Merge branch 'main' into main

Author: ExplodingDragon

.github/ISSUE_TEMPLATE/bug-report.yaml

@@ -1,6 +1,6 @@
 name: Bug Report
 description: Found something you weren't expecting? Report it here!
-labels: kind/bug
+labels: ["kind/bug"]
 body:
 - type: markdown
   attributes:
@@ -15,11 +15,8 @@ body:
       3. Make sure you are using the latest release and
          take a moment to check that your issue hasn't been reported before.
       4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-      5. Please give all relevant information below for bug reports, because
+      5. It's really important to provide pertinent details and logs (https://docs.gitea.com/help/support),
          incomplete details will be handled as an invalid report.
-      6. In particular it's really important to provide pertinent logs. You must give us DEBUG level logs.
-         Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help
-         In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
 - type: textarea
   id: description
   attributes:
@@ -89,6 +86,6 @@ body:
     description: What database system are you running?
     options:
     - PostgreSQL
-    - MySQL
+    - MySQL/MariaDB
     - MSSQL
     - SQLite

.github/workflows/files-changed.yml

@@ -43,6 +43,8 @@ jobs:
               - "go.mod"
               - "go.sum"
               - "Makefile"
+              - ".golangci.yml"
+              - ".editorconfig"
 
             frontend:
               - "**/*.js"
@@ -51,16 +53,21 @@ jobs:
               - "package.json"
               - "package-lock.json"
               - "Makefile"
+              - ".eslintrc.yaml"
+              - ".stylelintrc.yaml"
+              - ".npmrc"
 
             docs:
               - "**/*.md"
               - "docs/**"
+              - ".markdownlint.yaml"
 
             actions:
               - ".github/workflows/*"
 
             templates:
               - "templates/**/*.tmpl"
+              - "pyproject.toml"
               - "poetry.lock"
 
             docker:
@@ -72,3 +79,6 @@ jobs:
             swagger:
               - "templates/swagger/v1_json.tmpl"
               - "Makefile"
+              - "package.json"
+              - "package-lock.json"
+              - ".spectral.yml"

.golangci.yml

@@ -29,7 +29,7 @@ linters:
   fast: false
 
 run:
-  go: "1.20"
+  go: "1.21"
   timeout: 10m
   skip-dirs:
     - node_modules
@@ -75,7 +75,7 @@ linters-settings:
       - name: modifies-value-receiver
   gofumpt:
     extra-rules: true
-    lang-version: "1.20"
+    lang-version: "1.21"
   depguard:
     rules:
       main:

README.md

@@ -79,10 +79,10 @@ or if SQLite support is required:
 
 The `build` target is split into two sub-targets:
 
-- `make backend` which requires [Go Stable](https://go.dev/dl/), required version is defined in [go.mod](/go.mod).
-- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.
+- `make backend` which requires [Go Stable](https://go.dev/dl/), the required version is defined in [go.mod](/go.mod).
+- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater.
 
-When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.
+Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js.
 
 Parallelism (`make -j <num>`) is not supported.
 

cmd/cert.go

@@ -43,7 +43,7 @@ Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
 		},
 		&cli.IntFlag{
 			Name:  "rsa-bits",
-			Value: 2048,
+			Value: 3072,
 			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
 		},
 		&cli.StringFlag{

custom/conf/app.example.ini

@@ -1339,7 +1339,7 @@ LEVEL = Info
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
+;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
 ;DSA = -1 ; set to 1024 to switch on
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docker/root/etc/s6/openssh/setup

@@ -11,7 +11,7 @@ fi
 
 if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
     echo "Generating /data/ssh/ssh_host_rsa_key..."
-    ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
+    ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
 fi
 
 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then

docs/content/administration/command-line.en-us.md

@@ -313,7 +313,7 @@ directory and will overwrite any existing files.
   - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
     are P224, P256, P384, P521.
   - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
-    set. (default: 2048).
+    set. (default: 3072).
   - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
   - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
   - `--ca`: If provided, this cert generates it's own certificate authority. Optional.

docs/content/administration/command-line.zh-cn.md

@@ -295,7 +295,7 @@ menu:
 - 选项：
   - `--host value`：逗号分隔的主机名和IP地址列表，此证书适用于这些主机。支持使用通配符。必填。
   - `--ecdsa-curve value`：用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。
-  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：2048）。
+  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：3072）。
   - `--start-date value`：证书的创建日期。可选。（格式：`Jan 1 15:04:05 2011`）。
   - `--duration value`：证书有效期。可选。（默认值：8760h0m0s）
   - `--ca`：如果提供此选项，则证书将生成自己的证书颁发机构。可选。

docs/content/administration/config-cheat-sheet.en-us.md

@@ -681,7 +681,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `ED25519`: **256**
 - `ECDSA`: **256**
-- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
+- `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length.
 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
 
 ## Webhook (`webhook`)

docs/content/administration/config-cheat-sheet.zh-cn.md

@@ -648,7 +648,7 @@ Gitea 创建以下非唯一队列：
 
 - `ED25519`：**256**
 - `ECDSA`：**256**
-- `RSA`：**2047**：我们在这里设置为2047，因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。
+- `RSA`：**3071**：我们在这里设置为2047，因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。
 - `DSA`：**-1**：默认情况下禁用DSA。设置为**1024**以重新启用，但请注意可能需要重新配置您的SSHD提供者
 
 ## Webhook (`webhook`)

docs/content/help/support.en-us.md

@@ -22,34 +22,57 @@ menu:
 - [Discourse Forum](https://discourse.gitea.io/)
 - [Matrix](https://matrix.to/#/#gitea-space:matrix.org)
   - NOTE: Most of the Matrix channels are bridged with their counterpart in Discord and may experience some degree of flakiness with the bridge process.
+- Chinese Support
+  - [Discourse Chinese Category](https://discourse.gitea.io/c/5-category/5)
+  - QQ Group 328432459
+
+# Bug Report
+
+If you found a bug, please [create an issue on GitHub](https://github.com/go-gitea/gitea/issues).
 
 **NOTE:** When asking for support, it may be a good idea to have the following available so that the person helping has all the info they need:
 
 1. Your `app.ini` (with any sensitive data scrubbed as necessary).
-2. The Gitea logs, and any other appropriate log files for the situation.
-    - When using systemd, use `journalctl --lines 1000 --unit gitea` to collect logs.
-    - When using docker, use `docker logs --tail 1000 <gitea-container>` to collect logs.
-    - By default, the logs are outputted to console. If you need to collect logs from files,
-      you could copy the following config into your `app.ini` (remove all other `[log]` sections),
-      then you can find the `*.log` files in Gitea's log directory (default: `%(GITEA_WORK_DIR)/log`).
-
-    ```ini
-    ; To show all SQL logs, you can also set LOG_SQL=true in the [database] section
-    [log]
-    LEVEL=debug
-    MODE=console,file
-    ```
-
-3. Any error messages you are seeing.
-4. When possible, try to replicate the issue on [try.gitea.io](https://try.gitea.io) and include steps so that others can reproduce the issue.
-    - This will greatly improve the chance that the root of the issue can be quickly discovered and resolved.
-5. If you encounter slow/hanging/deadlock problems, please report the stack trace when the problem occurs.
+2. Any error messages you are seeing.
+3. The Gitea logs, and all other related logs for the situation.
+   - It's more useful to collect `trace` / `debug` level logs (see the next section).
+   - When using systemd, use `journalctl --lines 1000 --unit gitea` to collect logs.
+   - When using docker, use `docker logs --tail 1000 <gitea-container>` to collect logs.
+4. Reproducible steps so that others could reproduce and understand the problem more quickly and easily.
+   - [try.gitea.io](https://try.gitea.io) could be used to reproduce the problem.
+5. If you encounter slow/hanging/deadlock problems, please report the stacktrace when the problem occurs.
    Go to the "Site Admin" -> "Monitoring" -> "Stacktrace" -> "Download diagnosis report".
 
-## Bugs
+# Advanced Bug Report Tips
+
+## More Config Options for Logs
+
+By default, the logs are outputted to console with `info` level.
+If you need to set log level and/or collect logs from files,
+you could just copy the following config into your `app.ini` (remove all other `[log]` sections),
+then you will find the `*.log` files in Gitea's log directory (default: `%(GITEA_WORK_DIR)/log`).
+
+```ini
+; To show all SQL logs, you can also set LOG_SQL=true in the [database] section
+[log]
+LEVEL=debug
+MODE=console,file
+```
 
-If you found a bug, please create an [issue on GitHub](https://github.com/go-gitea/gitea/issues).
+## Collecting Stacktrace by Command Line
+
+Gitea could use Golang's pprof handler and toolchain to collect stacktrace and other runtime information.
+
+If the web UI stops working, you could try to collect the stacktrace by command line:
+
+1. Set `app.ini`:
+
+    ```
+    [server]
+    ENABLE_PPROF = true
+    ```
 
-## Chinese Support
+2. Restart Gitea
 
-Support for the Chinese language is provided at [Our discourse](https://discourse.gitea.io/c/5-category/5) or QQ Group 328432459.
+3. Try to trigger the bug, when the requests get stuck for a while,
+   use `curl` or browser to visit: `http://127.0.0.1:6060/debug/pprof/goroutine?debug=1` to get the stacktrace.

models/fixtures/email_address.yml

@@ -276,4 +276,12 @@
   email: [email protected]
   lower_email: [email protected]
   is_activated: false
-  is_primary: false
+  is_primary: false
+
+-
+  id: 36
+  uid: 36
+  email: [email protected]
+  lower_email: [email protected]
+  is_activated: true
+  is_primary: false

models/fixtures/gpg_key.yml

@@ -1 +1,23 @@
-[] # empty
+-
+  id: 5
+  owner_id: 36
+  key_id: B15431642629B826
+  primary_key_id:
+  content: xsDNBGTrY3UBDAC2HLBqmMplAV15qSnC7g1c4dV406f5EHNhFr95Nup2My6b2eafTlvedv77s8PT/I7F3fy4apOZs5A7w2SsPlLMcQ3ev4uGOsxRtkq5RLy1Yb6SNueX0Da2UVKR5KTC5Q6BWaqxwS0IjKOLZ/xz0Pbe/ClV3bZSKBEY2omkVo3Z0HZ771vB2clPRvGJ/IdeKOsZ3ZytSFXfyiJBdARmeSPmydXLil8+Ibq5iLAeow5PK8hK1TCOnKHzLWNqcNq70tyjoHvcGi70iGjoVEEUgPCLLuU8WmzTJwlvA3BuDzjtaO7TLo/jdE6iqkHtMSS8x+43sAH6hcFRCWAVh/0Uq7n36uGDfNxGnX3YrmX3LR9x5IsBES1rGGWbpxio4o5GIf/Xd+JgDd9rzJCqRuZ3/sW/TxK38htWaVNZV0kMkHUCTc1ctzWpCm635hbFCHBhPYIp+/z206khkAKDbz/CNuU91Wazsh7KO07wrwDtxfDDbInJ8TfHE2TGjzjQzgChfmcAEQEAAQ==
+  verified: true
+  can_sign: true
+  can_encrypt_comms: true
+  can_encrypt_storage: true
+  can_certify: true
+
+-
+  id: 6
+  owner_id: 36
+  key_id: EE3AF48454AFD619
+  primary_key_id: B15431642629B826
+  content: zsDNBGTrY3UBDADsHrzuOicQaPdUQm0+0UNrs92cESm/j/4yBBUk+sfLZAo6J99c4eh4nAQzzZ7al080rYKB0G+7xoRz1eHcQH6zrVcqB8KYtf/sdY47WaMiMyxM+kTSvzp7tsv7QuSQZ0neUEXRyYMz5ttBfIjWUd+3NDItuHyB+MtNWlS3zXgaUbe5VifqKaNmzN0Ye4yXTKcpypE3AOqPVz+iIFv3c6TmsqLHJaR4VoicCleAqLyF/28WsJO7M9dDW+EM3MZVnsVpycTURyHAJGfSk10waQZAaRwmarCN/q0KEJ+aEAK/SRliUneBZoMO5hY5iBeG432tofwaQqAahPv9uXIb1n2JEMKwnMlMA9UGD1AcDbywfj1m/ZGBBw95i4Ekkfn43RvV3THr7uJU/dRqqP+iic4MwpUrOxqELW/kmeHXlBcNbZZhEEvwRoW7U2/9eeuog4nRleRJ0pi/xOP9wmxkKjaIPIK3phdBtEpVk4w/UTAWNdyIIrFggukeAnZFyGJwlm8AEQEAAQ==
+  verified: true
+  can_sign: true
+  can_encrypt_comms: true
+  can_encrypt_storage: true
+  can_certify: true

models/fixtures/user.yml

@@ -1301,7 +1301,7 @@
   lower_name: limited_org36
   name: limited_org36
   full_name: Limited Org 36
-  email: limited_org36@example.com
+  email: abcde@gitea.com
   keep_email_private: false
   email_notifications_preference: enabled
   passwd: ZogKvWdyEx:password
@@ -1320,7 +1320,7 @@
   allow_create_organization: true
   prohibit_login: false
   avatar: avatar22
-  avatar_email: limited_org36@example.com
+  avatar_email: abcde@gitea.com
   use_custom_avatar: false
   num_followers: 0
   num_following: 0

models/migrations/v1_16/v210.go

@@ -4,7 +4,6 @@
 package v1_16 //nolint
 
 import (
-	"crypto/elliptic"
 	"encoding/base32"
 	"fmt"
 	"strings"
@@ -123,13 +122,17 @@ func RemigrateU2FCredentials(x *xorm.Engine) error {
 				if err != nil {
 					continue
 				}
+				pubKey, err := parsed.PubKey.ECDH()
+				if err != nil {
+					continue
+				}
 				remigrated := &webauthnCredential{
 					ID:              reg.ID,
 					Name:            reg.Name,
 					LowerName:       strings.ToLower(reg.Name),
 					UserID:          reg.UserID,
 					CredentialID:    base32.HexEncoding.EncodeToString(parsed.KeyHandle),
-					PublicKey:       elliptic.Marshal(elliptic.P256(), parsed.PubKey.X, parsed.PubKey.Y),
+					PublicKey:       pubKey.Bytes(),
 					AttestationType: "fido-u2f",
 					AAGUID:          []byte{},
 					SignCount:       reg.Counter,

models/secret/secret.go

@@ -160,3 +160,31 @@ func DeleteSecret(ctx context.Context, orgID, repoID int64, name string) error {
 
 	return nil
 }
+
+// CreateOrUpdateSecret creates or updates a secret and returns true if it was created
+func CreateOrUpdateSecret(ctx context.Context, orgID, repoID int64, name, data string) (bool, error) {
+	sc := new(Secret)
+	name = strings.ToUpper(name)
+	has, err := db.GetEngine(ctx).
+		Where("owner_id=?", orgID).
+		And("repo_id=?", repoID).
+		And("name=?", name).
+		Get(sc)
+	if err != nil {
+		return false, err
+	}
+
+	if !has {
+		_, err = InsertEncryptedSecret(ctx, orgID, repoID, name, data)
+		if err != nil {
+			return false, err
+		}
+		return true, nil
+	}
+
+	if err := UpdateSecret(ctx, orgID, repoID, name, data); err != nil {
+		return false, err
+	}
+
+	return false, nil
+}

modules/activitypub/user_settings.go

@@ -8,7 +8,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )
 
-const rsaBits = 2048
+const rsaBits = 3072
 
 // GetKeyPair function returns a user's private and public keys
 func GetKeyPair(user *user_model.User) (pub, priv string, err error) {