fix: parse HEAD ref (#38119)

backport #38088

cmd/serv.go

@@ -113,23 +113,25 @@ func handleCliResponseExtra(extra private.ResponseExtra) error {
 	return nil
 }
 
-func getAccessMode(verb, lfsVerb string) perm.AccessMode {
+// getAccessMode maps an SSH git/LFS verb to the access mode it requires, with
+// ok=false for an unrecognised verb. Callers MUST reject the request when ok is
+// false: AccessModeNone would otherwise pass the `userMode < mode` permission
+// check in routers/private/serv.go and grant access.
+func getAccessMode(verb, lfsVerb string) (mode perm.AccessMode, ok bool) {
 	switch verb {
 	case git.CmdVerbUploadPack, git.CmdVerbUploadArchive:
-		return perm.AccessModeRead
+		return perm.AccessModeRead, true
 	case git.CmdVerbReceivePack:
-		return perm.AccessModeWrite
+		return perm.AccessModeWrite, true
 	case git.CmdVerbLfsAuthenticate, git.CmdVerbLfsTransfer:
 		switch lfsVerb {
 		case git.CmdSubVerbLfsUpload:
-			return perm.AccessModeWrite
+			return perm.AccessModeWrite, true
 		case git.CmdSubVerbLfsDownload:
-			return perm.AccessModeRead
+			return perm.AccessModeRead, true
 		}
 	}
-	// should be unreachable
-	setting.PanicInDevOrTesting("unknown verb: %s %s", verb, lfsVerb)
-	return perm.AccessModeNone
+	return perm.AccessModeNone, false
 }
 
 func runServ(ctx context.Context, c *cli.Command) error {
@@ -247,7 +249,10 @@ func runServ(ctx context.Context, c *cli.Command) error {
 		}
 	}
 
-	requestedMode := getAccessMode(verb, lfsVerb)
+	requestedMode, ok := getAccessMode(verb, lfsVerb)
+	if !ok {
+		return fail(ctx, "Unknown git command", "Unknown git command %s %s", verb, lfsVerb)
+	}
 
 	results, extra := private.ServCommand(ctx, keyID, username, reponame, requestedMode, verb, lfsVerb)
 	if extra.HasError() {

cmd/serv_test.go

@@ -0,0 +1,56 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/perm"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetAccessMode(t *testing.T) {
+	cases := []struct {
+		verb, lfsVerb string
+		expected      perm.AccessMode
+	}{
+		{git.CmdVerbUploadPack, "", perm.AccessModeRead},
+		{git.CmdVerbUploadArchive, "", perm.AccessModeRead},
+		{git.CmdVerbReceivePack, "", perm.AccessModeWrite},
+		{git.CmdVerbLfsAuthenticate, git.CmdSubVerbLfsUpload, perm.AccessModeWrite},
+		{git.CmdVerbLfsAuthenticate, git.CmdSubVerbLfsDownload, perm.AccessModeRead},
+		{git.CmdVerbLfsTransfer, git.CmdSubVerbLfsUpload, perm.AccessModeWrite},
+		{git.CmdVerbLfsTransfer, git.CmdSubVerbLfsDownload, perm.AccessModeRead},
+	}
+	for _, tc := range cases {
+		t.Run(tc.verb+"/"+tc.lfsVerb, func(t *testing.T) {
+			mode, ok := getAccessMode(tc.verb, tc.lfsVerb)
+			assert.True(t, ok)
+			assert.Equal(t, tc.expected, mode)
+		})
+	}
+}
+
+// TestGetAccessModeUnknownVerb locks in the invariant that getAccessMode reports
+// ok=false for unrecognised verbs and LFS sub-verbs, so runServ rejects them. An
+// unknown verb has no valid access mode; if it were treated as AccessModeNone (0)
+// it would pass the `userMode < mode` permission check in routers/private/serv.go
+// and hand out valid LFS JWTs for any private repository.
+func TestGetAccessModeUnknownVerb(t *testing.T) {
+	cases := []struct{ verb, lfsVerb string }{
+		{git.CmdVerbLfsAuthenticate, ""},
+		{git.CmdVerbLfsAuthenticate, "badverb"},
+		{git.CmdVerbLfsTransfer, "badverb"},
+		{"git-unknown-verb", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.verb+"/"+tc.lfsVerb, func(t *testing.T) {
+			mode, ok := getAccessMode(tc.verb, tc.lfsVerb)
+			assert.False(t, ok)
+			assert.Equal(t, perm.AccessModeNone, mode)
+		})
+	}
+}

eslint.config.ts

@@ -570,8 +570,6 @@ export default defineConfig([
       'no-redeclare': [0], // must be disabled for typescript overloads
       'no-regex-spaces': [2],
       'no-restricted-exports': [0],
-      'no-restricted-globals': [2, ...restrictedGlobals],
-      'no-restricted-properties': [2, ...restrictedProperties],
       'no-restricted-imports': [2, {paths: [
         {name: 'jquery', message: 'Use the global $ instead', allowTypeImports: true},
         {name: 'htmx.org', message: 'Use the global htmx instead', allowTypeImports: true},
@@ -1024,5 +1022,9 @@ export default defineConfig([
   {
     files: ['web_src/**/*'],
     languageOptions: {globals: {...globals.browser, ...globals.jquery, htmx: false}},
+    rules: {
+      'no-restricted-globals': [2, ...restrictedGlobals],
+      'no-restricted-properties': [2, ...restrictedProperties],
+    },
   },
 ]);

go.mod

@@ -110,13 +110,13 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v1.46.0
 	go.yaml.in/yaml/v4 v4.0.0-rc.3
-	golang.org/x/crypto v0.50.0
-	golang.org/x/image v0.38.0
-	golang.org/x/net v0.53.0
+	golang.org/x/crypto v0.52.0
+	golang.org/x/image v0.40.0
+	golang.org/x/net v0.55.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.44.0
-	golang.org/x/text v0.36.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.37.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/ini.v1 v1.67.1

go.sum

@@ -785,12 +785,12 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
-golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
-golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
+golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -819,8 +819,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -868,8 +868,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -880,8 +880,8 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -892,8 +892,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

models/actions/run_list.go

@@ -70,7 +70,6 @@ type FindRunOptions struct {
 	Ref              string // the commit/tag/… that caused this workflow
 	TriggerUserID    int64
 	TriggerEvent     webhook_module.HookEventType
-	Approved         bool // not util.OptionalBool, it works only when it's true
 	Status           []Status
 	ConcurrencyGroup string
 	CommitSHA        string
@@ -87,9 +86,6 @@ func (opts FindRunOptions) ToConds() builder.Cond {
 	if opts.TriggerUserID > 0 {
 		cond = cond.And(builder.Eq{"`action_run`.trigger_user_id": opts.TriggerUserID})
 	}
-	if opts.Approved {
-		cond = cond.And(builder.Gt{"`action_run`.approved_by": 0})
-	}
 	if len(opts.Status) > 0 {
 		cond = cond.And(builder.In("`action_run`.status", opts.Status))
 	}

models/git/lfs.go

@@ -196,7 +196,10 @@ func LFSObjectAccessible(ctx context.Context, user *user_model.User, oid string)
 		count, err := db.GetEngine(ctx).Count(&LFSMetaObject{Pointer: lfs.Pointer{Oid: oid}})
 		return count > 0, err
 	}
-	cond := repo_model.AccessibleRepositoryCondition(user, unit.TypeInvalid)
+	// LFS objects are repository code content, so authorization must require
+	// Code-unit access; other unit accesses (e.g. Issues) must not authorize
+	// reuse of an existing LFS object across repositories.
+	cond := repo_model.AccessibleRepositoryCondition(user, unit.TypeCode)
 	count, err := db.GetEngine(ctx).Where(cond).Join("INNER", "repository", "`lfs_meta_object`.repository_id = `repository`.id").Count(&LFSMetaObject{Pointer: lfs.Pointer{Oid: oid}})
 	return count > 0, err
 }
@@ -220,7 +223,7 @@ func LFSAutoAssociate(ctx context.Context, metas []*LFSMetaObject, user *user_mo
 			newMetas := make([]*LFSMetaObject, 0, len(metas))
 			cond := builder.In(
 				"`lfs_meta_object`.repository_id",
-				builder.Select("`repository`.id").From("repository").Where(repo_model.AccessibleRepositoryCondition(user, unit.TypeInvalid)),
+				builder.Select("`repository`.id").From("repository").Where(repo_model.AccessibleRepositoryCondition(user, unit.TypeCode)),
 			)
 			if err := db.GetEngine(ctx).Cols("oid").Where(cond).In("oid", oids...).GroupBy("oid").Find(&newMetas); err != nil {
 				return err

models/issues/pull.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"strings"
+	"time"
 
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
@@ -860,6 +861,11 @@ func GetCodeOwnersFromContent(ctx context.Context, data string) ([]*CodeOwnerRul
 	return rules, warnings
 }
 
+// codeOwnerMatchTimeout bounds a single pattern match so a crafted pattern
+// cannot stall via catastrophic backtracking. See also the aggregate budget
+// enforced by the caller across the whole rules×files match loop.
+const codeOwnerMatchTimeout = 150 * time.Millisecond
+
 type CodeOwnerRule struct {
 	Rule     *regexp2.Regexp // it supports negative lookahead, does better for end users
 	Negative bool
@@ -888,6 +894,8 @@ func ParseCodeOwnersLine(ctx context.Context, tokens []string) (*CodeOwnerRule,
 		warnings = append(warnings, fmt.Sprintf("incorrect codeowner regexp: %s", err))
 		return nil, warnings
 	}
+	// Bound matching time so user-supplied patterns cannot stall PR creation via catastrophic backtracking.
+	rule.Rule.MatchTimeout = codeOwnerMatchTimeout
 
 	for _, user := range tokens[1:] {
 		user = strings.TrimPrefix(user, "@")

models/issues/pull_test.go

@@ -4,7 +4,9 @@
 package issues_test
 
 import (
+	"strings"
 	"testing"
+	"time"
 
 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -39,6 +41,7 @@ func TestPullRequest(t *testing.T) {
 	t.Run("DeleteOrphanedObjects", testDeleteOrphanedObjects)
 	t.Run("ParseCodeOwnersLine", testParseCodeOwnersLine)
 	t.Run("CodeOwnerAbsolutePathPatterns", testCodeOwnerAbsolutePathPatterns)
+	t.Run("CodeOwnerPatternMatchTimeout", testCodeOwnerPatternMatchTimeout)
 	t.Run("GetApprovers", testGetApprovers)
 	t.Run("GetPullRequestByMergedCommit", testGetPullRequestByMergedCommit)
 	t.Run("Migrate_InsertPullRequests", testMigrateInsertPullRequests)
@@ -376,6 +379,22 @@ func testCodeOwnerAbsolutePathPatterns(t *testing.T) {
 	}
 }
 
+// testCodeOwnerPatternMatchTimeout ensures user-supplied CODEOWNERS patterns
+// cannot stall pull request processing through catastrophic regex backtracking:
+// each compiled rule must enforce a bounded match time.
+func testCodeOwnerPatternMatchTimeout(t *testing.T) {
+	rules, _ := issues_model.GetCodeOwnersFromContent(t.Context(), "(a+)+ @user5\n")
+	require.Len(t, rules, 1)
+
+	maliciousInput := strings.Repeat("a", 30) + "X"
+	start := time.Now()
+	_, err := rules[0].Rule.MatchString(maliciousInput)
+	elapsed := time.Since(start)
+
+	require.Error(t, err, "expected MatchTimeout error on pathological input")
+	assert.Less(t, elapsed, time.Second, "match timeout did not bound regex evaluation; took %s", elapsed)
+}
+
 func testGetApprovers(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 5})
 	// Official reviews are already deduplicated. Allow unofficial reviews

models/issues/review.go

@@ -483,6 +483,14 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 		if _, err := sess.ID(review.ID).Cols("content, type, official, commit_id, stale").Update(review); err != nil {
 			return nil, nil, err
 		}
+
+		// make sure the leftover review request is cleared, consistent with CreateReview
+		if reviewType != ReviewTypePending {
+			if _, err := sess.Where(builder.Eq{"reviewer_id": doer.ID, "issue_id": issue.ID, "type": ReviewTypeRequest}).
+				Delete(new(Review)); err != nil {
+				return nil, nil, err
+			}
+		}
 	}
 
 	comm, err := CreateComment(ctx, &CreateCommentOptions{

models/issues/review_test.go

@@ -303,6 +303,46 @@ func TestDeleteDismissedReview(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: comment.ID})
 }
 
+func TestSubmitReviewClearsStaleReviewRequest(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 3})
+	assert.NoError(t, issue.LoadRepo(t.Context()))
+	assert.NoError(t, issue.Repo.LoadOwner(t.Context()))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	// the reviewer is requested to review the pull request
+	requestReview, err := issues_model.CreateReview(t.Context(), issues_model.CreateReviewOptions{
+		Type:     issues_model.ReviewTypeRequest,
+		Issue:    issue,
+		Reviewer: reviewer,
+	})
+	assert.NoError(t, err)
+
+	// the reviewer starts a pending review (e.g. by adding code comments)
+	pendingReview, err := issues_model.CreateReview(t.Context(), issues_model.CreateReviewOptions{
+		Type:     issues_model.ReviewTypePending,
+		Issue:    issue,
+		Reviewer: reviewer,
+	})
+	assert.NoError(t, err)
+
+	// submitting the pending review must clear the leftover review request,
+	// otherwise the reviewer can no longer be re-requested afterwards
+	review, _, err := issues_model.SubmitReview(t.Context(), reviewer, issue, issues_model.ReviewTypeComment, "looks good", "", false, nil)
+	assert.NoError(t, err)
+	assert.Equal(t, pendingReview.ID, review.ID)
+	assert.Equal(t, issues_model.ReviewTypeComment, review.Type)
+
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: requestReview.ID})
+
+	// the reviewer can be re-requested afterwards (no-op before the fix)
+	comment, err := issues_model.AddReviewRequest(t.Context(), issue, reviewer, doer, false)
+	assert.NoError(t, err)
+	assert.NotNil(t, comment)
+}
+
 func TestAddReviewRequest(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 

modules/actions/jobparser/model.go

@@ -298,6 +298,9 @@ func toGitContext(input map[string]any) *model.GithubContext {
 	return gitContext
 }
 
+// workflowCallEvent is only fired by another workflow's `uses:`, so it is excluded from trigger detection.
+const workflowCallEvent = "workflow_call"
+
 func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 	switch rawOn.Kind {
 	case yaml.ScalarNode:
@@ -306,6 +309,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		if err != nil {
 			return nil, err
 		}
+		if val == workflowCallEvent {
+			return []*Event{}, nil
+		}
 		return []*Event{
 			{Name: val},
 		}, nil
@@ -319,6 +325,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		for _, v := range val {
 			switch t := v.(type) {
 			case string:
+				if t == workflowCallEvent {
+					continue
+				}
 				res = append(res, &Event{Name: t})
 			default:
 				return nil, fmt.Errorf("invalid type %T", t)
@@ -332,6 +341,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		}
 		res := make([]*Event, 0, len(events))
 		for i, k := range events {
+			if k == workflowCallEvent {
+				continue
+			}
 			v := triggers[i]
 			switch v.Kind {
 			case yaml.ScalarNode:

modules/actions/jobparser/model_test.go

@@ -254,6 +254,53 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			// `workflow_call` is only fired by another workflow's `uses:`, so ParseRawOn intentionally excludes it from trigger detection.
+			input: `on:
+  workflow_call:
+    inputs:
+      env:
+        type: string
+        required: true
+    outputs:
+      sha:
+        value: ${{ jobs.build.outputs.commit }}
+    secrets:
+      DEPLOY_KEY:
+        required: true
+`,
+			result: []*Event{},
+		},
+		{
+			// Mixed: a workflow that is both callable AND triggered by push. Only the "push" event surfaces.
+			input: `on:
+  workflow_call:
+    inputs:
+      env:
+        type: string
+  push:
+    branches: [main]
+`,
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{"branches": {"main"}},
+				},
+			},
+		},
+		{
+			// Scalar form: a purely reusable workflow has no event triggers.
+			input:  "on: workflow_call",
+			result: []*Event{},
+		},
+		{
+			// Sequence form: `workflow_call` is excluded while sibling events are kept.
+			input: "on:\n  - push\n  - workflow_call\n  - pull_request",
+			result: []*Event{
+				{Name: "push"},
+				{Name: "pull_request"},
+			},
+		},
 	}
 	for _, kase := range kases {
 		t.Run(kase.input, func(t *testing.T) {

modules/git/gitcmd/command.go

@@ -445,6 +445,17 @@ func (c *Command) Start(ctx context.Context) (retErr error) {
 	c.cmd.Stdout = c.cmdStdout
 	c.cmd.Stdin = c.cmdStdin
 	c.cmd.Stderr = c.cmdStderr
+	c.cmd.Cancel = func() error {
+		// Golang's default cmd.Cancel only calls Process.Kill(), but here we need to close the parent pipes together:
+		// * for some commands like "git --batch-xxx", Windows git might have 2 processes (a wrapper and a real git process)
+		// * on Windows, if parent process is killed (context canceled), the children process won't be killed, and the pipe handles are still open.
+		// * if we don't close the parent pipes here, the children process won't exit.
+		//
+		// There is no such problem on POSIX, while it won't make things worse by closing the parent pipes also on POSIX.
+		err := c.cmd.Process.Kill()
+		c.closePipeFiles(c.parentPipeFiles)
+		return err
+	}
 	return c.cmd.Start()
 }
 

modules/git/ref.go

@@ -161,7 +161,7 @@ func (ref RefName) ShortName() string {
 	if ref.IsFor() {
 		return ref.ForBranchName()
 	}
-	return string(ref) // usually it is a commit ID
+	return string(ref) // usually it is a commit ID, or "HEAD"
 }
 
 // RefGroup returns the group type of the reference

modules/git/repo_ref.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/git/gitcmd"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )
 
@@ -86,8 +87,11 @@ func (repo *Repository) UnstableGuessRefByShortName(shortName string) RefName {
 	commit, err := repo.GetCommit(shortName)
 	if err == nil {
 		commitIDString := commit.ID.String()
-		if strings.HasPrefix(commitIDString, shortName) {
+		// Make sure the short name is either a partial commit ID, or the symbolic HEAD ref.
+		if strings.HasPrefix(commitIDString, shortName) || shortName == "HEAD" {
 			return RefName(commitIDString)
+		} else {
+			setting.PanicInDevOrTesting("abuse of UnstableGuessRefByShortName, queried %s, got %s", shortName, commitIDString)
 		}
 	}
 	return ""

modules/git/repo_ref_test.go

@@ -53,3 +53,18 @@ func TestRepository_GetRefsFiltered(t *testing.T) {
 		assert.Equal(t, "3ad28a9149a2864384548f3d17ed7f38014c9e8a", refs[1].Object.String())
 	}
 }
+
+func TestRepository_UnstableGuessRefByShortName(t *testing.T) {
+	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
+	bareRepo1, err := OpenRepository(t.Context(), bareRepo1Path)
+	assert.NoError(t, err)
+	defer bareRepo1.Close()
+
+	headCommit, err := bareRepo1.GetCommit("HEAD")
+	assert.NoError(t, err)
+
+	assert.Equal(t, RefName(headCommit.ID.String()), bareRepo1.UnstableGuessRefByShortName("HEAD"))
+	assert.Equal(t, RefName(headCommit.ID.String()), bareRepo1.UnstableGuessRefByShortName(headCommit.ID.String()[:8]))
+	assert.Equal(t, RefNameFromBranch("master"), bareRepo1.UnstableGuessRefByShortName("master"))
+	assert.Empty(t, bareRepo1.UnstableGuessRefByShortName("NotExisting"))
+}

modules/gitrepo/gitrepo.go

@@ -40,7 +40,7 @@ type contextKey struct {
 }
 
 // RepositoryFromContextOrOpen attempts to get the repository from the context or just opens it
-// The caller must call "defer gitRepo.Close()"
+// The caller must call Closer.Close()
 func RepositoryFromContextOrOpen(ctx context.Context, repo Repository) (*git.Repository, io.Closer, error) {
 	reqCtx := reqctx.FromContext(ctx)
 	if reqCtx != nil {

modules/highlight/highlight_test.go

@@ -63,7 +63,7 @@ func TestFile(t *testing.T) {
 		{
 			name:      "tags.py",
 			code:      "<>",
-			want:      lines(`<span class="o">&lt;</span><span class="o">&gt;</span>`),
+			want:      lines(`<span class="o">&lt;&gt;</span>`),
 			lexerName: "Python",
 		},
 		{
@@ -102,7 +102,7 @@ c=2
 <span class="n">def</span><span class="p">:</span>\n
     <span class="n">a</span><span class="o">=</span><span class="mi">1</span>\n
 \n
-<span class="n">b</span><span class="o">=</span><span class="sa"></span><span class="s1">&#39;</span><span class="s1">&#39;</span>\n
+<span class="n">b</span><span class="o">=</span><span class="s1">&#39;&#39;</span>\n
     \n
 <span class="n">c</span><span class="o">=</span><span class="mi">2</span>`,
 			),
@@ -114,6 +114,18 @@ c=2
 			want:      []template.HTML{"<span class=\"c1\">--\n</span>", `<span class="k">SELECT</span>`},
 			lexerName: "SQL",
 		},
+		{
+			name: "test.http",
+			code: `HTTP/1.0 400 Bad request
+Content-Type: text/html
+
+<html></html>`,
+			want: lines(`<span class="kr">HTTP</span><span class="o">/</span><span class="m">1.0</span> <span class="m">400</span> <span class="ne">Bad request</span>\n
+<span class="n">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>\n
+\n
+<span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>`),
+			lexerName: "HTTP",
+		},
 	}
 
 	for _, tt := range tests {

modules/highlight/lexerdetect.go

@@ -288,24 +288,24 @@ func detectChromaLexerWithAnalyze(fileName, lang string, code []byte) chroma.Lex
 
 	// if lang is provided, and it matches a lexer, use it directly
 	if byLang {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// if a lexer is detected and there is no conflict for the file extension, use it directly
 	fileExt := path.Ext(fileName)
 	_, hasConflicts := chromaLexers().conflictingExtLangMap[fileExt]
 	if !hasConflicts && lexer != lexers.Fallback {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// try to detect language by content, for best guessing for the language
 	// when using "code" to detect, analyze.GetCodeLanguage is slow, it iterates many rules to detect language from content
 	analyzedLanguage := analyze.GetCodeLanguage(fileName, code)
-	lexer = DetectChromaLexerByFileName(fileName, analyzedLanguage)
+	lexer, _ = detectChromaLexerByFileName(fileName, analyzedLanguage)
 	if lexer == lexers.Fallback {
 		if analyzedLanguage != enry.OtherLanguage {
 			log.Warn("No chroma lexer found for enry detected language: %s (file: %s), need to fix the language mapping between enry and chroma.", analyzedLanguage, fileName)
 		}
 	}
-	return lexer
+	return chroma.Coalesce(lexer)
 }

modules/hostmatcher/hostmatcher.go

@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
+	"sync"
 )
 
 // HostMatchList is used to check if a host or IP is in a list.
@@ -23,10 +24,64 @@ type HostMatchList struct {
 	ipNets []*net.IPNet
 }
 
-// MatchBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched
+// MatchBuiltinExternal A valid global-unicast IP that is neither private (see MatchBuiltinPrivate)
+// nor a reserved special-purpose range (see reservedIPNets); i.e. a routable host on the public internet.
 const MatchBuiltinExternal = "external"
 
-// MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
+// reservedIPNets are special-purpose ranges that net.IP.IsPrivate omits but that must not be
+// treated as public/external destinations (CGNAT, cloud metadata, IPv6 transition, etc.). We layer
+// these on top of net.IP.IsPrivate (RFC 1918 / RFC 4193) so future additions to Go's IsPrivate are
+// picked up automatically, while still covering the ranges it leaves out; otherwise the default
+// allow-list would let authenticated users reach cloud metadata, internal, and IPv6 transition
+// endpoints (SSRF), and a "private" block-list would fail to catch them.
+var reservedIPNets = sync.OnceValue(func() []*net.IPNet {
+	var nets []*net.IPNet
+	for _, cidr := range []string{
+		// IPv4
+		"100.64.0.0/10",    // RFC 6598 Carrier-Grade NAT
+		"168.63.129.16/32", // Azure WireServer metadata endpoint
+		"192.0.0.0/24",     // RFC 6890 IETF protocol assignments
+		"192.0.2.0/24",     // RFC 5737 TEST-NET-1
+		"192.88.99.0/24",   // RFC 7526 6to4 relay anycast (deprecated)
+		"198.18.0.0/15",    // RFC 2544 benchmarking
+		"198.51.100.0/24",  // RFC 5737 TEST-NET-2
+		"203.0.113.0/24",   // RFC 5737 TEST-NET-3
+		// IPv6
+		"100::/64",       // RFC 6666 discard-only
+		"64:ff9b::/96",   // RFC 6052 NAT64 (can embed IPv4 such as 169.254.169.254)
+		"64:ff9b:1::/48", // RFC 8215 local-use NAT64
+		"2001::/32",      // RFC 4380 Teredo tunneling (embeds IPv4)
+		"2001:10::/28",   // RFC 4843 ORCHID (deprecated)
+		"2001:20::/28",   // RFC 7343 ORCHIDv2
+		"2001:db8::/32",  // RFC 3849 documentation
+		"2002::/16",      // RFC 3056 6to4 (embeds IPv4)
+	} {
+		_, ipNet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic("hostmatcher: invalid reserved CIDR " + cidr + ": " + err.Error())
+		}
+		nets = append(nets, ipNet)
+	}
+	return nets
+})
+
+// isPrivateIP reports whether ip falls in a private (net.IP.IsPrivate) or reserved special-purpose
+// range (see reservedIPNets) that must not be considered a public/external destination.
+func isPrivateIP(ip net.IP) bool {
+	if ip.IsPrivate() {
+		return true
+	}
+	for _, ipNet := range reservedIPNets() {
+		if ipNet.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+// MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7),
+// plus the reserved special-purpose ranges in reservedIPNets (CGNAT, NAT64, cloud metadata, etc.).
+// Also called LAN/Intranet.
 const MatchBuiltinPrivate = "private"
 
 // MatchBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
@@ -105,11 +160,11 @@ func (hl *HostMatchList) checkIP(ip net.IP) bool {
 	for _, builtin := range hl.builtins {
 		switch builtin {
 		case MatchBuiltinExternal:
-			if ip.IsGlobalUnicast() && !ip.IsPrivate() {
+			if ip.IsGlobalUnicast() && !isPrivateIP(ip) {
 				return true
 			}
 		case MatchBuiltinPrivate:
-			if ip.IsPrivate() {
+			if isPrivateIP(ip) {
 				return true
 			}
 		case MatchBuiltinLoopback:

modules/hostmatcher/hostmatcher_test.go

@@ -159,3 +159,58 @@ func TestHostOrIPMatchesList(t *testing.T) {
 	}
 	test(cases)
 }
+
+// TestReservedRanges ensures special-purpose ranges that net.IP.IsPrivate misses are kept out of the
+// "external" allow-list (the default for webhook delivery and repository migrations) and folded into
+// the "private" block-list, so they cannot be used for SSRF to metadata/internal endpoints.
+func TestReservedRanges(t *testing.T) {
+	external := ParseHostMatchList("", "external")
+	private := ParseHostMatchList("", "private")
+
+	// legitimate public destinations: external, not private
+	for _, ip := range []string{"8.8.8.8", "1.1.1.1", "2001:4860:4860::8888", "1000::1"} {
+		addr := net.ParseIP(ip)
+		assert.Truef(t, external.MatchIPAddr(addr), "public ip %s should be external", ip)
+		assert.Falsef(t, private.MatchIPAddr(addr), "public ip %s should not be private", ip)
+	}
+
+	// RFC 1918 / RFC 4193 private ranges (now folded into privateIPNets instead of net.IP.IsPrivate):
+	// not external, blockable as private. Includes range edges to guard the CIDR boundaries.
+	for _, ip := range []string{
+		"10.0.0.0", "10.255.255.255", // 10.0.0.0/8
+		"172.16.0.0", "172.31.255.255", // 172.16.0.0/12
+		"192.168.0.0", "192.168.255.255", // 192.168.0.0/16
+		"fc00::", "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", // fc00::/7
+	} {
+		addr := net.ParseIP(ip)
+		assert.Falsef(t, external.MatchIPAddr(addr), "private ip %s must not be external", ip)
+		assert.Truef(t, private.MatchIPAddr(addr), "private ip %s should match private block-list", ip)
+	}
+
+	// 172.32.0.0 is just outside 172.16.0.0/12: a public destination, not private
+	if addr := net.ParseIP("172.32.0.0"); assert.NotNil(t, addr) {
+		assert.True(t, external.MatchIPAddr(addr), "172.32.0.0 should be external")
+		assert.False(t, private.MatchIPAddr(addr), "172.32.0.0 should not be private")
+	}
+
+	// reserved ranges that IsPrivate does not cover: not external, but blockable as private
+	for _, ip := range []string{
+		"100.64.0.1",         // CGNAT
+		"100.127.255.254",    // CGNAT
+		"168.63.129.16",      // Azure WireServer
+		"192.0.2.1",          // TEST-NET-1
+		"198.18.0.1",         // benchmarking
+		"198.51.100.1",       // TEST-NET-2
+		"203.0.113.1",        // TEST-NET-3
+		"192.88.99.1",        // 6to4 relay anycast
+		"64:ff9b::1",         // NAT64
+		"64:ff9b::a9fe:a9fe", // NAT64 embedding 169.254.169.254
+		"2001::1",            // Teredo
+		"2002::1",            // 6to4
+		"2001:db8::1",        // documentation
+	} {
+		addr := net.ParseIP(ip)
+		assert.Falsef(t, external.MatchIPAddr(addr), "reserved ip %s must not be external", ip)
+		assert.Truef(t, private.MatchIPAddr(addr), "reserved ip %s should match private block-list", ip)
+	}
+}

modules/markup/html.go

@@ -173,16 +173,25 @@ var emojiProcessors = []processor{
 	emojiProcessor,
 }
 
+// isBareURLSubject reports whether the (HTML-escaped) commit subject content
+// is entirely a single URL, ignoring leading/trailing whitespace.
+func isBareURLSubject(content string) bool {
+	s := strings.TrimSpace(html.UnescapeString(content))
+	if s == "" {
+		return false
+	}
+	m := common.GlobalVars().LinkRegex.FindStringIndex(s)
+	return m != nil && m[0] == 0 && m[1] == len(s)
+}
+
 // PostProcessCommitMessageSubject will use the same logic as PostProcess and
 // PostProcessCommitMessage, but will disable the shortLinkProcessor and
-// emailAddressProcessor, will add a defaultLinkProcessor if defaultLink is set,
-// which changes every text node into a link to the passed default link.
+// emailAddressProcessor, and wraps the whole subject in defaultLink.
 func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content string) (string, error) {
 	procs := []processor{
 		fullIssuePatternProcessor,
 		comparePatternProcessor,
 		fullHashPatternProcessor,
-		linkProcessor,
 		mentionProcessor,
 		issueIndexPatternProcessor,
 		commitCrossReferencePatternProcessor,
@@ -190,6 +199,15 @@ func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content st
 		emojiShortCodeProcessor,
 		emojiProcessor,
 	}
+	// When the whole subject is a bare URL, linkProcessor would turn it into
+	// a competing anchor and hijack the surrounding defaultLink wrapper, leaving
+	// the subject visually unclickable. Match GitHub: render such subjects as
+	// plain text inside defaultLink. Partial URLs inside larger text still become
+	// their own links (nested anchors aren't legal HTML, so the outer defaultLink
+	// naturally breaks on that span, same as on GitHub).
+	if !isBareURLSubject(content) {
+		procs = append(procs, linkProcessor)
+	}
 	procs = append(procs, func(ctx *RenderContext, node *html.Node) {
 		ch := &html.Node{Parent: node, Type: html.TextNode, Data: node.Data}
 		node.Type = html.ElementNode

modules/packages/debian/metadata.go

@@ -146,15 +146,26 @@ func ParseControlFile(r io.Reader) (*Package, error) {
 	var depends strings.Builder
 	var control strings.Builder
 
-	s := bufio.NewScanner(io.TeeReader(r, &control))
+	// https://www.debian.org/doc/debian-policy/ch-controlfields.html#syntax-of-control-files
+	s := bufio.NewScanner(r)
 	for s.Scan() {
 		line := s.Text()
 
 		trimmed := strings.TrimSpace(line)
 		if trimmed == "" {
-			continue
+			// A binary package control file holds exactly one stanza. Stop at the
+			// blank line that terminates it, otherwise a crafted control file could
+			// smuggle additional stanzas (with attacker-chosen Filename/Package
+			// fields) into the generated repository "Packages" index.
+			if control.Len() == 0 {
+				continue
+			}
+			break
 		}
 
+		control.WriteString(line)
+		control.WriteByte('\n')
+
 		if line[0] == ' ' || line[0] == '\t' {
 			switch key {
 			case "Description":

modules/packages/debian/metadata_test.go

@@ -184,4 +184,19 @@ func TestParseControlFile(t *testing.T) {
 			assert.NotNil(t, p)
 		}
 	})
+
+	t.Run("SingleStanzaOnly", func(t *testing.T) {
+		// A control file with a trailing stanza must not leak the extra fields into
+		// p.Control, otherwise buildPackagesIndices would emit a second package entry
+		// with an attacker-chosen Filename into the repository "Packages" index.
+		content := bytes.NewBufferString("Package: realpkg\nVersion: 1.0.0\nArchitecture: amd64\nMaintainer: a <a@b.c>\nDescription: real\n\nPackage: openssl\nVersion: 99.0\nArchitecture: amd64\nFilename: pool/main/o/openssl/evil.deb\nDescription: spoofed\n")
+
+		p, err := ParseControlFile(content)
+		assert.NoError(t, err)
+		assert.NotNil(t, p)
+		assert.Equal(t, "realpkg", p.Name)
+		assert.Equal(t, "1.0.0", p.Version)
+		assert.NotContains(t, p.Control, "openssl")
+		assert.NotContains(t, p.Control, "evil.deb")
+	})
 }

modules/templates/util_render_test.go

@@ -140,6 +140,18 @@ com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb mit
 		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject(testInput(), "https://example.com/link", mockRepo))
 	})
 
+	t.Run("RenderCommitMessageLinkSubjectURLOnly", func(t *testing.T) {
+		// a bare URL in the subject must not hijack the default link
+		expected := `<a href="https://example.com/link" class="muted">https://example.com/file.bin</a>`
+		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("https://example.com/file.bin", "https://example.com/link", mockRepo))
+	})
+
+	t.Run("RenderCommitMessageLinkSubjectPartialURL", func(t *testing.T) {
+		// a URL embedded in larger subject text still becomes its own link
+		expected := `<a href="https://example.com/link" class="muted">see </a><a href="https://example.com/x" data-markdown-generated-content="">https://example.com/x</a><a href="https://example.com/link" class="muted"> here</a>`
+		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("see https://example.com/x here", "https://example.com/link", mockRepo))
+	})
+
 	t.Run("RenderIssueTitle", func(t *testing.T) {
 		defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
 		expected := `  space @mention-user<SPACE><SPACE>

routers/api/actions/runner/runner.go

@@ -270,6 +270,15 @@ func (s *Service) UpdateLog(
 		rows = req.Msg.Rows[ack-req.Msg.Index:]
 	}
 
+	// Ack a re-sent finalize idempotently. Appending new rows past the seal errors.
+	if task.LogInStorage {
+		if len(rows) > 0 {
+			return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
+		}
+		res.Msg.AckIndex = ack
+		return res, nil
+	}
+
 	// Bail unless we have new rows or a NoMore to finalize. Even with
 	// NoMore, bail when the runner has outrun the server — archiving a
 	// log with a gap is worse than asking it to retry.
@@ -278,10 +287,6 @@ func (s *Service) UpdateLog(
 		return res, nil
 	}
 
-	if task.LogInStorage {
-		return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
-	}
-
 	// WriteLogs is called even with no rows: with offset==0 it bootstraps
 	// an empty DBFS file so TransferLogs below has something to read when
 	// the runner finalizes a task that produced no log output.

routers/api/v1/repo/action.go

@@ -1074,6 +1074,8 @@ func ActionsDispatchWorkflow(ctx *context.APIContext) {
 			ctx.APIError(http.StatusNotFound, err)
 		} else if errors.Is(err, util.ErrPermissionDenied) {
 			ctx.APIError(http.StatusForbidden, err)
+		} else if errors.Is(err, util.ErrInvalidArgument) {
+			ctx.APIError(http.StatusUnprocessableEntity, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}

routers/api/v1/repo/fork.go

@@ -55,7 +55,8 @@ func ListForks(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	forks, total, err := repo_service.FindForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
+	listOptions := utils.GetListOptions(ctx)
+	forks, total, err := repo_service.FindForks(ctx, ctx.Repo.Repository, ctx.Doer, listOptions)
 	if err != nil {
 		ctx.APIErrorInternal(err)
 		return
@@ -79,6 +80,7 @@ func ListForks(ctx *context.APIContext) {
 		apiForks[i] = convert.ToRepo(ctx, fork, permission)
 	}
 
+	ctx.SetLinkHeader(total, listOptions.PageSize)
 	ctx.SetTotalCountHeader(total)
 	ctx.JSON(http.StatusOK, apiForks)
 }

routers/api/v1/repo/issue_tracked_time.go

@@ -95,7 +95,8 @@ func ListTrackedTimes(ctx *context.APIContext) {
 	if qUser != "" {
 		user, err := user_model.GetUserByName(ctx, qUser)
 		if user_model.IsErrUserNotExist(err) {
-			ctx.APIError(http.StatusNotFound, err)
+			ctx.APIError(http.StatusNotFound, err.Error())
+			return
 		} else if err != nil {
 			ctx.APIErrorInternal(err)
 			return
@@ -523,7 +524,8 @@ func ListTrackedTimesByRepository(ctx *context.APIContext) {
 	if qUser != "" {
 		user, err := user_model.GetUserByName(ctx, qUser)
 		if user_model.IsErrUserNotExist(err) {
-			ctx.APIError(http.StatusNotFound, err)
+			ctx.APIError(http.StatusNotFound, err.Error())
+			return
 		} else if err != nil {
 			ctx.APIErrorInternal(err)
 			return

routers/common/actions.go

@@ -4,7 +4,9 @@
 package common
 
 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"strings"
 
 	actions_model "code.gitea.io/gitea/models/actions"
@@ -50,6 +52,9 @@ func DownloadActionsRunJobLogs(ctx *context.Base, ctxRepo *repo_model.Repository
 
 	reader, err := actions.OpenLogs(ctx, task.LogInStorage, task.LogFilename)
 	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return util.NewNotExistErrorf("logs not found")
+		}
 		return fmt.Errorf("OpenLogs: %w", err)
 	}
 	defer reader.Close()

routers/private/hook_post_receive.go

@@ -47,7 +47,7 @@ func HookPostReceive(ctx *gitea_context.PrivateContext) {
 		repo    *repo_model.Repository
 		gitRepo *git.Repository
 	)
-	defer gitRepo.Close() // it's safe to call Close on a nil pointer
+	defer func() { _ = gitRepo.Close() }() // it's safe to call Close on a nil pointer, but it needs to use the latest value
 
 	updates := make([]*repo_module.PushUpdateOptions, 0, len(opts.OldCommitIDs))
 	wasEmpty := false

services/actions/notifier_helper.go

@@ -399,6 +399,24 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo
 }
 
 func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+	canWrite := func(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+		perm, err := access_model.GetDoerRepoPermission(ctx, repo, user)
+		if err != nil {
+			return false, err
+		}
+		return perm.CanWrite(unit_model.TypeActions), nil
+	}
+	return ifNeedApprovalWith(ctx, run, repo, user, canWrite, issues_model.HasMergedPullRequestInRepo)
+}
+
+func ifNeedApprovalWith(
+	ctx context.Context,
+	run *actions_model.ActionRun,
+	repo *repo_model.Repository,
+	user *user_model.User,
+	canWriteActions func(context.Context, *repo_model.Repository, *user_model.User) (bool, error),
+	hasMergedPR func(context.Context, int64, int64) (bool, error),
+) (bool, error) {
 	// 1. don't need approval if it's not a fork PR
 	// 2. don't need approval if the event is `pull_request_target` since the workflow will run in the context of base branch
 	// 		see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
@@ -413,27 +431,24 @@ func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *rep
 	}
 
 	// don't need approval if the user can write
-	if perm, err := access_model.GetDoerRepoPermission(ctx, repo, user); err != nil {
+	if ok, err := canWriteActions(ctx, repo, user); err != nil {
 		return false, fmt.Errorf("GetDoerRepoPermission: %w", err)
-	} else if perm.CanWrite(unit_model.TypeActions) {
+	} else if ok {
 		log.Trace("do not need approval because user %d can write", user.ID)
 		return false, nil
 	}
 
-	// don't need approval if the user has been approved before
-	if count, err := db.Count[actions_model.ActionRun](ctx, actions_model.FindRunOptions{
-		RepoID:        repo.ID,
-		TriggerUserID: user.ID,
-		Approved:      true,
-	}); err != nil {
-		return false, fmt.Errorf("CountRuns: %w", err)
-	} else if count > 0 {
-		log.Trace("do not need approval because user %d has been approved before", user.ID)
+	// trust the user only after a merged PR — matching GitHub Actions. Approving one
+	// fork PR's run must not implicitly trust later fork PRs that replace the workflow.
+	if merged, err := hasMergedPR(ctx, repo.ID, user.ID); err != nil {
+		return false, fmt.Errorf("HasMergedPullRequestInRepo: %w", err)
+	} else if merged {
+		log.Trace("do not need approval because user %d has a merged pull request in repo %d", user.ID, repo.ID)
 		return false, nil
 	}
 
 	// otherwise, need approval
-	log.Trace("need approval because it's the first time user %d triggered actions", user.ID)
+	log.Trace("need approval because user %d has no merged pull request in repo %d", user.ID, repo.ID)
 	return true, nil
 }
 

services/actions/notifier_helper_test.go

@@ -0,0 +1,102 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	actions_module "code.gitea.io/gitea/modules/actions"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIfNeedApproval(t *testing.T) {
+	alwaysWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+		return true, nil
+	}
+	neverWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+		return false, nil
+	}
+	hasMerged := func(_ context.Context, _, _ int64) (bool, error) { return true, nil }
+	noMerged := func(_ context.Context, _, _ int64) (bool, error) { return false, nil }
+	errPerm := errors.New("perm error")
+	errMerge := errors.New("merge error")
+
+	forkRun := &actions_model.ActionRun{IsForkPullRequest: true, TriggerEvent: actions_module.GithubEventPullRequest}
+	nonForkRun := &actions_model.ActionRun{IsForkPullRequest: false, TriggerEvent: actions_module.GithubEventPullRequest}
+	prTargetRun := &actions_model.ActionRun{IsForkPullRequest: true, TriggerEvent: actions_module.GithubEventPullRequestTarget}
+
+	repo := &repo_model.Repository{ID: 1}
+	normalUser := &user_model.User{ID: 10}
+	restrictedUser := &user_model.User{ID: 11, IsRestricted: true}
+
+	t.Run("not a fork PR never needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), nonForkRun, repo, normalUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("pull_request_target never needs approval even when fork", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), prTargetRun, repo, normalUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("restricted user always needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, restrictedUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+	})
+
+	t.Run("fork PR with write permission does not need approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, alwaysWrite, noMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("fork PR with merged PR but no write permission does not need approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("fork PR with no write and no merged PR needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, noMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+	})
+
+	t.Run("canWriteActions error is propagated", func(t *testing.T) {
+		failWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+			return false, errPerm
+		}
+		_, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, failWrite, noMerged)
+		require.ErrorIs(t, err, errPerm)
+	})
+
+	t.Run("hasMergedPR error is propagated", func(t *testing.T) {
+		failMerge := func(_ context.Context, _, _ int64) (bool, error) { return false, errMerge }
+		_, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, failMerge)
+		require.ErrorIs(t, err, errMerge)
+	})
+
+	t.Run("restricted user skips permission check entirely", func(t *testing.T) {
+		// The perm and merge functions must not be called for a restricted user.
+		called := false
+		trackWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+			called = true
+			return true, nil
+		}
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, restrictedUser, trackWrite, noMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+		assert.False(t, called, "permission check must not run for restricted user")
+	})
+}

services/actions/workflow.go

@@ -140,11 +140,17 @@ func DispatchActionWorkflow(ctx reqctx.RequestContext, doer *user_model.User, re
 	workflow := &model.Workflow{
 		RawOn: singleWorkflow.RawOn,
 	}
+	workflowDispatch := workflow.WorkflowDispatchConfig()
+	if workflowDispatch == nil {
+		return 0, util.ErrorWrapTranslatable(
+			util.NewInvalidArgumentErrorf("workflow %q has no workflow_dispatch event trigger", workflowID),
+			"actions.workflow.has_no_workflow_dispatch", workflowID,
+		)
+	}
+
 	inputsWithDefaults := make(map[string]any)
-	if workflowDispatch := workflow.WorkflowDispatchConfig(); workflowDispatch != nil {
-		if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
-			return 0, err
-		}
+	if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
+		return 0, err
 	}
 
 	// ctx.Req.PostForm -> WorkflowDispatchPayload.Inputs -> ActionRun.EventPayload -> runner: ghc.Event

services/issue/pull.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"slices"
+	"time"
 
 	issues_model "code.gitea.io/gitea/models/issues"
 	org_model "code.gitea.io/gitea/models/organization"
@@ -26,6 +27,10 @@ type ReviewRequestNotifier struct {
 
 var codeOwnerFiles = []string{"CODEOWNERS", "docs/CODEOWNERS", ".gitea/CODEOWNERS"}
 
+// codeOwnerMatchBudget caps the total wall-clock time spent evaluating all
+// CODEOWNERS rules against all changed files for a single PR.
+const codeOwnerMatchBudget = 2 * time.Second
+
 func IsCodeOwnerFile(f string) bool {
 	return slices.Contains(codeOwnerFiles, f)
 }
@@ -93,8 +98,17 @@ func PullRequestCodeOwnersReview(ctx context.Context, pr *issues_model.PullReque
 
 	uniqUsers := make(map[int64]*user_model.User)
 	uniqTeams := make(map[string]*org_model.Team)
+	// Bound the total time spent matching rules×files. The per-rule MatchTimeout
+	// only caps a single match; without an aggregate budget a crafted CODEOWNERS
+	// plus a PR touching many files could still exhaust CPU inside this loop.
+	matchDeadline := time.Now().Add(codeOwnerMatchBudget)
+ruleLoop:
 	for _, rule := range rules {
 		for _, f := range changedFiles {
+			if time.Now().After(matchDeadline) {
+				log.Warn("CODEOWNERS matching for PR %s#%d exceeded its time budget; some rules were not evaluated", pr.BaseRepo.FullName(), pr.ID)
+				break ruleLoop
+			}
 			shouldMatch := !rule.Negative
 			matched, _ := rule.Rule.MatchString(f) // err only happens when timeouts, any error can be considered as not matched
 			if matched == shouldMatch {

services/release/notes.go

@@ -10,6 +10,7 @@ import (
 	"slices"
 	"strings"
 
+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
@@ -32,18 +33,23 @@ func GenerateReleaseNotes(ctx context.Context, repo *repo_model.Repository, gitR
 		return "", err
 	}
 
-	if opts.PreviousTag == "" {
-		// no previous tag, usually due to there is no tag in the repo, use the same content as GitHub
-		content := fmt.Sprintf("**Full Changelog**: %s/commits/tag/%s\n", repo.HTMLURL(ctx), util.PathEscapeSegments(opts.TagName))
-		return content, nil
+	isFirstRelease, err := isFirstRelease(ctx, repo.ID)
+	if err != nil {
+		return "", fmt.Errorf("isFirstRelease: %w", err)
 	}
 
-	baseCommit, err := gitRepo.GetCommit(opts.PreviousTag)
-	if err != nil {
+	baseCommitID := ""
+	if opts.PreviousTag != "" {
+		baseCommit, err := gitRepo.GetCommit(opts.PreviousTag)
+		if err != nil {
+			return "", util.ErrorWrapTranslatable(util.ErrNotExist, "repo.release.generate_notes_tag_not_found", opts.TagName)
+		}
+		baseCommitID = baseCommit.ID.String()
+	} else if !isFirstRelease {
 		return "", util.ErrorWrapTranslatable(util.ErrNotExist, "repo.release.generate_notes_tag_not_found", opts.TagName)
 	}
 
-	commits, err := gitRepo.CommitsBetweenIDs(headCommit.ID.String(), baseCommit.ID.String())
+	commits, err := gitRepo.CommitsBetweenIDs(headCommit.ID.String(), baseCommitID)
 	if err != nil {
 		return "", fmt.Errorf("CommitsBetweenIDs: %w", err)
 	}
@@ -58,10 +64,27 @@ func GenerateReleaseNotes(ctx context.Context, repo *repo_model.Repository, gitR
 		return "", err
 	}
 
-	content := buildReleaseNotesContent(ctx, repo, opts.TagName, opts.PreviousTag, prs, contributors, newContributors)
+	fullChangelogURL := ""
+	if isFirstRelease {
+		// Keep the first-release changelog link aligned with GitHub, while collecting PRs from full history.
+		fullChangelogURL = fmt.Sprintf("%s/commits/tag/%s", repo.HTMLURL(ctx), util.PathEscapeSegments(opts.TagName))
+	}
+
+	content := buildReleaseNotesContent(ctx, repo, opts.TagName, opts.PreviousTag, prs, contributors, newContributors, fullChangelogURL)
 	return content, nil
 }
 
+func isFirstRelease(ctx context.Context, repoID int64) (bool, error) {
+	count, err := db.Count[repo_model.Release](ctx, repo_model.FindReleasesOptions{
+		RepoID:        repoID,
+		IncludeDrafts: false,
+	})
+	if err != nil {
+		return false, err
+	}
+	return count == 0, nil
+}
+
 func resolveHeadCommit(gitRepo *git.Repository, tagName, tagTarget string) (*git.Commit, error) {
 	ref := tagName
 	if !gitRepo.IsTagExist(tagName) {
@@ -107,7 +130,7 @@ func collectPullRequestsFromCommits(ctx context.Context, repoID int64, commits [
 	return prs, nil
 }
 
-func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository, tagName, baseRef string, prs []*issues_model.PullRequest, contributors []*user_model.User, newContributors []*issues_model.PullRequest) string {
+func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository, tagName, baseRef string, prs []*issues_model.PullRequest, contributors []*user_model.User, newContributors []*issues_model.PullRequest, fullChangelogURL string) string {
 	var builder strings.Builder
 	builder.WriteString("## What's Changed\n")
 
@@ -136,8 +159,12 @@ func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository,
 	}
 
 	builder.WriteString("**Full Changelog**: ")
-	compareURL := fmt.Sprintf("%s/compare/%s...%s", repo.HTMLURL(ctx), util.PathEscapeSegments(baseRef), util.PathEscapeSegments(tagName))
-	fmt.Fprintf(&builder, "[%s...%s](%s)", baseRef, tagName, compareURL)
+	if fullChangelogURL != "" {
+		builder.WriteString(fullChangelogURL)
+	} else {
+		compareURL := fmt.Sprintf("%s/compare/%s...%s", repo.HTMLURL(ctx), util.PathEscapeSegments(baseRef), util.PathEscapeSegments(tagName))
+		fmt.Fprintf(&builder, "[%s...%s](%s)", baseRef, tagName, compareURL)
+	}
 	builder.WriteByte('\n')
 	return builder.String()
 }

services/release/notes_test.go

@@ -21,13 +21,14 @@ import (
 func TestGenerateReleaseNotes(t *testing.T) {
 	unittest.PrepareTestEnv(t)
 
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
-	gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
-	require.NoError(t, err)
-
 	t.Run("ChangeLogsWithPRs", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
 		mergedCommit := "90c1019714259b24fb81711d4416ac0f18667dfa"
-		createMergedPullRequest(t, repo, mergedCommit, 5)
+		createMergedPullRequest(t, repo, mergedCommit, 5, "Release notes test pull request")
 
 		content, err := GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
 			TagName:     "v1.2.0",
@@ -50,16 +51,51 @@ func TestGenerateReleaseNotes(t *testing.T) {
 	})
 
 	t.Run("NoPreviousTag", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
+		createMergedPullRequest(t, repo, "69554a64c1e6030f051e5c3f94bfbd773cd6a324", 5, "Initial tag PR 1")
+		createMergedPullRequest(t, repo, "27566bd5738fc8b4e3fef3c5e72cce608537bd95", 4, "Initial tag PR 2")
+		createMergedPullRequest(t, repo, "5099b81332712fe655e34e8dd63574f503f61811", 8, "Initial tag PR 3")
+
 		content, err := GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
-			TagName:   "v1.2.0",
-			TagTarget: "DefaultBranch",
+			TagName:   "v0.1.0",
+			TagTarget: repo.DefaultBranch,
 		})
 		require.NoError(t, err)
-		assert.Equal(t, "**Full Changelog**: https://try.gitea.io/user2/repo1/commits/tag/v1.2.0\n", content)
+
+		assert.Contains(t, content, "## What's Changed\n")
+		assert.Contains(t, content, "* Initial tag PR 1 in [#")
+		assert.Contains(t, content, "* Initial tag PR 2 in [#")
+		assert.Contains(t, content, "* Initial tag PR 3 in [#")
+		assert.Contains(t, content, "\n## Contributors\n")
+		assert.Contains(t, content, "* @user5\n")
+		assert.Contains(t, content, "* @user4\n")
+		assert.Contains(t, content, "* @user8\n")
+		assert.Contains(t, content, "\n## New Contributors\n")
+		assert.Contains(t, content, "* @user5 made their first contribution in [#")
+		assert.Contains(t, content, "* @user4 made their first contribution in [#")
+		assert.Contains(t, content, "* @user8 made their first contribution in [#")
+		assert.Contains(t, content, "**Full Changelog**: https://try.gitea.io/user2/repo16/commits/tag/v0.1.0\n")
+	})
+
+	t.Run("EmptyPreviousTagWithExistingTags", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
+		_, err = GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
+			TagName:   "v1.2.0",
+			TagTarget: repo.DefaultBranch,
+		})
+		require.Error(t, err)
 	})
 }
 
-func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCommit string, posterID int64) *issues_model.PullRequest {
+func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCommit string, posterID int64, title string) *issues_model.PullRequest {
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: posterID})
 
 	issue := &issues_model.Issue{
@@ -67,7 +103,7 @@ func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCom
 		Repo:     repo,
 		Poster:   user,
 		PosterID: user.ID,
-		Title:    "Release notes test pull request",
+		Title:    title,
 		Content:  "content",
 	}
 

services/repository/files/temp_repo.go

@@ -47,7 +47,8 @@ func NewTemporaryUploadRepository(repo *repo_model.Repository) (*TemporaryUpload
 
 // Close the repository cleaning up all files
 func (t *TemporaryUploadRepository) Close() {
-	defer t.gitRepo.Close()
+	// must stop the repo access before removal, otherwise Windows can't remove the directory occupied by other processes
+	t.gitRepo.Close()
 	if t.cleanup != nil {
 		t.cleanup()
 	}

tests/integration/actions_approve_test.go

@@ -140,3 +140,107 @@ jobs:
 		assert.Equal(t, actions_model.StatusWaiting, run2.Status)
 	})
 }
+
+// TestForkPullRequestApprovalNotBypassedByPriorApproval verifies that a single
+// approval on a fork PR does not permanently trust the contributor: a subsequent
+// fork PR from the same user must still be gated (Blocked / NeedApproval=true)
+// until that user has had a pull request merged in the repo.
+func TestForkPullRequestApprovalNotBypassedByPriorApproval(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		user2Session := loginUser(t, user2.Name)
+		user2Token := getTokenForLoggedInUser(t, user2Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+		user4Session := loginUser(t, user4.Name)
+		user4Token := getTokenForLoggedInUser(t, user4Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+
+		apiBaseRepo := createActionsTestRepo(t, user2Token, "fork-approval-regression", false)
+		baseRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiBaseRepo.ID})
+		user2APICtx := NewAPITestContext(t, baseRepo.OwnerName, baseRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user2APICtx)(t)
+
+		wfTreePath := ".gitea/workflows/ci.yml"
+		wfContent := `name: CI
+on: pull_request
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ok
+`
+		createWorkflowFile(t, user2Token, baseRepo.OwnerName, baseRepo.Name, wfTreePath,
+			getWorkflowCreateFileOptions(user2, baseRepo.DefaultBranch, "add ci", wfContent))
+
+		// user4 forks the repo
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", baseRepo.OwnerName, baseRepo.Name),
+			&api.CreateForkOption{Name: new("fork-approval-regression-fork")}).AddTokenAuth(user4Token)
+		resp := MakeRequest(t, req, http.StatusAccepted)
+		apiForkRepo := DecodeJSON(t, resp, &api.Repository{})
+		forkRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiForkRepo.ID})
+		user4APICtx := NewAPITestContext(t, user4.Name, forkRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user4APICtx)(t)
+
+		// PR #1: a benign change from user4's fork — first-time contributor, gate engages.
+		doAPICreateFile(user4APICtx, "first.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "first",
+				Message:       "first",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("first")),
+		})(t)
+		pr1, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":first")(t)
+		assert.NoError(t, err)
+
+		run1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr1.Index)})
+		assert.True(t, run1.NeedApproval, "first fork PR must require approval")
+		assert.Equal(t, actions_model.StatusBlocked, run1.Status)
+
+		// user2 approves run1.
+		req = NewRequest(t, "POST", fmt.Sprintf("%s/actions/approve-all-checks?commit_id=%s", baseRepo.Link(), pr1.Head.Sha))
+		user2Session.MakeRequest(t, req, http.StatusOK)
+		run1 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run1.ID})
+		assert.False(t, run1.NeedApproval)
+		assert.Equal(t, user2.ID, run1.ApprovedBy)
+
+		// PR #2: same user, fresh branch. Pre-fix, this run was created with
+		// NeedApproval=false and dispatched immediately — the bypass path.
+		doAPICreateFile(user4APICtx, "second.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "second",
+				Message:       "second",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("second")),
+		})(t)
+		pr2, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":second")(t)
+		assert.NoError(t, err)
+
+		run2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr2.Index)})
+		assert.True(t, run2.NeedApproval, "second fork PR must still require approval — prior approval-to-run does not grant trust")
+		assert.Equal(t, actions_model.StatusBlocked, run2.Status)
+		assert.EqualValues(t, 0, run2.ApprovedBy)
+
+		// After merging PR #1, user4 becomes a known contributor and the gate lifts for a new PR.
+		doAPIMergePullRequest(user2APICtx, baseRepo.OwnerName, baseRepo.Name, pr1.Index)(t)
+		doAPICreateFile(user4APICtx, "third.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "third",
+				Message:       "third",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("third")),
+		})(t)
+		pr3, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":third")(t)
+		assert.NoError(t, err)
+
+		run3 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr3.Index)})
+		assert.False(t, run3.NeedApproval, "fork PR from a user with a prior merged PR should not require approval")
+	})
+}

tests/integration/actions_concurrency_test.go

@@ -484,14 +484,18 @@ jobs:
 			},
 			ContentBase64: base64.StdEncoding.EncodeToString([]byte("user4-fix2")),
 		})(t)
-		doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":do-not-cancel/ccc")(t)
-		// cannot fetch the task because cancel-in-progress is false
+		pr3, _ := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":do-not-cancel/ccc")(t)
+		// cannot fetch the task: approval still required (user4 has no merged PR) and cancel-in-progress is false
 		runner.fetchNoTask(t)
 		runner.execTask(t, pr2Task1, &mockTaskOutcome{
 			result: runnerv1.Result_RESULT_SUCCESS,
 		})
 		pr2Run1 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: pr2Run1.ID})
 		assert.Equal(t, actions_model.StatusSuccess, pr2Run1.Status)
+		// user2 approves the third PR's run (user4 still has no merged PR, approval still required)
+		pr3Run1Pending := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr3.Index)})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/approve", baseRepo.OwnerName, baseRepo.Name, pr3Run1Pending.ID))
+		user2Session.MakeRequest(t, req, http.StatusOK)
 		// fetch the task
 		pr3Task1 := runner.fetchTask(t)
 		_, _, pr3Run1 := getTaskAndJobAndRunByTaskID(t, pr3Task1.Id)

tests/integration/actions_log_finalize_test.go

@@ -73,5 +73,19 @@ jobs:
 
 		_, err = dbfs.Open(t.Context(), actions_module.DBFSPrefix+freshTask.LogFilename)
 		assert.ErrorIs(t, err, os.ErrNotExist, "DBFS row must be cleaned up after TransferLogs")
+
+		// The runner re-sends its final UpdateLog when the response was lost.
+		// A sealed log must ack the re-send and still reject new appended rows.
+		t.Run("re-sent finalize is idempotent", func(t *testing.T) {
+			finalize := &runnerv1.UpdateLogRequest{TaskId: task.Id, Index: 0, Rows: nil, NoMore: true}
+			resp, err := runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(finalize))
+			require.NoError(t, err)
+			assert.EqualValues(t, 0, resp.Msg.AckIndex)
+
+			_, err = runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(&runnerv1.UpdateLogRequest{
+				TaskId: task.Id, Index: 0, Rows: []*runnerv1.LogRow{{Content: "late"}}, NoMore: true,
+			}))
+			require.Error(t, err, "appending rows past the seal must be rejected")
+		})
 	})
 }

tests/integration/actions_trigger_test.go

@@ -931,6 +931,76 @@ jobs:
 	})
 }
 
+func TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		session := loginUser(t, user2.Name)
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		repo, err := repo_service.CreateRepository(t.Context(), user2, user2, repo_service.CreateRepoOptions{
+			Name:          "workflow-dispatch-requires-trigger",
+			Description:   "test workflow dispatch requires workflow_dispatch",
+			AutoInit:      true,
+			Gitignores:    "Go",
+			License:       "MIT",
+			Readme:        "Default",
+			DefaultBranch: "main",
+			IsPrivate:     false,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, repo)
+
+		addWorkflowToBaseResp, err := files_service.ChangeRepoFiles(t.Context(), repo, user2, &files_service.ChangeRepoFilesOptions{
+			Files: []*files_service.ChangeRepoFile{
+				{
+					Operation: "create",
+					TreePath:  ".gitea/workflows/push-only.yml",
+					ContentReader: strings.NewReader(`
+on:
+  push:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo helloworld
+`),
+				},
+			},
+			Message:   "add workflow",
+			OldBranch: "main",
+			NewBranch: "main",
+			Author: &files_service.IdentityOptions{
+				GitUserName:  user2.Name,
+				GitUserEmail: user2.Email,
+			},
+			Committer: &files_service.IdentityOptions{
+				GitUserName:  user2.Name,
+				GitUserEmail: user2.Email,
+			},
+			Dates: &files_service.CommitDateOptions{
+				Author:    time.Now(),
+				Committer: time.Now(),
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, addWorkflowToBaseResp)
+
+		values := url.Values{}
+		values.Set("ref", "main")
+		req := NewRequestWithURLValues(t, "POST", fmt.Sprintf("/api/v1/repos/%s/actions/workflows/push-only.yml/dispatches", repo.FullName()), values).
+			AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusUnprocessableEntity)
+		apiError := DecodeJSON(t, resp, &api.APIError{})
+		assert.Contains(t, apiError.Message, "has no workflow_dispatch event trigger")
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{
+			RepoID:     repo.ID,
+			Event:      "workflow_dispatch",
+			WorkflowID: "push-only.yml",
+		})
+	})
+}
+
 func TestWorkflowDispatchPublicApiWithInputs(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

tests/integration/api_fork_test.go

@@ -89,7 +89,7 @@ func testAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		assert.Equal(t, "0", resp.Header().Get("X-Total-Count"))
 	})
 
-	t.Run("Logged in", func(t *testing.T) {
+	t.Run("LoggedIn", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks").AddTokenAuth(user1Token)
@@ -107,6 +107,36 @@ func testAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		assert.Len(t, forks, 2)
 		assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
 	})
+
+	t.Run("RespHeaderLinks", func(t *testing.T) {
+		t.Run("Page1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks?page=1&limit=1").AddTokenAuth(user1Token)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
+
+			linkHeader := resp.Header().Get("Link")
+			assert.NotEmpty(t, linkHeader, "Link header should not be empty")
+			assert.Contains(t, linkHeader, `rel="next"`)
+			assert.Contains(t, linkHeader, `rel="last"`)
+			assert.Contains(t, linkHeader, `/api/v1/repos/user2/repo1/forks?limit=1&page=2>`)
+
+			forks := DecodeJSON(t, resp, []*api.Repository{})
+			assert.Len(t, forks, 1)
+		})
+
+		t.Run("Page2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks?page=2&limit=1").AddTokenAuth(user1Token)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
+
+			forks := DecodeJSON(t, resp, []*api.Repository{})
+			assert.Len(t, forks, 1)
+		})
+	})
 }
 
 func testGetPrivateReposForks(t *testing.T) {

tests/integration/api_issue_tracked_time_test.go

@@ -13,6 +13,7 @@ import (
 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
 
@@ -63,6 +64,44 @@ func TestAPIGetTrackedTimes(t *testing.T) {
 	assert.Equal(t, int64(6), filterAPITimes[1].ID)
 }
 
+// TestAPIGetTrackedTimesNonExistentUserFilter ensures filtering by a user that
+// does not exist returns a clean 404 instead of panicking (nil pointer dereference).
+func TestAPIGetTrackedTimesNonExistentUserFilter(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	issue2 := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
+	assert.NoError(t, issue2.LoadRepo(t.Context()))
+
+	session := loginUser(t, user2.Name)
+	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopeReadRepository)
+
+	for _, tc := range []struct {
+		name string
+		url  string
+	}{
+		{"repository level", fmt.Sprintf("/api/v1/repos/%s/%s/times?user=nonexistentuser", user2.Name, issue2.Repo.Name)},
+		{"issue level", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times?user=nonexistentuser", user2.Name, issue2.Repo.Name, issue2.Index)},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req := NewRequest(t, "GET", tc.url).AddTokenAuth(token)
+			resp := MakeRequest(t, req, http.StatusNotFound)
+
+			assert.True(t, json.Valid(resp.Body.Bytes()), "response body must be a single JSON value, got: %s", resp.Body.Bytes())
+
+			var apiError api.APIError
+			DecodeJSON(t, resp, &apiError)
+			assert.Contains(t, apiError.Message, "user does not exist")
+		})
+	}
+
+	t.Run("existing user", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/times?user=%s", user2.Name, issue2.Repo.Name, user2.Name).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+		DecodeJSON(t, resp, api.TrackedTimeList{})
+	})
+}
+
 func TestAPIDeleteTrackedTime(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 

tests/integration/compare_test.go

@@ -36,9 +36,17 @@ func TestCompareTag(t *testing.T) {
 	// A dropdown for both base and head.
 	assert.Lenf(t, selection.Nodes, 2, "The template has changed")
 
+	req = NewRequest(t, "GET", "/user2/repo1/compare/v1.1...HEAD")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
+
+	req = NewRequest(t, "GET", "/user2/repo1/compare/v1.1...NotExisting").SetHeader("Accept", "text/html")
+	resp = session.MakeRequest(t, req, http.StatusNotFound)
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
+
 	req = NewRequest(t, "GET", "/user2/repo1/compare/invalid").SetHeader("Accept", "text/html")
 	resp = session.MakeRequest(t, req, http.StatusNotFound)
-	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()), "expect 404 page not 500")
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
 }
 
 // Compare with inferred default branch (master)

tools/ci-tools.ts

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+import {argv, env, exit} from 'node:process';
+
+const allowedTypes = [
+  'build',
+  'chore',
+  'ci',
+  'docs',
+  'enhance',
+  'feat',
+  'fix',
+  'perf',
+  'refactor',
+  'revert',
+  'style',
+  'test',
+] as const;
+type CommitType = typeof allowedTypes[number];
+
+const allowedTypesList = allowedTypes.join(', ');
+const titlePattern = new RegExp(`^(${allowedTypes.join('|')})(\\([\\w/.-]+\\))?(!)?: .+$`);
+
+function parsePrTitle(title: string): {type: CommitType; breaking: boolean} | null {
+  const match = titlePattern.exec(title);
+  return match ? {type: match[1] as CommitType, breaking: Boolean(match[3])} : null;
+}
+
+const breakingLabel = 'pr/breaking';
+
+// Mutually exclusive type labels, fully synced with the title type (added and removed).
+const typeLabels: Partial<Record<CommitType, string>> = {
+  feat: 'type/feature',
+  enhance: 'type/enhancement',
+  fix: 'type/bug',
+  docs: 'type/docs',
+  test: 'type/testing',
+};
+
+// Non-type labels, only added, never auto-removed, so manual labeling is not clobbered.
+const extraLabels: Partial<Record<CommitType, string>> = {
+  chore: 'skip-changelog',
+  ci: 'skip-changelog',
+  build: 'topic/build',
+};
+
+// Labels this tool may remove when the title no longer implies them.
+const removableLabels = [...Object.values(typeLabels), breakingLabel];
+
+function labelsForPrTitle(title: string): string[] {
+  const parsed = parsePrTitle(title);
+  if (!parsed) return [];
+  return [typeLabels[parsed.type], extraLabels[parsed.type], parsed.breaking ? breakingLabel : undefined]
+    .filter((label): label is string => label !== undefined);
+}
+
+// Command: validate PR_TITLE against the allowed Conventional Commits format.
+function lintPrTitle(): void {
+  if (!env.PR_TITLE) {
+    console.error('Missing PR_TITLE');
+    exit(1);
+  }
+  if (!parsePrTitle(env.PR_TITLE)) {
+    console.error(`Invalid PR title: ${env.PR_TITLE}`);
+    console.error('Expected format: type(scope): subject (scope optional, append "!" for breaking changes)');
+    console.error(`Allowed types: ${allowedTypesList}`);
+    exit(1);
+  }
+}
+
+// Command: sync the title-derived labels onto the PR via the GitHub API.
+async function setPrLabels(): Promise<void> {
+  if (!env.PR_TITLE || !env.GITHUB_TOKEN || !env.GITHUB_REPOSITORY || !env.PR_NUMBER) {
+    console.error('set-pr-labels requires PR_TITLE, GITHUB_TOKEN, GITHUB_REPOSITORY and PR_NUMBER');
+    exit(1);
+  }
+
+  const labelsUrl = `https://api.github.com/repos/${env.GITHUB_REPOSITORY}/issues/${env.PR_NUMBER}/labels`;
+
+  async function request(url: string, method = 'GET', body?: unknown): Promise<Response> {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: `Bearer ${env.GITHUB_TOKEN}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+        ...(body ? {'Content-Type': 'application/json'} : {}),
+      },
+      body: body ? JSON.stringify(body) : undefined,
+    });
+    if (!response.ok) {
+      throw new Error(`GitHub API ${method} ${url} failed (${response.status}): ${await response.text()}`);
+    }
+    return response;
+  }
+
+  const desired = labelsForPrTitle(env.PR_TITLE);
+  const response = await request(`${labelsUrl}?per_page=100`);
+  const current = ((await response.json()) as Array<{name: string}>).map((label) => label.name);
+
+  const toAdd = desired.filter((name) => !current.includes(name));
+  const toRemove = removableLabels.filter((name) => current.includes(name) && !desired.includes(name));
+
+  if (toAdd.length) {
+    await request(labelsUrl, 'POST', {labels: toAdd});
+    console.info(`Added labels: ${toAdd.join(', ')}`);
+  }
+  for (const name of toRemove) {
+    await request(`${labelsUrl}/${encodeURIComponent(name)}`, 'DELETE');
+    console.info(`Removed label: ${name}`);
+  }
+  if (!toAdd.length && !toRemove.length) {
+    console.info('PR labels already in sync');
+  }
+}
+
+const commands: Record<string, () => void | Promise<void>> = {
+  'lint-pr-title': lintPrTitle,
+  'set-pr-labels': setPrLabels,
+};
+
+const command = argv[2];
+const handler = commands[command];
+if (!handler) {
+  console.error(`Usage: ci-tools.ts <${Object.keys(commands).join('|')}>`);
+  exit(1);
+}
+
+try {
+  await handler();
+} catch (error) {
+  console.error(error instanceof Error ? error.message : error);
+  exit(1);
+}

web_src/css/swagger-render.css

@@ -1,4 +1,4 @@
-@import "../../node_modules/swagger-ui-dist/swagger-ui.css";
+@import "swagger-ui-dist/swagger-ui.css";
 
 html,
 html body,

web_src/fomantic/build/components/dropdown.js

@@ -1951,8 +1951,8 @@ $.fn.dropdown = function(parameters) {
                 $choice.find(selector.menu).remove();
                 $choice.find(selector.menuIcon).remove();
               }
-              return ($choice.data(metadata.text) !== undefined)
-                ? $choice.data(metadata.text)
+              return ($choice.attr('data-' + metadata.text) !== undefined) // GITEA-PATCH: use "attr" but not "data", don't decode JSON like "false"
+                ? $choice.attr('data-' + metadata.text)
                 : (preserveHTML)
                   ? $choice.html().trim()
                   : $choice.text().trim()
@@ -2005,8 +2005,8 @@ $.fn.dropdown = function(parameters) {
                     value    = ( $option.attr('value') !== undefined )
                       ? $option.attr('value')
                       : name,
-                    text     = ( $option.data(metadata.text) !== undefined )
-                      ? $option.data(metadata.text)
+                    text     = ( $option.attr('data-' + metadata.text) !== undefined ) // GITEA-PATCH: use "attr" but not "data", don't decode JSON like "false"
+                      ? $option.attr('data-' + metadata.text)
                       : name,
                     group = $option.parent('optgroup')
                   ;

web_src/js/modules/fomantic/dropdown.test.ts

@@ -1,6 +1,23 @@
+import '../../../fomantic/build/fomantic.js';
 import {createElementFromHTML} from '../../utils/dom.ts';
 import {hideScopedEmptyDividers} from './dropdown.ts';
 
+test('dropdown-item-literal-text', () => {
+  // a "choice" workflow_dispatch input can offer the string "false" as an option.
+  // jQuery `.data()` would coerce `data-text="false"` to the boolean `false`, which then renders as empty text.
+  const $dropdown = $(`<select class="ui dropdown">
+    <option value="1">1</option>
+    <option value="0">0</option>
+    <option value="true">true</option>
+    <option value="false">false</option>
+  </select>`).dropdown();
+  for (const value of ['1', '0', 'true', 'false']) {
+    $dropdown.dropdown('set selected', value);
+    expect($dropdown.dropdown('get text')).toEqual(value);
+    expect($dropdown.dropdown('get value')).toEqual(value);
+  }
+});
+
 test('hideScopedEmptyDividers-simple', () => {
   const container = createElementFromHTML(`<div>
 <div class="divider"></div>