Merge branch 'main' into bugfix/notify_pr_sync

Author: wolfogre

cmd/admin.go

@@ -180,6 +180,11 @@ var (
 				Name:  "raw",
 				Usage: "Display only the token value",
 			},
+			cli.StringFlag{
+				Name:  "scopes",
+				Value: "",
+				Usage: "Comma separated list of scopes to apply to access token",
+			},
 		},
 		Action: runGenerateAccessToken,
 	}
@@ -698,9 +703,15 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}
 
+	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
+	if err != nil {
+		return err
+	}
+
 	t := &auth_model.AccessToken{
-		Name: c.String("token-name"),
-		UID:  user.ID,
+		Name:  c.String("token-name"),
+		UID:   user.ID,
+		Scope: accessTokenScope,
 	}
 
 	if err := auth_model.NewAccessToken(t); err != nil {

models/asymkey/error.go

@@ -24,6 +24,9 @@ func (err ErrKeyUnableVerify) Error() string {
 	return fmt.Sprintf("Unable to verify key content [result: %s]", err.Result)
 }
 
+// ErrKeyIsPrivate is returned when the provided key is a private key not a public key
+var ErrKeyIsPrivate = util.NewSilentWrapErrorf(util.ErrInvalidArgument, "the provided key is a private key")
+
 // ErrKeyNotExist represents a "KeyNotExist" kind of error.
 type ErrKeyNotExist struct {
 	ID int64

models/asymkey/ssh_key_parse.go

@@ -96,6 +96,9 @@ func parseKeyString(content string) (string, error) {
 			if block == nil {
 				return "", fmt.Errorf("failed to parse PEM block containing the public key")
 			}
+			if strings.Contains(block.Type, "PRIVATE") {
+				return "", ErrKeyIsPrivate
+			}
 
 			pub, err := x509.ParsePKIXPublicKey(block.Bytes)
 			if err != nil {

models/dbfs/dbfs.go

@@ -10,6 +10,35 @@ import (
 	"code.gitea.io/gitea/models/db"
 )
 
+/*
+The reasons behind the DBFS (database-filesystem) package:
+When a Gitea action is running, the Gitea action server should collect and store all the logs.
+
+The requirements are:
+* The running logs must be stored across the cluster if the Gitea servers are deployed as a cluster.
+* The logs will be archived to Object Storage (S3/MinIO, etc.) after a period of time.
+* The Gitea action UI should be able to render the running logs and the archived logs.
+
+Some possible solutions for the running logs:
+* [Not ideal] Using local temp file: it can not be shared across the cluster.
+* [Not ideal] Using shared file in the filesystem of git repository: although at the moment, the Gitea cluster's
+	git repositories must be stored in a shared filesystem, in the future, Gitea may need a dedicated Git Service Server
+	to decouple the shared filesystem. Then the action logs will become a blocker.
+* [Not ideal] Record the logs in a database table line by line: it has a couple of problems:
+	- It's difficult to make multiple increasing sequence (log line number) for different databases.
+	- The database table will have a lot of rows and be affected by the big-table performance problem.
+	- It's difficult to load logs by using the same interface as other storages.
+  - It's difficult to calculate the size of the logs.
+
+The DBFS solution:
+* It can be used in a cluster.
+* It can share the same interface (Read/Write/Seek) as other storages.
+* It's very friendly to database because it only needs to store much fewer rows than the log-line solution.
+* In the future, when Gitea action needs to limit the log size (other CI/CD services also do so), it's easier to calculate the log file size.
+* Even sometimes the UI needs to render the tailing lines, the tailing lines can be found be counting the "\n" from the end of the file by seek.
+  The seeking and finding is not the fastest way, but it's still acceptable and won't affect the performance too much.
+*/
+
 type dbfsMeta struct {
 	ID              int64  `xorm:"pk autoincr"`
 	FullPath        string `xorm:"VARCHAR(500) UNIQUE NOT NULL"`

models/fixtures/repository.yml

@@ -4,6 +4,7 @@
   owner_name: user2
   lower_name: repo1
   name: repo1
+  default_branch: master
   num_watches: 4
   num_stars: 0
   num_forks: 0
@@ -34,6 +35,7 @@
   owner_name: user2
   lower_name: repo2
   name: repo2
+  default_branch: master
   num_watches: 0
   num_stars: 1
   num_forks: 0
@@ -64,6 +66,7 @@
   owner_name: user3
   lower_name: repo3
   name: repo3
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -94,6 +97,7 @@
   owner_name: user5
   lower_name: repo4
   name: repo4
+  default_branch: master
   num_watches: 0
   num_stars: 1
   num_forks: 0
@@ -274,6 +278,7 @@
   owner_name: user12
   lower_name: repo10
   name: repo10
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 1
@@ -304,6 +309,7 @@
   owner_name: user13
   lower_name: repo11
   name: repo11
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -425,6 +431,7 @@
   owner_name: user2
   lower_name: repo15
   name: repo15
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -455,6 +462,7 @@
   owner_name: user2
   lower_name: repo16
   name: repo16
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -905,6 +913,7 @@
   owner_name: user2
   lower_name: repo20
   name: repo20
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -965,6 +974,7 @@
   owner_name: user2
   lower_name: utf8
   name: utf8
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1055,6 +1065,7 @@
   owner_name: user2
   lower_name: commits_search_test
   name: commits_search_test
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1085,6 +1096,7 @@
   owner_name: user2
   lower_name: git_hooks_test
   name: git_hooks_test
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1115,6 +1127,7 @@
   owner_name: limited_org
   lower_name: public_repo_on_limited_org
   name: public_repo_on_limited_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1145,6 +1158,7 @@
   owner_name: limited_org
   lower_name: private_repo_on_limited_org
   name: private_repo_on_limited_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1175,6 +1189,7 @@
   owner_name: privated_org
   lower_name: public_repo_on_private_org
   name: public_repo_on_private_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1205,6 +1220,7 @@
   owner_name: privated_org
   lower_name: private_repo_on_private_org
   name: private_repo_on_private_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1235,6 +1251,7 @@
   owner_name: user2
   lower_name: glob
   name: glob
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1295,6 +1312,7 @@
   owner_name: user27
   lower_name: template1
   name: template1
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1355,6 +1373,7 @@
   owner_name: org26
   lower_name: repo_external_tracker
   name: repo_external_tracker
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1385,6 +1404,7 @@
   owner_name: org26
   lower_name: repo_external_tracker_numeric
   name: repo_external_tracker_numeric
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1415,6 +1435,7 @@
   owner_name: org26
   lower_name: repo_external_tracker_alpha
   name: repo_external_tracker_alpha
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1445,6 +1466,7 @@
   owner_name: user27
   lower_name: repo49
   name: repo49
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1475,6 +1497,7 @@
   owner_name: user30
   lower_name: repo50
   name: repo50
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1505,6 +1528,7 @@
   owner_name: user30
   lower_name: repo51
   name: repo51
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1565,6 +1589,7 @@
   owner_name: user30
   lower_name: renderer
   name: renderer
+  default_branch: master
   is_archived: false
   is_empty: false
   is_private: false
@@ -1592,6 +1617,7 @@
   owner_name: user2
   lower_name: lfs
   name: lfs
+  default_branch: master
   is_empty: false
   is_archived: false
   is_private: true

models/issues/pull_list.go

@@ -173,8 +173,9 @@ func (prs PullRequestList) loadAttributes(ctx context.Context) error {
 	for i := range issues {
 		set[issues[i].ID] = issues[i]
 	}
-	for i := range prs {
-		prs[i].Issue = set[prs[i].IssueID]
+	for _, pr := range prs {
+		pr.Issue = set[pr.IssueID]
+		pr.Issue.PullRequest = pr // panic here means issueIDs and prs are not in sync
 	}
 	return nil
 }

models/repo/repo.go

@@ -227,11 +227,6 @@ func (repo *Repository) IsBroken() bool {
 
 // AfterLoad is invoked from XORM after setting the values of all fields of this object.
 func (repo *Repository) AfterLoad() {
-	// FIXME: use models migration to solve all at once.
-	if len(repo.DefaultBranch) == 0 {
-		repo.DefaultBranch = setting.Repository.DefaultBranch
-	}
-
 	repo.NumOpenIssues = repo.NumIssues - repo.NumClosedIssues
 	repo.NumOpenPulls = repo.NumPulls - repo.NumClosedPulls
 	repo.NumOpenMilestones = repo.NumMilestones - repo.NumClosedMilestones

modules/actions/workflows.go

@@ -75,7 +75,6 @@ func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventTy
 			if evt.Name != triggedEvent.Event() {
 				continue
 			}
-
 			if detectMatched(commit, triggedEvent, payload, evt) {
 				workflows[entry.Name()] = content
 			}
@@ -105,8 +104,9 @@ func detectMatched(commit *git.Commit, triggedEvent webhook_module.HookEventType
 		for cond, vals := range evt.Acts {
 			switch cond {
 			case "branches", "tags":
+				refShortName := git.RefName(pushPayload.Ref).ShortName()
 				for _, val := range vals {
-					if glob.MustCompile(val, '/').Match(pushPayload.Ref) {
+					if glob.MustCompile(val, '/').Match(refShortName) {
 						matchTimes++
 						break
 					}
@@ -160,8 +160,9 @@ func detectMatched(commit *git.Commit, triggedEvent webhook_module.HookEventType
 					}
 				}
 			case "branches":
+				refShortName := git.RefName(prPayload.PullRequest.Base.Ref).ShortName()
 				for _, val := range vals {
-					if glob.MustCompile(val, '/').Match(prPayload.PullRequest.Base.Ref) {
+					if glob.MustCompile(val, '/').Match(refShortName) {
 						matchTimes++
 						break
 					}

modules/charset/escape.go

@@ -44,7 +44,7 @@ func EscapeControlReader(reader io.Reader, writer io.Writer, locale translation.
 	return streamer.escaped, err
 }
 
-// EscapeControlStringReader escapes the unicode control sequences in a provided reader of string content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte
+// EscapeControlStringReader escapes the unicode control sequences in a provided reader of string content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte. HTML line breaks are not inserted after every newline by this method.
 func EscapeControlStringReader(reader io.Reader, writer io.Writer, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, err error) {
 	bufRd := bufio.NewReader(reader)
 	outputStream := &HTMLStreamerWriter{Writer: writer}
@@ -65,10 +65,6 @@ func EscapeControlStringReader(reader io.Reader, writer io.Writer, locale transl
 			}
 			break
 		}
-		if err := streamer.SelfClosingTag("br"); err != nil {
-			streamer.escaped.HasError = true
-			return streamer.escaped, err
-		}
 	}
 	return streamer.escaped, err
 }

modules/httpcache/httpcache.go

@@ -19,6 +19,8 @@ import (
 func AddCacheControlToHeader(h http.Header, maxAge time.Duration, additionalDirectives ...string) {
 	directives := make([]string, 0, 2+len(additionalDirectives))
 
+	// "max-age=0 + must-revalidate" (aka "no-cache") is preferred instead of "no-store"
+	// because browsers may restore some input fields after navigate-back / reload a page.
 	if setting.IsProd {
 		if maxAge == 0 {
 			directives = append(directives, "max-age=0", "private", "must-revalidate")

options/locale/locale_en-US.ini

@@ -518,6 +518,7 @@ organization_leave_success = You have successfully left the organization %s.
 invalid_ssh_key = Cannot verify your SSH key: %s
 invalid_gpg_key = Cannot verify your GPG key: %s
 invalid_ssh_principal = Invalid principal: %s
+must_use_public_key = The key you provided is a private key. Please do not upload your private key anywhere. Use your public key instead.
 unable_verify_ssh_key = "Cannot verify the SSH key; double-check it for mistakes."
 auth_failed = Authentication failed: %v
 

routers/web/repo/setting.go

@@ -1158,6 +1158,10 @@ func DeployKeysPost(ctx *context.Context) {
 			ctx.Flash.Info(ctx.Tr("settings.ssh_disabled"))
 		} else if asymkey_model.IsErrKeyUnableVerify(err) {
 			ctx.Flash.Info(ctx.Tr("form.unable_verify_ssh_key"))
+		} else if err == asymkey_model.ErrKeyIsPrivate {
+			ctx.Data["HasError"] = true
+			ctx.Data["Err_Content"] = true
+			ctx.Flash.Error(ctx.Tr("form.must_use_public_key"))
 		} else {
 			ctx.Data["HasError"] = true
 			ctx.Data["Err_Content"] = true