Fix embedded Postgres configuration and initialization order

Co-authored-by: unknwon <2946214+unknwon@users.noreply.github.com>

.github/ISSUE_TEMPLATE/dev_release_minor_version.md

@@ -1,6 +1,7 @@
 ---
 name: "Dev: Release a minor version"
 about: ONLY USED BY MAINTAINERS.
+assignees: "unknwon"
 title: "Release [VERSION]"
 labels: 📸 release
 ---
@@ -13,40 +14,33 @@ On the `main` branch:
 
 - [ ] Close stale issues with the label [status: needs feedback](https://github.com/gogs/gogs/issues?q=is%3Aissue+is%3Aopen+label%3A%22status%3A+needs+feedback%22).
 - [ ] [Sync locales from Crowdin](https://github.com/gogs/gogs/blob/main/docs/dev/import_locale.md).
-- [ ] [Update CHANGELOG](https://github.com/gogs/gogs/commit/540134d4436d8da82247dd2cabe9312ca2f5b1f1) to include entries for the current minor release.
-- [ ] Cut a new release branch `release/<MAJOR>.<MINOR>`, e.g. `release/0.12`.
+- [ ] [Update CHANGELOG](https://github.com/gogs/gogs/commit/f1102a7a7c545ec221d2906f02fa19170d96f96d) to include entries for the current minor release.
+	- Do not forget adding entries for GHSA patches.
+- [ ] Cut a new release branch `release/<MAJOR>.<MINOR>`, e.g. `release/0.14`.
 
 ## During release
 
 On the release branch:
 
-- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f17e7d5a2c36c52a1121d2315f3d75dcd8053b89) to the current release, e.g. `0.12.0+dev` -> `0.12.0`.
+- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.14.0+dev` -> `0.14.0`.
 - [ ] Wait for GitHub Actions to complete and no failed jobs.
-- [ ] Publish new RC releases (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) to ensure Docker workflow succeeds. **Make sure the tag is created on the release branch**.
+- [ ] Publish new RC releases (e.g. `v0.14.0-rc.1`, `v0.14.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker and release workflows both succeed.
+	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current minor release.
+- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
 	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
-- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current minor release. **Make sure the tag is created on the release branch**.
-- [ ] [Wait for a new image tag for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
-- [ ] [Push a new Docker image tag](https://github.com/gogs/gogs/blob/main/docs/dev/release/release_new_version.md#update-docker-image-tag) as `<MAJOR>.<MINOR>` to both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs), e.g.:
-- [ ] [Compile and pack binaries](https://github.com/gogs/gogs/blob/main/docs/dev/release/release_new_version.md#compile-and-pack-binaries) (all prefixed with `gogs_<MAJOR>.<MINOR>.<PATCH>_`, e.g. `gogs_0.12.0_`):
-	- [ ] macOS: `darwin_amd64.zip`, `darwin_arm64.zip`
-	- [ ] Linux: `linux_386.tar.gz`, `linux_386.zip`, `linux_amd64.tar.gz`, `linux_amd64.zip`
-	- [ ] ARM: `linux_armv7.tar.gz`, `linux_armv7.zip`, `linux_armv8.tar.gz`, `linux_armv8.zip`
-	- [ ] Windows: `windows_amd64.zip`, `windows_amd64_mws.zip`
-- [ ] [Generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
-- [ ] Upload all binaries and `checksum_sha256.txt` to:
-	- [ ] GitHub release
-	- [ ] https://dl.gogs.io
-- [ ] Update content of [Install from binary](https://gogs.io/docs/installation/install_from_binary).
+- [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
+- [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.
 
 ## After release
 
 On the `main` branch:
 
-- [ ] Publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.
 - [ ] Update the repository mirror on [Gitee](https://gitee.com/unknwon/gogs).
 - [ ] Create a new release announcement in [Discussions](https://github.com/gogs/gogs/discussions/categories/announcements).
 - [ ] Send a tweet on the [official Twitter account](https://twitter.com/GogsHQ) for the minor release.
-- [ ] Publish a new release article on [OSChina](http://my.oschina.net/Obahua/admin/releases).
-- [ ] Close the minor milestone.
-- [ ] [Bump the hard-coded version](https://github.com/gogs/gogs/commit/a98968436cd5841cf691bb0b80c54c81470d1676) to the new develop version, e.g. `0.12.0+dev` -> `0.13.0+dev`.
+- [ ] Close the milestone for the minor release.
+- [ ] [Bump the hard-coded version](https://github.com/gogs/gogs/commit/a98968436cd5841cf691bb0b80c54c81470d1676) to the new develop version, e.g. `0.14.0+dev` -> `0.15.0+dev`.
 - [ ] Run `task legacy` to identify deprecated code that is aimed to be removed in current develop version.
+- [ ] **After 14 days**, publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.

.github/ISSUE_TEMPLATE/dev_release_patch_version.md

@@ -1,6 +1,7 @@
 ---
 name: "Dev: Release a patch version"
 about: ONLY USED BY MAINTAINERS.
+assignees: "unknwon"
 title: "Release [VERSION]"
 labels: 📸 release
 ---
@@ -13,7 +14,7 @@ On the release branch:
 
 - [ ] Make sure all commits are cherry-picked from the `main` branch by checking the patch milestone.
 	- Run `task build` for every cherry-picked commit to make sure there is no compilation error.
-- [ ] [Update CHANGELOG on the `main` branch](https://github.com/gogs/gogs/commit/e6c5633f580399c8f4dfc07166a63a01c6c70346) to include entries for the current patch release.
+- [ ] [Update CHANGELOG on the `main` branch](https://github.com/gogs/gogs/commit/f1102a7a7c545ec221d2906f02fa19170d96f96d) to include entries for the current patch release.
 
 ## During release
 
@@ -21,28 +22,18 @@ On the release branch:
 
 - [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.12.0` -> `0.12.1`.
 - [ ] Wait for GitHub Actions to complete and no failed jobs.
-- [ ] Publish new RC releases in [GitHub release](https://github.com/gogs/gogs/releases) (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) to ensure Docker workflow succeeds.
-	- ⚠️ **Make sure the tag is created on the release branch**.
-	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
-- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current patch release and all previous releases with same minor version.
-	- ⚠️ **Make sure the tag is created on the release branch**.
+- [ ] Publish new RC releases in [GitHub release](https://github.com/gogs/gogs/releases) (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker workflow succeeds.
+	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current patch release and all previous releases with same minor version.
 - [ ] Update all previous GitHub releases with same minor version with the warning:
 	```
 	**ℹ️ Heads up! There is a new patch release [0.12.1](https://github.com/gogs/gogs/releases/tag/v0.12.1) available, we recommend directly installing or upgrading to that version.**
 	```
-- [ ] [Wait for a new image tag for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
+- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
 	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
-- [ ] [Update Docker image tag](https://www.notion.so/jcunknwon/Cheatsheet-and-playbooks-c3b053da42114411bd27285cd065b2a6?source=copy_link#1654f105c63f80958d96cd72e2f5df69) for the minor release `<MAJOR>.<MINOR>` on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
-- [ ] [Compile and pack binaries](https://www.notion.so/jcunknwon/Cheatsheet-and-playbooks-c3b053da42114411bd27285cd065b2a6?source=copy_link#1654f105c63f803f8bfcc117395d9747) (all prefixed with `gogs_<MAJOR>.<MINOR>.<PATCH>_`, e.g. `gogs_0.12.0_`):
-	- [ ] macOS: `darwin_arm64.zip`, `darwin_amd64.zip`
-	- [ ] Linux: `linux_amd64.tar.gz`, `linux_amd64.zip`
-	- [ ] ARM: `linux_armv8.tar.gz`, `linux_armv8.zip`
-	- [ ] Windows: `windows_amd64.zip`, `windows_amd64_mws.zip`
-- [ ] [Generate SHA256 checksum](https://www.notion.so/jcunknwon/Cheatsheet-and-playbooks-c3b053da42114411bd27285cd065b2a6?source=copy_link#1654f105c63f80d4a74ad8821a403f52) for all binaries to the file `checksum_sha256.txt`.
-- [ ] Upload all binaries and `checksum_sha256.txt` to:
-	- [ ] GitHub release
-	- [ ] https://dl.gogs.io
-- [ ] Update content of [Install from binary](https://gogs.io/docs/installation/install_from_binary).
+- [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
+- [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.
 
 ## After release
 
@@ -54,5 +45,5 @@ On the `main` branch:
     ```
 - [ ] Create a new release announcement in [Discussions](https://github.com/gogs/gogs/discussions/categories/announcements).
 - [ ] Send a tweet on the [official Twitter account](https://twitter.com/GogsHQ) for the patch release.
-- [ ] Close the patch milestone.
+- [ ] Close the milestone for the patch release.
 - [ ] **After 14 days**, publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.

.github/workflows/digitalocean_gc.yml

@@ -19,18 +19,8 @@ jobs:
           # --include-untagged-manifests: Deletes unreferenced manifests to maximize space
           doctl registry garbage-collection start --force --include-untagged-manifests
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}

.github/workflows/docker.yml

@@ -68,21 +68,11 @@ jobs:
           image-ref: gogs/gogs:latest
           exit-code: '1'
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   buildx-next:
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
@@ -145,21 +135,11 @@ jobs:
           image-ref: gogs/gogs:next-latest
           exit-code: '1'
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   deploy-demo:
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
@@ -181,21 +161,11 @@ jobs:
           kubectl rollout restart deployment gogs-demo -n gogs
           kubectl rollout status deployment gogs-demo -n gogs
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   buildx-pull-request:
     if: ${{ github.event_name == 'pull_request'}}
@@ -285,8 +255,25 @@ jobs:
       contents: read
       packages: write
     steps:
-      - name: Compute image tag name
-        run: echo "IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)" >> $GITHUB_ENV
+      - name: Compute image tags
+        run: |
+          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+          TAGS="gogs/gogs:$IMAGE_TAG
+          ghcr.io/gogs/gogs:$IMAGE_TAG"
+
+          # Add minor version tag for stable releases (no prerelease suffix per semver).
+          if [[ ! "$IMAGE_TAG" =~ - ]]; then
+            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
+            TAGS="$TAGS
+          gogs/gogs:$MINOR_TAG
+          ghcr.io/gogs/gogs:$MINOR_TAG"
+          fi
+
+          echo "TAGS<<EOF" >> $GITHUB_ENV
+          echo "$TAGS" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
       - name: Checkout code
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up QEMU
@@ -320,25 +307,13 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           push: true
-          tags: |
-            gogs/gogs:${{ env.IMAGE_TAG }}
-            ghcr.io/gogs/gogs:${{ env.IMAGE_TAG }}
+          tags: ${{ env.TAGS }}
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   # Updates to the following section needs to be synced to all release branches within their lifecycles.
   buildx-next-release:
@@ -349,8 +324,25 @@ jobs:
       contents: read
       packages: write
     steps:
-      - name: Compute image tag name
-        run: echo "IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)" >> $GITHUB_ENV
+      - name: Compute image tags
+        run: |
+          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+          TAGS="gogs/gogs:next-$IMAGE_TAG
+          ghcr.io/gogs/gogs:next-$IMAGE_TAG"
+
+          # Add minor version tag for stable releases (no prerelease suffix per semver).
+          if [[ ! "$IMAGE_TAG" =~ - ]]; then
+            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
+            TAGS="$TAGS
+          gogs/gogs:next-$MINOR_TAG
+          ghcr.io/gogs/gogs:next-$MINOR_TAG"
+          fi
+
+          echo "TAGS<<EOF" >> $GITHUB_ENV
+          echo "$TAGS" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
       - name: Checkout code
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up QEMU
@@ -385,25 +377,13 @@ jobs:
           file: Dockerfile.next
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           push: true
-          tags: |
-            gogs/gogs:next-${{ env.IMAGE_TAG }}
-            ghcr.io/gogs/gogs:next-${{ env.IMAGE_TAG }}
+          tags: ${{ env.TAGS }}
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   digitalocean-gc:
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}

.github/workflows/go.yml

@@ -72,28 +72,16 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
       - name: Run tests with coverage
-        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./...
-      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
-        with:
-          file: ./coverage
-          flags: unittests
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   # Running tests with race detection consumes too much memory on Windows,
   # see https://github.com/golang/go/issues/46099 for details.
@@ -113,27 +101,12 @@ jobs:
           go-version: ${{ matrix.go-version }}
       - name: Run tests with coverage
         run: go test -shuffle=on -v -coverprofile=coverage -covermode=atomic ./...
-      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
-        with:
-          file: ./coverage
-          flags: unittests
       - name: Send email on failure
-        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
         if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
         with:
-          server_address: smtp.mailgun.org
-          server_port: 465
-          username: ${{ secrets.SMTP_USERNAME }}
-          password: ${{ secrets.SMTP_PASSWORD }}
-          subject: GitHub Actions (${{ github.repository }}) job result
-          to: github-actions-8ce6454@unknwon.io
-          from: GitHub Actions (${{ github.repository }})
-          reply_to: noreply@unknwon.io
-          body: |
-            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
-
-            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
 
   postgres:
     name: Postgres
@@ -162,7 +135,10 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
       - name: Run tests with coverage
-        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./internal/database/...
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
         env:
           GOGS_DATABASE_TYPE: postgres
           PGPORT: 5432
@@ -188,29 +164,13 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
       - name: Run tests with coverage
-        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./internal/database/...
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
         env:
           GOGS_DATABASE_TYPE: mysql
           MYSQL_USER: root
           MYSQL_PASSWORD: root
           MYSQL_HOST: localhost
           MYSQL_PORT: 3306
-
-  sqlite-go:
-    name: SQLite - Go
-    strategy:
-      matrix:
-        go-version: [ 1.25.x ]
-        platform: [ ubuntu-latest ]
-    runs-on: ${{ matrix.platform }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-      - name: Install Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Run tests with coverage
-        run: go test -shuffle=on -v -race -parallel=1 -coverprofile=coverage -covermode=atomic ./internal/database/...
-        env:
-          GOGS_DATABASE_TYPE: sqlite

.github/workflows/release.yml

@@ -0,0 +1,146 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/release.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GOPROXY: "https://proxy.golang.org"
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build ${{ matrix.goos }}/${{ matrix.goarch }}${{ matrix.suffix }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - {goos: linux, goarch: amd64}
+          - {goos: linux, goarch: arm64}
+          - {goos: linux, goarch: "386"}
+          - {goos: darwin, goarch: amd64}
+          - {goos: darwin, goarch: arm64}
+          - {goos: windows, goarch: amd64}
+          - {goos: windows, goarch: arm64}
+          - {goos: windows, goarch: "386"}
+          - {goos: windows, goarch: amd64, suffix: "_mws", tags: minwinsvc}
+          - {goos: windows, goarch: arm64, suffix: "_mws", tags: minwinsvc}
+          - {goos: windows, goarch: "386", suffix: "_mws", tags: minwinsvc}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.25.x
+      - name: Determine version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "release" ]; then
+            echo "version=${{ github.event.release.tag_name }}" | sed 's/version=v/version=/' >> "$GITHUB_OUTPUT"
+            echo "release_tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "version=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+            echo "release_tag=latest-commit-build" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+            echo "release_tag=release-archive-testing" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Build binary
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: "0"
+        run: |
+          BINARY_NAME="gogs"
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            BINARY_NAME="gogs.exe"
+          fi
+
+          TAGS_FLAG=""
+          if [ -n "${{ matrix.tags }}" ]; then
+            TAGS_FLAG="-tags ${{ matrix.tags }}"
+          fi
+
+          go build -v \
+            -ldflags "
+              -X \"gogs.io/gogs/internal/conf.BuildTime=$(date -u '+%Y-%m-%d %I:%M:%S %Z')\"
+              -X \"gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)\"
+            " \
+            $TAGS_FLAG \
+            -trimpath -o "$BINARY_NAME" ./cmd/gogs
+      - name: Prepare archive contents
+        run: |
+          mkdir -p dist/gogs
+          BINARY_NAME="gogs"
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            BINARY_NAME="gogs.exe"
+          fi
+          cp "$BINARY_NAME" dist/gogs/
+          cp LICENSE README.md README_ZH.md dist/gogs/
+          cp -r scripts dist/gogs/
+      - name: Create archives
+        working-directory: dist
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          ARCHIVE_BASE="gogs_${VERSION}_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}"
+
+          zip -r "${ARCHIVE_BASE}.zip" gogs
+
+          if [ "${{ matrix.goos }}" = "linux" ]; then
+            tar -czvf "${ARCHIVE_BASE}.tar.gz" gogs
+          fi
+      - name: Upload to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+
+          if [ "${{ github.event_name }}" != "release" ]; then
+            git tag -f "$RELEASE_TAG"
+            git push origin "$RELEASE_TAG" --force || true
+            
+            RELEASE_TITLE="Release Archive Testing"
+            RELEASE_NOTES="Automated testing release for workflow development."
+            if [ "$RELEASE_TAG" = "latest-commit-build" ]; then
+              RELEASE_TITLE="Latest Commit Build"
+              RELEASE_NOTES="Automated build from the latest commit on main branch. This release is updated automatically with every push to main."
+            fi
+            
+            gh release view "$RELEASE_TAG" || gh release create "$RELEASE_TAG" --title "$RELEASE_TITLE" --notes "$RELEASE_NOTES" --prerelease
+          fi
+
+          PATTERN="_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}\."
+          gh release view "$RELEASE_TAG" --json assets --jq ".assets[].name" | grep "$PATTERN" | while read -r asset; do
+            gh release delete-asset "$RELEASE_TAG" "$asset" --yes || true
+          done
+
+          gh release upload "$RELEASE_TAG" dist/gogs_*.zip --clobber
+          if [ "${{ matrix.goos }}" = "linux" ]; then
+            gh release upload "$RELEASE_TAG" dist/gogs_*.tar.gz --clobber
+          fi
+
+  notify-failure:
+    name: Notify on failure
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    steps:
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}

.gitignore

@@ -1,18 +1,16 @@
-.DS_Store
-*.db
-*.log
+# Build artifacts
+.bin/
+dist/
+
+# Runtime data
 log/
 custom/
 data/
+
+# Configuration and application files
 .idea/
-*.iml
-public/img/avatar/
-*.exe
-*.exe~
-/gogs
-profile/
-*.pem
-output*
-/release
-.task
+.task/
 .envrc
+
+# System junk
+.DS_Store

AGENTS.md

@@ -1,6 +1,7 @@
 ## Core principles
 
-- When you see changes made outside your knowledge, use the current version as your new starting point. Do not blindly overwrite those changes or you suck. Even if you have to update the code, always respect the god damn pattern in the surrounding context!
+- Stop telling me "You're right", it just shows how incompetent you are. Do it right on your first try, fact-check and review after changes. If you are not sure, ask for help.
+- When you see changes made outside your knowledge, use the current version as your new starting point. Do not blindly overwrite those changes or you suck. Even if you have to update the code, always respect the pattern in the surrounding context!
 
 ## Style and mechanics
 
@@ -15,6 +16,17 @@ This applies to all texts, including but not limited to UI, documentation, code
 - Use `github.com/cockroachdb/errors` for error handling.
 - Use `github.com/stretchr/testify` for assertions in tests. Be mindful about the choice of `require` and `assert`, the former should be used when the test cannot proceed meaningfully after a failed assertion.
 
+## Build instructions
+
+- Prefer `task` command over vanilla `go` command when available. Use `--force` flag when necessary.
+- Run `task lint` after every time you finish changing code, and fix all linter errors.
+
 ## Tool-use guidance
 
 - Use `gh` CLI to access information on github.com that is not publicly available.
+
+## Source code control
+
+- When pushing changes to a pull request from a fork, use SSH address and do not add remote.
+- Never automatically executes commands that touches Git history even if the session does not require approvals, including but not limited to `rebase`, `commit`, `push`, `pull`, `reset`, `amend`. Exceptions are only allowed case-by-case.
+- Do not amend commits unless being explicitly asked to do so.

CHANGELOG.md

@@ -2,26 +2,38 @@
 
 All notable changes to Gogs are documented in this file.
 
-## 0.14.0+dev (`main`)
+## 0.15.0+dev (`main`)
+
+## 0.14.1
 
 ### Added
 
+- Support comparing tags in addition to branches. [#6141](https://github.com/gogs/gogs/issues/6141)
+- Show file name in browser tab title when viewing files. [#5896](https://github.com/gogs/gogs/pull/5896)
 - Support using TLS for Redis session provider using `[session] PROVIDER_CONFIG = ...,tls=true`. [#7860](https://github.com/gogs/gogs/pull/7860)
 - Support expanading values in `app.ini` from environment variables, e.g. `[database] PASSWORD = ${DATABASE_PASSWORD}`. [#8057](https://github.com/gogs/gogs/pull/8057)
 - Support custom logout URL that users get redirected to after sign out using `[auth] CUSTOM_LOGOUT_URL`. [#8089](https://github.com/gogs/gogs/pull/8089)
-- Start publishing next-generation, security-focused Docker image via `gogs/gogs:next-latest`, which will become the default image distribution (`gogs/gogs:latest`) starting 0.15.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as `gogs/gogs:legacy-latest` starting 0.15.0, and be completely removed starting 0.16.0. [#8061](https://github.com/gogs/gogs/pull/8061)
+- Start publishing next-generation, security-focused Docker image via `gogs/gogs:next-latest`, which will become the default image distribution (`gogs/gogs:latest`) starting 0.16.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as `gogs/gogs:legacy-latest` starting 0.16.0, and be completely removed no earlier than 0.17.0. [#8061](https://github.com/gogs/gogs/pull/8061)
 
 ### Changed
 
 - The required Go version to compile source code changed to 1.25.
 - The build tag `cert` has been removed, and the `gogs cert` subcommand is now always available. [#7883](https://github.com/gogs/gogs/pull/7883)
+- Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. [#7882](https://github.com/gogs/gogs/issues/7882)
 - Updated Mermaid JS to 11.9.0. [#8009](https://github.com/gogs/gogs/pull/8009)
 - Halt the repository creation and leave the directory untouched if the repository root already exists. [#8091](https://github.com/gogs/gogs/pull/8091)
 
 ### Fixed
 
+- _Security:_ Unauthenticated file upload. [#8128](https://github.com/gogs/gogs/pull/8128) - [GHSA-fc3h-92p8-h36f](https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f)
+- _Security:_ Protected branch bypass in web UI. [#8124](https://github.com/gogs/gogs/pull/8124) - [GHSA-2c6v-8r3v-gh6p](https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p)
+- _Security:_ Authorization bypass allows cross-repository label modification. [#8123](https://github.com/gogs/gogs/pull/8123) - [GHSA-cv22-72px-f4gh](https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh)
+- _Security:_ Cross-repository comment deletion. [#8119](https://github.com/gogs/gogs/pull/8119) - [GHSA-jj5m-h57j-5gv7](https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7)
+- 500 error on repository watchers and stargazers pages when using MSSQL. [#5482](https://github.com/gogs/gogs/issues/5482)
 - Submodules using `ssh://` protocol and a port number are not rendered correctly. [#4941](https://github.com/gogs/gogs/issues/4941)
 - Missing link to user profile on the first commit in commits history page. [#7404](https://github.com/gogs/gogs/issues/7404)
+- Unable to delete or display files with special characters in their names. [#7596](https://github.com/gogs/gogs/issues/7596)
+- Docker healthcheck fails when `HTTP_PROXY` or `HTTPS_PROXY` environment variables are set. [#7529](https://github.com/gogs/gogs/issues/7529)
 
 ## 0.13.4
 

CLAUDE.md

@@ -0,0 +1 @@
+AGENTS.md

Dockerfile

@@ -25,20 +25,20 @@ RUN apk --no-cache --no-progress add \
   tzdata \
   rsync
 
-ENV GOGS_CUSTOM /data/gogs
+ENV GOGS_CUSTOM=/data/gogs
 
 # Configure LibC Name Service
 COPY docker/nsswitch.conf /etc/nsswitch.conf
 
 WORKDIR /app/gogs
 COPY docker ./docker
-COPY --from=binarybuilder /gogs.io/gogs/gogs .
+COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
 
 RUN ./docker/build/finalize.sh
 
 # Configure Docker Container
 VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
-HEALTHCHECK CMD (curl -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
+HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
 ENTRYPOINT ["/app/gogs/docker/start.sh"]
 CMD ["/usr/bin/s6-svscan", "/app/gogs/docker/s6/"]

Dockerfile.next

@@ -31,7 +31,7 @@ RUN apk --no-cache --no-progress add \
 ENV GOGS_CUSTOM=/data/gogs
 
 WORKDIR /app/gogs
-COPY --from=binarybuilder /gogs.io/gogs/gogs .
+COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
 COPY docker-next/start.sh .
 RUN chmod +x start.sh && \
     mkdir -p /data && \
@@ -41,7 +41,7 @@ RUN chmod +x start.sh && \
 # Configure Docker Container
 VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
-HEALTHCHECK CMD (curl -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
+HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
 
 # Run as non-root user by default for better K8s security context support.
 USER git:git

SECURITY.md

@@ -2,9 +2,9 @@
 
 ## Supported versions
 
-Only the latest minor version releases are supported (>= 0.13) for accepting vulnerability reports and patching fixes.
+Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page. 
 
-Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
+Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.
 
 ## Vulnerability lifecycle
 
@@ -14,6 +14,7 @@ Existing vulnerability reports are being tracked in [GitHub Security Advisories]
 
 1. Report an advisory for the vulnerability.
     - Please be aware that **only advisories reported in plain English** will be reviewed.
+    - We DO NOT accept vulnerabilities cannot be reproduced on the latest `main` commit.
 1. Project maintainers review the advisory:
     - Ask clarifying questions
     - Make sure there was no prior advisory exists for the same vulnerability

Taskfile.yml

@@ -10,8 +10,10 @@ tasks:
   web:
     desc: Build the binary and start the web server
     deps: [build]
+    env:
+      GOGS_WORK_DIR: '{{.ROOT_DIR}}'
     cmds:
-      - ./gogs web
+      - .bin/gogs web
 
   build:
     desc: Build the binary
@@ -22,7 +24,7 @@ tasks:
           -X "{{.PKG_PATH}}.BuildCommit={{.BUILD_COMMIT}}"
         '
         -tags '{{.TAGS}}'
-        -trimpath -o gogs{{.BINARY_EXT}}
+        -trimpath -o .bin/gogs{{.BINARY_EXT}} ./cmd/gogs
     vars:
       PKG_PATH: gogs.io/gogs/internal/conf
       BUILD_TIME:
@@ -31,7 +33,7 @@ tasks:
         sh: git rev-parse HEAD
     sources:
       - go.mod
-      - gogs.go
+      - cmd/gogs/*.go
       - internal/**/*.go
       - conf/**/*
       - public/**/*
@@ -59,18 +61,6 @@ tasks:
     cmds:
       - find . -name "*.DS_Store" -type f -delete
 
-  release:
-    desc: Build the binary and pack resources to a ZIP file
-    deps: [build]
-    cmds:
-      - rm -rf {{.RELEASE_GOGS}}
-      - mkdir -p {{.RELEASE_GOGS}}
-      - cp -r gogs{{.BINARY_EXT}} LICENSE README.md README_ZH.md scripts {{.RELEASE_GOGS}}
-      - cd {{.RELEASE_ROOT}} && zip -r gogs.zip "gogs"
-    vars:
-      RELEASE_ROOT: release
-      RELEASE_GOGS: release/gogs
-
   less:
     desc: Generate CSS from LESS files
     cmds:
@@ -99,3 +89,8 @@ tasks:
           dropdb "$dbname"
           echo "dropped $dbname"
         done
+
+  lint:
+    desc: Run all linters
+    cmds:
+      - golangci-lint run

cmd/gogs/admin.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"context"
@@ -14,7 +14,7 @@ import (
 )
 
 var (
-	Admin = cli.Command{
+	adminCommand = cli.Command{
 		Name:  "admin",
 		Usage: "Perform admin operations on command line",
 		Description: `Allow using internal logic of Gogs without hacking into the source code

cmd/gogs/backup.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"context"
@@ -20,7 +20,7 @@ import (
 	"gogs.io/gogs/internal/osutil"
 )
 
-var Backup = cli.Command{
+var backupCommand = cli.Command{
 	Name:  "backup",
 	Usage: "Backup files and database",
 	Description: `Backup dumps and compresses all related files and database into zip file,

cmd/gogs/cert.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package cmd
+package main
 
 import (
 	"crypto/ecdsa"
@@ -22,7 +22,7 @@ import (
 	"github.com/urfave/cli"
 )
 
-var Cert = cli.Command{
+var certCommand = cli.Command{
 	Name:  "cert",
 	Usage: "Generate self-signed certificate",
 	Description: `Generate a self-signed X.509 certificate for a TLS server.

cmd/gogs/cmd.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"time"
@@ -21,7 +21,6 @@ func boolFlag(name, usage string) cli.BoolFlag {
 	}
 }
 
-//nolint:deadcode,unused
 func intFlag(name string, value int, usage string) cli.IntFlag {
 	return cli.IntFlag{
 		Name:  name,
@@ -30,7 +29,6 @@ func intFlag(name string, value int, usage string) cli.IntFlag {
 	}
 }
 
-//nolint:deadcode,unused
 func durationFlag(name string, value time.Duration, usage string) cli.DurationFlag {
 	return cli.DurationFlag{
 		Name:  name,

cmd/gogs/hook.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"bufio"
@@ -24,7 +24,7 @@ import (
 )
 
 var (
-	Hook = cli.Command{
+	hookCommand = cli.Command{
 		Name:        "hook",
 		Usage:       "Delegate commands to corresponding Git hooks",
 		Description: "All sub-commands should only be called by Git",

cmd/gogs/import.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"bufio"
@@ -16,7 +16,7 @@ import (
 )
 
 var (
-	Import = cli.Command{
+	importCommand = cli.Command{
 		Name:  "import",
 		Usage: "Import portable data as local Gogs data",
 		Description: `Allow user import data from other Gogs installations to local instance

cmd/gogs/main.go

@@ -1,5 +1,3 @@
-//go:build go1.18
-
 // Gogs is a painless self-hosted Git Service.
 package main
 
@@ -9,12 +7,11 @@ import (
 	"github.com/urfave/cli"
 	log "unknwon.dev/clog/v2"
 
-	"gogs.io/gogs/internal/cmd"
 	"gogs.io/gogs/internal/conf"
 )
 
 func init() {
-	conf.App.Version = "0.14.0+dev"
+	conf.App.Version = "0.15.0+dev"
 }
 
 func main() {
@@ -23,14 +20,14 @@ func main() {
 	app.Usage = "A painless self-hosted Git service"
 	app.Version = conf.App.Version
 	app.Commands = []cli.Command{
-		cmd.Web,
-		cmd.Serv,
-		cmd.Hook,
-		cmd.Cert,
-		cmd.Admin,
-		cmd.Import,
-		cmd.Backup,
-		cmd.Restore,
+		webCommand,
+		servCommand,
+		hookCommand,
+		certCommand,
+		adminCommand,
+		importCommand,
+		backupCommand,
+		restoreCommand,
 	}
 	if err := app.Run(os.Args); err != nil {
 		log.Fatal("Failed to start application: %v", err)

cmd/gogs/restore.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"context"
@@ -18,7 +18,7 @@ import (
 	"gogs.io/gogs/internal/semverutil"
 )
 
-var Restore = cli.Command{
+var restoreCommand = cli.Command{
 	Name:  "restore",
 	Usage: "Restore files and database from backup",
 	Description: `Restore imports all related files and database from a backup archive.

cmd/gogs/serv.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"context"
@@ -21,7 +21,7 @@ const (
 	accessDeniedMessage = "Repository does not exist or you do not have access"
 )
 
-var Serv = cli.Command{
+var servCommand = cli.Command{
 	Name:        "serv",
 	Usage:       "This command should only be called by SSH shell",
 	Description: `Serv provide access auth for repositories`,

cmd/gogs/web.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"crypto/tls"
@@ -30,6 +30,7 @@ import (
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/embeddedpg"
 	"gogs.io/gogs/internal/form"
 	"gogs.io/gogs/internal/osutil"
 	"gogs.io/gogs/internal/route"
@@ -45,7 +46,7 @@ import (
 	"gogs.io/gogs/templates"
 )
 
-var Web = cli.Command{
+var webCommand = cli.Command{
 	Name:  "web",
 	Usage: "Start web server",
 	Description: `Gogs web server is the only thing you need to run,
@@ -54,6 +55,7 @@ and it takes care of all the other things for you`,
 	Flags: []cli.Flag{
 		stringFlag("port, p", "3000", "Temporary port number to prevent conflict"),
 		stringFlag("config, c", "", "Custom configuration file path"),
+		boolFlag("embedded-postgres", "Use embedded PostgreSQL database"),
 	},
 }
 
@@ -160,7 +162,29 @@ func newMacaron() *macaron.Macaron {
 }
 
 func runWeb(c *cli.Context) error {
-	err := route.GlobalInit(c.String("config"))
+	// Initialize configuration first to get WorkDir
+	err := conf.Init(c.String("config"))
+	if err != nil {
+		log.Fatal("Failed to initialize configuration: %v", err)
+	}
+	conf.InitLogging(false)
+
+	var localPg *embeddedpg.LocalPostgres
+
+	if c.Bool("embedded-postgres") {
+		localPg = embeddedpg.Initialize(conf.WorkDir())
+		if err := localPg.Launch(); err != nil {
+			log.Fatal("Failed to launch embedded postgres: %v", err)
+		}
+		defer func() {
+			if err := localPg.Shutdown(); err != nil {
+				log.Error("Failed to shutdown embedded postgres: %v", err)
+			}
+		}()
+		localPg.ConfigureGlobalDatabase()
+	}
+
+	err = route.GlobalInit(c.String("config"))
 	if err != nil {
 		log.Fatal("Failed to initialize application: %v", err)
 	}
@@ -329,9 +353,12 @@ func runWeb(c *cli.Context) error {
 					return
 				}
 			})
+		}, ignSignIn)
+
+		m.Group("", func() {
 			m.Post("/issues/attachments", repo.UploadIssueAttachment)
 			m.Post("/releases/attachments", repo.UploadReleaseAttachment)
-		}, ignSignIn)
+		}, reqSignIn)
 
 		m.Group("/:username", func() {
 			m.Post("/action/:action", user.Action)
@@ -476,7 +503,7 @@ func runWeb(c *cli.Context) error {
 			m.Get("/milestones", repo.Milestones)
 		}, ignSignIn, context.RepoAssignment(true))
 		m.Group("/:username/:reponame", func() {
-			// FIXME: should use different URLs but mostly same logic for comments of issue and pull reuqest.
+			// FIXME: should use different URLs but mostly same logic for comments of issue and pull request.
 			// So they can apply their own enable/disable logic on routers.
 			m.Group("/issues", func() {
 				m.Combo("/new", repo.MustEnableIssues).Get(context.RepoRef(), repo.NewIssue).
@@ -501,7 +528,7 @@ func runWeb(c *cli.Context) error {
 		}, ignSignIn, context.RepoAssignment(false, true))
 
 		m.Group("/:username/:reponame", func() {
-			// FIXME: should use different URLs but mostly same logic for comments of issue and pull reuqest.
+			// FIXME: should use different URLs but mostly same logic for comments of issue and pull request.
 			// So they can apply their own enable/disable logic on routers.
 			m.Group("/issues", func() {
 				m.Group("/:index", func() {

codecov.yml

@@ -1,16 +0,0 @@
-coverage:
-  range: "60...95"
-  status:
-    project:
-      default:
-        threshold: 1%
-        informational: true
-    patch:
-      default:
-        only_pulls: true
-        informational: true
-
-comment:
-  layout: 'diff'
-
-github_checks: false

conf/locale/locale_bg-BG.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Застинали клонове
 branches.all=Всички клонове
 branches.updated_by=Актуализирани %[1]s от %[2]s
 branches.change_default_branch=Промяна на клон по подразбиране
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Нов файл
 editor.upload_file=Качи файл
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_cs-CZ.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Zastaralé větve
 branches.all=Všechny větve
 branches.updated_by=%[2]s změnil %[1]s
 branches.change_default_branch=Změnit výchozí větev
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nový soubor
 editor.upload_file=Nahrát soubor
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_de-DE.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Alte Branches
 branches.all=Alle Branches
 branches.updated_by=Aktualisiert %[1]s von %[2]s
 branches.change_default_branch=Ändere Standard-Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Neue Datei
 editor.upload_file=Datei hochladen
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Fehler beim Senden der Test-E-Mail an '%s': %v
 config.email.test_mail_sent=Test-E-Mail wurde an '%s ' gesendet.
 
 config.auth_config=Authentifizierungskonfiguration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Aktivierungscode Lebensdauer
 config.auth.reset_password_code_lives=Gültigkeitsdauer Zurücksetzungs-Code
 config.auth.require_email_confirm=E-Mail-Bestätigung erforderlich

conf/locale/locale_en-GB.ini

@@ -501,6 +501,8 @@ branches.stale_branches=Stale Branches
 branches.all=All Branches
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Change Default Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=New file
 editor.upload_file=Upload file
@@ -1346,6 +1348,7 @@ config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
 
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 
 config.auth.reset_password_code_lives=Reset password code lives

conf/locale/locale_en-US.ini

@@ -494,6 +494,8 @@ branches.stale_branches = Stale Branches
 branches.all = All Branches
 branches.updated_by = Updated %[1]s by %[2]s
 branches.change_default_branch = Change Default Branch
+branches.default_deletion_not_allowed = Cannot delete the default branch.
+branches.protected_deletion_not_allowed = Cannot delete a protected branch.
 
 editor.new_file = New file
 editor.upload_file = Upload file

conf/locale/locale_es-ES.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Ramas Viejas
 branches.all=Todas las Ramas
 branches.updated_by=%[1]s actualizado por %[2]s
 branches.change_default_branch=Cambiar la Rama por Defecto
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nuevo archivo
 editor.upload_file=Subir archivo
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Error al enviar correo electrónico de prueba a '%
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_fa-IR.ini

@@ -496,6 +496,8 @@ branches.stale_branches=شاخه های قدیمی
 branches.all=همه شاخه
 branches.updated_by=%[1]s به روزشده توسط %[2]s
 branches.change_default_branch=تغییر شاخه ی پیش فرض
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=پرونده جدید
 editor.upload_file=بارگذاری پرونده
@@ -1276,6 +1278,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_fi-FI.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Passivoituneet haarat
 branches.all=Kaikki haarat
 branches.updated_by=Päivitetty %[1]s %[2]s
 branches.change_default_branch=Muuta oletushaaraa
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Uusi tiedosto
 editor.upload_file=Liitä tiedosto
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Testisähköpostin lähettäminen vastaanottajalle
 config.email.test_mail_sent=Testi sähköposti on lähetetty vastaanottajalle '%s'.
 
 config.auth_config=Todennuksen asetukset
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Aktiivinen koodi elämät ennen vanhenemista
 config.auth.reset_password_code_lives=Nollaa salasana koodi elämät
 config.auth.require_email_confirm=Vaadi sähköpostivahvistus

conf/locale/locale_fr-FR.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Branches stagnantes
 branches.all=Toutes les Branches
 branches.updated_by=Mise à jour %[1]s par %[2]s
 branches.change_default_branch=Changer la Branche par Défaut
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nouveau fichier
 editor.upload_file=Téléverser un fichier
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Impossible d'envoyer un e-mail de test à '%s' :
 config.email.test_mail_sent=Un e-mail de test à été envoyé à '%s'.
 
 config.auth_config=Configuration de l'authentification
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activer les vies sur les codes
 config.auth.reset_password_code_lives=Vies sur les codes de réinitialisation des mots de passes
 config.auth.require_email_confirm=Nécessite une confirmation par e-mail

conf/locale/locale_gl-ES.ini

@@ -495,6 +495,8 @@ branches.stale_branches=Stale Branches
 branches.all=All Branches
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Change Default Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Novo arquivo
 editor.upload_file=Subir arquivo
@@ -1275,6 +1277,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_hu-HU.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Elavult ágak
 branches.all=Minden ág
 branches.updated_by=Frissítve ekkor: %[1]s %[2]s által
 branches.change_default_branch=Alapértelmezett ág megváltoztatása
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Új fájl
 editor.upload_file=Fájl feltöltése
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Nem sikerült kiküldeni a teszt e-mailt '%s'-nek:
 config.email.test_mail_sent=Teszt e-mail kiküldve '%s'-nek.
 
 config.auth_config=Hitelesítési beállítások
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Jelszó visszaállítási kód élettartama
 config.auth.require_email_confirm=E-mail megerősítés szükségessé tétele

conf/locale/locale_id-ID.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Cabang Basi
 branches.all=Semua Cabang
 branches.updated_by=Diperbarui %[1]s oleh %[2]s
 branches.change_default_branch=Ubah Cabang Default
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Berkas baru
 editor.upload_file=Unggah Berkas
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Gagal mengirim surel uji ke '%s': %v
 config.email.test_mail_sent=Surel uji telah dikirim ke '%s'.
 
 config.auth_config=Konfigurasi otentikasi
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Perlu konfirmasi surel

conf/locale/locale_it-IT.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Stale Branches
 branches.all=Tutti i rami (branch)
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Cambia branch di default
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nuovo file
 editor.upload_file=Carica File
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_ja-JP.ini

@@ -494,6 +494,8 @@ branches.stale_branches=古いブランチ
 branches.all=すべてのブランチ
 branches.updated_by=%[1]s が %[2]s によって更新されました
 branches.change_default_branch=デフォルトブランチの変更
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=新規ファイル
 editor.upload_file=ファイルをアップロード
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_ko-KR.ini

@@ -495,6 +495,8 @@ branches.stale_branches=오래된 브랜치
 branches.all=모든 브랜치
 branches.updated_by=%[2]s이 %[1]s를 업데이트
 branches.change_default_branch=기본 브랜치 변경
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=파일 생성
 editor.upload_file=파일 업로드
@@ -1276,6 +1278,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent='%s'로 테스트 이메일을 보냈습니다.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=이메일 인증 필요

conf/locale/locale_lv-LV.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Pamests atzars
 branches.all=Visi atzari
 branches.updated_by=%[2]s atjaunoja %[1]s
 branches.change_default_branch=Mainīt noklusēto atzaru
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Jauns fails
 editor.upload_file=Augšupielādēt failu
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_mn-MN.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Хуучирсан салаанууд
 branches.all=Бүх салаанууд
 branches.updated_by=Шинэчлэгдсэн %[1]s by %[2]s
 branches.change_default_branch=Анхны салаа өөрчлөх
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Шинэ файл
 editor.upload_file=Файл хуулах
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Туршилтын имэйлийг '%s': %v рү
 config.email.test_mail_sent=Туршилтын имэйл '%s' рүү илгээгдлээ.
 
 config.auth_config=Authentication тохиргоо
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Кодын ашиглалтыг идэвхжүүлэх
 config.auth.reset_password_code_lives=Нууц үгийн кодыг шинэчлэх
 config.auth.require_email_confirm=Имэйлээр баталгаажуулахыг шаардана

conf/locale/locale_nl-NL.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Stale Branches
 branches.all=All Branches
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Change Default Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nieuw bestand
 editor.upload_file=Bestand uploaden
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_pl-PL.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Stare gałęzie
 branches.all=Wszystkie gałęzie
 branches.updated_by=Zaktualizowano %[1]s przez %[2]s
 branches.change_default_branch=Zmiana domyślnej gałęzi
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nowy plik
 editor.upload_file=Załaduj plik
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Nie udało się wysłać wiadomości testowej do '
 config.email.test_mail_sent=Wiadomość testowa została wysłana do '%s'.
 
 config.auth_config=Konfiguracja uwierzytelniania
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Wymagaj potwierdzenia adresu e-mail

conf/locale/locale_pt-BR.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Branches obsoletos
 branches.all=Todos os branches
 branches.updated_by=Atualizado %[1]s por %[2]s
 branches.change_default_branch=Modificar branch padrão
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Novo arquivo
 editor.upload_file=Enviar arquivo
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_pt-PT.ini

@@ -446,7 +446,7 @@ migrate.clone_address_desc=Isto pode ser um URL de HTTP/HTTPS/GIT.
 migrate.clone_address_desc_import_local=Você também pode migrar um repositório pelo caminho do servidor local.
 migrate.permission_denied=Não está autorizado a importar repositórios locais.
 migrate.invalid_local_path=Caminho local inválido, o caminho não existe ou não é um directório.
-migrate.clone_address_resolved_to_blocked_local_address=Clone address resolved to a local network address that is implicitly blocked.
+migrate.clone_address_resolved_to_blocked_local_address=Clonar endereço resolvido para um endereço de rede local implicitamente bloqueado.
 migrate.failed=Migração falhada: %v
 
 mirror_from=mirror de
@@ -494,6 +494,8 @@ branches.stale_branches=Ramificações Obsoletas
 branches.all=Todas as Ramificações
 branches.updated_by=Atualizado %[1]s por %[2]s
 branches.change_default_branch=Mudar Ramificação Predefinida
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Novo Ficheiro
 editor.upload_file=Enviar ficheiro
@@ -1202,119 +1204,120 @@ config.ssh.port=Porta exposta
 config.ssh.root_path=Caminho para a raíz
 config.ssh.keygen_path=Localização do gerador de chaves criptográficas
 config.ssh.key_test_path=Localização do teste das chaves criptográficas
-config.ssh.minimum_key_size_check=Minimum key size check
-config.ssh.minimum_key_sizes=Minimum key sizes
+config.ssh.minimum_key_size_check=Verificação de tamanho mínimo da chave
+config.ssh.minimum_key_sizes=Tamanhos mínimos de chaves
 config.ssh.rewrite_authorized_keys_at_start=Rewrite "authorized_keys" at start
-config.ssh.start_builtin_server=Start builtin server
+config.ssh.start_builtin_server=Iniciar servidor embutido
 config.ssh.listen_host=Servidor
 config.ssh.listen_port=Porta do servidor
 config.ssh.server_ciphers=Cifras do servidor
-config.ssh.server_macs=Server MACs
-config.ssh.server_algorithms=Server algorithms
+config.ssh.server_macs=MACs do servidor
+config.ssh.server_algorithms=Algoritmos do servidor
 
 config.repo_config=Configuração de repositório
 config.repo.root_path=Localização base
 config.repo.script_type=Tipo de script
 config.repo.ansi_chatset=ANSI charset
-config.repo.force_private=Force private
-config.repo.max_creation_limit=Max creation limit
-config.repo.preferred_licenses=Preferred licenses
-config.repo.disable_http_git=Disable HTTP Git
-config.repo.enable_local_path_migration=Enable local path migration
-config.repo.enable_raw_file_render_mode=Enable raw file render mode
+config.repo.force_private=Forçar privado
+config.repo.max_creation_limit=Limite máximo de criação
+config.repo.preferred_licenses=Licenças preferidas
+config.repo.disable_http_git=Desativar Git HTTP
+config.repo.enable_local_path_migration=Ativar a migração de caminho local
+config.repo.enable_raw_file_render_mode=Ativar o modo de renderização do ficheiro bruto
 config.repo.commits_fetch_concurrency=Commits fetch concurrency
-config.repo.editor.line_wrap_extensions=Editor line wrap extensions
+config.repo.editor.line_wrap_extensions=Extensões de quebra automática de linha do editor
 config.repo.editor.previewable_file_modes=Editor previewable file modes
-config.repo.upload.enabled=Upload enabled
-config.repo.upload.temp_path=Upload temporary path
-config.repo.upload.allowed_types=Upload allowed types
-config.repo.upload.file_max_size=Upload file size limit
-config.repo.upload.max_files=Upload files limit
+config.repo.upload.enabled=Envio ativado
+config.repo.upload.temp_path=Caminho temporário para envios
+config.repo.upload.allowed_types=Tipos de envios permitidos
+config.repo.upload.file_max_size=Tamanho limite de ficheiros enviados
+config.repo.upload.max_files=Quantidade limite de ficheiros enviados
 
 config.db_config=Configuração da base de dados
-config.db.type=Type
-config.db.host=Host
-config.db.name=Name
-config.db.schema=Schema
-config.db.schema_helper=(for "postgres" only)
-config.db.user=User
-config.db.ssl_mode=SSL mode
-config.db.ssl_mode_helper=(for "postgres" only)
-config.db.path=Path
-config.db.path_helper=(for "sqlite3"only)
-config.db.max_open_conns=Maximum open connections
-config.db.max_idle_conns=Maximum idle connections
+config.db.type=Tipo
+config.db.host=Anfitrião
+config.db.name=Nome
+config.db.schema=Esquema
+config.db.schema_helper=(apenas para "postgres")
+config.db.user=Utilizador
+config.db.ssl_mode=Modo SSL
+config.db.ssl_mode_helper=(apenas para "postgres")
+config.db.path=Caminho
+config.db.path_helper=(apenas para "sqlite3")
+config.db.max_open_conns=Máximo de conexões abertas
+config.db.max_idle_conns=Máximo de conexões ociosas
 
-config.security_config=Security configuration
-config.security.login_remember_days=Login remember days
-config.security.cookie_remember_name=Remember cookie
-config.security.cookie_username=Username cookie
-config.security.cookie_secure=Enable secure cookie
-config.security.reverse_proxy_auth_user=Reverse proxy authentication header
+config.security_config=Configuração da segurança
+config.security.login_remember_days=Dias lembrados de login
+config.security.cookie_remember_name=Lembrar do cookie
+config.security.cookie_username=Cookie do nome do utilizador
+config.security.cookie_secure=Ativar cookie seguro
+config.security.reverse_proxy_auth_user=Cabeçalho de autenticação de proxy reverso
 config.security.enable_login_status_cookie=Enable login status cookie
 config.security.login_status_cookie_name=Login status cookie
 config.security.local_network_allowlist=Local network allowlist
 
-config.email_config=Email configuration
-config.email.enabled=Enabled
-config.email.subject_prefix=Subject prefix
-config.email.host=Host
-config.email.from=From
-config.email.user=User
-config.email.disable_helo=Disable HELO
-config.email.helo_hostname=HELO hostname
+config.email_config=Configuração de E-mail
+config.email.enabled=Ativado
+config.email.subject_prefix=Prefixo do assunto
+config.email.host=Anfitrião
+config.email.from=De
+config.email.user=Utilizador
+config.email.disable_helo=Desativar HELO
+config.email.helo_hostname=Nome de anfitrião HELO
 config.email.skip_verify=Skip certificate verify
-config.email.use_certificate=Use custom certificate
-config.email.cert_file=Certificate file
-config.email.key_file=Key file
-config.email.use_plain_text=Use plain text
-config.email.add_plain_text_alt=Add plain text alternative
-config.email.send_test_mail=Send test email
-config.email.test_mail_failed=Failed to send test email to '%s': %v
-config.email.test_mail_sent=Test email has been sent to '%s'.
+config.email.use_certificate=Usar certificado personalizado
+config.email.cert_file=Ficheiro de certificado criptográfico
+config.email.key_file=Ficheiro da chave criptográfica
+config.email.use_plain_text=Usar texto simples
+config.email.add_plain_text_alt=Adicionar alternativa de texto simples
+config.email.send_test_mail=Enviar e-mail de teste
+config.email.test_mail_failed=Falhou o envio do e-mail de teste para '%s': %v
+config.email.test_mail_sent=O e-mail de teste foi enviado para '%s'.
 
-config.auth_config=Authentication configuration
+config.auth_config=Configuração da autenticação
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
-config.auth.require_email_confirm=Require email confirmation
-config.auth.require_sign_in_view=Require sign in view
-config.auth.disable_registration=Disable registration
-config.auth.enable_registration_captcha=Enable registration captcha
-config.auth.enable_reverse_proxy_authentication=Enable reverse proxy authentication
-config.auth.enable_reverse_proxy_auto_registration=Enable reverse proxy auto registration
-config.auth.reverse_proxy_authentication_header=Reverse proxy authentication header
+config.auth.require_email_confirm=Exigir confirmação por e-mail
+config.auth.require_sign_in_view=Exigir login para ver
+config.auth.disable_registration=Desativar registo
+config.auth.enable_registration_captcha=Ativar captcha para registar
+config.auth.enable_reverse_proxy_authentication=Ativar autenticação do proxy reverso
+config.auth.enable_reverse_proxy_auto_registration=Ativar o registo automático do proxy reverso
+config.auth.reverse_proxy_authentication_header=Cabeçalho de autenticação de proxy reverso
 
-config.user_config=User configuration
-config.user.enable_email_notify=Enable email notification
+config.user_config=Configuração do utilizador
+config.user.enable_email_notify=Ativar a notificação por e-mail
 
 config.session_config=Configuração de sessão
-config.session.provider=Provider
-config.session.provider_config=Provider config
+config.session.provider=Provedor
+config.session.provider_config=Configuração do provedor
 config.session.cookie_name=Cookie
-config.session.https_only=HTTPS only
+config.session.https_only=Somente HTTPS
 config.session.gc_interval=GC interval
 config.session.max_life_time=Max life time
 config.session.csrf_cookie_name=CSRF cookie
 
 config.cache_config=Configuração de cache
-config.cache.adapter=Adapter
-config.cache.interval=GC interval
-config.cache.host=Host
+config.cache.adapter=Adaptador
+config.cache.interval=Intervalo de GC
+config.cache.host=Anfitrião
 
 config.http_config=Configuração HTTP
 config.http.access_control_allow_origin=Access control allow origin
 
-config.attachment_config=Attachment configuration
-config.attachment.enabled=Enabled
-config.attachment.path=Path
-config.attachment.allowed_types=Allowed types
-config.attachment.max_size=Size limit
-config.attachment.max_files=Files limit
+config.attachment_config=Configuração de anexos
+config.attachment.enabled=Ativado
+config.attachment.path=Caminho
+config.attachment.allowed_types=Tipos permitidos
+config.attachment.max_size=Limite de tamanho
+config.attachment.max_files=Limite de ficheiros
 
 config.release_config=Release configuration
 config.release.attachment.enabled=Attachment enabled
 config.release.attachment.allowed_types=Attachment allowed types
-config.release.attachment.max_size=Attachment size limit
+config.release.attachment.max_size=Tamanho máximo dos anexos
 config.release.attachment.max_files=Attachment files limit
 
 config.picture_config=Configuração de imagem
@@ -1325,10 +1328,10 @@ config.picture.disable_gravatar=Disable Gravatar
 config.picture.enable_federated_avatar=Enable federated avatars
 
 config.mirror_config=Mirror configuration
-config.mirror.default_interval=Default interval
+config.mirror.default_interval=Intervalo predefinido
 
 config.webhook_config=Configuração de WebHook
-config.webhook.types=Types
+config.webhook.types=Tipos
 config.webhook.deliver_timeout=Deliver timeout
 config.webhook.skip_tls_verify=Skip TLS verify
 

conf/locale/locale_ro-RO.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Ramuri vechi
 branches.all=Toate ramurile
 branches.updated_by=Actualizat %[1]s prin %[2]s
 branches.change_default_branch=Schimbarea ramurii implicite
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Fișier nou
 editor.upload_file=Încărcați fișier
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Nu a reușit să trimită un e-mail de test către
 config.email.test_mail_sent=E-mailul de test a fost trimis la '%s'.
 
 config.auth_config=Configurația de autentificare
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activați viețile de cod
 config.auth.reset_password_code_lives=Resetează viețile codului parolei
 config.auth.require_email_confirm=Solicită confirmarea prin e-mail

conf/locale/locale_ru-RU.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Устаревшие ветки
 branches.all=Все ветки
 branches.updated_by=Обновлено %[1]s пользователем %[2]s
 branches.change_default_branch=Change Default Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Новый файл
 editor.upload_file=Загрузить файл
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Не удалось отправить тесто
 config.email.test_mail_sent=Тестовое письмо было отправлено на %s
 
 config.auth_config=Конфигурация аутентификации
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Срок действия кода сброса пароля
 config.auth.require_email_confirm=Требовать подтверждение по электронной почте

conf/locale/locale_sk-SK.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Zastaralé vetvy
 branches.all=Všetky vetvy
 branches.updated_by=%[2]s zmenil %[1]s
 branches.change_default_branch=Zmeniť základnú vetvu
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Nový súbor
 editor.upload_file=Nahrať súbor
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_sr-SP.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Застареле гране
 branches.all=Све гране
 branches.updated_by=Ажуриран %[1]s од %[2]s
 branches.change_default_branch=Промените подразумевану грану
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Нова датотека
 editor.upload_file=Отпреми датотеку
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_sv-SE.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Djärva brancher
 branches.all=Alla brancher
 branches.updated_by=Uppdaterade %[1]s med %[2]s
 branches.change_default_branch=Ändra standard branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Ny fil
 editor.upload_file=Ladda upp fil
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_tr-TR.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Eskimiş Bölümler
 branches.all=Bütün Bölümler
 branches.updated_by=%[2]s tarafından %[1]s güncellendi
 branches.change_default_branch=Varsayılan Bölümü Değiştir
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Yeni dosya
 editor.upload_file=Dosyayı yükle
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_uk-UA.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Застарілі гілки
 branches.all=Усі гілки
 branches.updated_by=Оновлено %[1]s з %[2]s
 branches.change_default_branch=Гілку за замовчуванням змінено
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Новий файл
 editor.upload_file=Завантажити файл
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Помилка відправлення пробн
 config.email.test_mail_sent=Пробного листа було відправлено до '%s'.
 
 config.auth_config=Налаштування аутентифікації
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Активувати код підтвердження
 config.auth.reset_password_code_lives=Термін придатності кода при скиданні пароля
 config.auth.require_email_confirm=Вимагає підтвердження електронною поштою

conf/locale/locale_vi-VN.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Các nhánh cũ
 branches.all=Tất cả các nhánh
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Thay đổi nhánh mặc định
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=Tập tin mới
 editor.upload_file=Tải tập tin lên
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Gửi email kiểm tra đến '%s':%v thất bại
 config.email.test_mail_sent=Email kiểm tra đã được gửi đến '%s'.
 
 config.auth_config=Cấu hình xác thực
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Yêu cầu xác nhận email

conf/locale/locale_zh-CN.ini

@@ -494,6 +494,8 @@ branches.stale_branches=陈旧分支
 branches.all=所有分支
 branches.updated_by=由 %[2]s 更新于 %[1]s
 branches.change_default_branch=更改默认分支
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=新的文件
 editor.upload_file=上传文件
@@ -1275,6 +1277,7 @@ config.email.test_mail_failed=发送测试邮件至 '%s' 时失败：%v
 config.email.test_mail_sent=测试邮件已经发送至 '%s'。
 
 config.auth_config=认证配置
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=激活用户链接有效期
 config.auth.reset_password_code_lives=重置密码链接有效期
 config.auth.require_email_confirm=注册邮件确认

conf/locale/locale_zh-HK.ini

@@ -494,6 +494,8 @@ branches.stale_branches=Stale Branches
 branches.all=All Branches
 branches.updated_by=Updated %[1]s by %[2]s
 branches.change_default_branch=Change Default Branch
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=New file
 editor.upload_file=Upload file
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=Failed to send test email to '%s': %v
 config.email.test_mail_sent=Test email has been sent to '%s'.
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

conf/locale/locale_zh-TW.ini

@@ -494,6 +494,8 @@ branches.stale_branches=陳舊分支
 branches.all=所有分支
 branches.updated_by=%[2]s 更新了 %[1]s
 branches.change_default_branch=變更預設分支
+branches.default_deletion_not_allowed=Cannot delete the default branch.
+branches.protected_deletion_not_allowed=Cannot delete a protected branch.
 
 editor.new_file=開新檔案
 editor.upload_file=上傳檔案
@@ -1274,6 +1276,7 @@ config.email.test_mail_failed=發送測試郵件至 '%s' 時失敗：%v
 config.email.test_mail_sent=測試電子郵件已發送到 '%s'。
 
 config.auth_config=Authentication configuration
+config.auth_custom_logout_url=Custom logout URL
 config.auth.activate_code_lives=Activate code lives
 config.auth.reset_password_code_lives=Reset password code lives
 config.auth.require_email_confirm=Require email confirmation

docker-next/README.md

@@ -1,7 +1,7 @@
 # Docker for Gogs (Next Generation)
 
 > [!NOTE]
-> This is the next-generation, security-focused Docker image. This will become the default image distribution (`gogs/gogs:latest`) starting 0.15.0.
+> This is the next-generation, security-focused Docker image. This will become the default image distribution (`gogs/gogs:latest`) starting 0.16.0.
 
 ![Docker pulls](https://img.shields.io/docker/pulls/gogs/gogs?logo=docker&style=for-the-badge)
 

docker/README.md

@@ -1,10 +1,15 @@
 # Docker for Gogs
 
 > [!WARNING]
-> This is now the legacy Docker image that lacks modern security best practices. It will be published as `gogs/gogs:legacy-latest` starting 0.15.0, and be completely removed starting 0.16.0.
+> This is now the legacy Docker image that lacks modern security best practices. It will be published as `gogs/gogs:legacy-latest` starting 0.16.0, and be completely removed no earlier than 0.17.0.
 >
 > To use the next-generation, security-focused Docker image, see [docker-next/README.md](../docker-next/README.md).
 
+> [!IMPORTANT]
+> Image versions:
+>  - Every released version has its own tag , e.g., `gogs/gogs:0.13.4`, and a tag points to the latest patch of the minor version, e.g., `gogs/gogs:0.13`.
+>  - The `latest` tag is the image version built from the latest `main` branch.
+
 ![Docker pulls](https://img.shields.io/docker/pulls/gogs/gogs?logo=docker&style=for-the-badge)
 
 Visit [Docker Hub](https://hub.docker.com/u/gogs) or [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs) to see all available images and tags.

docs-old/dev/database_schema.md

@@ -0,0 +1,131 @@
+# Table "access"
+
+```
+ Field  | Column  |   PostgreSQL    |         MySQL         |        SQLite3        
+--------+---------+-----------------+-----------------------+-----------------------
+ ID     | id      | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
+ UserID | user_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
+ RepoID | repo_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
+ Mode   | mode    | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
+
+Primary keys: id
+Indexes: 
+	"access_user_repo_unique" UNIQUE (user_id, repo_id)
+```
+
+# Table "access_token"
+
+```
+    Field    |    Column    |         PostgreSQL          |            MySQL            |           SQLite3           
+-------------+--------------+-----------------------------+-----------------------------+-----------------------------
+ ID          | id           | BIGSERIAL                   | BIGINT AUTO_INCREMENT       | INTEGER AUTOINCREMENT       
+ UserID      | uid          | BIGINT                      | BIGINT                      | INTEGER                     
+ Name        | name         | TEXT                        | LONGTEXT                    | TEXT                        
+ Sha1        | sha1         | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          
+ SHA256      | sha256       | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE 
+ CreatedUnix | created_unix | BIGINT                      | BIGINT                      | INTEGER                     
+ UpdatedUnix | updated_unix | BIGINT                      | BIGINT                      | INTEGER                     
+
+Primary keys: id
+Indexes: 
+	"idx_access_token_user_id" (uid)
+```
+
+# Table "action"
+
+```
+    Field     |     Column     |           PostgreSQL           |             MySQL              |            SQLite3             
+--------------+----------------+--------------------------------+--------------------------------+--------------------------------
+ ID           | id             | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT          
+ UserID       | user_id        | BIGINT                         | BIGINT                         | INTEGER                        
+ OpType       | op_type        | BIGINT                         | BIGINT                         | INTEGER                        
+ ActUserID    | act_user_id    | BIGINT                         | BIGINT                         | INTEGER                        
+ ActUserName  | act_user_name  | TEXT                           | LONGTEXT                       | TEXT                           
+ RepoID       | repo_id        | BIGINT                         | BIGINT                         | INTEGER                        
+ RepoUserName | repo_user_name | TEXT                           | LONGTEXT                       | TEXT                           
+ RepoName     | repo_name      | TEXT                           | LONGTEXT                       | TEXT                           
+ RefName      | ref_name       | TEXT                           | LONGTEXT                       | TEXT                           
+ IsPrivate    | is_private     | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE 
+ Content      | content        | TEXT                           | LONGTEXT                       | TEXT                           
+ CreatedUnix  | created_unix   | BIGINT                         | BIGINT                         | INTEGER                        
+
+Primary keys: id
+Indexes: 
+	"idx_action_repo_id" (repo_id)
+	"idx_action_user_id" (user_id)
+```
+
+# Table "email_address"
+
+```
+    Field    |    Column    |           PostgreSQL           |             MySQL              |            SQLite3             
+-------------+--------------+--------------------------------+--------------------------------+--------------------------------
+ ID          | id           | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT          
+ UserID      | uid          | BIGINT NOT NULL                | BIGINT NOT NULL                | INTEGER NOT NULL               
+ Email       | email        | VARCHAR(254) NOT NULL          | VARCHAR(254) NOT NULL          | TEXT NOT NULL                  
+ IsActivated | is_activated | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE 
+
+Primary keys: id
+Indexes: 
+	"email_address_user_email_unique" UNIQUE (uid, email)
+	"idx_email_address_user_id" (uid)
+```
+
+# Table "follow"
+
+```
+  Field   |  Column   |   PostgreSQL    |         MySQL         |        SQLite3        
+----------+-----------+-----------------+-----------------------+-----------------------
+ ID       | id        | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
+ UserID   | user_id   | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
+ FollowID | follow_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
+
+Primary keys: id
+Indexes: 
+	"follow_user_follow_unique" UNIQUE (user_id, follow_id)
+```
+
+# Table "lfs_object"
+
+```
+   Field   |   Column   |      PostgreSQL      |        MySQL         |      SQLite3      
+-----------+------------+----------------------+----------------------+-------------------
+ RepoID    | repo_id    | BIGINT               | BIGINT               | INTEGER           
+ OID       | oid        | TEXT                 | VARCHAR(191)         | TEXT              
+ Size      | size       | BIGINT NOT NULL      | BIGINT NOT NULL      | INTEGER NOT NULL  
+ Storage   | storage    | TEXT NOT NULL        | LONGTEXT NOT NULL    | TEXT NOT NULL     
+ CreatedAt | created_at | TIMESTAMPTZ NOT NULL | DATETIME(3) NOT NULL | DATETIME NOT NULL 
+
+Primary keys: repo_id, oid
+```
+
+# Table "login_source"
+
+```
+    Field    |    Column    |    PostgreSQL    |         MySQL         |        SQLite3        
+-------------+--------------+------------------+-----------------------+-----------------------
+ ID          | id           | BIGSERIAL        | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
+ Type        | type         | BIGINT           | BIGINT                | INTEGER               
+ Name        | name         | TEXT UNIQUE      | VARCHAR(191) UNIQUE   | TEXT UNIQUE           
+ IsActived   | is_actived   | BOOLEAN NOT NULL | BOOLEAN NOT NULL      | NUMERIC NOT NULL      
+ IsDefault   | is_default   | BOOLEAN          | BOOLEAN               | NUMERIC               
+ Config      | cfg          | TEXT             | TEXT                  | TEXT                  
+ CreatedUnix | created_unix | BIGINT           | BIGINT                | INTEGER               
+ UpdatedUnix | updated_unix | BIGINT           | BIGINT                | INTEGER               
+
+Primary keys: id
+```
+
+# Table "notice"
+
+```
+    Field    |    Column    | PostgreSQL |         MySQL         |        SQLite3        
+-------------+--------------+------------+-----------------------+-----------------------
+ ID          | id           | BIGSERIAL  | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
+ Type        | type         | BIGINT     | BIGINT                | INTEGER               
+ Description | description  | TEXT       | TEXT                  | TEXT                  
+ CreatedUnix | created_unix | BIGINT     | BIGINT                | INTEGER               
+
+Primary keys: id
+```
+

docs-old/dev/import_locale.md

@@ -6,7 +6,7 @@
 1. Run the `import` subcommand:
 
     ```
-    $ ./gogs import locale --source <path to the unzipped directory> --target ./conf/locale
+    $ ./.bin/gogs import locale --source <path to the unzipped directory> --target ./conf/locale
     Locale files has been successfully imported!
     ```
 

docs/dev/database_schema.md

@@ -1,131 +0,0 @@
-# Table "access"
-
-```
-  FIELD  | COLUMN  |   POSTGRESQL    |         MYSQL         |     SQLITE3       
----------+---------+-----------------+-----------------------+-------------------
-  ID     | id      | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER           
-  UserID | user_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL  
-  RepoID | repo_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL  
-  Mode   | mode    | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL  
-
-Primary keys: id
-Indexes: 
-	"access_user_repo_unique" UNIQUE (user_id, repo_id)
-```
-
-# Table "access_token"
-
-```
-     FIELD    |    COLUMN    |         POSTGRESQL          |            MYSQL            |           SQLITE3            
---------------+--------------+-----------------------------+-----------------------------+------------------------------
-  ID          | id           | BIGSERIAL                   | BIGINT AUTO_INCREMENT       | INTEGER                      
-  UserID      | uid          | BIGINT                      | BIGINT                      | INTEGER                      
-  Name        | name         | TEXT                        | LONGTEXT                    | TEXT                         
-  Sha1        | sha1         | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE           
-  SHA256      | sha256       | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE  
-  CreatedUnix | created_unix | BIGINT                      | BIGINT                      | INTEGER                      
-  UpdatedUnix | updated_unix | BIGINT                      | BIGINT                      | INTEGER                      
-
-Primary keys: id
-Indexes: 
-	"idx_access_token_user_id" (uid)
-```
-
-# Table "action"
-
-```
-     FIELD     |     COLUMN     |           POSTGRESQL           |             MYSQL              |            SQLITE3              
----------------+----------------+--------------------------------+--------------------------------+---------------------------------
-  ID           | id             | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER                         
-  UserID       | user_id        | BIGINT                         | BIGINT                         | INTEGER                         
-  OpType       | op_type        | BIGINT                         | BIGINT                         | INTEGER                         
-  ActUserID    | act_user_id    | BIGINT                         | BIGINT                         | INTEGER                         
-  ActUserName  | act_user_name  | TEXT                           | LONGTEXT                       | TEXT                            
-  RepoID       | repo_id        | BIGINT                         | BIGINT                         | INTEGER                         
-  RepoUserName | repo_user_name | TEXT                           | LONGTEXT                       | TEXT                            
-  RepoName     | repo_name      | TEXT                           | LONGTEXT                       | TEXT                            
-  RefName      | ref_name       | TEXT                           | LONGTEXT                       | TEXT                            
-  IsPrivate    | is_private     | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE  
-  Content      | content        | TEXT                           | LONGTEXT                       | TEXT                            
-  CreatedUnix  | created_unix   | BIGINT                         | BIGINT                         | INTEGER                         
-
-Primary keys: id
-Indexes: 
-	"idx_action_repo_id" (repo_id)
-	"idx_action_user_id" (user_id)
-```
-
-# Table "email_address"
-
-```
-     FIELD    |    COLUMN    |           POSTGRESQL           |             MYSQL              |            SQLITE3              
---------------+--------------+--------------------------------+--------------------------------+---------------------------------
-  ID          | id           | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER                         
-  UserID      | uid          | BIGINT NOT NULL                | BIGINT NOT NULL                | INTEGER NOT NULL                
-  Email       | email        | VARCHAR(254) NOT NULL          | VARCHAR(254) NOT NULL          | TEXT NOT NULL                   
-  IsActivated | is_activated | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE  
-
-Primary keys: id
-Indexes: 
-	"email_address_user_email_unique" UNIQUE (uid, email)
-	"idx_email_address_user_id" (uid)
-```
-
-# Table "follow"
-
-```
-   FIELD   |  COLUMN   |   POSTGRESQL    |         MYSQL         |     SQLITE3       
------------+-----------+-----------------+-----------------------+-------------------
-  ID       | id        | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER           
-  UserID   | user_id   | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL  
-  FollowID | follow_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL  
-
-Primary keys: id
-Indexes: 
-	"follow_user_follow_unique" UNIQUE (user_id, follow_id)
-```
-
-# Table "lfs_object"
-
-```
-    FIELD   |   COLUMN   |      POSTGRESQL      |        MYSQL         |      SQLITE3       
-------------+------------+----------------------+----------------------+--------------------
-  RepoID    | repo_id    | BIGINT               | BIGINT               | INTEGER            
-  OID       | oid        | TEXT                 | VARCHAR(191)         | TEXT               
-  Size      | size       | BIGINT NOT NULL      | BIGINT NOT NULL      | INTEGER NOT NULL   
-  Storage   | storage    | TEXT NOT NULL        | LONGTEXT NOT NULL    | TEXT NOT NULL      
-  CreatedAt | created_at | TIMESTAMPTZ NOT NULL | DATETIME(3) NOT NULL | DATETIME NOT NULL  
-
-Primary keys: repo_id, oid
-```
-
-# Table "login_source"
-
-```
-     FIELD    |    COLUMN    |    POSTGRESQL    |         MYSQL         |     SQLITE3       
---------------+--------------+------------------+-----------------------+-------------------
-  ID          | id           | BIGSERIAL        | BIGINT AUTO_INCREMENT | INTEGER           
-  Type        | type         | BIGINT           | BIGINT                | INTEGER           
-  Name        | name         | TEXT UNIQUE      | VARCHAR(191) UNIQUE   | TEXT UNIQUE       
-  IsActived   | is_actived   | BOOLEAN NOT NULL | BOOLEAN NOT NULL      | NUMERIC NOT NULL  
-  IsDefault   | is_default   | BOOLEAN          | BOOLEAN               | NUMERIC           
-  Config      | cfg          | TEXT             | TEXT                  | TEXT              
-  CreatedUnix | created_unix | BIGINT           | BIGINT                | INTEGER           
-  UpdatedUnix | updated_unix | BIGINT           | BIGINT                | INTEGER           
-
-Primary keys: id
-```
-
-# Table "notice"
-
-```
-     FIELD    |    COLUMN    | POSTGRESQL |         MYSQL         | SQLITE3  
---------------+--------------+------------+-----------------------+----------
-  ID          | id           | BIGSERIAL  | BIGINT AUTO_INCREMENT | INTEGER  
-  Type        | type         | BIGINT     | BIGINT                | INTEGER  
-  Description | description  | TEXT       | TEXT                  | TEXT     
-  CreatedUnix | created_unix | BIGINT     | BIGINT                | INTEGER  
-
-Primary keys: id
-```
-

go.mod

@@ -6,8 +6,11 @@ require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/cockroachdb/errors v1.12.0
 	github.com/derision-test/go-mockgen/v2 v2.1.1
-	github.com/editorconfig/editorconfig-core-go/v2 v2.6.3
-	github.com/go-ldap/ldap/v3 v3.4.11
+	github.com/editorconfig/editorconfig-core-go/v2 v2.6.4
+	github.com/fergusstrange/embedded-postgres v1.33.0
+	github.com/glebarez/go-sqlite v1.21.2
+	github.com/glebarez/sqlite v1.11.0
+	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-macaron/binding v1.2.0
 	github.com/go-macaron/cache v0.0.0-20190810181446-10f7c57e2196
 	github.com/go-macaron/captcha v0.2.0
@@ -18,19 +21,19 @@ require (
 	github.com/go-macaron/toolbox v0.0.0-20190813233741-94defb8383c6
 	github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561
 	github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
-	github.com/gogs/git-module v1.8.4
+	github.com/gogs/git-module v1.8.6
 	github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4
 	github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0
 	github.com/gogs/minwinsvc v0.0.0-20170301035411-95be6356811a
 	github.com/google/go-github v17.0.0+incompatible
+	github.com/inbucket/html2text v1.0.0
 	github.com/issue9/identicon v1.2.1
-	github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43
 	github.com/json-iterator/go v1.1.12
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/msteinert/pam v1.2.0
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
 	github.com/niklasfasching/go-org v1.9.1
-	github.com/olekukonko/tablewriter v0.0.5
+	github.com/olekukonko/tablewriter v1.1.3
 	github.com/pquerna/otp v1.5.0
 	github.com/prometheus/client_golang v1.23.0
 	github.com/russross/blackfriday v1.6.0
@@ -43,19 +46,17 @@ require (
 	github.com/unknwon/i18n v0.0.0-20190805065654-5c6446a380b6
 	github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e
 	github.com/urfave/cli v1.22.17
-	golang.org/x/crypto v0.45.0
-	golang.org/x/net v0.47.0
-	golang.org/x/text v0.31.0
+	golang.org/x/crypto v0.47.0
+	golang.org/x/net v0.48.0
+	golang.org/x/text v0.33.0
 	gopkg.in/DATA-DOG/go-sqlmock.v2 v2.0.0-20180914054222-c19298f520d0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
-	gopkg.in/macaron.v1 v1.5.0
+	gopkg.in/macaron.v1 v1.5.1
 	gorm.io/driver/mysql v1.5.2
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/driver/sqlite v1.4.2
 	gorm.io/driver/sqlserver v1.4.1
 	gorm.io/gorm v1.25.12
-	modernc.org/sqlite v1.38.2
 	unknwon.dev/clog/v2 v2.2.0
 	xorm.io/builder v0.3.6
 	xorm.io/core v0.7.2
@@ -70,6 +71,9 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clipperhouse/displaywidth v0.6.2 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect
 	github.com/cockroachdb/redact v1.1.5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -79,7 +83,7 @@ require (
 	github.com/djherbis/buffer v1.2.0 // indirect
 	github.com/djherbis/nio/v3 v3.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/getsentry/sentry-go v0.27.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -104,10 +108,10 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.10.2 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 // indirect
 	github.com/microsoft/go-mssqldb v0.17.0 // indirect
@@ -115,24 +119,27 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.65.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	go.bobheadxi.dev/streamline v1.2.1 // indirect
 	go.opentelemetry.io/otel v1.11.0 // indirect
 	go.opentelemetry.io/otel/trace v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/bufio.v1 v1.0.0-20140618132640-567b2bfa514e // indirect
@@ -141,7 +148,8 @@ require (
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.39.0 // indirect
 )
 
 // +heroku goVersion go1.25
-// +heroku install ./
+// +heroku install ./cmd/gogs

go.sum

@@ -22,8 +22,8 @@ github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWX
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
@@ -41,6 +41,12 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/clipperhouse/displaywidth v0.6.2 h1:ZDpTkFfpHOKte4RG5O/BOyf3ysnvFswpyYrV7z2uAKo=
+github.com/clipperhouse/displaywidth v0.6.2/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
+github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
 github.com/cockroachdb/errors v1.12.0 h1:d7oCs6vuIMUQRVbi6jWWWEJZahLCfJpnJSVobd1/sUo=
 github.com/cockroachdb/errors v1.12.0/go.mod h1:SvzfYNNBshAVbZ8wzNc/UPK3w1vf0dKDUP41ucAIf7g=
 github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b h1:r6VH0faHjZeQy818SGhaone5OnYfxFR/+AzdY3sf5aE=
@@ -79,12 +85,14 @@ github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+m
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
-github.com/editorconfig/editorconfig-core-go/v2 v2.6.3 h1:XVUp6qW3BIkmM3/1EkrHpa6bL56APOynfXcZEmIgOhs=
-github.com/editorconfig/editorconfig-core-go/v2 v2.6.3/go.mod h1:ThHVc+hqbUsmE1wmK/MASpQEhCleWu1JDJDNhUOMy0c=
+github.com/editorconfig/editorconfig-core-go/v2 v2.6.4 h1:CHwUbBVVyKWRX9kt5A/OtwhYUJB32DrFp9xzmjR6cac=
+github.com/editorconfig/editorconfig-core-go/v2 v2.6.4/go.mod h1:JWRVKHdVW+dkv6F8p+xGCa6a+TyMrqsFbFkSs/aQkrQ=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fergusstrange/embedded-postgres v1.33.0 h1:ka8vmRpm4IDsES7NPXQ/NThAp1fc/f+crcXYjCW7wK0=
+github.com/fergusstrange/embedded-postgres v1.33.0/go.mod h1:w0YvnCgf19o6tskInrOOACtnqfVlOvluz3hlNLY7tRk=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -92,13 +100,17 @@ github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/getsentry/sentry-go v0.27.0 h1:Pv98CIbtB3LkMWmXi4Joa5OOcwbmnX88sF5qbK3r3Ps=
 github.com/getsentry/sentry-go v0.27.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
+github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo=
+github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
+github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
+github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
@@ -142,8 +154,8 @@ github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561 h1:aBzukfDxQlCTVS0NBU
 github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14 h1:yXtpJr/LV6PFu4nTLgfjQdcMdzjbqqXMEnHfq0Or6p8=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3G5amEoiNbhVrmM+ZQEcnQvNQ2KaZk=
-github.com/gogs/git-module v1.8.4 h1:oSt8sOL4NWOGrSo/CwbS+C4YXtk76QvxyPofem/ViTU=
-github.com/gogs/git-module v1.8.4/go.mod h1:bQY0aoMK5Q5+NKgy4jXe3K1GFW+GnsSk0SJK0jh6yD0=
+github.com/gogs/git-module v1.8.6 h1:4Io9vWZYQyIjdIPxfKgeYZXnDKNgydc6OZTxII5xCH4=
+github.com/gogs/git-module v1.8.6/go.mod h1:IiMSJqi8XH62Kjqjt5Rw8IawSo+DHfM2dDjkSzWLjhs=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4 h1:C7NryI/RQhsIWwC2bHN601P1wJKeuQ6U/UCOYTn3Cic=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0 h1:K02vod+sn3M1OOkdqi2tPxN2+xESK4qyITVQ3JkGEv4=
@@ -201,8 +213,9 @@ github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c h1:7lF+Vz0LqiRidnzC1Oq86fpX1q/iEv2KJdrCtttYjT4=
 github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g=
+github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
@@ -218,6 +231,8 @@ github.com/hexops/valast v1.4.3 h1:oBoGERMJh6UZdRc6cduE1CTPK+VAdXA59Y1HFgu3sm0=
 github.com/hexops/valast v1.4.3/go.mod h1:Iqx2kLj3Jn47wuXpj3wX40xn6F93QNFBHuiKBerkTGA=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/inbucket/html2text v1.0.0 h1:N5kza++4uBBDJ2Z3KUnTRyPNoBcW+YfOgNiNmNB+sgs=
+github.com/inbucket/html2text v1.0.0/go.mod h1:5TrhXQKGU+LXurODaSm55Y9eXoPBRnYiOz4x2XfUoJU=
 github.com/issue9/assert/v2 v2.0.0 h1:vN7fr70g5ND6zM39tPZk/E4WCyjGMqApmFbujSTmEo0=
 github.com/issue9/assert/v2 v2.0.0/go.mod h1:rKr1eVGzXUhAo2af1thiKAhIA8uiSK9Wyn7mcZ4BzAg=
 github.com/issue9/identicon v1.2.1 h1:9RUq3DcmDJvfXAYZWJDaq/Bi45oS/Fr79W0CazbXNaY=
@@ -234,8 +249,6 @@ github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
 github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43 h1:jTkyeF7NZ5oIr0ESmcrpiDgAfoidCBF4F5kJhjtaRwE=
-github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -277,31 +290,24 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de/go.mod h1:3q8WtuPQsoRbatJuy3nvq/hRSvuBJrHHr+ybPPiNvHQ=
 github.com/lunny/nodb v0.0.0-20160621015157-fc1ef06ad4af/go.mod h1:Cqz6pqow14VObJ7peltM+2n3PWOz7yTrfUuGbVFkzN0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
-github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
 github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mcuadros/go-version v0.0.0-20190308113854-92cdf37c5b75/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 h1:YocNLcTBdEdvY3iDK6jfWXvEaM5OCKkjxPKoJRdB3Gg=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
@@ -331,8 +337,14 @@ github.com/niklasfasching/go-org v1.9.1/go.mod h1:ZAGFFkWvUQcpazmi/8nHqwvARpr1xp
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
+github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
+github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0 h1:jrYnow5+hy3WRDCBypUFvVKNSPPCdqgSXIE9eJDD8LM=
+github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0/go.mod h1:b52bVQRRPObe+yyBl0TxNfhesL0nedD4Cht0/zx55Ew=
+github.com/olekukonko/tablewriter v1.1.3 h1:VSHhghXxrP0JHl+0NnKid7WoEmd9/urKRJLysb70nnA=
+github.com/olekukonko/tablewriter v1.1.3/go.mod h1:9VU0knjhmMkXjnMKrZ3+L2JhhtsQ/L38BbL3CRNE8tM=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -385,8 +397,6 @@ github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlT
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
@@ -405,14 +415,16 @@ github.com/siddontang/go-snappy v0.0.0-20140704025258-d8f7bb82a96d/go.mod h1:vq0
 github.com/siddontang/ledisdb v0.0.0-20190202134119-8ceb77e66a92/go.mod h1:mF1DpOSOUiJRMR+FDqaqu3EBqrybQtrDDszLUZ6oxPg=
 github.com/siddontang/rdb v0.0.0-20150307021120-fc89ed2e418d/go.mod h1:AMEsy7v5z92TR1JKMkLLoaOQk++LVnOKL3ScbJ8GNGA=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/smarty/assertions v1.15.0 h1:cR//PqUBUiQRakZWqBiFFQ9wb8emQGDb0HeGdqGByCY=
+github.com/smarty/assertions v1.15.0/go.mod h1:yABtdzeQs6l1brC900WlRNwj6ZR55d7B+E8C6HtKdec=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/assertions v1.0.1 h1:voD4ITNjPL5jjBfgR/r8fPIIBrliWrWHeiJApdr3r4w=
 github.com/smartystreets/assertions v1.0.1/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c/go.mod h1:XDJAKZRPZ1CvBcN2aX5YOUTYGHki24fSF0Iv48Ibg0s=
 github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY=
+github.com/smartystreets/goconvey v1.8.1/go.mod h1:+/u4qLyY6x1jReYOp7GOM2FSt8aP9CzCZL03bI28W60=
 github.com/sourcegraph/run v0.12.0 h1:3A8w5e8HIYPfafHekvmdmmh42RHKGVhmiTZAPJclg7I=
 github.com/sourcegraph/run v0.12.0/go.mod h1:PwaP936BTnAJC1cqR5rSbG5kOs/EWStTK3lqvMX5GUA=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
@@ -446,6 +458,8 @@ github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e h1:Qf3QQl/zmEbWD
 github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e/go.mod h1:TBwoao3Q4Eb/cp+dHbXDfRTrZSsj/k7kLr2j1oWRWC0=
 github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
 github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
@@ -472,8 +486,8 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20221005025214-4161e89ecf1b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
@@ -482,8 +496,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -504,8 +518,8 @@ golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT
 golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -515,9 +529,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -534,8 +547,6 @@ golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -544,26 +555,24 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -577,8 +586,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -626,8 +635,8 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/macaron.v1 v1.3.4/go.mod h1:/RoHTdC8ALpyJ3+QR36mKjwnT1F1dyYtsGM9Ate6ZFI=
 gopkg.in/macaron.v1 v1.3.5/go.mod h1:uMZCFccv9yr5TipIalVOyAyZQuOH3OkmXvgcWwhJuP4=
 gopkg.in/macaron.v1 v1.4.0/go.mod h1:uMZCFccv9yr5TipIalVOyAyZQuOH3OkmXvgcWwhJuP4=
-gopkg.in/macaron.v1 v1.5.0 h1:/dXJaeQagWLjVjCrKH8dgSSU7yG4qTv6rBKpqhYaCyc=
-gopkg.in/macaron.v1 v1.5.0/go.mod h1:sAYUd2r8Q+jLnCN4/ZmdAYHzQn67agV5sAqKFQgrRrw=
+gopkg.in/macaron.v1 v1.5.1 h1:0ytdXYcf6//a8bzedl1fVXzPeIXblEqoNPntWAo9YLU=
+gopkg.in/macaron.v1 v1.5.1/go.mod h1:AiquOw8YeZJC8sUe11vIO6NeA1/TKSlzQXuJ7Tc4cCQ=
 gopkg.in/redis.v2 v2.3.2 h1:GPVIIB/JnL1wvfULefy3qXmPu1nfNu2d0yA09FHgwfs=
 gopkg.in/redis.v2 v2.3.2/go.mod h1:4wl9PJ/CqzeHk3LVq1hNLHH8krm3+AXEgut4jVc++LU=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
@@ -648,8 +657,6 @@ gorm.io/driver/mysql v1.5.2 h1:QC2HRskSE75wBuOxe0+iCkyJZ+RqpudsQtqkp+IMuXs=
 gorm.io/driver/mysql v1.5.2/go.mod h1:pQLhh1Ut/WUAySdTHwBpBv6+JKcj+ua4ZFx1QQTBzb8=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/driver/sqlite v1.4.2 h1:F6vYJcmR4Cnh0ErLyoY8JSfabBGyR0epIGuhgHJuNws=
-gorm.io/driver/sqlite v1.4.2/go.mod h1:0Aq3iPO+v9ZKbcdiz8gLWRw5VOPcBOPUQJFLq5e2ecI=
 gorm.io/driver/sqlserver v1.4.1 h1:t4r4r6Jam5E6ejqP7N82qAJIJAht27EGT41HyPfXRw0=
 gorm.io/driver/sqlserver v1.4.1/go.mod h1:DJ4P+MeZbc5rvY58PnmN1Lnyvb5gw5NPzGshHDnJLig=
 gorm.io/gorm v1.24.0/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
@@ -679,8 +686,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek=
-modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
+modernc.org/sqlite v1.39.0 h1:6bwu9Ooim0yVYA7IZn9demiQk/Ejp0BtTjBWFLymSeY=
+modernc.org/sqlite v1.39.0/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/conf/conf.go

@@ -70,7 +70,7 @@ func Init(customConf string) error {
 		if err = File.Append(customConf); err != nil {
 			return errors.Wrapf(err, "append %q", customConf)
 		}
-	} else {
+	} else if !HookMode {
 		log.Warn("Custom config %q not found. Ignore this warning if you're running for the first time", customConf)
 	}
 
@@ -142,9 +142,11 @@ func Init(customConf string) error {
 			}
 
 			if IsWindowsRuntime() || semverutil.Compare(sshVersion, "<", "5.1") {
-				log.Warn(`SSH minimum key size check is forced to be disabled because server is not eligible:
+				if !HookMode {
+					log.Warn(`SSH minimum key size check is forced to be disabled because server is not eligible:
 	1. Windows server
 	2. OpenSSH version is lower than 5.1`)
+				}
 			} else {
 				SSH.MinimumKeySizes = map[string]int{}
 				for _, key := range File.Section("ssh.minimum_key_sizes").Keys() {
@@ -346,6 +348,11 @@ func Init(customConf string) error {
 	LFS.ObjectsPath = ensureAbs(LFS.ObjectsPath)
 
 	handleDeprecated()
+	if !HookMode {
+		for _, warning := range checkInvalidOptions(File) {
+			log.Warn("%s", warning)
+		}
+	}
 
 	if err = File.Section("cache").MapTo(&Cache); err != nil {
 		return errors.Wrap(err, "mapping [cache] section")

internal/conf/static.go

@@ -1,11 +1,15 @@
 package conf
 
 import (
+	"fmt"
 	"net/url"
 	"os"
 	"time"
 
 	"github.com/gogs/go-libravatar"
+	"gopkg.in/ini.v1"
+
+	"gogs.io/gogs/conf"
 )
 
 // ℹ️ README: This file contains static values that should only be set at initialization time.
@@ -227,7 +231,7 @@ var (
 )
 
 type AppOpts struct {
-	// ⚠️ WARNING: Should only be set by the main package (i.e. "gogs.go").
+	// ⚠️ WARNING: Should only be set by the main package (i.e. "cmd/gogs/main.go").
 	Version string `ini:"-"`
 
 	BrandName string
@@ -430,10 +434,75 @@ func handleDeprecated() {
 	// }
 }
 
+// checkInvalidOptions checks invalid (renamed/deleted) configuration sections
+// and options and returns a list of warnings.
+func checkInvalidOptions(config *ini.File) (warnings []string) {
+	renamedSections := map[string]string{
+		"mailer":  "email",
+		"service": "auth",
+	}
+	for oldSection, newSection := range renamedSections {
+		if len(config.Section(oldSection).KeyStrings()) > 0 {
+			warnings = append(warnings, fmt.Sprintf("section [%s] is invalid, use [%s] instead", oldSection, newSection))
+		}
+	}
+
+	type optionPath struct {
+		section string
+		option  string
+	}
+	renamedOptionPaths := map[optionPath]optionPath{
+		// Example:
+		// {"security", "REVERSE_PROXY_AUTHENTICATION_USER"}: {"auth", "REVERSE_PROXY_AUTHENTICATION_HEADER"},
+	}
+	for oldPath, newPath := range renamedOptionPaths {
+		if config.Section(oldPath.section).HasKey(oldPath.option) {
+			warnings = append(
+				warnings,
+				fmt.Sprintf("option [%s] %s is invalid, use [%s] %s instead",
+					oldPath.section, oldPath.option,
+					newPath.section, newPath.option,
+				),
+			)
+		}
+	}
+
+	// Check options that don't exist anymore.
+	defaultConfigData, err := conf.Files.ReadFile("app.ini")
+	if err != nil {
+		// Warning is best-effort, OK to skip on error.
+		return warnings
+	}
+	defaultConfig, err := ini.LoadSources(
+		ini.LoadOptions{IgnoreInlineComment: true},
+		defaultConfigData,
+	)
+	if err != nil {
+		// Warning is best-effort, OK to skip on error.
+		return warnings
+	}
+	for _, section := range config.Sections() {
+		// Skip sections already warned about.
+		if _, ok := renamedSections[section.Name()]; ok {
+			continue
+		}
+		for _, option := range section.Keys() {
+			if _, ok := renamedOptionPaths[optionPath{section.Name(), option.Name()}]; ok {
+				continue
+			}
+			if !defaultConfig.Section(section.Name()).HasKey(option.Name()) {
+				warnings = append(warnings, fmt.Sprintf("option [%s] %s is invalid", section.Name(), option.Name()))
+			}
+		}
+	}
+
+	return warnings
+}
+
 // HookMode indicates whether program starts as Git server-side hook callback.
 // All operations should be done synchronously to prevent program exits before finishing.
 //
-// ⚠️ WARNING: Should only be set by "internal/cmd/serv.go".
+// ⚠️ WARNING: Should only be set by "cmd/gogs/serv.go".
 var HookMode bool
 
 // Indicates which database backend is currently being used.

internal/conf/static_test.go

@@ -1,9 +1,11 @@
 package conf
 
 import (
+	"sort"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"gopkg.in/ini.v1"
 )
 
 func Test_i18n_DateLang(t *testing.T) {
@@ -29,3 +31,48 @@ func Test_i18n_DateLang(t *testing.T) {
 		})
 	}
 }
+
+func TestCheckInvalidOptions(t *testing.T) {
+	cfg := ini.Empty()
+	_, _ = cfg.Section("mailer").NewKey("ENABLED", "true")
+	_, _ = cfg.Section("service").NewKey("START_TYPE", "true")
+	_, _ = cfg.Section("security").NewKey("REVERSE_PROXY_AUTHENTICATION_USER", "true")
+	_, _ = cfg.Section("auth").NewKey("ACTIVE_CODE_LIVE_MINUTES", "10")
+	_, _ = cfg.Section("auth").NewKey("RESET_PASSWD_CODE_LIVE_MINUTES", "10")
+	_, _ = cfg.Section("auth").NewKey("ENABLE_CAPTCHA", "true")
+	_, _ = cfg.Section("auth").NewKey("ENABLE_NOTIFY_MAIL", "true")
+	_, _ = cfg.Section("auth").NewKey("REGISTER_EMAIL_CONFIRM", "true")
+	_, _ = cfg.Section("session").NewKey("GC_INTERVAL_TIME", "10")
+	_, _ = cfg.Section("session").NewKey("SESSION_LIFE_TIME", "10")
+	_, _ = cfg.Section("server").NewKey("ROOT_URL", "true")
+	_, _ = cfg.Section("server").NewKey("LANDING_PAGE", "true")
+	_, _ = cfg.Section("database").NewKey("DB_TYPE", "true")
+	_, _ = cfg.Section("database").NewKey("PASSWD", "true")
+	_, _ = cfg.Section("other").NewKey("SHOW_FOOTER_BRANDING", "true")
+	_, _ = cfg.Section("other").NewKey("SHOW_FOOTER_TEMPLATE_LOAD_TIME", "true")
+	_, _ = cfg.Section("email").NewKey("ENABLED", "true")
+	_, _ = cfg.Section("server").NewKey("NONEXISTENT_OPTION", "true")
+
+	wantWarnings := []string{
+		"option [auth] ACTIVE_CODE_LIVE_MINUTES is invalid",
+		"option [auth] ENABLE_CAPTCHA is invalid",
+		"option [auth] ENABLE_NOTIFY_MAIL is invalid",
+		"option [auth] REGISTER_EMAIL_CONFIRM is invalid",
+		"option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is invalid",
+		"option [database] DB_TYPE is invalid",
+		"option [database] PASSWD is invalid",
+		"option [security] REVERSE_PROXY_AUTHENTICATION_USER is invalid",
+		"option [session] GC_INTERVAL_TIME is invalid",
+		"option [session] SESSION_LIFE_TIME is invalid",
+		"section [mailer] is invalid, use [email] instead",
+		"section [service] is invalid, use [auth] instead",
+		"option [server] ROOT_URL is invalid",
+		"option [server] LANDING_PAGE is invalid",
+		"option [server] NONEXISTENT_OPTION is invalid",
+	}
+
+	gotWarnings := checkInvalidOptions(cfg)
+	sort.Strings(wantWarnings)
+	sort.Strings(gotWarnings)
+	assert.Equal(t, wantWarnings, gotWarnings)
+}

internal/conf/testdata/custom.ini

@@ -28,9 +28,8 @@ PASSWORD = 87654321
 ACTIVATE_CODE_LIVES = 10
 RESET_PASSWORD_CODE_LIVES = 10
 REQUIRE_EMAIL_CONFIRMATION = true
-ENABLE_CAPTCHA = true
-ENABLE_NOTIFY_MAIL = true
-REVERSE_PROXY_AUTHENTICATION_HEADER=X-FORWARDED-FOR
+ENABLE_REGISTRATION_CAPTCHA = true
+REVERSE_PROXY_AUTHENTICATION_HEADER = X-FORWARDED-FOR
 
 [user]
 ENABLE_EMAIL_NOTIFICATION = true

internal/context/context.go

@@ -147,13 +147,13 @@ func (c *Context) RedirectSubpath(location string, status ...int) {
 }
 
 // RenderWithErr used for page has form validation but need to prompt error to users.
-func (c *Context) RenderWithErr(msg, tpl string, f any) {
+func (c *Context) RenderWithErr(msg string, status int, tpl string, f any) {
 	if f != nil {
 		form.Assign(f, c.Data)
 	}
 	c.Flash.ErrorMsg = msg
 	c.Data["Flash"] = c.Flash
-	c.HTML(http.StatusOK, tpl)
+	c.HTML(status, tpl)
 }
 
 // NotFound renders the 404 page.

internal/database/actions_test.go

@@ -142,6 +142,11 @@ func actionsCommitRepo(t *testing.T, ctx context.Context, s *ActionsStore) {
 	now := time.Unix(1588568886, 0).UTC()
 
 	conf.SetMockSSH(t, conf.SSHOpts{})
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
 
 	t.Run("new commit", func(t *testing.T) {
 		t.Cleanup(func() {
@@ -432,6 +437,12 @@ func actionsListByUser(t *testing.T, ctx context.Context, s *ActionsStore) {
 }
 
 func actionsMergePullRequest(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -477,6 +488,12 @@ func actionsMergePullRequest(t *testing.T, ctx context.Context, s *ActionsStore)
 }
 
 func actionsMirrorSyncCreate(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -518,6 +535,12 @@ func actionsMirrorSyncCreate(t *testing.T, ctx context.Context, s *ActionsStore)
 }
 
 func actionsMirrorSyncDelete(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -559,6 +582,12 @@ func actionsMirrorSyncDelete(t *testing.T, ctx context.Context, s *ActionsStore)
 }
 
 func actionsMirrorSyncPush(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -624,6 +653,12 @@ func actionsMirrorSyncPush(t *testing.T, ctx context.Context, s *ActionsStore) {
 }
 
 func actionsNewRepo(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -703,6 +738,11 @@ func actionsPushTag(t *testing.T, ctx context.Context, s *ActionsStore) {
 	// to the mock server because this function holds a lock.
 	conf.SetMockServer(t, conf.ServerOpts{})
 	conf.SetMockSSH(t, conf.SSHOpts{})
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
 
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
@@ -796,6 +836,12 @@ func actionsPushTag(t *testing.T, ctx context.Context, s *ActionsStore) {
 }
 
 func actionsRenameRepo(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo, err := newReposStore(s.db).Create(ctx,
@@ -833,6 +879,12 @@ func actionsRenameRepo(t *testing.T, ctx context.Context, s *ActionsStore) {
 }
 
 func actionsTransferRepo(t *testing.T, ctx context.Context, s *ActionsStore) {
+	conf.SetMockUI(t, conf.UIOpts{
+		User: conf.UIUserOpts{
+			NewsFeedPagingNum: 20,
+		},
+	})
+
 	alice, err := newUsersStore(s.db).Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	bob, err := newUsersStore(s.db).Create(ctx, "bob", "bob@example.com", CreateUserOptions{})

internal/database/main_test.go

@@ -8,7 +8,6 @@ import (
 
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	_ "modernc.org/sqlite"
 	log "unknwon.dev/clog/v2"
 
 	"gogs.io/gogs/internal/conf"

internal/database/migrations/main_test.go

@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	"gorm.io/gorm/logger"
-	_ "modernc.org/sqlite"
 	log "unknwon.dev/clog/v2"
 
 	"gogs.io/gogs/internal/testutil"

internal/database/models.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/errors"
+	"github.com/glebarez/go-sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 	log "unknwon.dev/clog/v2"
@@ -45,6 +46,9 @@ var (
 )
 
 func init() {
+	// Register the pure-Go SQLite driver as "sqlite3" for XORM compatibility.
+	sql.Register("sqlite3", &sqlite.Driver{})
+
 	legacyTables = append(legacyTables,
 		new(User), new(PublicKey), new(TwoFactor), new(TwoFactorRecoveryCode),
 		new(Repository), new(DeployKey), new(Collaboration), new(Upload),

internal/database/repo.go

@@ -2408,7 +2408,7 @@ func GetWatchers(repoID int64) ([]*Watch, error) {
 func (r *Repository) GetWatchers(page int) ([]*User, error) {
 	users := make([]*User, 0, ItemsPerPage)
 	sess := x.Limit(ItemsPerPage, (page-1)*ItemsPerPage).Where("watch.repo_id=?", r.ID)
-	if conf.UsePostgreSQL {
+	if conf.UsePostgreSQL || conf.UseMSSQL {
 		sess = sess.Join("LEFT", "watch", `"user".id=watch.user_id`)
 	} else {
 		sess = sess.Join("LEFT", "watch", "user.id=watch.user_id")
@@ -2508,7 +2508,7 @@ func IsStaring(userID, repoID int64) bool {
 func (r *Repository) GetStargazers(page int) ([]*User, error) {
 	users := make([]*User, 0, ItemsPerPage)
 	sess := x.Limit(ItemsPerPage, (page-1)*ItemsPerPage).Where("star.repo_id=?", r.ID)
-	if conf.UsePostgreSQL {
+	if conf.UsePostgreSQL || conf.UseMSSQL {
 		sess = sess.Join("LEFT", "star", `"user".id=star.uid`)
 	} else {
 		sess = sess.Join("LEFT", "star", "user.id=star.uid")

internal/database/repo_editor.go

@@ -23,7 +23,6 @@ import (
 	"gogs.io/gogs/internal/osutil"
 	"gogs.io/gogs/internal/pathutil"
 	"gogs.io/gogs/internal/process"
-	"gogs.io/gogs/internal/tool"
 )
 
 // BranchAlreadyExists represents an error when branch already exists.
@@ -415,8 +414,10 @@ func (upload *Upload) LocalPath() string {
 
 // NewUpload creates a new upload object.
 func NewUpload(name string, buf []byte, file multipart.File) (_ *Upload, err error) {
-	if tool.IsMaliciousPath(name) {
-		return nil, errors.Newf("malicious path detected: %s", name)
+	// 🚨 SECURITY: Prevent path traversal.
+	name = pathutil.Clean(name)
+	if name == "" {
+		return nil, errors.New("empty file name")
 	}
 
 	upload := &Upload{

internal/database/schemadoc/main.go

@@ -8,11 +8,13 @@ import (
 	"strings"
 
 	"github.com/cockroachdb/errors"
+	"github.com/glebarez/sqlite"
 	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/renderer"
+	"github.com/olekukonko/tablewriter/tw"
 	"gopkg.in/DATA-DOG/go-sqlmock.v2"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
-	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 	"gorm.io/gorm/schema"
@@ -61,18 +63,25 @@ func main() {
 
 		_, _ = w.WriteString("```\n")
 
-		table := tablewriter.NewWriter(w)
-		table.SetHeader([]string{"Field", "Column", "PostgreSQL", "MySQL", "SQLite3"})
-		table.SetBorder(false)
+		table := tablewriter.NewTable(w,
+			tablewriter.WithRenderer(renderer.NewBlueprint(tw.Rendition{
+				Borders: tw.BorderNone,
+				Symbols: tw.NewSymbols(tw.StyleASCII),
+			})),
+			tablewriter.WithHeaderAutoFormat(tw.Off),
+		)
+		table.Header("Field", "Column", "PostgreSQL", "MySQL", "SQLite3")
 		for j, f := range ti.Fields {
-			table.Append([]string{
+			sqlite3Type := strings.ToUpper(collected[2][i].Fields[j].Type)
+			sqlite3Type = strings.ReplaceAll(sqlite3Type, "PRIMARY KEY ", "")
+			_ = table.Append([]string{
 				f.Name, f.Column,
 				strings.ToUpper(f.Type),                         // PostgreSQL
 				strings.ToUpper(collected[1][i].Fields[j].Type), // MySQL
-				strings.ToUpper(collected[2][i].Fields[j].Type), // SQLite3
+				sqlite3Type,
 			})
 		}
-		table.Render()
+		_ = table.Render()
 		_, _ = w.WriteString("\n")
 
 		_, _ = w.WriteString("Primary keys: ")

internal/database/ssh_key.go

@@ -175,8 +175,8 @@ func parseKeyString(content string) (string, error) {
 
 // writeTmpKeyFile writes key content to a temporary file
 // and returns the name of that file, along with any possible errors.
-func writeTmpKeyFile(content string) (string, error) {
-	tmpFile, err := os.CreateTemp(conf.SSH.KeyTestPath, "gogs_keytest")
+func writeTmpKeyFile(content, keyTestPath string) (string, error) {
+	tmpFile, err := os.CreateTemp(keyTestPath, "gogs_keytest")
 	if err != nil {
 		return "", errors.Newf("TempFile: %v", err)
 	}
@@ -188,15 +188,15 @@ func writeTmpKeyFile(content string) (string, error) {
 	return tmpFile.Name(), nil
 }
 
-// SSHKeyGenParsePublicKey extracts key type and length using ssh-keygen.
-func SSHKeyGenParsePublicKey(key string) (string, int, error) {
-	tmpName, err := writeTmpKeyFile(key)
+// SSHKeygenParsePublicKey extracts key type and length using ssh-keygen.
+func SSHKeygenParsePublicKey(key, keyTestPath, keygenPath string) (string, int, error) {
+	tmpName, err := writeTmpKeyFile(key, keyTestPath)
 	if err != nil {
 		return "", 0, errors.Newf("writeTmpKeyFile: %v", err)
 	}
 	defer os.Remove(tmpName)
 
-	stdout, stderr, err := process.Exec("SSHKeyGenParsePublicKey", conf.SSH.KeygenPath, "-lf", tmpName)
+	stdout, stderr, err := process.Exec("SSHKeygenParsePublicKey", keygenPath, "-lf", tmpName)
 	if err != nil {
 		return "", 0, errors.Newf("fail to parse public key: %s - %s", err, stderr)
 	}
@@ -301,8 +301,8 @@ func CheckPublicKeyString(content string) (_ string, err error) {
 		fnName = "SSHNativeParsePublicKey"
 		keyType, length, err = SSHNativeParsePublicKey(content)
 	} else {
-		fnName = "SSHKeyGenParsePublicKey"
-		keyType, length, err = SSHKeyGenParsePublicKey(content)
+		fnName = "SSHKeygenParsePublicKey"
+		keyType, length, err = SSHKeygenParsePublicKey(content, conf.SSH.KeyTestPath, conf.SSH.KeygenPath)
 	}
 	if err != nil {
 		return "", errors.Newf("%s: %v", fnName, err)

internal/database/ssh_key_test.go

@@ -4,13 +4,11 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-
-	"gogs.io/gogs/internal/conf"
+	"github.com/stretchr/testify/require"
 )
 
-func Test_SSHParsePublicKey(t *testing.T) {
-	// TODO: Refactor SSHKeyGenParsePublicKey to accept a tempPath and remove this init.
-	conf.MustInit("")
+func TestSSHParsePublicKey(t *testing.T) {
+	tempPath := t.TempDir()
 	tests := []struct {
 		name      string
 		content   string
@@ -53,20 +51,22 @@ func Test_SSHParsePublicKey(t *testing.T) {
 			expType:   "ecdsa",
 			expLength: 521,
 		},
+		{
+			name:      "ed25519-256",
+			content:   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGYutovQfTewtcodVN1E1UUzMk4GQfiRI5ZoP/kTlDb nocomment",
+			expType:   "ed25519",
+			expLength: 256,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			typ, length, err := SSHNativeParsePublicKey(test.content)
-			if err != nil {
-				t.Fatal(err)
-			}
+			require.NoError(t, err)
 			assert.Equal(t, test.expType, typ)
 			assert.Equal(t, test.expLength, length)
 
-			typ, length, err = SSHKeyGenParsePublicKey(test.content)
-			if err != nil {
-				t.Fatal(err)
-			}
+			typ, length, err = SSHKeygenParsePublicKey(test.content, tempPath, "ssh-keygen")
+			require.NoError(t, err)
 			assert.Equal(t, test.expType, typ)
 			assert.Equal(t, test.expLength, length)
 		})

internal/database/users_test.go

@@ -465,7 +465,7 @@ func usersDeleteByID(t *testing.T, ctx context.Context, s *UsersStore) {
 	reposStore := newReposStore(s.db)
 
 	t.Run("user still has repository ownership", func(t *testing.T) {
-		alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+		alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 		require.NoError(t, err)
 
 		_, err = reposStore.Create(ctx, alice.ID, CreateRepoOptions{Name: "repo1"})
@@ -477,7 +477,7 @@ func usersDeleteByID(t *testing.T, ctx context.Context, s *UsersStore) {
 	})
 
 	t.Run("user still has organization membership", func(t *testing.T) {
-		bob, err := s.Create(ctx, "bob", "bob@exmaple.com", CreateUserOptions{})
+		bob, err := s.Create(ctx, "bob", "bob@example.com", CreateUserOptions{})
 		require.NoError(t, err)
 
 		// TODO: Use Orgs.Create to replace SQL hack when the method is available.
@@ -498,14 +498,14 @@ func usersDeleteByID(t *testing.T, ctx context.Context, s *UsersStore) {
 		assert.Equal(t, wantErr, err)
 	})
 
-	cindy, err := s.Create(ctx, "cindy", "cindy@exmaple.com", CreateUserOptions{})
+	cindy, err := s.Create(ctx, "cindy", "cindy@example.com", CreateUserOptions{})
 	require.NoError(t, err)
-	frank, err := s.Create(ctx, "frank", "frank@exmaple.com", CreateUserOptions{})
+	frank, err := s.Create(ctx, "frank", "frank@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	repo2, err := reposStore.Create(ctx, cindy.ID, CreateRepoOptions{Name: "repo2"})
 	require.NoError(t, err)
 
-	testUser, err := s.Create(ctx, "testUser", "testUser@exmaple.com", CreateUserOptions{})
+	testUser, err := s.Create(ctx, "testUser", "testUser@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 
 	// Mock watches, stars and follows
@@ -673,14 +673,14 @@ func usersDeleteByID(t *testing.T, ctx context.Context, s *UsersStore) {
 
 func usersDeleteInactivated(t *testing.T, ctx context.Context, s *UsersStore) {
 	// User with repository ownership should be skipped
-	alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+	alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	reposStore := newReposStore(s.db)
 	_, err = reposStore.Create(ctx, alice.ID, CreateRepoOptions{Name: "repo1"})
 	require.NoError(t, err)
 
 	// User with organization membership should be skipped
-	bob, err := s.Create(ctx, "bob", "bob@exmaple.com", CreateUserOptions{})
+	bob, err := s.Create(ctx, "bob", "bob@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 	// TODO: Use Orgs.Create to replace SQL hack when the method is available.
 	org1, err := s.Create(ctx, "org1", "org1@example.com", CreateUserOptions{})
@@ -695,11 +695,11 @@ func usersDeleteInactivated(t *testing.T, ctx context.Context, s *UsersStore) {
 	require.NoError(t, err)
 
 	// User activated state should be skipped
-	_, err = s.Create(ctx, "cindy", "cindy@exmaple.com", CreateUserOptions{Activated: true})
+	_, err = s.Create(ctx, "cindy", "cindy@example.com", CreateUserOptions{Activated: true})
 	require.NoError(t, err)
 
 	// User meant to be deleted
-	david, err := s.Create(ctx, "david", "david@exmaple.com", CreateUserOptions{})
+	david, err := s.Create(ctx, "david", "david@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 
 	tempSSHRootPath := filepath.Join(os.TempDir(), "usersDeleteInactivated-tempSSHRootPath")
@@ -726,7 +726,7 @@ func usersGetByEmail(t *testing.T, ctx context.Context, s *UsersStore) {
 
 	t.Run("ignore organization", func(t *testing.T) {
 		// TODO: Use Orgs.Create to replace SQL hack when the method is available.
-		org, err := s.Create(ctx, "gogs", "gogs@exmaple.com", CreateUserOptions{})
+		org, err := s.Create(ctx, "gogs", "gogs@example.com", CreateUserOptions{})
 		require.NoError(t, err)
 
 		err = s.db.Model(&User{}).Where("id", org.ID).UpdateColumn("type", UserTypeOrganization).Error
@@ -738,7 +738,7 @@ func usersGetByEmail(t *testing.T, ctx context.Context, s *UsersStore) {
 	})
 
 	t.Run("by primary email", func(t *testing.T) {
-		alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+		alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 		require.NoError(t, err)
 
 		_, err = s.GetByEmail(ctx, alice.Email)
@@ -760,7 +760,7 @@ func usersGetByEmail(t *testing.T, ctx context.Context, s *UsersStore) {
 		require.NoError(t, err)
 
 		// TODO: Use UserEmails.Create to replace SQL hack when the method is available.
-		email2 := "bob2@exmaple.com"
+		email2 := "bob2@example.com"
 		err = s.db.Exec(`INSERT INTO email_address (uid, email) VALUES (?, ?)`, bob.ID, email2).Error
 		require.NoError(t, err)
 
@@ -779,7 +779,7 @@ func usersGetByEmail(t *testing.T, ctx context.Context, s *UsersStore) {
 }
 
 func usersGetByID(t *testing.T, ctx context.Context, s *UsersStore) {
-	alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+	alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 
 	user, err := s.GetByID(ctx, alice.ID)
@@ -792,7 +792,7 @@ func usersGetByID(t *testing.T, ctx context.Context, s *UsersStore) {
 }
 
 func usersGetByUsername(t *testing.T, ctx context.Context, s *UsersStore) {
-	alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+	alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 
 	user, err := s.GetByUsername(ctx, alice.Name)
@@ -805,7 +805,7 @@ func usersGetByUsername(t *testing.T, ctx context.Context, s *UsersStore) {
 }
 
 func usersGetByKeyID(t *testing.T, ctx context.Context, s *UsersStore) {
-	alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+	alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
 
 	// TODO: Use PublicKeys.Create to replace SQL hack when the method is available.
@@ -830,11 +830,11 @@ func usersGetByKeyID(t *testing.T, ctx context.Context, s *UsersStore) {
 }
 
 func usersGetMailableEmailsByUsernames(t *testing.T, ctx context.Context, s *UsersStore) {
-	alice, err := s.Create(ctx, "alice", "alice@exmaple.com", CreateUserOptions{})
+	alice, err := s.Create(ctx, "alice", "alice@example.com", CreateUserOptions{})
 	require.NoError(t, err)
-	bob, err := s.Create(ctx, "bob", "bob@exmaple.com", CreateUserOptions{Activated: true})
+	bob, err := s.Create(ctx, "bob", "bob@example.com", CreateUserOptions{Activated: true})
 	require.NoError(t, err)
-	_, err = s.Create(ctx, "cindy", "cindy@exmaple.com", CreateUserOptions{Activated: true})
+	_, err = s.Create(ctx, "cindy", "cindy@example.com", CreateUserOptions{Activated: true})
 	require.NoError(t, err)
 
 	got, err := s.GetMailableEmailsByUsernames(ctx, []string{alice.Name, bob.Name, "ignore-non-exist"})

internal/dbtest/dbtest.go

@@ -96,19 +96,6 @@ func NewDB(t *testing.T, suite string, tables ...any) *gorm.DB {
 			_, _ = sqlDB.Exec(fmt.Sprintf(`DROP DATABASE %q`, dbName))
 			_ = sqlDB.Close()
 		}
-	case "sqlite":
-		dbName = filepath.Join(os.TempDir(), fmt.Sprintf("gogs-%s-%d.db", suite, time.Now().Unix()))
-		dbOpts = conf.DatabaseOpts{
-			Type: "sqlite",
-			Path: dbName,
-		}
-		cleanup = func(db *gorm.DB) {
-			sqlDB, err := db.DB()
-			if err == nil {
-				_ = sqlDB.Close()
-			}
-			_ = os.Remove(dbName)
-		}
 	default:
 		dbName = filepath.Join(os.TempDir(), fmt.Sprintf("gogs-%s-%d.db", suite, time.Now().Unix()))
 		dbOpts = conf.DatabaseOpts{

internal/dbutil/dsn.go

@@ -5,9 +5,9 @@ import (
 	"strings"
 
 	"github.com/cockroachdb/errors"
+	"github.com/glebarez/sqlite"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
-	"gorm.io/driver/sqlite"
 	"gorm.io/driver/sqlserver"
 	"gorm.io/gorm"
 
@@ -73,7 +73,7 @@ func NewDSN(opts conf.DatabaseOpts) (dsn string, err error) {
 		dsn = fmt.Sprintf("server=%s; port=%s; database=%s; user id=%s; password=%s;",
 			host, port, opts.Name, opts.User, opts.Password)
 
-	case "sqlite3", "sqlite":
+	case "sqlite3":
 		dsn = "file:" + opts.Path + "?cache=shared&mode=rwc"
 
 	default:
@@ -101,9 +101,6 @@ func OpenDB(opts conf.DatabaseOpts, cfg *gorm.Config) (*gorm.DB, error) {
 		dialector = sqlserver.Open(dsn)
 	case "sqlite3":
 		dialector = sqlite.Open(dsn)
-	case "sqlite":
-		dialector = sqlite.Open(dsn)
-		dialector.(*sqlite.Dialector).DriverName = "sqlite"
 	default:
 		panic("unreachable")
 	}

internal/email/message.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/errors"
-	"github.com/jaytaylor/html2text"
+	"github.com/inbucket/html2text"
 	"gopkg.in/gomail.v2"
 	log "unknwon.dev/clog/v2"
 

internal/embeddedpg/embeddedpg.go

@@ -0,0 +1,92 @@
+package embeddedpg
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	embpg "github.com/fergusstrange/embedded-postgres"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+)
+
+// LocalPostgres wraps embedded PostgreSQL server functionality.
+type LocalPostgres struct {
+	srv      *embpg.EmbeddedPostgres
+	baseDir  string
+	tcpPort  uint32
+	database string
+	user     string
+	pass     string
+}
+
+// Initialize creates a LocalPostgres with default settings based on workDir.
+func Initialize(workDir string) *LocalPostgres {
+	storageBase := filepath.Join(workDir, "data", "local-postgres")
+	return &LocalPostgres{
+		baseDir:  storageBase,
+		tcpPort:  15432,
+		database: "gogs",
+		user:     "gogs",
+		pass:     "gogs",
+	}
+}
+
+// Launch starts the embedded PostgreSQL server and blocks until ready.
+func (pg *LocalPostgres) Launch() error {
+	log.Info("Launching local PostgreSQL server...")
+	log.Trace("Base directory: %s", pg.baseDir)
+
+	// Create base directory
+	if err := os.MkdirAll(pg.baseDir, 0o700); err != nil {
+		return errors.Wrap(err, "mkdir local postgres base")
+	}
+
+	opts := embpg.DefaultConfig().
+		Username(pg.user).
+		Password(pg.pass).
+		Database(pg.database).
+		Port(pg.tcpPort).
+		DataPath(pg.baseDir).
+		StartTimeout(45 * time.Second).
+		Logger(os.Stderr)
+
+	pg.srv = embpg.NewDatabase(opts)
+
+	if err := pg.srv.Start(); err != nil {
+		return errors.Wrap(err, "launch embedded pg")
+	}
+
+	log.Info("Local PostgreSQL ready on port %d", pg.tcpPort)
+	return nil
+}
+
+// Shutdown stops the embedded PostgreSQL server gracefully.
+func (pg *LocalPostgres) Shutdown() error {
+	if pg.srv == nil {
+		return nil
+	}
+
+	log.Info("Shutting down local PostgreSQL...")
+	if err := pg.srv.Stop(); err != nil {
+		return errors.Wrap(err, "shutdown embedded pg")
+	}
+
+	log.Info("Local PostgreSQL shutdown complete")
+	return nil
+}
+
+// ConfigureGlobalDatabase modifies global conf.Database to point to this instance.
+func (pg *LocalPostgres) ConfigureGlobalDatabase() {
+	conf.Database.Type = "postgres"
+	conf.Database.Host = fmt.Sprintf("localhost:%d", pg.tcpPort)
+	conf.Database.Name = pg.database
+	conf.Database.User = pg.user
+	conf.Database.Password = pg.pass
+	conf.Database.SSLMode = "disable"
+
+	log.Trace("Global database configured for local PostgreSQL")
+}

internal/embeddedpg/embeddedpg_test.go

@@ -0,0 +1,28 @@
+package embeddedpg
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestInitialize(t *testing.T) {
+	workDir := "/tmp/gogs-test"
+	pg := Initialize(workDir)
+
+	assert.NotNil(t, pg)
+	assert.Equal(t, filepath.Join(workDir, "data", "local-postgres"), pg.baseDir)
+	assert.Equal(t, uint32(15432), pg.tcpPort)
+	assert.Equal(t, "gogs", pg.database)
+	assert.Equal(t, "gogs", pg.user)
+	assert.Equal(t, "gogs", pg.pass)
+}
+
+func TestShutdownWithoutStart(t *testing.T) {
+	pg := Initialize("/tmp/gogs-test")
+
+	// Should not error when stopping a non-started instance
+	err := pg.Shutdown()
+	assert.NoError(t, err)
+}

internal/gitutil/diff.go

@@ -73,7 +73,7 @@ func (s *DiffSection) ComputedInlineDiffFor(line *git.DiffLine) template.HTML {
 func diffsToHTML(diffs []diffmatchpatch.Diff, lineType git.DiffLineType) template.HTML {
 	buf := bytes.NewBuffer(nil)
 
-	// Reproduce signs which are cutted for inline diff before.
+	// Reproduce signs which are cut for inline diff before.
 	switch lineType {
 	case git.DiffLineAdd:
 		buf.WriteByte('+')

internal/route/admin/auths.go

@@ -151,7 +151,7 @@ func NewAuthSourcePost(c *context.Context, f form.Authentication) {
 	c.Data["HasTLS"] = hasTLS
 
 	if c.HasError() {
-		c.Success(tmplAdminAuthNew)
+		c.HTML(http.StatusBadRequest, tmplAdminAuthNew)
 		return
 	}
 
@@ -167,7 +167,7 @@ func NewAuthSourcePost(c *context.Context, f form.Authentication) {
 	if err != nil {
 		if database.IsErrLoginSourceAlreadyExist(err) {
 			c.FormErr("Name")
-			c.RenderWithErr(c.Tr("admin.auths.login_source_exist", f.Name), tmplAdminAuthNew, f)
+			c.RenderWithErr(c.Tr("admin.auths.login_source_exist", f.Name), http.StatusUnprocessableEntity, tmplAdminAuthNew, f)
 		} else {
 			c.Error(err, "create login source")
 		}
@@ -223,7 +223,7 @@ func EditAuthSourcePost(c *context.Context, f form.Authentication) {
 	c.Data["HasTLS"] = source.Provider.HasTLS()
 
 	if c.HasError() {
-		c.Success(tmplAdminAuthEdit)
+		c.HTML(http.StatusBadRequest, tmplAdminAuthEdit)
 		return
 	}
 

internal/route/admin/users.go

@@ -1,6 +1,7 @@
 package admin
 
 import (
+	"net/http"
 	"strconv"
 	"strings"
 
@@ -68,7 +69,7 @@ func NewUserPost(c *context.Context, f form.AdminCrateUser) {
 	c.Data["CanSendEmail"] = conf.Email.Enabled
 
 	if c.HasError() {
-		c.Success(tmplAdminUserNew)
+		c.HTML(http.StatusBadRequest, tmplAdminUserNew)
 		return
 	}
 
@@ -89,13 +90,13 @@ func NewUserPost(c *context.Context, f form.AdminCrateUser) {
 		switch {
 		case database.IsErrUserAlreadyExist(err):
 			c.Data["Err_UserName"] = true
-			c.RenderWithErr(c.Tr("form.username_been_taken"), tmplAdminUserNew, &f)
+			c.RenderWithErr(c.Tr("form.username_been_taken"), http.StatusUnprocessableEntity, tmplAdminUserNew, &f)
 		case database.IsErrEmailAlreadyUsed(err):
 			c.Data["Err_Email"] = true
-			c.RenderWithErr(c.Tr("form.email_been_used"), tmplAdminUserNew, &f)
+			c.RenderWithErr(c.Tr("form.email_been_used"), http.StatusUnprocessableEntity, tmplAdminUserNew, &f)
 		case database.IsErrNameNotAllowed(err):
 			c.Data["Err_UserName"] = true
-			c.RenderWithErr(c.Tr("user.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value()), tmplAdminUserNew, &f)
+			c.RenderWithErr(c.Tr("user.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value()), http.StatusBadRequest, tmplAdminUserNew, &f)
 		default:
 			c.Error(err, "create user")
 		}
@@ -166,7 +167,7 @@ func EditUserPost(c *context.Context, f form.AdminEditUser) {
 	}
 
 	if c.HasError() {
-		c.Success(tmplAdminUserEdit)
+		c.HTML(http.StatusBadRequest, tmplAdminUserEdit)
 		return
 	}
 
@@ -203,7 +204,7 @@ func EditUserPost(c *context.Context, f form.AdminEditUser) {
 	if err != nil {
 		if database.IsErrEmailAlreadyUsed(err) {
 			c.Data["Err_Email"] = true
-			c.RenderWithErr(c.Tr("form.email_been_used"), tmplAdminUserEdit, &f)
+			c.RenderWithErr(c.Tr("form.email_been_used"), http.StatusUnprocessableEntity, tmplAdminUserEdit, &f)
 		} else {
 			c.Error(err, "update user")
 		}

internal/route/api/v1/repo/contents.go

@@ -137,13 +137,13 @@ func GetContents(c *context.APIContext) {
 	}
 
 	// The entry is a directory
-	dir, err := gitRepo.LsTree(entry.ID().String())
+	dir, err := gitRepo.LsTree(entry.ID().String(), git.LsTreeOptions{Verbatim: true})
 	if err != nil {
 		c.NotFoundOrError(gitutil.NewError(err), "get tree")
 		return
 	}
 
-	entries, err := dir.Entries()
+	entries, err := dir.Entries(git.LsTreeOptions{Verbatim: true})
 	if err != nil {
 		c.NotFoundOrError(gitutil.NewError(err), "list entries")
 		return

internal/route/api/v1/repo/issue_comment.go

@@ -88,6 +88,17 @@ func EditIssueComment(c *context.APIContext, form api.EditIssueCommentOption) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 		c.Status(http.StatusForbidden)
 		return
@@ -112,6 +123,17 @@ func DeleteIssueComment(c *context.APIContext) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 		c.Status(http.StatusForbidden)
 		return

internal/route/api/v1/repo/key.go

@@ -45,6 +45,11 @@ func GetDeployKey(c *context.APIContext) {
 		return
 	}
 
+	if key.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if err = key.GetContent(); err != nil {
 		c.Error(err, "get content")
 		return
@@ -94,7 +99,18 @@ func CreateDeployKey(c *context.APIContext, form api.CreateKeyOption) {
 
 // https://github.com/gogs/go-gogs-client/wiki/Repositories-Deploy-Keys#remove-a-deploy-key
 func DeleteDeploykey(c *context.APIContext) {
-	if err := database.DeleteDeployKey(c.User, c.ParamsInt64(":id")); err != nil {
+	key, err := database.GetDeployKeyByID(c.ParamsInt64(":id"))
+	if err != nil {
+		c.NotFoundOrError(err, "get deploy key by ID")
+		return
+	}
+
+	if key.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
+	if err := database.DeleteDeployKey(c.User, key.ID); err != nil {
 		if database.IsErrKeyAccessDenied(err) {
 			c.ErrorStatus(http.StatusForbidden, errors.New("You do not have access to this key"))
 		} else {

internal/route/api/v1/repo/tree.go

@@ -17,13 +17,13 @@ func GetRepoGitTree(c *context.APIContext) {
 	}
 
 	sha := c.Params(":sha")
-	tree, err := gitRepo.LsTree(sha)
+	tree, err := gitRepo.LsTree(sha, git.LsTreeOptions{Verbatim: true})
 	if err != nil {
 		c.NotFoundOrError(gitutil.NewError(err), "get tree")
 		return
 	}
 
-	entries, err := tree.Entries()
+	entries, err := tree.Entries(git.LsTreeOptions{Verbatim: true})
 	if err != nil {
 		c.Error(err, "list entries")
 		return

internal/route/install.go

@@ -1,6 +1,7 @@
 package route
 
 import (
+	"net/http"
 	"net/mail"
 	"os"
 	"os/exec"
@@ -194,13 +195,12 @@ func InstallPost(c *context.Context, f form.Install) {
 			c.HasValue("Err_AdminEmail") {
 			c.FormErr("Admin")
 		}
-
-		c.Success(INSTALL)
+		c.HTML(http.StatusBadRequest, INSTALL)
 		return
 	}
 
 	if _, err := exec.LookPath("git"); err != nil {
-		c.RenderWithErr(c.Tr("install.test_git_failed", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.test_git_failed", err), http.StatusInternalServerError, INSTALL, &f)
 		return
 	}
 
@@ -222,7 +222,7 @@ func InstallPost(c *context.Context, f form.Install) {
 
 	if conf.Database.Type == "sqlite3" && conf.Database.Path == "" {
 		c.FormErr("DbPath")
-		c.RenderWithErr(c.Tr("install.err_empty_db_path"), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.err_empty_db_path"), http.StatusBadRequest, INSTALL, &f)
 		return
 	}
 
@@ -230,10 +230,10 @@ func InstallPost(c *context.Context, f form.Install) {
 	if err := database.NewTestEngine(); err != nil {
 		if strings.Contains(err.Error(), `Unknown database type: sqlite3`) {
 			c.FormErr("DbType")
-			c.RenderWithErr(c.Tr("install.sqlite3_not_available", "https://gogs.io/docs/installation/install_from_binary.html"), INSTALL, &f)
+			c.RenderWithErr(c.Tr("install.sqlite3_not_available", "https://gogs.io/docs/installation/install_from_binary.html"), http.StatusInternalServerError, INSTALL, &f)
 		} else {
 			c.FormErr("DbSetting")
-			c.RenderWithErr(c.Tr("install.invalid_db_setting", err), INSTALL, &f)
+			c.RenderWithErr(c.Tr("install.invalid_db_setting", err), http.StatusBadRequest, INSTALL, &f)
 		}
 		return
 	}
@@ -242,7 +242,7 @@ func InstallPost(c *context.Context, f form.Install) {
 	f.RepoRootPath = strings.ReplaceAll(f.RepoRootPath, "\\", "/")
 	if err := os.MkdirAll(f.RepoRootPath, os.ModePerm); err != nil {
 		c.FormErr("RepoRootPath")
-		c.RenderWithErr(c.Tr("install.invalid_repo_path", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.invalid_repo_path", err), http.StatusBadRequest, INSTALL, &f)
 		return
 	}
 
@@ -250,21 +250,21 @@ func InstallPost(c *context.Context, f form.Install) {
 	f.LogRootPath = strings.ReplaceAll(f.LogRootPath, "\\", "/")
 	if err := os.MkdirAll(f.LogRootPath, os.ModePerm); err != nil {
 		c.FormErr("LogRootPath")
-		c.RenderWithErr(c.Tr("install.invalid_log_root_path", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.invalid_log_root_path", err), http.StatusBadRequest, INSTALL, &f)
 		return
 	}
 
 	currentUser, match := conf.CheckRunUser(f.RunUser)
 	if !match {
 		c.FormErr("RunUser")
-		c.RenderWithErr(c.Tr("install.run_user_not_match", f.RunUser, currentUser), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.run_user_not_match", f.RunUser, currentUser), http.StatusForbidden, INSTALL, &f)
 		return
 	}
 
 	// Check host address and port
 	if len(f.SMTPHost) > 0 && !strings.Contains(f.SMTPHost, ":") {
 		c.FormErr("SMTP", "SMTPHost")
-		c.RenderWithErr(c.Tr("install.smtp_host_missing_port"), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.smtp_host_missing_port"), http.StatusBadRequest, INSTALL, &f)
 		return
 	}
 
@@ -273,7 +273,7 @@ func InstallPost(c *context.Context, f form.Install) {
 		_, err := mail.ParseAddress(f.SMTPFrom)
 		if err != nil {
 			c.FormErr("SMTP", "SMTPFrom")
-			c.RenderWithErr(c.Tr("install.invalid_smtp_from", err), INSTALL, &f)
+			c.RenderWithErr(c.Tr("install.invalid_smtp_from", err), http.StatusBadRequest, INSTALL, &f)
 			return
 		}
 	}
@@ -281,19 +281,19 @@ func InstallPost(c *context.Context, f form.Install) {
 	// Check logic loophole between disable self-registration and no admin account.
 	if f.DisableRegistration && f.AdminName == "" {
 		c.FormErr("Services", "Admin")
-		c.RenderWithErr(c.Tr("install.no_admin_and_disable_registration"), INSTALL, f)
+		c.RenderWithErr(c.Tr("install.no_admin_and_disable_registration"), http.StatusUnprocessableEntity, INSTALL, f)
 		return
 	}
 
 	// Check admin password.
 	if len(f.AdminName) > 0 && f.AdminPasswd == "" {
 		c.FormErr("Admin", "AdminPasswd")
-		c.RenderWithErr(c.Tr("install.err_empty_admin_password"), INSTALL, f)
+		c.RenderWithErr(c.Tr("install.err_empty_admin_password"), http.StatusBadRequest, INSTALL, f)
 		return
 	}
 	if f.AdminPasswd != f.AdminConfirmPasswd {
 		c.FormErr("Admin", "AdminPasswd")
-		c.RenderWithErr(c.Tr("form.password_not_match"), INSTALL, f)
+		c.RenderWithErr(c.Tr("form.password_not_match"), http.StatusBadRequest, INSTALL, f)
 		return
 	}
 
@@ -367,21 +367,21 @@ func InstallPost(c *context.Context, f form.Install) {
 	cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
 	secretKey, err := strutil.RandomChars(15)
 	if err != nil {
-		c.RenderWithErr(c.Tr("install.secret_key_failed", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.secret_key_failed", err), http.StatusInternalServerError, INSTALL, &f)
 		return
 	}
 	cfg.Section("security").Key("SECRET_KEY").SetValue(secretKey)
 
 	_ = os.MkdirAll(filepath.Dir(conf.CustomConf), os.ModePerm)
 	if err := cfg.SaveTo(conf.CustomConf); err != nil {
-		c.RenderWithErr(c.Tr("install.save_config_failed", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.save_config_failed", err), http.StatusInternalServerError, INSTALL, &f)
 		return
 	}
 
 	// NOTE: We reuse the current value because this handler does not have access to CLI flags.
 	err = GlobalInit(conf.CustomConf)
 	if err != nil {
-		c.RenderWithErr(c.Tr("install.init_failed", err), INSTALL, &f)
+		c.RenderWithErr(c.Tr("install.init_failed", err), http.StatusInternalServerError, INSTALL, &f)
 		return
 	}
 
@@ -401,7 +401,7 @@ func InstallPost(c *context.Context, f form.Install) {
 			if !database.IsErrUserAlreadyExist(err) {
 				conf.Security.InstallLock = false
 				c.FormErr("AdminName", "AdminEmail")
-				c.RenderWithErr(c.Tr("install.invalid_admin_setting", err), INSTALL, &f)
+				c.RenderWithErr(c.Tr("install.invalid_admin_setting", err), http.StatusBadRequest, INSTALL, &f)
 				return
 			}
 

internal/route/org/org.go

@@ -1,6 +1,8 @@
 package org
 
 import (
+	"net/http"
+
 	log "unknwon.dev/clog/v2"
 
 	"gogs.io/gogs/internal/context"
@@ -21,7 +23,7 @@ func CreatePost(c *context.Context, f form.CreateOrg) {
 	c.Title("new_org")
 
 	if c.HasError() {
-		c.Success(CREATE)
+		c.HTML(http.StatusBadRequest, CREATE)
 		return
 	}
 
@@ -35,9 +37,9 @@ func CreatePost(c *context.Context, f form.CreateOrg) {
 		c.Data["Err_OrgName"] = true
 		switch {
 		case database.IsErrUserAlreadyExist(err):
-			c.RenderWithErr(c.Tr("form.org_name_been_taken"), CREATE, &f)
+			c.RenderWithErr(c.Tr("form.org_name_been_taken"), http.StatusUnprocessableEntity, CREATE, &f)
 		case database.IsErrNameNotAllowed(err):
-			c.RenderWithErr(c.Tr("org.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value()), CREATE, &f)
+			c.RenderWithErr(c.Tr("org.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value()), http.StatusBadRequest, CREATE, &f)
 		default:
 			c.Error(err, "create organization")
 		}

internal/route/org/setting.go

@@ -1,6 +1,8 @@
 package org
 
 import (
+	"net/http"
+
 	log "unknwon.dev/clog/v2"
 
 	"gogs.io/gogs/internal/auth"
@@ -27,7 +29,7 @@ func SettingsPost(c *context.Context, f form.UpdateOrgSetting) {
 	c.Data["PageIsSettingsOptions"] = true
 
 	if c.HasError() {
-		c.Success(tmplOrgSettingsOptions)
+		c.HTML(http.StatusBadRequest, tmplOrgSettingsOptions)
 		return
 	}
 
@@ -38,18 +40,14 @@ func SettingsPost(c *context.Context, f form.UpdateOrgSetting) {
 		err := database.Handle.Users().ChangeUsername(c.Req.Context(), c.Org.Organization.ID, f.Name)
 		if err != nil {
 			c.Data["OrgName"] = true
-			var msg string
 			switch {
 			case database.IsErrUserAlreadyExist(err):
-				msg = c.Tr("form.username_been_taken")
+				c.RenderWithErr(c.Tr("form.username_been_taken"), http.StatusUnprocessableEntity, tmplOrgSettingsOptions, &f)
 			case database.IsErrNameNotAllowed(err):
-				msg = c.Tr("user.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value())
+				c.RenderWithErr(c.Tr("user.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value()), http.StatusBadRequest, tmplOrgSettingsOptions, &f)
 			default:
 				c.Error(err, "change organization name")
-				return
 			}
-
-			c.RenderWithErr(msg, tmplOrgSettingsOptions, &f)
 			return
 		}
 
@@ -104,7 +102,7 @@ func SettingsDelete(c *context.Context) {
 	if c.Req.Method == "POST" {
 		if _, err := database.Handle.Users().Authenticate(c.Req.Context(), c.User.Name, c.Query("password"), c.User.LoginSource); err != nil {
 			if auth.IsErrBadCredentials(err) {
-				c.RenderWithErr(c.Tr("form.enterred_invalid_password"), tmplOrgSettingsDelete, nil)
+				c.RenderWithErr(c.Tr("form.enterred_invalid_password"), http.StatusUnauthorized, tmplOrgSettingsDelete, nil)
 			} else {
 				c.Error(err, "authenticate user")
 			}

internal/route/org/teams.go

@@ -159,7 +159,7 @@ func NewTeamPost(c *context.Context, f form.CreateTeam) {
 	c.Data["Team"] = t
 
 	if c.HasError() {
-		c.Success(tmplOrgTeamNew)
+		c.HTML(http.StatusBadRequest, tmplOrgTeamNew)
 		return
 	}
 
@@ -167,9 +167,9 @@ func NewTeamPost(c *context.Context, f form.CreateTeam) {
 		c.Data["Err_TeamName"] = true
 		switch {
 		case database.IsErrTeamAlreadyExist(err):
-			c.RenderWithErr(c.Tr("form.team_name_been_taken"), tmplOrgTeamNew, &f)
+			c.RenderWithErr(c.Tr("form.team_name_been_taken"), http.StatusUnprocessableEntity, tmplOrgTeamNew, &f)
 		case database.IsErrNameNotAllowed(err):
-			c.RenderWithErr(c.Tr("org.form.team_name_not_allowed", err.(database.ErrNameNotAllowed).Value()), tmplOrgTeamNew, &f)
+			c.RenderWithErr(c.Tr("org.form.team_name_not_allowed", err.(database.ErrNameNotAllowed).Value()), http.StatusBadRequest, tmplOrgTeamNew, &f)
 		default:
 			c.Error(err, "new team")
 		}
@@ -214,7 +214,7 @@ func EditTeamPost(c *context.Context, f form.CreateTeam) {
 	c.Data["Team"] = t
 
 	if c.HasError() {
-		c.Success(tmplOrgTeamNew)
+		c.HTML(http.StatusBadRequest, tmplOrgTeamNew)
 		return
 	}
 
@@ -245,7 +245,7 @@ func EditTeamPost(c *context.Context, f form.CreateTeam) {
 		c.Data["Err_TeamName"] = true
 		switch {
 		case database.IsErrTeamAlreadyExist(err):
-			c.RenderWithErr(c.Tr("form.team_name_been_taken"), tmplOrgTeamNew, &f)
+			c.RenderWithErr(c.Tr("form.team_name_been_taken"), http.StatusUnprocessableEntity, tmplOrgTeamNew, &f)
 		default:
 			c.Error(err, "update team")
 		}

internal/route/repo/branch.go

@@ -10,7 +10,7 @@ import (
 
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/database"
-	"gogs.io/gogs/internal/tool"
+	"gogs.io/gogs/internal/urlutil"
 )
 
 const (
@@ -109,7 +109,7 @@ func DeleteBranchPost(c *context.Context) {
 
 	defer func() {
 		redirectTo := c.Query("redirect_to")
-		if !tool.IsSameSiteURLPath(redirectTo) {
+		if !urlutil.IsSameSite(redirectTo) {
 			redirectTo = c.Repo.RepoLink
 		}
 		c.Redirect(redirectTo)
@@ -118,6 +118,21 @@ func DeleteBranchPost(c *context.Context) {
 	if !c.Repo.GitRepo.HasBranch(branchName) {
 		return
 	}
+	if branchName == c.Repo.Repository.DefaultBranch {
+		c.Flash.Error(c.Tr("repo.branches.default_deletion_not_allowed"))
+		return
+	}
+
+	protectBranch, err := database.GetProtectBranchOfRepoByName(c.Repo.Repository.ID, branchName)
+	if err != nil && !database.IsErrBranchNotExist(err) {
+		log.Error("Failed to get protected branch %q: %v", branchName, err)
+		return
+	}
+	if protectBranch != nil && protectBranch.Protected {
+		c.Flash.Error(c.Tr("repo.branches.protected_deletion_not_allowed"))
+		return
+	}
+
 	if len(commitID) > 0 {
 		branchCommitID, err := c.Repo.GitRepo.BranchCommitID(branchName)
 		if err != nil {