One of the security patches released 2026-03-09 [fixed a vulnerability](d1c7b04d09) caused by a misapplication of Go `case` statements, where the implementation would have been correct if Go `case` statements automatically fall through to the next case block, but they do not. This PR adds a semgrep rule which detects any empty `case` statement and raises an error, in order to prevent this coding mistake in the future.
For example, code like this will now trigger a build error:
```go
switch setting.Protocol {
case setting.HTTPUnix:
case setting.FCGI:
case setting.FCGIUnix:
default:
	defaultLocalURL := string(setting.Protocol) + "://"
}
```
Example error:
```
cmd/web.go
❯❯❱ semgrep.config.forgejo-switch-empty-case
switch has a case block with no content. This is treated as "break" by Go, but developers may
confuse it for "fallthrough". To fix this error, disambiguate by using "break" or
"fallthrough".
279┆ switch setting.Protocol {
280┆ case setting.HTTPUnix:
281┆ case setting.FCGI:
282┆ case setting.FCGIUnix:
283┆ default:
284┆ defaultLocalURL := string(setting.Protocol) + "://"
285┆ if setting.HTTPAddr == "0.0.0.0" {
286┆ defaultLocalURL += "localhost"
287┆ } else {
288┆ defaultLocalURL += setting.HTTPAddr
```
As described in the error output, this error can be fixed by explicitly listing `break` (the real Go behaviour, to do nothing in the block), or by listing `fallthrough` (if the intent was to fall through).
All existing code triggering this detection has been changed to `break` (or, rarely, irrelevant cases have been removed), which should maintain the same code functionality. While performing this fixup, a light analysis was performed on each case and they *appeared* correct, but with ~65 cases I haven't gone into extreme depth.
Tests are present for the semgrep rule in `.semgrep/tests/go.go`.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11593
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
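The empty-`case` hazard described in the commit message above, as an added example (not code from the Forgejo repository and not the project's semgrep rule). The `blocked*` functions and scheme names are hypothetical, the `sample` source is constructed, and `emptyCaseLines` is a stand-in detector built on the standard `go/ast` package that reports every case clause with an empty body.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// blockedBuggy is written as if Go cases fell through to the next body.
// The empty "file" case is an implicit break, so "file" is NOT blocked.
// The scheme names are hypothetical; they only illustrate a fail-open check.
func blockedBuggy(scheme string) bool {
	switch scheme {
	case "file":
	case "ssh":
		return true
	}
	return false
}

// blockedList expresses the shared body with a case list.
func blockedList(scheme string) bool {
	switch scheme {
	case "file", "ssh":
		return true
	}
	return false
}

// blockedFallthrough states the intent with an explicit fallthrough.
func blockedFallthrough(scheme string) bool {
	switch scheme {
	case "file":
		fallthrough
	case "ssh":
		return true
	}
	return false
}

// sample is constructed input for the detector below. Only the "unix" case
// has an empty body; the others carry an explicit break or fallthrough.
const sample = `package sample

func localURL(p string) string {
	out := ""
	switch p {
	case "unix":
	case "fcgi":
		break
	case "fcgi+unix":
		fallthrough
	default:
		out = p + "://"
	}
	return out
}
`

// emptyCaseLines parses Go source and returns the line number of every
// case clause whose body is empty.
func emptyCaseLines(src string) ([]int, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(file, func(n ast.Node) bool {
		if cc, ok := n.(*ast.CaseClause); ok && len(cc.Body) == 0 {
			lines = append(lines, fset.Position(cc.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

func main() {
	for _, s := range []string{"file", "ssh", "https"} {
		fmt.Printf("%-5s buggy=%v list=%v fallthrough=%v\n",
			s, blockedBuggy(s), blockedList(s), blockedFallthrough(s))
	}
	lines, err := emptyCaseLines(sample)
	fmt.Println("empty case clauses at lines:", lines, err)
}
```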
It is unfortunately all mixed up, because refreshing the data means breaking the tests. And changing the code means needing fresh data.
- tests: ignore some more headers and sort the rest when dumping http responses
- code: fixed #10234 by requesting the latest issues first.
- tests: created a new repo to replace the disappeared repo, needed for the skip-numbers test
- refreshed the testdata.
- follow-up fixes to get the tests green.
- including a cherry-pick of https://github.com/go-gitea/gitea/pull/36295 and #11272
Co-authored-by: Joakim Olsson <joakim@unbound.se>
Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11282
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: patdyn <patdyn@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
This PR fixes a number of typos throughout the entire repository. Running https://github.com/crate-ci/typos and then changing all occurrences that I naively deemed "safe enough".
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10753
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Christoph Mewes <christoph@kubermatic.com>
Co-committed-by: Christoph Mewes <christoph@kubermatic.com>
For the previous code with the Page attribute present in
ListCursorOptions for page 1, github would not return an "After" cursor,
such that the request for page 2 would request what effectively is the
content of page 1 a second time.
This would lead to an attempt to insert the same issues twice.
Note that this is not the only reason why this can happen with the
current code base.
We fix this particular issue by not using the Page attribute so github
does return an "After" cursor.
Fixes #10794
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10798
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nils Goroll <nils.goroll@uplex.de>
Co-committed-by: Nils Goroll <nils.goroll@uplex.de>
This is a successor to #10805, which simply did not work. It is also much simpler and basically a one line change to enable an existing feature in [go-github](https://github.com/google/go-github).
Fixes #10845
With this fix and #10798 in place, a migration of a repo with ~3K issues and ~1.3k pull requests finally completed successfully.
## Patch
We use SleepUntilPrimaryRateLimitResetWhenRateLimited to instruct the go-github code to wait until the retry time and retry the request when the primary rate limit gets hit.
## Test case
TestGitHubDownloadRepo() has been modified such that 403 rate limit errors are injected every 7 requests with a retry time of one second, resulting in the rate limit condition being hit twice with the current tests. The test case confirms that the migration code itself is in fact unaffected by the rate limit being hit.
## Scope
This change does not affect secondary rate limits.
If the server is restarted during the wait for the rate limit refresh, the migration likely still fails when retried, because inserts for already present database objects will be attempted.
This approach effectively puts the task's goroutine to sleep until the retry time, which implies that the respective resources stay allocated.
A better approach might be to add the necessary infrastructure to support restarts of migration tasks at a later time, but this is much more involved, because the migration state would need to be saved and/or re-created based on already pulled data. This would also require adding support for database upserts.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10846
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nils Goroll <nils.goroll@uplex.de>
Co-committed-by: Nils Goroll <nils.goroll@uplex.de>
The change migrates the milestone's deadline in a semantic time format understood by the database.
Please note that this change is in addition to that of !10169.
Fixes https://forge.fedoraproject.org/forge/forge/issues/306
Signed-off-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10299
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Co-committed-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Don't panic during pagure migration if a milestone has no date.
Fixes https://forge.fedoraproject.org/forge/forge/issues/281
### Manual testing
Here's how to confirm that the change is working.
Simply migrate a repository having milestones with deadlines from Pagure over to Forgejo to test.
At the source namespace, https://pagure.io/protop2g-test-srce/roadmap
This change assumes that the milestone's deadline is stored in Pagure in Unix time format (the default).
At the destination namespace, check that the due date is correct.
Signed-off-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10169
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Co-committed-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Resolves https://codeberg.org/forgejo/forgejo/issues/1869. Converts descriptions that mention merge requests to point to the new index (Forgejo, like Github, uses a unified index while Gitlab has two separate indexes for issues and merge requests).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10077
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: patdyn <patdyn@noreply.codeberg.org>
Co-committed-by: patdyn <patdyn@noreply.codeberg.org>
Signed-off-by: voltagex <git@voltagex.org>
## Checklist
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10035
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: voltagex <git@voltagex.org>
Co-committed-by: voltagex <git@voltagex.org>
- Follow up of forgejo/forgejo!9274
- The test does not call to Gitea for fetching comments, but when initializing the Gitea client it does check the API version and some settings. Mock these responses so this test can be run without a network connection.
- Resolves forgejo/forgejo#9928
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9948
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
The Gitea API responds with the full number of issue comments when the `/repos/{owner}/{repo}/issues/{index}/comments` endpoint is hit. Originally the number of comments is expected to be paginated, so in the end it should always be lower than `MAX_RESPONSE_ITEMS` when the last page is hit.
However, due to the bug, this can never happen and so there will be an infinite loop.
This problem was inherited also into the Forgejo codebase. That means the same problem can occur when migrating from Forgejo to Forgejo.
Some fixes for the Forgejo API have been proposed for the Forgejo codebase, see https://codeberg.org/forgejo/forgejo/issues/5177 and https://codeberg.org/codeberg/community/issues/1542.
An integration test was written which reproduces the exact behaviour. A more future proof solution was created that checks the relevant cases and decides whether the bug is still there or not.
It might be necessary to further distinguish between Gitea downloader and Forgejo downloader if we decide to update the Forgejo API. So we'll probably have to implement functionality and tests directly for the Forgejo downloader instead of just inheriting all the methods.
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9274
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: erik <erik_se@posteo.de>
Co-committed-by: erik <erik_se@posteo.de>
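The infinite-loop condition described in the commit message above, as an added example (not the Forgejo downloader code, and not necessarily the check that PR implements). All names are hypothetical and the servers are in-memory stand-ins: `naiveFetch` stops only on a short page, while `guardedFetch` also stops on an oversized or repeated page.

```go
package main

import "fmt"

type comment struct{ ID int }

// fetchFunc returns one page of comments; pages are numbered from 1.
type fetchFunc func(page, limit int) []comment

// makeComments builds constructed comments with IDs in [from, to).
func makeComments(from, to int) []comment {
	out := make([]comment, 0, to-from)
	for id := from; id < to; id++ {
		out = append(out, comment{ID: id})
	}
	return out
}

// ignoringServer models the described bug: page and limit are ignored and
// every request returns all comments.
func ignoringServer(total int) fetchFunc {
	return func(page, limit int) []comment { return makeComments(1, total+1) }
}

// pagingServer models a server that honours page and limit.
func pagingServer(total int) fetchFunc {
	return func(page, limit int) []comment {
		start := (page-1)*limit + 1
		if start > total {
			return nil
		}
		end := start + limit
		if end > total+1 {
			end = total + 1
		}
		return makeComments(start, end)
	}
}

// naiveFetch stops only when a page is shorter than limit. maxRequests is a
// cap added for this demo so the loop can be observed; finished reports
// whether the loop ended by itself.
func naiveFetch(fetch fetchFunc, limit, maxRequests int) (n, requests int, finished bool) {
	for page := 1; page <= maxRequests; page++ {
		items := fetch(page, limit)
		requests++
		n += len(items)
		if len(items) < limit {
			return n, requests, true
		}
	}
	return n, requests, false
}

// guardedFetch adds two stop conditions to the short-page check (limit > 0):
// a page larger than limit means pagination was ignored, so that page is
// taken as the full set; a page that starts with the same ID as the previous
// page is a repeat and is dropped.
func guardedFetch(fetch fetchFunc, limit int) (all []comment, requests int) {
	prevFirst := -1
	for page := 1; ; page++ {
		items := fetch(page, limit)
		requests++
		if len(items) > limit {
			return items, requests
		}
		if len(items) > 0 && items[0].ID == prevFirst {
			return all, requests
		}
		all = append(all, items...)
		if len(items) < limit {
			return all, requests
		}
		prevFirst = items[0].ID
	}
}

func main() {
	_, req, done := naiveFetch(ignoringServer(120), 50, 10)
	fmt.Println("naive vs ignoring server: requests", req, "finished", done)
	all, req := guardedFetch(ignoringServer(120), 50)
	fmt.Println("guarded vs ignoring server:", len(all), "comments in", req, "request(s)")
	all, req = guardedFetch(pagingServer(120), 50)
	fmt.Println("guarded vs paging server:", len(all), "comments in", req, "request(s)")
}
```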
As mentioned in https://codeberg.org/forgejo/forgejo/issues/8131 and https://codeberg.org/forgejo/forgejo/issues/9018:
The github API changed and they now use cursor based pagination. So migration of issues could fail if there were about 10k resources to migrate.
What was done:
* Added a test for reproduction of the bug
* Updated the go-github library to v74
* Update api usage for Reactions
* Added a struct to GithubDownloaderV3 which holds cursorPagination related info
* Updated GetIssues to use cursorPagination
Caveats:
* So far, only listing issues supports the cursor method
* The test requires a valid access token to github as we need to access a repository with **a lot** of issues to test the issue
* We may want to skip this test in the pipeline
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9348
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: erik <erik_se@posteo.de>
Co-committed-by: erik <erik_se@posteo.de>
- Move a file around to avoid a circular dependency.
- Make lint-locale-usage aware of `base.Messenger`, form struct tags and `$.locale.Tr`.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9095
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
Co-committed-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
Related to https://codeberg.org/Codeberg/Community/issues/1944
* Allowed the githubdownloaderv3 to know whether issues and/or PRs are requested to migrate
* Used this information to decide to filter for "/pulls/" or "/issues"
* Or not to filter at all if issues == true && prs == true
* Added isolated test for the downloader and for the uploader
* Created a new test_repo in github.com/forgejo and set it up properly together with @Gusted
* Updated github_downloader_test with the new URLs and test data from the repo
* Recorded the API calls for local testing
* Added a minimal gitbucket test (which uses the github downloader under the hood)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8892
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: patdyn <patdyn@noreply.codeberg.org>
Co-committed-by: patdyn <patdyn@noreply.codeberg.org>
- gopkg.in/yaml.v3 is archived and unmaintained
- go.yaml.in/yaml/v3 is a compatible fork under the umbrella
of https://yaml.org/
### Tests
There is no need for more tests than already provided: it is like an upgrade to a minor version, only from a fork. I browsed the changes and there are some bug fixes. They all seem reasonably minimal. It is not one of those forks that went crazy with breaking changes 😁 And there is a non zero chance that [a bug that matters to Forgejo Actions](https://github.com/yaml/go-yaml/issues/76) is fixed there. It is rare and can wait but it did happen on Codeberg.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8956
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Add support for migrating Pagure repositories (including metadata) to Forgejo via the migration tool.
One 'discrepancy' with migration from other forges is how private issues are handled: they are migrated when an API token is set for the migration. In that case users are advised to set their repository's visibility to private to avoid leaking such private issues.
Co-authored-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Co-authored-by: Ryan Lerch <rlerch@redhat.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8513
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-committed-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>
- It seems that mid-May (according to some system notices in Codeberg) Github started (or converted all) release assets to be made available under `https://release-assets.githubusercontent.com/`.
- Update the migration code to allow this baseURL for Github release assets.
- Resolves Codeberg/Community#2061
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8771
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | require | minor | `v0.129.0` -> `v0.130.1` |
---
### Release Notes
<details>
<summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go)</summary>
### [`v0.130.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v0.130.1)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v0.130.0...v0.130.1)
#### [0.130.1](https://gitlab.com/gitlab-org/api/client-go/compare/v0.130.0...v0.130.1) (2025-06-11)
##### Bug Fixes
* add missing nil check on create group with avatar ([3298a05](3298a058f3))
### [`v0.130.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v0.130.0)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v0.129.0...v0.130.0)
### [0.130.0](https://gitlab.com/gitlab-org/api/client-go/compare/v0.129.0...v0.130.0) (2025-06-11)
##### Bug Fixes
* **workflow:** the `release.config.mjs` file mustn't be hidden ([5d423a5](5d423a55d5))
##### Features
* add "emoji_events" support to group hooks ([c6b770f](c6b770f350))
* Add `active` to ListProjects ([7818155](78181558db))
* add generated_file field for MergeRequestDiff ([4b95dac](4b95dac3ef))
* add support for `administrator` to Group `project_creation_level` enums ([664bbd7](664bbd7e3c))
* add the `WithTokenSource` client option ([6ccfcf8](6ccfcf857a))
* add url field to MergeCommentEvent.merge_request ([bd639d8](bd639d811c))
* implement a specialized `TokenSource` interface ([83c2e06](83c2e06cbe))
* **projects:** add ci_push_repository_for_job_token_allowed parameter ([3d539f6](3d539f66fd))
* **terraform-states:** add Terraform States API ([082b81c](082b81cd45))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8163
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
urfave/cli v2 will eventually become unmaintained, switch over to v3 which is the latest supported version.
Note: the `docs` command would be a lot of work to restore with v3 ([the package is still in alpha](https://github.com/urfave/cli-docs)). An alternative to avoid a breaking change would be to not upgrade from v2 to v3 for that reason alone.
Note: these commits were cherry-picked from https://code.forgejo.org/forgefriends/forgefriends
Note: it is best reviewed side by side with no display of whitespace changes (there are a lot of those when converting vars to func).
- a few functional changes were necessary and are noted in context in the file changes tab
- https://cli.urfave.org/migrate-v2-to-v3/ upgrade instructions were followed in the most minimal way possible
- upgrade gof3 to v3.10.8 which includes an upgrade from urfave/cli v2 to urfave/cli v3
- upgrade gitlab.com/gitlab-org/api/client-go v0.129.0 because it is an indirect dependency of gof3 and requires a change because of a deprecated field that otherwise triggers a lint error but nothing else otherwise
- verified that the [script](https://codeberg.org/forgejo/docs/src/branch/next/scripts/cli-docs.sh) that generates the [CLI documentation](https://codeberg.org/forgejo/docs/src/branch/next/scripts/cli-docs.sh) still works. There are cosmetic differences and the **help** subcommand is no longer advertised (although it is still supported) but the `--help` option is advertised as expected so it is fine.
- end-to-end tests [passed](https://code.forgejo.org/forgejo/end-to-end/pulls/667) (they use the Forgejo CLI to some extent)
## Checklist
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.
## Release notes
- Breaking features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8035): The `forgejo docs` command is deprecated and CLI errors are now displayed on stderr instead of stdout. These breaking changes happened because the package used to parse the command line arguments was [upgraded from v2 to v3](https://cli.urfave.org/migrate-v2-to-v3/). A [separate project was initiated](https://github.com/urfave/cli-docs) to re-implement the `docs` command, but it is not yet production ready.
Co-authored-by: limiting-factor <limiting-factor@posteo.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8035
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Git authorization was not taking into account multiple token feature,
leading to auth failures
Closes: https://github.com/go-gitea/gitea/issues/34141
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 8a6df00c532becd4d10efb70827ccf80b2bf74e2)
- When migrating a pull request from a Gitea or Forgejo instance, check if the pull request was created via the AGit flow and transfer that bit of information to the migrated pull request.
- Expose this bit of information as the `flow` field for the pull request.
- We have to do a horrible Go hack with Gitea's [go-sdk](gitea.com/gitea/go-sdk) to list all pull requests while being able to decode it to a struct that contains the new `Flow` field. The library does not allow you to do this out of the box, so we have to use `go:linkname` to access the private method that allows us to do this. This in turn means we have to do some boilerplate code that the library otherwise would do for us. The better option would be forking, but that would be a hassle of keeping the library in sync.
- Resolves forgejo/forgejo#5848
- Unit test added.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- In the case that a deleted user modified the state of an issue or pull request, the user field in the API response for that state event will be `null`. Handle this by falling back to Forgejo's internal Ghost user.
- No testing, this bug was hit on Codeberg with an instance that is only IPv6-accessible and otherwise might be phased out. So I will do some mental gymnastics and argue, migration feature will someday be replaced by F3 and considering the logic that was added it's not worth the tradeoff to add testing for this by trying to recreate the same scenario on another Gitlab instance and then use that as a testing vector. To still give some confidence in this patch, it was confirmed that this exact fix worked on Codeberg.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7210
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Add a new function `IsPushMirrorURLAllowed` that will allow `ssh://` url and make the existing `IsMigrateURLAllowed` not allow such URLs anymore.
- Resolves forgejo/forgejo#6960
- Existing integration tests make sure that SSH urls are still allowed for the push mirror feature and added unit test to ensure that `IsMigrateURLAllowed` no longer allows SSH urls.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7004
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
* cleanup: remove not used properties
* feat: implement migration of website field from gogs
* feat: implement dumping and restoring website field
* feat: implement migration of website field from gitea
* feat: implement migration of homepage/website field from github
* feat: implement website properties for repository migration
Gogs migration is untested for now.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6474
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: ThomasBoom89 <thomasboom89@noreply.codeberg.org>
Co-committed-by: ThomasBoom89 <thomasboom89@noreply.codeberg.org>
- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by
@Gusted, so it's fine to change copyright holder to Forgejo).
- Add the option to use SSH for push mirrors, this would allow for the
deploy keys feature to be used and not require tokens to be used which
cannot be limited to a specific repository. The private key is stored
encrypted (via the `keying` module) on the database and NEVER given to
the user, to avoid accidental exposure and misuse.
- CAVEAT: This does require the `ssh` binary to be present, which may
not be available in containerized environments, this could be solved by
adding a SSH client into forgejo itself and use the forgejo binary as
SSH command, but should be done in another PR.
- CAVEAT: Mirroring of LFS content is not supported, this would require
the previous stated problem to be solved due to LFS authentication (an
attempt was made at forgejo/forgejo#2544).
- Integration test added.
- Resolves #4416
Uses `gopls check <files>` as a linter. Tested locally and brings up 149
errors currently for me. I don't think I want to fix them in this PR,
but I would like at least to get this analysis running on CI.
List of errors:
```
modules/indexer/code/indexer.go:181:11: impossible condition: nil != nil
routers/private/hook_post_receive.go:120:15: tautological condition: nil == nil
services/auth/source/oauth2/providers.go:185:9: tautological condition: nil == nil
services/convert/issue.go:216:11: tautological condition: non-nil != nil
tests/integration/git_test.go:332:9: impossible condition: nil != nil
services/migrations/migrate.go:179:24-43: unused parameter: ctx
services/repository/transfer.go:288:48-69: unused parameter: doer
tests/integration/api_repo_tags_test.go:75:41-61: unused parameter: session
tests/integration/git_test.go:696:64-74: unused parameter: baseBranch
tests/integration/gpg_git_test.go:265:27-39: unused parameter: t
tests/integration/gpg_git_test.go:284:23-29: unused parameter: tmpDir
tests/integration/gpg_git_test.go:284:31-35: unused parameter: name
tests/integration/gpg_git_test.go:284:37-42: unused parameter: email
```
(cherry picked from commit 816222243af523316041692622be6f48ef068693)
Conflicts:
Makefile
trivial context conflict and also ask renovate to watch over it
do not include it in lint-backend because the errors are not fixed
When performing migrations, and need to remap external users to local
ones, when no local mapping is possible, map the external user to Ghost,
rather than the user who initiated the migration.
Mapping the external user to the migration initiator has the potential
of breaking assumptions elsewhere, like only having one review per pull
request per user. Mapping these migrated, locally unavailable users to
Ghost makes sure these - often hidden - assumptions do not break.
Fixes #3860.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
When creating a repo, the "FORCE_PRIVATE" config option should be
respected, `readonly` doesn't work for checkbox, so it should use
`disabled` attribute.
(cherry picked from commit edbf74c418061b013a5855f604dd6be6baf34132)
Conflicts:
templates/repo/create.tmpl
templates/repo/migrate/codebase.tmpl
templates/repo/migrate/git.tmpl
templates/repo/migrate/gitbucket.tmpl
templates/repo/migrate/gitea.tmpl
templates/repo/migrate/github.tmpl
templates/repo/migrate/gitlab.tmpl
templates/repo/migrate/gogs.tmpl
templates/repo/migrate/onedev.tmpl
already in forgejo fc0c5e80da Fix and improve repo visibility checkbox when FORCE_PRIVATE is on (#3786)
enforcing FORCE_PRIVATE on repo settings was manually tested
with a repository of an unprivileged user after setting
FORCE_PRIVATE = true