csrf": htmlDoc.GetCSRF(),
 		"from":  "branch2",
 		"to":    "branch1",
@@ -103,7 +103,7 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 	assert.True(t, branch1.IsDeleted) // virtual deletion
 
 	// rename branch2 to branch1 again
-	req = NewRequestWithValues(t, "POST", "/user2/repo1/settings/rename_branch", map[string]string{
+	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
 		"_csrf": htmlDoc.GetCSRF(),
 		"from":  "branch2",
 		"to":    "branch1",

From 48cdde98bb0c2e7aad3e5227b992f8017c247854 Mon Sep 17 00:00:00 2001
From: GiteaBot <teabot@gitea.io>
Date: Mon, 23 Sep 2024 00:31:34 +0000
Subject: [PATCH 13/23] [skip ci] Updated licenses and gitignores

---
 options/gitignore/Zig                |  2 ++
 options/license/Boehm-GC-without-fee | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 options/gitignore/Zig
 create mode 100644 options/license/Boehm-GC-without-fee

diff --git a/options/gitignore/Zig b/options/gitignore/Zig
new file mode 100644
index 0000000000..3389c86c99
--- /dev/null
+++ b/options/gitignore/Zig
@@ -0,0 +1,2 @@
+.zig-cache/
+zig-out/
diff --git a/options/license/Boehm-GC-without-fee b/options/license/Boehm-GC-without-fee
new file mode 100644
index 0000000000..354d47017e
--- /dev/null
+++ b/options/license/Boehm-GC-without-fee
@@ -0,0 +1,14 @@
+Copyright (c)  2000
+SWsoft  company
+
+Modifications copyright (c) 2001, 2013. Oracle and/or its affiliates.
+All rights reserved.
+
+This material is provided "as is", with absolutely no warranty expressed
+or implied. Any use is at your own risk.
+
+Permission to use or copy this software for any purpose is hereby granted
+without fee, provided the above notices are retained on all copies.
+Permission to modify the code and to distribute modified code is granted,
+provided the above notices are retained, and a notice that the code was
+modified is included with the above copyright notice.

From e1f0598c8f5af5ac95f5e13b74fbab99506762db Mon Sep 17 00:00:00 2001
From: cloudchamb3r <jizon0123@protonmail.com>
Date: Tue, 24 Sep 2024 02:09:57 +0900
Subject: [PATCH 14/23] Fix Bug in Issue/pulls list (#32081)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix #32080

## After
### for opened issues
<img width="1199" alt="Screenshot 2024-09-19 at 6 29 31 PM"
src="https://github.com/user-attachments/assets/86cf48ad-5e4b-4dcb-8abe-4d7fd74e0aec">

### for closed issues
<img width="1208" alt="Screenshot 2024-09-19 at 6 29 37 PM"
src="https://github.com/user-attachments/assets/a16bc545-bfcf-49a4-be52-3e7334910482">

### for all issues
<img width="1340" alt="Screenshot 2024-09-20 at 12 07 12 PM"
src="https://github.com/user-attachments/assets/b2309c8f-e59d-44e9-ae3b-bf54e1196169">
---
 routers/web/repo/issue.go                | 1 +
 templates/repo/issue/filter_actions.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 596abb4b9c..507b5af9d9 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -467,6 +467,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption opt
 	ctx.Data["AssigneeID"] = assigneeID
 	ctx.Data["PosterID"] = posterID
 	ctx.Data["Keyword"] = keyword
+	ctx.Data["IsShowClosed"] = isShowClosed
 	switch {
 	case isShowClosed.Value():
 		ctx.Data["State"] = "closed"
diff --git a/templates/repo/issue/filter_actions.tmpl b/templates/repo/issue/filter_actions.tmpl
index 88d0653f7d..831ab17bea 100644
--- a/templates/repo/issue/filter_actions.tmpl
+++ b/templates/repo/issue/filter_actions.tmpl
@@ -1,9 +1,9 @@
 <div class="ui secondary filter menu">
 	{{if not .Repository.IsArchived}}
 		<!-- Action Button -->
-		{{if .IsShowClosed}}
+		{{if and .IsShowClosed.Has .IsShowClosed.Value}}
 			<button class="ui primary basic button issue-action" data-action="open" data-url="{{$.RepoLink}}/issues/status">{{ctx.Locale.Tr "repo.issues.action_open"}}</button>
-		{{else}}
+		{{else if and .IsShowClosed.Has (not .IsShowClosed.Value)}}
 			<button class="ui red basic button issue-action" data-action="close" data-url="{{$.RepoLink}}/issues/status">{{ctx.Locale.Tr "repo.issues.action_close"}}</button>
 		{{end}}
 		{{if $.IsRepoAdmin}}

From 38e3d8b4e65d49c2efc6ab1d3c012e5a75cab07b Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.com>
Date: Mon, 23 Sep 2024 16:54:20 -0400
Subject: [PATCH 15/23] use rebuilt mssql-2017 image (#32109)

---
 .github/workflows/pull-db-tests.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 90804c0f0a..22cb784245 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -198,11 +198,12 @@ jobs:
   test-mssql:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
-    runs-on: ubuntu-latest
+    # specifying the version of ubuntu in use as mssql fails on newer kernels
+    # pending resolution from vendor
+    runs-on: ubuntu-20.04
     services:
       mssql:
-        # some images before 2024-04 can't run on new kernels
-        image: mcr.microsoft.com/mssql/server:2019-latest
+        image: mcr.microsoft.com/mssql/server:2017-latest
         env:
           ACCEPT_EULA: Y
           MSSQL_PID: Standard

From 6afb22448b7845fb8f570d64ce2ad6c4c81b9d2f Mon Sep 17 00:00:00 2001
From: GiteaBot <teabot@gitea.io>
Date: Tue, 24 Sep 2024 00:30:57 +0000
Subject: [PATCH 16/23] [skip ci] Updated translations via Crowdin

---
 options/locale/locale_ja-JP.ini | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 48f241f7b8..3a80c741db 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -159,6 +159,7 @@ filter.public=公開
 filter.private=プライベート
 
 no_results_found=見つかりません。
+internal_error_skipped=内部エラーが発生しましたがスキップされました: %s
 
 [search]
 search=検索…
@@ -177,6 +178,8 @@ code_search_by_git_grep=現在のコード検索は "git grep" によって行
 package_kind=パッケージを検索...
 project_kind=プロジェクトを検索...
 branch_kind=ブランチを検索...
+tag_kind=タグを検索...
+tag_tooltip=一致するタグを検索します。任意のシーケンスに一致させるには '%' を使用してください。
 commit_kind=コミットを検索...
 runner_kind=ランナーを検索...
 no_results=一致する結果が見つかりませんでした
@@ -1174,6 +1177,11 @@ migrate.gogs.description=notabug.org  やその他の Gogs インスタンスか
 migrate.onedev.description=code.onedev.io やその他の OneDev インスタンスからデータを移行します。
 migrate.codebase.description=codebasehq.com からデータを移行します。
 migrate.gitbucket.description=GitBucket インスタンスからデータを移行します。
+migrate.codecommit.description=AWS CodeCommitからデータを移行します。
+migrate.codecommit.aws_access_key_id=AWS アクセスキー ID
+migrate.codecommit.aws_secret_access_key=AWSシークレットアクセスキー
+migrate.codecommit.https_git_credentials_username=HTTPS Git 認証情報 ユーザー名
+migrate.codecommit.https_git_credentials_password=HTTPS Git 認証情報 パスワード
 migrate.migrating_git=Gitデータ移行中
 migrate.migrating_topics=トピック移行中
 migrate.migrating_milestones=マイルストーン移行中
@@ -1251,6 +1259,7 @@ ambiguous_runes_header=このファイルには曖昧(ambiguous)なUnicode文字
 ambiguous_runes_description=このファイルには、他の文字と見間違える可能性があるUnicode文字が含まれています。 それが意図的なものと考えられる場合は、この警告を無視して構いません。 それらの文字を表示するにはエスケープボタンを使用します。
 invisible_runes_line=`この行には不可視のUnicode文字があります`
 ambiguous_runes_line=`この行には曖昧(ambiguous)なUnicode文字があります`
+ambiguous_character=`%[1]c [U+%04[1]X] は %[2]c [U+%04[2]X] と混同するおそれがあります`
 
 escape_control_characters=エスケープ
 unescape_control_characters=エスケープ解除
@@ -1748,6 +1757,11 @@ issues.review.resolve_conversation=解決済みにする
 issues.review.un_resolve_conversation=未解決にする
 issues.review.resolved_by=がこの会話を解決済みにしました
 issues.review.commented=コメント
+issues.review.official=承認済み
+issues.review.requested=レビュー待ち
+issues.review.rejected=変更要請済み
+issues.review.stale=承認後に更新されました
+issues.review.unofficial=カウントされない承認
 issues.assignee.error=予期しないエラーにより、一部の担当者を追加できませんでした。
 issues.reference_issue.body=内容
 issues.content_history.deleted=削除しました
@@ -1821,6 +1835,8 @@ pulls.is_empty=このブランチの変更は既にターゲットブランチ
 pulls.required_status_check_failed=いくつかの必要なステータスチェックが成功していません。
 pulls.required_status_check_missing=必要なチェックがいくつか抜けています。
 pulls.required_status_check_administrator=管理者であるため、このプルリクエストをマージすることは可能です。
+pulls.blocked_by_approvals=このプルリクエストはまだ必要な承認数を満たしていません。 公式の承認を %[1]d / %[2]d 得ています。
+pulls.blocked_by_approvals_whitelisted=このプルリクエストはまだ必要な承認数を満たしていません。 許可リストのユーザーまたはチームからの承認を %[1]d / %[2]d 得ています。
 pulls.blocked_by_rejection=このプルリクエストは公式レビューアにより変更要請されています。
 pulls.blocked_by_official_review_requests=このプルリクエストには公式レビュー依頼があります。
 pulls.blocked_by_outdated_branch=このプルリクエストは遅れのためブロックされています。

From fcedf634d5864a9e4ec3f866b99076872aafd07d Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Tue, 24 Sep 2024 09:00:09 +0800
Subject: [PATCH 17/23] Fix bug in getting merged pull request by commit
 (#32079)

---
 routers/api/v1/api.go              |  2 ++
 routers/api/v1/repo/commits.go     |  6 +++---
 templates/swagger/v1_json.tmpl     |  2 +-
 tests/integration/api_pull_test.go | 16 ++++++++++++++++
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index be67ec1695..1244676508 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1286,6 +1286,8 @@ func Routes() *web.Router {
 					m.Group("/{ref}", func() {
 						m.Get("/status", repo.GetCombinedCommitStatusByRef)
 						m.Get("/statuses", repo.GetCommitStatusesByRef)
+					}, context.ReferencesGitRepo())
+					m.Group("/{sha}", func() {
 						m.Get("/pull", repo.GetCommitPullRequest)
 					}, context.ReferencesGitRepo())
 				}, reqRepoReader(unit.TypeCode))
diff --git a/routers/api/v1/repo/commits.go b/routers/api/v1/repo/commits.go
index cec7c3d534..788c75fab2 100644
--- a/routers/api/v1/repo/commits.go
+++ b/routers/api/v1/repo/commits.go
@@ -325,11 +325,11 @@ func DownloadCommitDiffOrPatch(ctx *context.APIContext) {
 	}
 }
 
-// GetCommitPullRequest returns the pull request of the commit
+// GetCommitPullRequest returns the merged pull request of the commit
 func GetCommitPullRequest(ctx *context.APIContext) {
 	// swagger:operation GET /repos/{owner}/{repo}/commits/{sha}/pull repository repoGetCommitPullRequest
 	// ---
-	// summary: Get the pull request of the commit
+	// summary: Get the merged pull request of the commit
 	// produces:
 	// - application/json
 	// parameters:
@@ -354,7 +354,7 @@ func GetCommitPullRequest(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	pr, err := issues_model.GetPullRequestByMergedCommit(ctx, ctx.Repo.Repository.ID, ctx.PathParam(":sha"))
+	pr, err := issues_model.GetPullRequestByMergedCommit(ctx, ctx.Repo.Repository.ID, ctx.PathParam("sha"))
 	if err != nil {
 		if issues_model.IsErrPullRequestNotExist(err) {
 			ctx.Error(http.StatusNotFound, "GetPullRequestByMergedCommit", err)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index d9f1a8f5e9..5983505502 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -5446,7 +5446,7 @@
         "tags": [
           "repository"
         ],
-        "summary": "Get the pull request of the commit",
+        "summary": "Get the merged pull request of the commit",
         "operationId": "repoGetCommitPullRequest",
         "parameters": [
           {
diff --git a/tests/integration/api_pull_test.go b/tests/integration/api_pull_test.go
index 8239878d2b..b7e01d4a20 100644
--- a/tests/integration/api_pull_test.go
+++ b/tests/integration/api_pull_test.go
@@ -334,3 +334,19 @@ func doAPIGetPullFiles(ctx APITestContext, pr *api.PullRequest, callback func(*t
 		}
 	}
 }
+
+func TestAPICommitPullRequest(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	ctx := NewAPITestContext(t, "user2", repo.Name, auth_model.AccessTokenScopeReadRepository)
+
+	mergedCommitSHA := "1a8823cd1a9549fde083f992f6b9b87a7ab74fb3"
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/commits/%s/pull", owner.Name, repo.Name, mergedCommitSHA).AddTokenAuth(ctx.Token)
+	ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+	invalidCommitSHA := "abcd1234abcd1234abcd1234abcd1234abcd1234"
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/commits/%s/pull", owner.Name, repo.Name, invalidCommitSHA).AddTokenAuth(ctx.Token)
+	ctx.Session.MakeRequest(t, req, http.StatusNotFound)
+}

From 3f2d8f873035b614b4cdb447d8e16f5af82cefe8 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 24 Sep 2024 09:30:05 +0800
Subject: [PATCH 18/23] Fix panic when cloning with wrong ssh format. (#32076)

---
 cmd/serv.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/cmd/serv.go b/cmd/serv.go
index 2bfd111061..f74a8fd3d0 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -143,6 +143,12 @@ func runServ(c *cli.Context) error {
 		return nil
 	}
 
+	defer func() {
+		if err := recover(); err != nil {
+			_ = fail(ctx, "Internal Server Error", "Panic: %v\n%s", err, log.Stack(2))
+		}
+	}()
+
 	keys := strings.Split(c.Args().First(), "-")
 	if len(keys) != 2 || keys[0] != "key" {
 		return fail(ctx, "Key ID format error", "Invalid key argument: %s", c.Args().First())
@@ -189,10 +195,7 @@ func runServ(c *cli.Context) error {
 	}
 
 	verb := words[0]
-	repoPath := words[1]
-	if repoPath[0] == '/' {
-		repoPath = repoPath[1:]
-	}
+	repoPath := strings.TrimPrefix(words[1], "/")
 
 	var lfsVerb string
 	if verb == lfsAuthenticateVerb {

From 6eb5950835dd8e0eef2ef6d343af4acfce40a2fc Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 24 Sep 2024 10:06:28 +0800
Subject: [PATCH 19/23] Allow set branch protection in an empty repository
 (#32095)

---
 routers/web/web.go                    |  2 +-
 templates/repo/settings/branches.tmpl | 22 ++++++++++------------
 templates/repo/settings/navbar.tmpl   |  8 +++-----
 3 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 5129bd4bda..af46c36fe7 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1069,7 +1069,7 @@ func registerRoutes(m *web.Router) {
 			m.Combo("/edit").Get(repo_setting.SettingsProtectedBranch).
 				Post(web.Bind(forms.ProtectBranchForm{}), context.RepoMustNotBeArchived(), repo_setting.SettingsProtectedBranchPost)
 			m.Post("/{id}/delete", repo_setting.DeleteProtectedBranchRulePost)
-		}, repo.MustBeNotEmpty)
+		})
 
 		m.Group("/tags", func() {
 			m.Get("", repo_setting.ProtectedTags)
diff --git a/templates/repo/settings/branches.tmpl b/templates/repo/settings/branches.tmpl
index 52c0c2c800..6f070ba61c 100644
--- a/templates/repo/settings/branches.tmpl
+++ b/templates/repo/settings/branches.tmpl
@@ -15,19 +15,17 @@
 				<form class="tw-flex" action="{{.Link}}" method="post">
 					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="default_branch">
-					{{if not .Repository.IsEmpty}}
-						<div class="ui dropdown selection search tw-flex-1 tw-mr-2 tw-max-w-96">
-							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
-							<input type="hidden" name="branch" value="{{.Repository.DefaultBranch}}">
-							<div class="default text">{{.Repository.DefaultBranch}}</div>
-							<div class="menu">
-								{{range .Branches}}
-									<div class="item" data-value="{{.}}">{{.}}</div>
-								{{end}}
-							</div>
+					<div class="ui dropdown selection search tw-flex-1 tw-mr-2 tw-max-w-96">
+						{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+						<input type="hidden" name="branch" value="{{.Repository.DefaultBranch}}">
+						<div class="default text">{{.Repository.DefaultBranch}}</div>
+						<div class="menu">
+							{{range .Branches}}
+								<div class="item" data-value="{{.}}">{{.}}</div>
+							{{end}}
 						</div>
-						<button class="ui primary button">{{ctx.Locale.Tr "repo.settings.branches.update_default_branch"}}</button>
-					{{end}}
+					</div>
+					<button class="ui primary button"{{if .Repository.IsEmpty}} disabled{{end}}>{{ctx.Locale.Tr "repo.settings.branches.update_default_branch"}}</button>
 				</form>
 			</div>
 
diff --git a/templates/repo/settings/navbar.tmpl b/templates/repo/settings/navbar.tmpl
index b9105bb8ed..e46273aff0 100644
--- a/templates/repo/settings/navbar.tmpl
+++ b/templates/repo/settings/navbar.tmpl
@@ -13,11 +13,9 @@
 			</a>
 		{{end}}
 		{{if .Repository.UnitEnabled $.Context ctx.Consts.RepoUnitTypeCode}}
-			{{if not .Repository.IsEmpty}}
-				<a class="{{if .PageIsSettingsBranches}}active {{end}}item" href="{{.RepoLink}}/settings/branches">
-					{{ctx.Locale.Tr "repo.settings.branches"}}
-				</a>
-			{{end}}
+			<a class="{{if .PageIsSettingsBranches}}active {{end}}item" href="{{.RepoLink}}/settings/branches">
+				{{ctx.Locale.Tr "repo.settings.branches"}}
+			</a>
 			<a class="{{if .PageIsSettingsTags}}active {{end}}item" href="{{.RepoLink}}/settings/tags">
 				{{ctx.Locale.Tr "repo.settings.tags"}}
 			</a>

From 2c6fa6c1e05437b5515c7be4f516ac4e4a59bf3c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 24 Sep 2024 11:02:42 +0800
Subject: [PATCH 20/23] Fix template bug of pull request view (#32072)

Caused by #31924
---
 templates/repo/issue/view_content/sidebar.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index 49c40be5a9..e49e90df56 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -109,7 +109,7 @@
 							</a>
 						</div>
 						<div class="tw-flex tw-items-center tw-gap-2">
-							<span {{if .Review.TooltipContent}}data-tooltip-content="{{ctx.Locale.Tr .Review.TooltipContent}}"{{end}}>
+							<span {{if .TooltipContent}}data-tooltip-content="{{ctx.Locale.Tr .TooltipContent}}"{{end}}>
 								{{svg (printf "octicon-%s" .Type.Icon) 16 (printf "text %s" (.HTMLTypeColorName))}}
 							</span>
 						</div>

From aadbe0488f454b9f7f5a56765f4530f9d1e2c6ec Mon Sep 17 00:00:00 2001
From: Kemal Zebari <60799661+kemzeb@users.noreply.github.com>
Date: Mon, 23 Sep 2024 20:38:08 -0700
Subject: [PATCH 21/23] Truncate commit message during Discord webhook push
 events (#31970)

Resolves #31668.
---
 services/webhook/discord.go      | 11 +++++++++--
 services/webhook/discord_test.go | 14 ++++++++++++++
 services/webhook/general_test.go | 10 +++++++++-
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/services/webhook/discord.go b/services/webhook/discord.go
index f27b39dac3..59e87a7e1f 100644
--- a/services/webhook/discord.go
+++ b/services/webhook/discord.go
@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"unicode/utf8"
 
 	webhook_model "code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/git"
@@ -154,8 +155,14 @@ func (d discordConvertor) Push(p *api.PushPayload) (DiscordPayload, error) {
 	var text string
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
-		text += fmt.Sprintf("[%s](%s) %s - %s", commit.ID[:7], commit.URL,
-			strings.TrimRight(commit.Message, "\r\n"), commit.Author.Name)
+		// limit the commit message display to just the summary, otherwise it would be hard to read
+		message := strings.TrimRight(strings.SplitN(commit.Message, "\n", 1)[0], "\r")
+
+		// a limit of 50 is set because GitHub does the same
+		if utf8.RuneCountInString(message) > 50 {
+			message = fmt.Sprintf("%.47s...", message)
+		}
+		text += fmt.Sprintf("[%s](%s) %s - %s", commit.ID[:7], commit.URL, message, commit.Author.Name)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
 			text += "\n"
diff --git a/services/webhook/discord_test.go b/services/webhook/discord_test.go
index c04b95383b..fbb4b24ef1 100644
--- a/services/webhook/discord_test.go
+++ b/services/webhook/discord_test.go
@@ -80,6 +80,20 @@ func TestDiscordPayload(t *testing.T) {
 		assert.Equal(t, p.Sender.AvatarURL, pl.Embeds[0].Author.IconURL)
 	})
 
+	t.Run("PushWithLongCommitMessage", func(t *testing.T) {
+		p := pushTestMultilineCommitMessagePayload()
+
+		pl, err := dc.Push(p)
+		require.NoError(t, err)
+
+		assert.Len(t, pl.Embeds, 1)
+		assert.Equal(t, "[test/repo:test] 2 new commits", pl.Embeds[0].Title)
+		assert.Equal(t, "[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778) This is a commit summary ⚠️⚠️⚠️⚠️ containing 你好... - user1\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778) This is a commit summary ⚠️⚠️⚠️⚠️ containing 你好... - user1", pl.Embeds[0].Description)
+		assert.Equal(t, p.Sender.UserName, pl.Embeds[0].Author.Name)
+		assert.Equal(t, setting.AppURL+p.Sender.UserName, pl.Embeds[0].Author.URL)
+		assert.Equal(t, p.Sender.AvatarURL, pl.Embeds[0].Author.IconURL)
+	})
+
 	t.Run("Issue", func(t *testing.T) {
 		p := issueTestPayload()
 
diff --git a/services/webhook/general_test.go b/services/webhook/general_test.go
index fc6e7140e7..d6a77c9442 100644
--- a/services/webhook/general_test.go
+++ b/services/webhook/general_test.go
@@ -64,9 +64,17 @@ func forkTestPayload() *api.ForkPayload {
 }
 
 func pushTestPayload() *api.PushPayload {
+	return pushTestPayloadWithCommitMessage("commit message")
+}
+
+func pushTestMultilineCommitMessagePayload() *api.PushPayload {
+	return pushTestPayloadWithCommitMessage("This is a commit summary ⚠️⚠️⚠️⚠️ containing 你好 ⚠️⚠️️\n\nThis is the message body.")
+}
+
+func pushTestPayloadWithCommitMessage(message string) *api.PushPayload {
 	commit := &api.PayloadCommit{
 		ID:      "2020558fe2e34debb818a514715839cabd25e778",
-		Message: "commit message",
+		Message: message,
 		URL:     "http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778",
 		Author: &api.PayloadUser{
 			Name:     "user1",

From e2f365b55cca7cf986a1f04e4d9e43d7e7aef7ad Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 24 Sep 2024 12:14:57 +0800
Subject: [PATCH 22/23] Display head branch more comfortable on pull request
 view (#32000)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR do some minor improvements for head branch display on pull
request view UI.

- [x] Remove the link if the head branch has been deleted with a
tooltip, so that users will not result in a 404 page
- [x] Display a label if this pull request is an agit based one.

![图片](https://github.com/user-attachments/assets/872f26b6-f1cf-4427-9e41-e3a5b176dfa4)
---
 models/issues/pull.go                |  4 ++++
 options/locale/locale_en-US.ini      |  1 +
 routers/web/repo/pull.go             | 14 +++++++++++++-
 templates/repo/issue/view_title.tmpl |  9 +++++++--
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/models/issues/pull.go b/models/issues/pull.go
index 5fe95d56cc..4a5782f836 100644
--- a/models/issues/pull.go
+++ b/models/issues/pull.go
@@ -268,6 +268,10 @@ func (pr *PullRequest) LoadAttributes(ctx context.Context) (err error) {
 	return nil
 }
 
+func (pr *PullRequest) IsAgitFlow() bool {
+	return pr.Flow == PullRequestFlowAGit
+}
+
 // LoadHeadRepo loads the head repository, pr.HeadRepo will remain nil if it does not exist
 // and thus ErrRepoNotExist will never be returned
 func (pr *PullRequest) LoadHeadRepo(ctx context.Context) (err error) {
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 957e73b171..f77fd203a2 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1927,6 +1927,7 @@ pulls.delete.text = Do you really want to delete this pull request? (This will p
 pulls.recently_pushed_new_branches = You pushed on branch <strong>%[1]s</strong> %[2]s
 
 pull.deleted_branch = (deleted):%s
+pull.agit_documentation = Review documentation about AGit
 
 comments.edit.already_changed = Unable to save changes to the comment. It appears the content has already been changed by another user. Please refresh the page and try editing again to avoid overwriting their changes
 
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index 95299b44d5..ced0bbc15a 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -164,7 +164,19 @@ func setMergeTarget(ctx *context.Context, pull *issues_model.PullRequest) {
 		ctx.Data["HeadTarget"] = pull.MustHeadUserName(ctx) + "/" + pull.HeadRepo.Name + ":" + pull.HeadBranch
 	}
 	ctx.Data["BaseTarget"] = pull.BaseBranch
-	ctx.Data["HeadBranchLink"] = pull.GetHeadBranchLink(ctx)
+	headBranchLink := ""
+	if pull.Flow == issues_model.PullRequestFlowGithub {
+		b, err := git_model.GetBranch(ctx, ctx.Repo.Repository.ID, pull.HeadBranch)
+		switch {
+		case err == nil:
+			if !b.IsDeleted {
+				headBranchLink = pull.GetHeadBranchLink(ctx)
+			}
+		case !git_model.IsErrBranchNotExist(err):
+			log.Error("GetBranch: %v", err)
+		}
+	}
+	ctx.Data["HeadBranchLink"] = headBranchLink
 	ctx.Data["BaseBranchLink"] = pull.GetBaseBranchLink(ctx)
 }
 
diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl
index 1243681f3a..7fa77b3f1c 100644
--- a/templates/repo/issue/view_title.tmpl
+++ b/templates/repo/issue/view_title.tmpl
@@ -50,9 +50,14 @@
 			{{if .Issue.IsPull}}
 				{{$headHref := .HeadTarget}}
 				{{if .HeadBranchLink}}
-					{{$headHref = HTMLFormat `<a href="%s">%s</a>` .HeadBranchLink $headHref}}
+					{{$headHref = HTMLFormat `<a href="%s">%s</a> <button class="btn interact-fg" data-tooltip-content="%s" data-clipboard-text="%s">%s</button>` .HeadBranchLink $headHref (ctx.Locale.Tr "copy_branch") .HeadTarget (svg "octicon-copy" 14)}}
+				{{else}}
+					{{if .Issue.PullRequest.IsAgitFlow}}
+						{{$headHref = HTMLFormat `%s <a href="%s" target="_blank"><span class="ui label basic tiny" data-tooltip-content="%s">AGit</span></a>` $headHref "https://docs.gitea.com/usage/agit" (ctx.Locale.Tr "repo.pull.agit_documentation")}}
+					{{else}}
+						{{$headHref = HTMLFormat `<span data-tooltip-content="%s">%s</span>` (ctx.Locale.Tr "form.target_branch_not_exist") $headHref}}
+					{{end}}
 				{{end}}
-				{{$headHref = HTMLFormat `%s <button class="btn interact-fg" data-tooltip-content="%s" data-clipboard-text="%s">%s</button>` $headHref (ctx.Locale.Tr "copy_branch") .HeadTarget (svg "octicon-copy" 14)}}
 				{{$baseHref := .BaseTarget}}
 				{{if .BaseBranchLink}}
 					{{$baseHref = HTMLFormat `<a href="%s">%s</a>` .BaseBranchLink $baseHref}}

From 4947bec8360c152daca23e120eae1732d3848492 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 24 Sep 2024 15:12:06 +0800
Subject: [PATCH 23/23] Include collaboration repositories on dashboard
 source/forks/mirrors list (#31946)

Fix #13489

In the original implementation, only `All` will display your owned and
collaborated repositories. For other filters like `Source`, `Mirrors`
and etc. will only display your owned repositories.

This PR removed the limitations. Now except `collbrations`, other
filters will always display your owned and collaborated repositories.
---
 web_src/js/components/DashboardRepoList.vue | 1 -
 1 file changed, 1 deletion(-)

diff --git a/web_src/js/components/DashboardRepoList.vue b/web_src/js/components/DashboardRepoList.vue
index afc58d3689..ce165b1b3d 100644
--- a/web_src/js/components/DashboardRepoList.vue
+++ b/web_src/js/components/DashboardRepoList.vue
@@ -78,7 +78,6 @@ const sfc = {
     searchURL() {
       return `${this.subUrl}/repo/search?sort=updated&order=desc&uid=${this.uid}&team_id=${this.teamId}&q=${this.searchQuery
       }&page=${this.page}&limit=${this.searchLimit}&mode=${this.repoTypes[this.reposFilter].searchMode
-      }${this.reposFilter !== 'all' ? '&exclusive=1' : ''
       }${this.archivedFilter === 'archived' ? '&archived=true' : ''}${this.archivedFilter === 'unarchived' ? '&archived=false' : ''
       }${this.privateFilter === 'private' ? '&is_private=true' : ''}${this.privateFilter === 'public' ? '&is_private=false' : ''
       }`;