Merge remote-tracking branch 'upstream/main'

* upstream/main: (23 commits)
  add margin top to the top of branches (go-gitea#23002)
  Add me to maintainers (go-gitea#23026)
  Render access log template as text instead of HTML (go-gitea#23013)
  Use `gt-relative` class instead of the ambiguous `gt-pr` class  (go-gitea#23008)
  Fix intermittent panic in notify issue change content (go-gitea#23019)
  Improve pull_request_template.md (go-gitea#22888)
  Hide 2FA status from other members in organization members list (go-gitea#22999)
  handle deprecated settings (go-gitea#22992)
  Add scopes to API to create token and display them (go-gitea#22989)
  Remove unnecessary and incorrect `find('.menu').toggle()` (go-gitea#22987)
  Improve issues.LoadProject (go-gitea#22982)
  Add 1.18.4 changelog (go-gitea#22991) (go-gitea#22995)
  Fix pull request branch selector visible without clicking Edit (go-gitea#23012)
  Bump golang.org/x/net from 0.4.0 to 0.7.0 (go-gitea#22980)
  Fix panic when call api (/repos/{owner}/{repo}/pulls/{index}/files) (go-gitea#22921)
  only trigger docs build and publish when docs changed (go-gitea#22968)
  Get rules by id when editing branch protection rule (go-gitea#22932)
  Fix hidden commit status on multiple checks (go-gitea#22889)
  Add me to maintainers (go-gitea#22998)
  Add all units to the units permission list in org team members sidebar (go-gitea#22971)
  ...

.drone.yml

@@ -12,6 +12,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -112,7 +115,6 @@ steps:
     image: golang:1.19 # this step is kept as the lowest version of golang that we support
     pull: always
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
     commands:
       - go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
@@ -124,7 +126,6 @@ steps:
   - name: build-backend-arm64
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: linux
       GOARCH: arm64
@@ -140,7 +141,6 @@ steps:
   - name: build-backend-windows
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: windows
       GOARCH: amd64
@@ -155,7 +155,6 @@ steps:
   - name: build-backend-386
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: linux
       GOARCH: 386
@@ -183,6 +182,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -410,6 +412,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -517,6 +522,9 @@ depends_on:
 trigger:
   event:
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -696,6 +704,9 @@ trigger:
     - "release/*"
   event:
     - push
+  paths:
+    exclude:
+      - docs/**
 
 depends_on:
   - testing-amd64
@@ -947,6 +958,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    include:
+      - docs/**
 
 steps:
   - name: build-docs
@@ -1241,6 +1255,9 @@ depends_on:
 trigger:
   ref:
   - "refs/pull/**"
+  paths:
+    exclude:
+      - docs/**
 
 steps:
   - name: dryrun

.github/pull_request_template.md

@@ -1,9 +1,9 @@
-<!--
-
+<!-- start tips --> 
 Please check the following:
-
-1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
-2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
-3. Describe what your pull request does and which issue you're targeting (if any)
-
--->  
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for backports.
+2. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
+3. Describe what your pull request does and which issue you're targeting (if any).
+4. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
+5. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
+6. Delete all these tips before posting.
+<!-- end tips -->

CHANGELOG.md

@@ -4,6 +4,43 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/1.18.4) - 2023-02-20
+
+* SECURITY
+  * Provide the ability to set password hash algorithm parameters (#22942) (#22943)
+  * Add command to bulk set must-change-password (#22823) (#22928)
+* ENHANCEMENTS
+  * Use import of OCI structs (#22765) (#22805)
+  * Fix color of tertiary button on dark theme (#22739) (#22744)
+  * Link issue and pull requests status change in UI notifications directly to their event in the timelined view. (#22627) (#22642)
+* BUGFIXES
+  * Notify on container image create (#22806) (#22965)
+  * Fix blame view missing lines (#22826) (#22929)
+  * Fix incorrect role labels for migrated issues and comments (#22914) (#22923)
+  * Fix PR file tree folders no longer collapsing (#22864) (#22872)
+  * Escape filename when assemble URL (#22850) (#22871)
+  * Fix isAllowed of escapeStreamer (#22814) (#22837)
+  * Load issue before accessing index in merge message (#22822) (#22830)
+  * Improve trace logging for pulls and processes (#22633) (#22812)
+  * Fix restore repo bug, clarify the problem of ForeignIndex (#22776) (#22794)
+  * Add default user visibility to cli command "admin user create" (#22750) (#22760)
+  * Escape path for the file list (#22741) (#22757)
+  * Fix bugs with WebAuthn preventing sign in and registration. (#22651) (#22721)
+  * Add missing close bracket in imagediff (#22710) (#22712)
+  * Move code comments to a standalone file and fix the bug when adding a reply to an outdated review appears to not post(#20821) (#22707)
+  * Fix line spacing for plaintext previews (#22699) (#22701)
+  * Fix wrong hint when deleting a branch successfully from pull request UI (#22673) (#22698)
+  * Fix README TOC links (#22577) (#22677)
+  * Fix missing message in git hook when pull requests disabled on fork (#22625) (#22658)
+  * Improve checkIfPRContentChanged (#22611) (#22644)
+  * Prevent duplicate labels when importing more than 99 (#22591) (#22598)
+  * Don't return duplicated users who can create org repo (#22560) (#22562)
+* BUILD
+  * Upgrade golangcilint to v1.51.0 (#22764)
+* MISC
+  * Use proxy for pull mirror (#22771) (#22772)
+  * Use `--index-url` in PyPi description (#22620) (#22636)
+
 ## [1.18.3](https://github.com/go-gitea/gitea/releases/tag/v1.18.3) - 2023-01-23
 
 * SECURITY

MAINTAINERS

@@ -47,3 +47,5 @@ Wim <wim@42.be> (@42wim)
 Xinyu Zhou <i@sourcehut.net> (@xin-u)
 Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
+Yu Tian <zettat123@gmail.com> (@Zettat123)
+Eddie Yang <576951401@qq.com> (@yp05327)

go.mod

@@ -103,10 +103,10 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87
 	github.com/yuin/goldmark-meta v1.1.0
 	golang.org/x/crypto v0.4.0
-	golang.org/x/net v0.4.0
+	golang.org/x/net v0.7.0
 	golang.org/x/oauth2 v0.3.0
-	golang.org/x/sys v0.3.0
-	golang.org/x/text v0.5.0
+	golang.org/x/sys v0.5.0
+	golang.org/x/text v0.7.0
 	golang.org/x/tools v0.1.12
 	google.golang.org/grpc v1.47.0
 	google.golang.org/protobuf v1.28.1

go.sum

@@ -1463,8 +1463,8 @@ golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1609,14 +1609,15 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1627,8 +1628,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

models/auth/token_scope.go

@@ -168,10 +168,23 @@ var allAccessTokenScopeBits = map[AccessTokenScope]AccessTokenScopeBitmap{
 
 // Parse parses the scope string into a bitmap, thus removing possible duplicates.
 func (s AccessTokenScope) Parse() (AccessTokenScopeBitmap, error) {
-	list := strings.Split(string(s), ",")
-
 	var bitmap AccessTokenScopeBitmap
-	for _, v := range list {
+
+	// The following is the more performant equivalent of 'for _, v := range strings.Split(remainingScope, ",")' as this is hot code
+	remainingScopes := string(s)
+	for len(remainingScopes) > 0 {
+		i := strings.IndexByte(remainingScopes, ',')
+		var v string
+		if i < 0 {
+			v = remainingScopes
+			remainingScopes = ""
+		} else if i+1 >= len(remainingScopes) {
+			v = remainingScopes[:i]
+			remainingScopes = ""
+		} else {
+			v = remainingScopes[:i]
+			remainingScopes = remainingScopes[i+1:]
+		}
 		singleScope := AccessTokenScope(v)
 		if singleScope == "" {
 			continue
@@ -187,9 +200,15 @@ func (s AccessTokenScope) Parse() (AccessTokenScopeBitmap, error) {
 		}
 		bitmap |= bits
 	}
+
 	return bitmap, nil
 }
 
+// StringSlice returns the AccessTokenScope as a []string
+func (s AccessTokenScope) StringSlice() []string {
+	return strings.Split(string(s), ",")
+}
+
 // Normalize returns a normalized scope string without any duplicates.
 func (s AccessTokenScope) Normalize() (AccessTokenScope, error) {
 	bitmap, err := s.Parse()

models/db/iterate_test.go

@@ -25,7 +25,7 @@ func TestIterate(t *testing.T) {
 		return nil
 	})
 	assert.NoError(t, err)
-	assert.EqualValues(t, 81, repoCnt)
+	assert.EqualValues(t, 83, repoCnt)
 
 	err = db.Iterate(db.DefaultContext, nil, func(ctx context.Context, repoUnit *repo_model.RepoUnit) error {
 		reopUnit2 := repo_model.RepoUnit{ID: repoUnit.ID}

models/fixtures/repo_unit.yml

@@ -556,3 +556,16 @@
   repo_id: 54
   type: 1
   created_unix: 946684810
+
+-
+  id: 82
+  repo_id: 31
+  type: 1
+  created_unix: 946684810
+
+-
+  id: 83
+  repo_id: 31
+  type: 3
+  config: "{\"IgnoreWhitespaceConflicts\":false,\"AllowMerge\":true,\"AllowRebase\":true,\"AllowRebaseMerge\":true,\"AllowSquash\":true}"
+  created_unix: 946684810