Merge remote-tracking branch 'upstream/main'

* upstream/main: (26 commits)
  Clean up WebAuthn javascript code and remove JQuery code (go-gitea#22697)
  Enable all webpack sourcemaps in dev build, disable all in prod build (go-gitea#25089)
  Don't display `select all issues` checkbox when no issues are available (go-gitea#25086)
  change placeholders in actions docs
  change placeholders in actions docs
  fix "Remove stars when repo goes private go-gitea#19904" (go-gitea#25084)
  Introduce how to configure cache when starting a Runner with Docker (go-gitea#25077)
  Remove stars when repo goes private (go-gitea#19904)
  Use correct selector for hiding RSS icon link in the branch selector dropdown (go-gitea#25080)
  Fix parallelly generating index failure with Mysql (go-gitea#24567)
  Use git command instead of the ini package to remove the `origin` remote (go-gitea#25066)
  improve permission documentation (go-gitea#23942)
  Use RepositoryList instead of []*Repository (go-gitea#25074)
  Add ability to set multiple redirect URIs in OAuth application UI (go-gitea#25072)
  Add Progressbar to Milestone Page (go-gitea#25050)
  [skip ci] Updated licenses and gitignores
  Redesign Scoped Access Tokens (go-gitea#24767)
  Use a separate admin page to show global stats, remove `actions` stat (go-gitea#25062)
  Remove cancel button from branch protection form (go-gitea#25063)
  Allow for PKCE flow without client secret + add docs (go-gitea#25033)
  ...

.golangci.yml

@@ -86,6 +86,7 @@ linters-settings:
       - io/ioutil: "use os or io instead"
       - golang.org/x/exp: "it's experimental and unreliable."
       - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"
+      - gopkg.in/ini.v1: "do not use the ini package, use gitea's config system instead"
 
 issues:
   max-issues-per-linter: 0

build/backport-locales.go

@@ -12,7 +12,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"gopkg.in/ini.v1"
+	"code.gitea.io/gitea/modules/setting"
 )
 
 func main() {
@@ -22,25 +22,21 @@ func main() {
 		os.Exit(1)
 	}
 
-	ini.PrettyFormat = false
 	mustNoErr := func(err error) {
 		if err != nil {
 			panic(err)
 		}
 	}
-	collectInis := func(ref string) map[string]*ini.File {
-		inis := map[string]*ini.File{}
+	collectInis := func(ref string) map[string]setting.ConfigProvider {
+		inis := map[string]setting.ConfigProvider{}
 		err := filepath.WalkDir("options/locale", func(path string, d os.DirEntry, err error) error {
 			if err != nil {
 				return err
 			}
 			if d.IsDir() || !strings.HasSuffix(d.Name(), ".ini") {
 				return nil
 			}
-			cfg, err := ini.LoadSources(ini.LoadOptions{
-				IgnoreInlineComment:         true,
-				UnescapeValueCommentSymbols: true,
-			}, path)
+			cfg, err := setting.NewConfigProviderForLocale(path)
 			mustNoErr(err)
 			inis[path] = cfg
 			fmt.Printf("collecting: %s @ %s\n", path, ref)

contrib/environment-to-ini/environment-to-ini.go

@@ -9,10 +9,8 @@ import (
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
 
 	"github.com/urfave/cli"
-	"gopkg.in/ini.v1"
 )
 
 // EnvironmentPrefix environment variables prefixed with this represent ini values to write
@@ -97,19 +95,10 @@ func runEnvironmentToIni(c *cli.Context) error {
 	providedWorkPath := c.String("work-path")
 	setting.SetCustomPathAndConf(providedCustom, providedConf, providedWorkPath)
 
-	cfg := ini.Empty()
-	confFileExists, err := util.IsFile(setting.CustomConf)
+	cfg, err := setting.NewConfigProviderFromFile(&setting.Options{CustomConf: setting.CustomConf, AllowEmpty: true})
 	if err != nil {
-		log.Fatal("Unable to check if %s is a file. Error: %v", setting.CustomConf, err)
+		log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
 	}
-	if confFileExists {
-		if err := cfg.Append(setting.CustomConf); err != nil {
-			log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
-		}
-	} else {
-		log.Warn("Custom config '%s' not found, ignore this if you're running first time", setting.CustomConf)
-	}
-	cfg.NameMapper = ini.SnackCase
 
 	prefixGitea := c.String("prefix") + "__"
 	suffixFile := "__FILE"

docs/content/doc/development/oauth2-provider.en-us.md

@@ -1,5 +1,5 @@
 ---
-date: "2019-04-19:44:00+01:00"
+date: "2023-06-01T08:40:00+08:00"
 title: "OAuth2 provider"
 slug: "oauth2-provider"
 weight: 41
@@ -40,64 +40,67 @@ At the moment Gitea only supports the [**Authorization Code Grant**](https://too
 - [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636)
 - [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
 
-To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings.
+To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings. To test or debug you can use the web-tool https://oauthdebugger.com/.
 
 ## Scopes
 
-Gitea supports the following scopes for tokens:
-
-| Name | Description |
-| ---- | ----------- |
-| **(no scope)** | Grants read-only access to public user profile and public repositories. |
-| **repo** | Full control over all repositories. |
-|     **repo:status** | Grants read/write access to commit status in all repositories. |
-|     **public_repo** | Grants read/write access to public repositories only. |
-| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
-|     **write:repo_hook** | Grants read/write access to repository hooks |
-|     **read:repo_hook** | Grants read-only access to repository hooks |
-| **admin:org** | Grants full access to organization settings |
-|     **write:org** | Grants read/write access to organization settings |
-|     **read:org** | Grants read-only access to organization settings |
-| **admin:public_key** | Grants full access for managing public keys |
-|     **write:public_key** | Grant read/write access to public keys |
-|     **read:public_key** | Grant read-only access to public keys |
-| **admin:org_hook** | Grants full access to organizational-level hooks |
-| **admin:user_hook** | Grants full access to user-level hooks |
-| **notification** | Grants full access to notifications |
-| **user** | Grants full access to user profile info |
-|     **read:user** | Grants read access to user's profile |
-|     **user:email** | Grants read access to user's email addresses |
-|     **user:follow** | Grants access to follow/un-follow a user |
-| **delete_repo** | Grants access to delete repositories as an admin |
-| **package** | Grants full access to hosted packages |
-|     **write:package** | Grants read/write access to packages |
-|     **read:package** | Grants read access to packages |
-|     **delete:package** | Grants delete access to packages |
-| **admin:gpg_key** | Grants full access for managing GPG keys |
-|     **write:gpg_key** | Grants read/write access to GPG keys |
-|     **read:gpg_key** | Grants read-only access to GPG keys |
-| **admin:application** | Grants full access to manage applications |
-|     **write:application** | Grants read/write access for managing applications |
-|     **read:application** | Grants read access for managing applications |
-| **sudo** | Allows to perform actions as the site admin. |
+Gitea supports scoped access tokens, which allow users the ability to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:
+
+- `read`: `GET` routes
+- `write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`)
+
+Gitea token scopes are as follows:
+
+| Name | Description                                                                                                                                      |
+| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------|
+| **(no scope)** | Not supported. A scope is required even for public repositories.                                                                                 |
+| **activitypub** | `activitypub` API routes: ActivityPub related operations.                                                                                        |
+|     **read:activitypub** | Grants read access for ActivityPub operations.                                                                                                   |
+|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations.                                                                                      |
+| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts).                                                      |
+|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails.                                                    |
+|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                              |                                                         |
+| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations.                                                                     |
+|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.                                     |
+|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.              |
+| **misc** | miscellaneous and settings top-level API routes.                                                                                                 |
+|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates.                                                   |
+|     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations.                                                         |
+| **notification** | `notification/*` API routes: user notification operations.                                                                                       |
+|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.                        |
+|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read.                                                           |
+| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations.                                                                  |
+|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members.                           |
+|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.                                  |
+| **package** | `/packages/*` API routes: Packages operations                                                                                                    |
+|     **read:package** | Grants read access to package operations, such as reading and downloading available packages.                                                    |
+|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`.                                                            |
+| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations.                                           |
+|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators.                                          |
+|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators.    |
+| **user** | `/user/*` and `/users/*` API routes: User-related operations.                                                                                    |
+|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings.                                                |
+|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.                        |
 
 ## Client types
 
 Gitea supports both confidential and public client types, [as defined by RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).
 
 For public clients, a redirect URI of a loopback IP address such as `http://127.0.0.1/` allows any port. Avoid using `localhost`, [as recommended by RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3).
 
-## Example
+## Examples
+
+### Confidential client
 
 **Note:** This example does not use PKCE.
 
-1. Redirect to user to the authorization endpoint in order to get their consent for accessing the resources:
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
 
    ```curl
    https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE
    ```
 
-   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be send back to your application after the user authorizes. The `state` parameter is optional but should be used to prevent CSRF attacks.
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
 
    ![Authorization Page](/authorize.png)
 
@@ -107,7 +110,7 @@ For public clients, a redirect URI of a loopback IP address such as `http://127.
    https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
    ```
 
-2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoints accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
 
    ```curl
    POST https://[YOUR-GITEA-URL]/login/oauth/access_token
@@ -134,7 +137,69 @@ For public clients, a redirect URI of a loopback IP address such as `http://127.
    }
    ```
 
-   The `CLIENT_SECRET` is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Gitea and cannot be recovered. If you lose the secret you must regenerate the secret via the application's settings.
+   The `CLIENT_SECRET` is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Gitea and cannot be recovered. If you lose the secret, you must regenerate the secret via the application's settings.
+
+   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
+
+3. Use the `access_token` to make [API requests](https://docs.gitea.io/en-us/api-usage#oauth2) to access the user's resources.
+
+### Public client (PKCE)
+
+PKCE (Proof Key for Code Exchange) is an extension to the OAuth flow which allows for a secure credential exchange without the requirement to provide a client secret.
+
+**Note**: Please ensure you have registered your OAuth application as a public client.
+
+To achieve this, you have to provide a `code_verifier` for every authorization request. A `code_verifier` has to be a random string with a minimum length of 43 characters and a maximum length of 128 characters. It can contain alphanumeric characters as well as the characters `-`, `.`, `_`  and `~`.
+
+Using this `code_verifier` string, a new one called `code_challenge` is created by using one of two methods:
+
+- If you have the required functionality on your client, set `code_challenge` to be a URL-safe base64-encoded string of the SHA256 hash of `code_verifier`. In that case, your `code_challenge_method` becomes `S256`.
+- If you are unable to do so, you can provide your `code_verifier` as a plain string to `code_challenge`. Then you have to set your `code_challenge_method` as `plain`.
+
+After you have generated this values, you can continue with your request.
+
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
+
+   ```curl
+   https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&code_challenge_method=CODE_CHALLENGE_METHOD&code_challenge=CODE_CHALLENGE&state=STATE
+   ```
+
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
+
+   ![Authorization Page](/authorize.png)
+
+   The user will now be asked to authorize your application. If they authorize it, the user will be redirected to the `REDIRECT_URL`, for example:
+
+   ```curl
+   https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
+   ```
+
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+
+   ```curl
+   POST https://[YOUR-GITEA-URL]/login/oauth/access_token
+   ```
+
+   ```json
+   {
+     "client_id": "YOUR_CLIENT_ID",
+     "code": "RETURNED_CODE",
+     "grant_type": "authorization_code",
+     "redirect_uri": "REDIRECT_URI",
+     "code_verifier": "CODE_VERIFIER",
+   }
+   ```
+
+   Response:
+
+   ```json
+   {
+     "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
+     "token_type": "bearer",
+     "expires_in": 3600,
+     "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
+   }
+   ```
 
    The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
 

docs/content/doc/installation/from-source.en-us.md

@@ -132,6 +132,8 @@ If pre-built frontend files are present it is possible to only build the backend
 TAGS="bindata" make backend
 ```
 
+Webpack source maps are by default enabled in development builds and disabled in production builds. They can be enabled by setting the `ENABLE_SOURCEMAP=true` environment variable.
+
 ## Test
 
 After following the steps above, a `gitea` binary will be available in the working directory.

docs/content/doc/usage/actions/act-runner.en-us.md

@@ -172,6 +172,40 @@ It is because the act runner will run jobs in docker containers, so it needs to
 As mentioned, you can remove it if you want to run jobs in the host directly.
 To be clear, the "host" actually means the container which is running the act runner now, instead of the host machine.
 
+### Configuring cache when starting a Runner using docker image
+
+If you do not intend to use `actions/cache` in workflow, you can ignore this section.
+
+If you use `actions/cache` without any additional configuration, it will return the following error:
+> Failed to restore: getCacheEntry failed: connect ETIMEDOUT IP:PORT
+
+The error occurs because the runner container and job container are on different networks, so the job container cannot access the runner container.
+
+Therefore, it is essential to configure the cache action to ensure its proper functioning. Follow these steps:
+
+- 1.Obtain the LAN IP address of the host machine where the runner container is running.
+- 2.Find an available port number on the host machine where the runner container is running.
+- 3.Configure the following settings in the configuration file:
+
+```yaml
+cache:
+  enabled: true
+  dir: ""
+  # Use the LAN IP obtained in step 1
+  host: "192.168.8.17"
+  # Use the port number obtained in step 2
+  port: 8088
+```
+
+- 4.When starting the container, map the cache port to the host machine:
+
+```bash
+docker run \
+  --name gitea-docker-runner \
+  -p 8088:8088 \
+  -d gitea/act_runner:nightly
+```
+
 ### Labels
 
 The labels of a runner are used to determine which jobs the runner can run, and how to run them.