Backport #32527
We have some actions that leverage the Gitea API that began receiving
401 errors, with a message that the user was not found. These actions
use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to
authenticate with the Gitea API. The format of this env var in actions
jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a
corresponding update to `act_runner`). Since it was a JWT, the OAuth
parsing logic attempted to parse it as an OAuth token, and would return
user not found, instead of falling back to look up the running task and
assigning it to the actions user.
Make `ACTIONS_RUNTIME_TOKEN` in action runners usable by attempting to
parse OAuth JWTs. The code to parse a potential old
`ACTION_RUNTIME_TOKEN` was kept in case someone is running an older
version of act_runner that doesn't support the Actions JWT.
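The failure mode described above is a fall-through problem: a verifier that does not recognise a token must say "not mine" so the next verifier gets a turn, rather than answering "user not found". The following is an added example (not Gitea's code; its types, claim names, signing keys and the two lookup tables are all constructed for illustration) that chains an OAuth JWT check, an Actions JWT check and a legacy task-token lookup in that order, using a toy stdlib HS256 signer so it runs offline:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Principal is what a successful lookup yields (hypothetical type).
type Principal struct {
	Kind string // "oauth", "actions-jwt" or "actions-legacy"
	ID   string
}

// errNotThisKind means "not a token of this verifier's kind": try the next one.
var errNotThisKind = errors.New("not this kind of token")

// Distinct signing keys for OAuth and Actions JWTs, plus constructed stand-ins
// for the user table and the legacy running-task table.
var (
	oauthKey    = []byte("oauth-signing-key")
	actionsKey  = []byte("actions-signing-key")
	users       = map[string]bool{"u42": true}
	legacyTasks = map[string]string{"legacy-task-token-7": "task-7"}
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a minimal HS256 JWT from claims (toy signer for the example).
func signHS256(claims map[string]any, key []byte) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyHS256 returns the claims if token is a JWT signed with key. Not a JWT,
// or signed under some other key, yields errNotThisKind so callers fall through.
func verifyHS256(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errNotThisKind
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errNotThisKind
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errNotThisKind
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// authenticate tries each token kind in order and fails hard only when a token
// verified as one kind but its subject is missing; "not this kind" falls through.
func authenticate(token string) (Principal, error) {
	claims, err := verifyHS256(token, oauthKey)
	if err == nil {
		uid, _ := claims["uid"].(string)
		if !users[uid] {
			return Principal{}, fmt.Errorf("oauth: user %q not found", uid)
		}
		return Principal{Kind: "oauth", ID: uid}, nil
	} else if !errors.Is(err, errNotThisKind) {
		return Principal{}, err
	}
	if claims, err = verifyHS256(token, actionsKey); err == nil {
		task, _ := claims["task"].(string)
		return Principal{Kind: "actions-jwt", ID: task}, nil
	} else if !errors.Is(err, errNotThisKind) {
		return Principal{}, err
	}
	if task, ok := legacyTasks[token]; ok {
		return Principal{Kind: "actions-legacy", ID: task}, nil
	}
	return Principal{}, errors.New("unrecognized token")
}

func main() {
	p, err := authenticate(signHS256(map[string]any{"task": "task-9"}, actionsKey))
	fmt.Println(p, err)
}
```

The design point is the error type: a signature that does not verify under the OAuth key is evidence the token is not an OAuth token, not evidence that the user is missing, so only a token that verifies as OAuth and names an unknown user produces the hard "user not found" error.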
Backport #32560 by @lunny
PushMirrors are only used in the repository settings page, so they should
not be loaded on every repository page.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #32528
- Move models/GetForks to services/FindForks
- Add doer as a parameter of FindForks to check permissions
- Slight performance optimization for get forks API with batch loading
of repository units
- Add tests for forking repository to organizations
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #32531 by @lunny
WebAuthn should behave the same way as TOTP. When enabled, basic auth
with username/password should require WebAuthn auth; otherwise a 401 is
returned.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #32186 by @lunny
Since there is a status column in the database, the transaction is
unnecessary when downloading an archive. The transaction is blocking
database operations, especially with SQLite.
Replace #27563
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #32424 by @Zettat123
Resolves #32232
Users can disable the "Actions" unit for all mirror repos by running
```
gitea doctor check --run disable-mirror-actions-unit --fix
```
Co-authored-by: Zettat123 <zettat123@gmail.com>
Partially backport #32473. LFS related changes are not in 1.22, so skip
them.
1. Ignore non-existing repos during migrations
2. Improve ReadBatchLine's comment
3. Use `X-Gitea-Internal-Auth` header for internal API calls and make
the comparison constant time (it wasn't a serious problem because in the
real world it's nearly impossible to timing-attack the token, but it is
indeed security related and good to fix and backport)
4. Fix route mock nil check
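Item 3 is worth seeing side by side. Below is an added example (not Gitea's code; the middleware, the bare-secret header format and the handler paths are assumptions of this example) that checks the `X-Gitea-Internal-Auth` header with `crypto/subtle` instead of `==`, and drives it with in-memory requests so the accept/reject behaviour can be exercised offline:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// internalAuthHeader is the header name the backport switches to.
const internalAuthHeader = "X-Gitea-Internal-Auth"

// compareNaive is the pattern the backport replaces: == stops at the first
// differing byte, so response time leaks how long a prefix matched.
func compareNaive(got, want string) bool {
	return got == want
}

// compareConstantTime runs in time that depends only on the lengths, not on
// where the bytes differ. It returns false immediately on a length mismatch,
// so length is the only thing a timing side channel can still reveal.
func compareConstantTime(got, want string) bool {
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// internalAuthMiddleware gates next behind the shared internal secret. The
// header value is assumed to carry the bare secret (an assumption of this
// example, not the project's wire format).
func internalAuthMiddleware(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !compareConstantTime(r.Header.Get(internalAuthHeader), secret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives h with an in-memory request carrying token (empty string
// means "no header") and returns the resulting status code.
func statusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/internal/ping", nil)
	if token != "" {
		req.Header.Set(internalAuthHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := internalAuthMiddleware("s3cret-internal-token", http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) }))
	fmt.Println(statusFor(h, "s3cret-internal-token"), statusFor(h, "wrong"), statusFor(h, ""))
}
```

`subtle.ConstantTimeCompare` only hides which byte differs, not the length, which is acceptable here because the secret's length is fixed by the server, not chosen by the client.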
Backport #32432 by @kemzeb
Resolves #32371.
#31970 should have just shown the commit summary, but
`strings.SplitN()` was misused such that we did not perform any
splitting at all and just used the message. This was not caught in the
unit test made in that PR since the test commit summary was > 50 (which
truncated away the commit description).
This snapshot resolves this and adds another unit test to ensure that we
only show the commit summary.
Co-authored-by: Kemal Zebari <60799661+kemzeb@users.noreply.github.com>
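To make the `strings.SplitN()` misuse concrete, here is an added example (not the project's code; the 50-character display limit and the helper names are assumptions of this example) showing the no-op split beside a summary extractor that actually separates the first line, with rune-safe truncation so the limit never cuts a multi-byte character in half:

```go
package main

import (
	"fmt"
	"strings"
)

// commitSummaryBroken reproduces the misuse: with n == 1, SplitN performs no
// split at all and returns the whole message as its only element.
func commitSummaryBroken(message string) string {
	return strings.SplitN(message, "\n", 1)[0]
}

// commitSummary returns the first line of a commit message, with a trailing
// "\r" (CRLF messages) and surrounding whitespace removed. n == 2 is the
// smallest value that actually separates the summary from the body.
func commitSummary(message string) string {
	summary := strings.SplitN(message, "\n", 2)[0]
	return strings.TrimSpace(summary)
}

// truncateRunes shortens s to at most n runes plus an ellipsis, counting runes
// rather than bytes so multi-byte characters are never cut in half.
func truncateRunes(s string, n int) string {
	r := []rune(s)
	if len(r) <= n {
		return s
	}
	return string(r[:n]) + "…"
}

// shortSummary is what a listing would display: the summary line, truncated
// to an assumed 50-character limit (the PR text mentions > 50; the exact
// rule is an assumption of this example).
func shortSummary(message string) string {
	return truncateRunes(commitSummary(message), 50)
}

func main() {
	// Constructed sample commit message with a summary line and a body.
	msg := "Fix ACTIONS_RUNTIME_TOKEN parsing\n\nThe token is now a JWT, so fall back to the task lookup.\n"
	fmt.Printf("broken: %q\nfixed:  %q\n", commitSummaryBroken(msg), shortSummary(msg))
}
```

The unit-test gap the PR describes follows directly from the last helper: a summary longer than the limit gets truncated, and the truncation hides the body that the broken splitter left attached, so a test needs a summary shorter than the limit to tell the two implementations apart.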
Backport #32144
This PR fixes javascript errors when an anonymous user visits the
migration page.
It also makes task view checking more restrictive.
The router moved from `/user/task/{id}/status` to
`/username/reponame/-/migrate/status` because it's a migrate status.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #32185 by @bsofiato
Resolves #32184
Signed-off-by: Bruno Sofiato <bruno.sofiato@gmail.com>
Co-authored-by: Bruno Sofiato <bruno.sofiato@gmail.com>
Backport #32130 by @wolfogre
Since page templates keep changing, some pages that contained forms with
a CSRF token no longer have them.
This leads to some calls of `GetCSRF` returning an empty string, which
fails the tests. For example,
3269b04d61/tests/integration/attachment_test.go (L62-L63)
The test did try to get the CSRF token and provided it, but it was
empty.
Co-authored-by: Jason Song <i@wolfogre.com>