fix: parse HEAD ref (#38119 )

backport #38088
fix(api): nil pointer panic when filtering tracked times by a non-existent user (#38112 ) (#38115 )
2026-06-15 15:05:51 +00:00 · 2026-06-14 19:52:44 +00:00 · 2026-06-14 20:06:04 +02:00 · 2026-06-14 14:29:27 +00:00 · 2026-06-13 11:56:35 +02:00 · 2026-06-12 18:21:46 +00:00
50 changed files with 1147 additions and 107 deletions
@@ -113,23 +113,25 @@ func handleCliResponseExtra(extra private.ResponseExtra) error {
 	return nil
 }

-func getAccessMode(verb, lfsVerb string) perm.AccessMode {
+// getAccessMode maps an SSH git/LFS verb to the access mode it requires, with
+// ok=false for an unrecognised verb. Callers MUST reject the request when ok is
+// false: AccessModeNone would otherwise pass the `userMode < mode` permission
+// check in routers/private/serv.go and grant access.
+func getAccessMode(verb, lfsVerb string) (mode perm.AccessMode, ok bool) {
 	switch verb {
 	case git.CmdVerbUploadPack, git.CmdVerbUploadArchive:
-		return perm.AccessModeRead
+		return perm.AccessModeRead, true
 	case git.CmdVerbReceivePack:
-		return perm.AccessModeWrite
+		return perm.AccessModeWrite, true
 	case git.CmdVerbLfsAuthenticate, git.CmdVerbLfsTransfer:
 		switch lfsVerb {
 		case git.CmdSubVerbLfsUpload:
-			return perm.AccessModeWrite
+			return perm.AccessModeWrite, true
 		case git.CmdSubVerbLfsDownload:
-			return perm.AccessModeRead
+			return perm.AccessModeRead, true
 		}
 	}
-	// should be unreachable
-	setting.PanicInDevOrTesting("unknown verb: %s %s", verb, lfsVerb)
-	return perm.AccessModeNone
+	return perm.AccessModeNone, false
 }

 func runServ(ctx context.Context, c *cli.Command) error {
@@ -247,7 +249,10 @@ func runServ(ctx context.Context, c *cli.Command) error {
 		}
 	}

-	requestedMode := getAccessMode(verb, lfsVerb)
+	requestedMode, ok := getAccessMode(verb, lfsVerb)
+	if !ok {
+		return fail(ctx, "Unknown git command", "Unknown git command %s %s", verb, lfsVerb)
+	}

 	results, extra := private.ServCommand(ctx, keyID, username, reponame, requestedMode, verb, lfsVerb)
 	if extra.HasError() {
@@ -0,0 +1,56 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/perm"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetAccessMode(t *testing.T) {
+	cases := []struct {
+		verb, lfsVerb string
+		expected      perm.AccessMode
+	}{
+		{git.CmdVerbUploadPack, "", perm.AccessModeRead},
+		{git.CmdVerbUploadArchive, "", perm.AccessModeRead},
+		{git.CmdVerbReceivePack, "", perm.AccessModeWrite},
+		{git.CmdVerbLfsAuthenticate, git.CmdSubVerbLfsUpload, perm.AccessModeWrite},
+		{git.CmdVerbLfsAuthenticate, git.CmdSubVerbLfsDownload, perm.AccessModeRead},
+		{git.CmdVerbLfsTransfer, git.CmdSubVerbLfsUpload, perm.AccessModeWrite},
+		{git.CmdVerbLfsTransfer, git.CmdSubVerbLfsDownload, perm.AccessModeRead},
+	}
+	for _, tc := range cases {
+		t.Run(tc.verb+"/"+tc.lfsVerb, func(t *testing.T) {
+			mode, ok := getAccessMode(tc.verb, tc.lfsVerb)
+			assert.True(t, ok)
+			assert.Equal(t, tc.expected, mode)
+		})
+	}
+}
+
+// TestGetAccessModeUnknownVerb locks in the invariant that getAccessMode reports
+// ok=false for unrecognised verbs and LFS sub-verbs, so runServ rejects them. An
+// unknown verb has no valid access mode; if it were treated as AccessModeNone (0)
+// it would pass the `userMode < mode` permission check in routers/private/serv.go
+// and hand out valid LFS JWTs for any private repository.
+func TestGetAccessModeUnknownVerb(t *testing.T) {
+	cases := []struct{ verb, lfsVerb string }{
+		{git.CmdVerbLfsAuthenticate, ""},
+		{git.CmdVerbLfsAuthenticate, "badverb"},
+		{git.CmdVerbLfsTransfer, "badverb"},
+		{"git-unknown-verb", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.verb+"/"+tc.lfsVerb, func(t *testing.T) {
+			mode, ok := getAccessMode(tc.verb, tc.lfsVerb)
+			assert.False(t, ok)
+			assert.Equal(t, perm.AccessModeNone, mode)
+		})
+	}
+}
@@ -570,8 +570,6 @@ export default defineConfig([
      'no-redeclare': [0], // must be disabled for typescript overloads
      'no-regex-spaces': [2],
      'no-restricted-exports': [0],
-      'no-restricted-globals': [2, ...restrictedGlobals],
-      'no-restricted-properties': [2, ...restrictedProperties],
      'no-restricted-imports': [2, {paths: [
        {name: 'jquery', message: 'Use the global $ instead', allowTypeImports: true},
        {name: 'htmx.org', message: 'Use the global htmx instead', allowTypeImports: true},
@@ -1024,5 +1022,9 @@ export default defineConfig([
  {
    files: ['web_src/**/*'],
    languageOptions: {globals: {...globals.browser, ...globals.jquery, htmx: false}},
+    rules: {
+      'no-restricted-globals': [2, ...restrictedGlobals],
+      'no-restricted-properties': [2, ...restrictedProperties],
+    },
  },
 ]);
@@ -110,13 +110,13 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v1.46.0
 	go.yaml.in/yaml/v4 v4.0.0-rc.3
-	golang.org/x/crypto v0.50.0
-	golang.org/x/image v0.38.0
-	golang.org/x/net v0.53.0
+	golang.org/x/crypto v0.52.0
+	golang.org/x/image v0.40.0
+	golang.org/x/net v0.55.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.44.0
-	golang.org/x/text v0.36.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.37.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/ini.v1 v1.67.1
@@ -785,12 +785,12 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
-golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
-golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
+golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -819,8 +819,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -868,8 +868,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -880,8 +880,8 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -892,8 +892,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -70,7 +70,6 @@ type FindRunOptions struct {
 	Ref              string // the commit/tag/… that caused this workflow
 	TriggerUserID    int64
 	TriggerEvent     webhook_module.HookEventType
-	Approved         bool // not util.OptionalBool, it works only when it's true
 	Status           []Status
 	ConcurrencyGroup string
 	CommitSHA        string
@@ -87,9 +86,6 @@ func (opts FindRunOptions) ToConds() builder.Cond {
 	if opts.TriggerUserID > 0 {
 		cond = cond.And(builder.Eq{"`action_run`.trigger_user_id": opts.TriggerUserID})
 	}
-	if opts.Approved {
-		cond = cond.And(builder.Gt{"`action_run`.approved_by": 0})
-	}
 	if len(opts.Status) > 0 {
 		cond = cond.And(builder.In("`action_run`.status", opts.Status))
 	}
@@ -196,7 +196,10 @@ func LFSObjectAccessible(ctx context.Context, user *user_model.User, oid string)
 		count, err := db.GetEngine(ctx).Count(&LFSMetaObject{Pointer: lfs.Pointer{Oid: oid}})
 		return count > 0, err
 	}
-	cond := repo_model.AccessibleRepositoryCondition(user, unit.TypeInvalid)
+	// LFS objects are repository code content, so authorization must require
+	// Code-unit access; other unit accesses (e.g. Issues) must not authorize
+	// reuse of an existing LFS object across repositories.
+	cond := repo_model.AccessibleRepositoryCondition(user, unit.TypeCode)
 	count, err := db.GetEngine(ctx).Where(cond).Join("INNER", "repository", "`lfs_meta_object`.repository_id = `repository`.id").Count(&LFSMetaObject{Pointer: lfs.Pointer{Oid: oid}})
 	return count > 0, err
 }
@@ -220,7 +223,7 @@ func LFSAutoAssociate(ctx context.Context, metas []*LFSMetaObject, user *user_mo
 			newMetas := make([]*LFSMetaObject, 0, len(metas))
 			cond := builder.In(
 				"`lfs_meta_object`.repository_id",
-				builder.Select("`repository`.id").From("repository").Where(repo_model.AccessibleRepositoryCondition(user, unit.TypeInvalid)),
+				builder.Select("`repository`.id").From("repository").Where(repo_model.AccessibleRepositoryCondition(user, unit.TypeCode)),
 			)
 			if err := db.GetEngine(ctx).Cols("oid").Where(cond).In("oid", oids...).GroupBy("oid").Find(&newMetas); err != nil {
 				return err
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"strings"
+	"time"

 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
@@ -860,6 +861,11 @@ func GetCodeOwnersFromContent(ctx context.Context, data string) ([]*CodeOwnerRul
 	return rules, warnings
 }

+// codeOwnerMatchTimeout bounds a single pattern match so a crafted pattern
+// cannot stall via catastrophic backtracking. See also the aggregate budget
+// enforced by the caller across the whole rules×files match loop.
+const codeOwnerMatchTimeout = 150 * time.Millisecond
+
 type CodeOwnerRule struct {
 	Rule     *regexp2.Regexp // it supports negative lookahead, does better for end users
 	Negative bool
@@ -888,6 +894,8 @@ func ParseCodeOwnersLine(ctx context.Context, tokens []string) (*CodeOwnerRule,
 		warnings = append(warnings, fmt.Sprintf("incorrect codeowner regexp: %s", err))
 		return nil, warnings
 	}
+	// Bound matching time so user-supplied patterns cannot stall PR creation via catastrophic backtracking.
+	rule.Rule.MatchTimeout = codeOwnerMatchTimeout

 	for _, user := range tokens[1:] {
 		user = strings.TrimPrefix(user, "@")
@@ -4,7 +4,9 @@
 package issues_test

 import (
+	"strings"
 	"testing"
+	"time"

 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -39,6 +41,7 @@ func TestPullRequest(t *testing.T) {
 	t.Run("DeleteOrphanedObjects", testDeleteOrphanedObjects)
 	t.Run("ParseCodeOwnersLine", testParseCodeOwnersLine)
 	t.Run("CodeOwnerAbsolutePathPatterns", testCodeOwnerAbsolutePathPatterns)
+	t.Run("CodeOwnerPatternMatchTimeout", testCodeOwnerPatternMatchTimeout)
 	t.Run("GetApprovers", testGetApprovers)
 	t.Run("GetPullRequestByMergedCommit", testGetPullRequestByMergedCommit)
 	t.Run("Migrate_InsertPullRequests", testMigrateInsertPullRequests)
@@ -376,6 +379,22 @@ func testCodeOwnerAbsolutePathPatterns(t *testing.T) {
 	}
 }

+// testCodeOwnerPatternMatchTimeout ensures user-supplied CODEOWNERS patterns
+// cannot stall pull request processing through catastrophic regex backtracking:
+// each compiled rule must enforce a bounded match time.
+func testCodeOwnerPatternMatchTimeout(t *testing.T) {
+	rules, _ := issues_model.GetCodeOwnersFromContent(t.Context(), "(a+)+ @user5\n")
+	require.Len(t, rules, 1)
+
+	maliciousInput := strings.Repeat("a", 30) + "X"
+	start := time.Now()
+	_, err := rules[0].Rule.MatchString(maliciousInput)
+	elapsed := time.Since(start)
+
+	require.Error(t, err, "expected MatchTimeout error on pathological input")
+	assert.Less(t, elapsed, time.Second, "match timeout did not bound regex evaluation; took %s", elapsed)
+}
+
 func testGetApprovers(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 5})
 	// Official reviews are already deduplicated. Allow unofficial reviews
@@ -483,6 +483,14 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 		if _, err := sess.ID(review.ID).Cols("content, type, official, commit_id, stale").Update(review); err != nil {
 			return nil, nil, err
 		}
+
+		// make sure the leftover review request is cleared, consistent with CreateReview
+		if reviewType != ReviewTypePending {
+			if _, err := sess.Where(builder.Eq{"reviewer_id": doer.ID, "issue_id": issue.ID, "type": ReviewTypeRequest}).
+				Delete(new(Review)); err != nil {
+				return nil, nil, err
+			}
+		}
 	}

 	comm, err := CreateComment(ctx, &CreateCommentOptions{
@@ -303,6 +303,46 @@ func TestDeleteDismissedReview(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: comment.ID})
 }

+func TestSubmitReviewClearsStaleReviewRequest(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 3})
+	assert.NoError(t, issue.LoadRepo(t.Context()))
+	assert.NoError(t, issue.Repo.LoadOwner(t.Context()))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	// the reviewer is requested to review the pull request
+	requestReview, err := issues_model.CreateReview(t.Context(), issues_model.CreateReviewOptions{
+		Type:     issues_model.ReviewTypeRequest,
+		Issue:    issue,
+		Reviewer: reviewer,
+	})
+	assert.NoError(t, err)
+
+	// the reviewer starts a pending review (e.g. by adding code comments)
+	pendingReview, err := issues_model.CreateReview(t.Context(), issues_model.CreateReviewOptions{
+		Type:     issues_model.ReviewTypePending,
+		Issue:    issue,
+		Reviewer: reviewer,
+	})
+	assert.NoError(t, err)
+
+	// submitting the pending review must clear the leftover review request,
+	// otherwise the reviewer can no longer be re-requested afterwards
+	review, _, err := issues_model.SubmitReview(t.Context(), reviewer, issue, issues_model.ReviewTypeComment, "looks good", "", false, nil)
+	assert.NoError(t, err)
+	assert.Equal(t, pendingReview.ID, review.ID)
+	assert.Equal(t, issues_model.ReviewTypeComment, review.Type)
+
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: requestReview.ID})
+
+	// the reviewer can be re-requested afterwards (no-op before the fix)
+	comment, err := issues_model.AddReviewRequest(t.Context(), issue, reviewer, doer, false)
+	assert.NoError(t, err)
+	assert.NotNil(t, comment)
+}
+
 func TestAddReviewRequest(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

@@ -298,6 +298,9 @@ func toGitContext(input map[string]any) *model.GithubContext {
 	return gitContext
 }

+// workflowCallEvent is only fired by another workflow's `uses:`, so it is excluded from trigger detection.
+const workflowCallEvent = "workflow_call"
+
 func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 	switch rawOn.Kind {
 	case yaml.ScalarNode:
@@ -306,6 +309,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		if err != nil {
 			return nil, err
 		}
+		if val == workflowCallEvent {
+			return []*Event{}, nil
+		}
 		return []*Event{
 			{Name: val},
 		}, nil
@@ -319,6 +325,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		for _, v := range val {
 			switch t := v.(type) {
 			case string:
+				if t == workflowCallEvent {
+					continue
+				}
 				res = append(res, &Event{Name: t})
 			default:
 				return nil, fmt.Errorf("invalid type %T", t)
@@ -332,6 +341,9 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		}
 		res := make([]*Event, 0, len(events))
 		for i, k := range events {
+			if k == workflowCallEvent {
+				continue
+			}
 			v := triggers[i]
 			switch v.Kind {
 			case yaml.ScalarNode:
@@ -254,6 +254,53 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			// `workflow_call` is only fired by another workflow's `uses:`, so ParseRawOn intentionally excludes it from trigger detection.
+			input: `on:
+  workflow_call:
+    inputs:
+      env:
+        type: string
+        required: true
+    outputs:
+      sha:
+        value: ${{ jobs.build.outputs.commit }}
+    secrets:
+      DEPLOY_KEY:
+        required: true
+`,
+			result: []*Event{},
+		},
+		{
+			// Mixed: a workflow that is both callable AND triggered by push. Only the "push" event surfaces.
+			input: `on:
+  workflow_call:
+    inputs:
+      env:
+        type: string
+  push:
+    branches: [main]
+`,
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{"branches": {"main"}},
+				},
+			},
+		},
+		{
+			// Scalar form: a purely reusable workflow has no event triggers.
+			input:  "on: workflow_call",
+			result: []*Event{},
+		},
+		{
+			// Sequence form: `workflow_call` is excluded while sibling events are kept.
+			input: "on:\n  - push\n  - workflow_call\n  - pull_request",
+			result: []*Event{
+				{Name: "push"},
+				{Name: "pull_request"},
+			},
+		},
 	}
 	for _, kase := range kases {
 		t.Run(kase.input, func(t *testing.T) {
@@ -445,6 +445,17 @@ func (c *Command) Start(ctx context.Context) (retErr error) {
 	c.cmd.Stdout = c.cmdStdout
 	c.cmd.Stdin = c.cmdStdin
 	c.cmd.Stderr = c.cmdStderr
+	c.cmd.Cancel = func() error {
+		// Golang's default cmd.Cancel only calls Process.Kill(), but here we need to close the parent pipes together:
+		// * for some commands like "git --batch-xxx", Windows git might have 2 processes (a wrapper and a real git process)
+		// * on Windows, if parent process is killed (context canceled), the children process won't be killed, and the pipe handles are still open.
+		// * if we don't close the parent pipes here, the children process won't exit.
+		//
+		// There is no such problem on POSIX, while it won't make things worse by closing the parent pipes also on POSIX.
+		err := c.cmd.Process.Kill()
+		c.closePipeFiles(c.parentPipeFiles)
+		return err
+	}
 	return c.cmd.Start()
 }

@@ -161,7 +161,7 @@ func (ref RefName) ShortName() string {
 	if ref.IsFor() {
 		return ref.ForBranchName()
 	}
-	return string(ref) // usually it is a commit ID
+	return string(ref) // usually it is a commit ID, or "HEAD"
 }

 // RefGroup returns the group type of the reference
@@ -8,6 +8,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/modules/git/gitcmd"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )

@@ -86,8 +87,11 @@ func (repo *Repository) UnstableGuessRefByShortName(shortName string) RefName {
 	commit, err := repo.GetCommit(shortName)
 	if err == nil {
 		commitIDString := commit.ID.String()
-		if strings.HasPrefix(commitIDString, shortName) {
+		// Make sure the short name is either a partial commit ID, or the symbolic HEAD ref.
+		if strings.HasPrefix(commitIDString, shortName) || shortName == "HEAD" {
 			return RefName(commitIDString)
+		} else {
+			setting.PanicInDevOrTesting("abuse of UnstableGuessRefByShortName, queried %s, got %s", shortName, commitIDString)
 		}
 	}
 	return ""
@@ -53,3 +53,18 @@ func TestRepository_GetRefsFiltered(t *testing.T) {
 		assert.Equal(t, "3ad28a9149a2864384548f3d17ed7f38014c9e8a", refs[1].Object.String())
 	}
 }
+
+func TestRepository_UnstableGuessRefByShortName(t *testing.T) {
+	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
+	bareRepo1, err := OpenRepository(t.Context(), bareRepo1Path)
+	assert.NoError(t, err)
+	defer bareRepo1.Close()
+
+	headCommit, err := bareRepo1.GetCommit("HEAD")
+	assert.NoError(t, err)
+
+	assert.Equal(t, RefName(headCommit.ID.String()), bareRepo1.UnstableGuessRefByShortName("HEAD"))
+	assert.Equal(t, RefName(headCommit.ID.String()), bareRepo1.UnstableGuessRefByShortName(headCommit.ID.String()[:8]))
+	assert.Equal(t, RefNameFromBranch("master"), bareRepo1.UnstableGuessRefByShortName("master"))
+	assert.Empty(t, bareRepo1.UnstableGuessRefByShortName("NotExisting"))
+}
@@ -40,7 +40,7 @@ type contextKey struct {
 }

 // RepositoryFromContextOrOpen attempts to get the repository from the context or just opens it
-// The caller must call "defer gitRepo.Close()"
+// The caller must call Closer.Close()
 func RepositoryFromContextOrOpen(ctx context.Context, repo Repository) (*git.Repository, io.Closer, error) {
 	reqCtx := reqctx.FromContext(ctx)
 	if reqCtx != nil {
@@ -63,7 +63,7 @@ func TestFile(t *testing.T) {
 		{
 			name:      "tags.py",
 			code:      "<>",
-			want:      lines(`<span class="o">&lt;</span><span class="o">&gt;</span>`),
+			want:      lines(`<span class="o">&lt;&gt;</span>`),
 			lexerName: "Python",
 		},
 		{
@@ -102,7 +102,7 @@ c=2
 <span class="n">def</span><span class="p">:</span>\n
    <span class="n">a</span><span class="o">=</span><span class="mi">1</span>\n
 \n
-<span class="n">b</span><span class="o">=</span><span class="sa"></span><span class="s1">&#39;</span><span class="s1">&#39;</span>\n
+<span class="n">b</span><span class="o">=</span><span class="s1">&#39;&#39;</span>\n
    \n
 <span class="n">c</span><span class="o">=</span><span class="mi">2</span>`,
 			),
@@ -114,6 +114,18 @@ c=2
 			want:      []template.HTML{"<span class=\"c1\">--\n</span>", `<span class="k">SELECT</span>`},
 			lexerName: "SQL",
 		},
+		{
+			name: "test.http",
+			code: `HTTP/1.0 400 Bad request
+Content-Type: text/html
+
+<html></html>`,
+			want: lines(`<span class="kr">HTTP</span><span class="o">/</span><span class="m">1.0</span> <span class="m">400</span> <span class="ne">Bad request</span>\n
+<span class="n">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>\n
+\n
+<span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>`),
+			lexerName: "HTTP",
+		},
 	}

 	for _, tt := range tests {
@@ -288,24 +288,24 @@ func detectChromaLexerWithAnalyze(fileName, lang string, code []byte) chroma.Lex

 	// if lang is provided, and it matches a lexer, use it directly
 	if byLang {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}

 	// if a lexer is detected and there is no conflict for the file extension, use it directly
 	fileExt := path.Ext(fileName)
 	_, hasConflicts := chromaLexers().conflictingExtLangMap[fileExt]
 	if !hasConflicts && lexer != lexers.Fallback {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}

 	// try to detect language by content, for best guessing for the language
 	// when using "code" to detect, analyze.GetCodeLanguage is slow, it iterates many rules to detect language from content
 	analyzedLanguage := analyze.GetCodeLanguage(fileName, code)
-	lexer = DetectChromaLexerByFileName(fileName, analyzedLanguage)
+	lexer, _ = detectChromaLexerByFileName(fileName, analyzedLanguage)
 	if lexer == lexers.Fallback {
 		if analyzedLanguage != enry.OtherLanguage {
 			log.Warn("No chroma lexer found for enry detected language: %s (file: %s), need to fix the language mapping between enry and chroma.", analyzedLanguage, fileName)
 		}
 	}
-	return lexer
+	return chroma.Coalesce(lexer)
 }
@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
+	"sync"
 )

 // HostMatchList is used to check if a host or IP is in a list.
@@ -23,10 +24,64 @@ type HostMatchList struct {
 	ipNets []*net.IPNet
 }

-// MatchBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched
+// MatchBuiltinExternal A valid global-unicast IP that is neither private (see MatchBuiltinPrivate)
+// nor a reserved special-purpose range (see reservedIPNets); i.e. a routable host on the public internet.
 const MatchBuiltinExternal = "external"

-// MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
+// reservedIPNets are special-purpose ranges that net.IP.IsPrivate omits but that must not be
+// treated as public/external destinations (CGNAT, cloud metadata, IPv6 transition, etc.). We layer
+// these on top of net.IP.IsPrivate (RFC 1918 / RFC 4193) so future additions to Go's IsPrivate are
+// picked up automatically, while still covering the ranges it leaves out; otherwise the default
+// allow-list would let authenticated users reach cloud metadata, internal, and IPv6 transition
+// endpoints (SSRF), and a "private" block-list would fail to catch them.
+var reservedIPNets = sync.OnceValue(func() []*net.IPNet {
+	var nets []*net.IPNet
+	for _, cidr := range []string{
+		// IPv4
+		"100.64.0.0/10",    // RFC 6598 Carrier-Grade NAT
+		"168.63.129.16/32", // Azure WireServer metadata endpoint
+		"192.0.0.0/24",     // RFC 6890 IETF protocol assignments
+		"192.0.2.0/24",     // RFC 5737 TEST-NET-1
+		"192.88.99.0/24",   // RFC 7526 6to4 relay anycast (deprecated)
+		"198.18.0.0/15",    // RFC 2544 benchmarking
+		"198.51.100.0/24",  // RFC 5737 TEST-NET-2
+		"203.0.113.0/24",   // RFC 5737 TEST-NET-3
+		// IPv6
+		"100::/64",       // RFC 6666 discard-only
+		"64:ff9b::/96",   // RFC 6052 NAT64 (can embed IPv4 such as 169.254.169.254)
+		"64:ff9b:1::/48", // RFC 8215 local-use NAT64
+		"2001::/32",      // RFC 4380 Teredo tunneling (embeds IPv4)
+		"2001:10::/28",   // RFC 4843 ORCHID (deprecated)
+		"2001:20::/28",   // RFC 7343 ORCHIDv2
+		"2001:db8::/32",  // RFC 3849 documentation
+		"2002::/16",      // RFC 3056 6to4 (embeds IPv4)
+	} {
+		_, ipNet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic("hostmatcher: invalid reserved CIDR " + cidr + ": " + err.Error())
+		}
+		nets = append(nets, ipNet)
+	}
+	return nets
+})
+
+// isPrivateIP reports whether ip falls in a private (net.IP.IsPrivate) or reserved special-purpose
+// range (see reservedIPNets) that must not be considered a public/external destination.
+func isPrivateIP(ip net.IP) bool {
+	if ip.IsPrivate() {
+		return true
+	}
+	for _, ipNet := range reservedIPNets() {
+		if ipNet.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+// MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7),
+// plus the reserved special-purpose ranges in reservedIPNets (CGNAT, NAT64, cloud metadata, etc.).
+// Also called LAN/Intranet.
 const MatchBuiltinPrivate = "private"

 // MatchBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
@@ -105,11 +160,11 @@ func (hl *HostMatchList) checkIP(ip net.IP) bool {
 	for _, builtin := range hl.builtins {
 		switch builtin {
 		case MatchBuiltinExternal:
-			if ip.IsGlobalUnicast() && !ip.IsPrivate() {
+			if ip.IsGlobalUnicast() && !isPrivateIP(ip) {
 				return true
 			}
 		case MatchBuiltinPrivate:
-			if ip.IsPrivate() {
+			if isPrivateIP(ip) {
 				return true
 			}
 		case MatchBuiltinLoopback:
@@ -159,3 +159,58 @@ func TestHostOrIPMatchesList(t *testing.T) {
 	}
 	test(cases)
 }
+
+// TestReservedRanges ensures special-purpose ranges that net.IP.IsPrivate misses are kept out of the
+// "external" allow-list (the default for webhook delivery and repository migrations) and folded into
+// the "private" block-list, so they cannot be used for SSRF to metadata/internal endpoints.
+func TestReservedRanges(t *testing.T) {
+	external := ParseHostMatchList("", "external")
+	private := ParseHostMatchList("", "private")
+
+	// legitimate public destinations: external, not private
+	for _, ip := range []string{"8.8.8.8", "1.1.1.1", "2001:4860:4860::8888", "1000::1"} {
+		addr := net.ParseIP(ip)
+		assert.Truef(t, external.MatchIPAddr(addr), "public ip %s should be external", ip)
+		assert.Falsef(t, private.MatchIPAddr(addr), "public ip %s should not be private", ip)
+	}
+
+	// RFC 1918 / RFC 4193 private ranges (now folded into privateIPNets instead of net.IP.IsPrivate):
+	// not external, blockable as private. Includes range edges to guard the CIDR boundaries.
+	for _, ip := range []string{
+		"10.0.0.0", "10.255.255.255", // 10.0.0.0/8
+		"172.16.0.0", "172.31.255.255", // 172.16.0.0/12
+		"192.168.0.0", "192.168.255.255", // 192.168.0.0/16
+		"fc00::", "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", // fc00::/7
+	} {
+		addr := net.ParseIP(ip)
+		assert.Falsef(t, external.MatchIPAddr(addr), "private ip %s must not be external", ip)
+		assert.Truef(t, private.MatchIPAddr(addr), "private ip %s should match private block-list", ip)
+	}
+
+	// 172.32.0.0 is just outside 172.16.0.0/12: a public destination, not private
+	if addr := net.ParseIP("172.32.0.0"); assert.NotNil(t, addr) {
+		assert.True(t, external.MatchIPAddr(addr), "172.32.0.0 should be external")
+		assert.False(t, private.MatchIPAddr(addr), "172.32.0.0 should not be private")
+	}
+
+	// reserved ranges that IsPrivate does not cover: not external, but blockable as private
+	for _, ip := range []string{
+		"100.64.0.1",         // CGNAT
+		"100.127.255.254",    // CGNAT
+		"168.63.129.16",      // Azure WireServer
+		"192.0.2.1",          // TEST-NET-1
+		"198.18.0.1",         // benchmarking
+		"198.51.100.1",       // TEST-NET-2
+		"203.0.113.1",        // TEST-NET-3
+		"192.88.99.1",        // 6to4 relay anycast
+		"64:ff9b::1",         // NAT64
+		"64:ff9b::a9fe:a9fe", // NAT64 embedding 169.254.169.254
+		"2001::1",            // Teredo
+		"2002::1",            // 6to4
+		"2001:db8::1",        // documentation
+	} {
+		addr := net.ParseIP(ip)
+		assert.Falsef(t, external.MatchIPAddr(addr), "reserved ip %s must not be external", ip)
+		assert.Truef(t, private.MatchIPAddr(addr), "reserved ip %s should match private block-list", ip)
+	}
+}
@@ -173,16 +173,25 @@ var emojiProcessors = []processor{
 	emojiProcessor,
 }

+// isBareURLSubject reports whether the (HTML-escaped) commit subject content
+// is entirely a single URL, ignoring leading/trailing whitespace.
+func isBareURLSubject(content string) bool {
+	s := strings.TrimSpace(html.UnescapeString(content))
+	if s == "" {
+		return false
+	}
+	m := common.GlobalVars().LinkRegex.FindStringIndex(s)
+	return m != nil && m[0] == 0 && m[1] == len(s)
+}
+
 // PostProcessCommitMessageSubject will use the same logic as PostProcess and
 // PostProcessCommitMessage, but will disable the shortLinkProcessor and
-// emailAddressProcessor, will add a defaultLinkProcessor if defaultLink is set,
-// which changes every text node into a link to the passed default link.
+// emailAddressProcessor, and wraps the whole subject in defaultLink.
 func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content string) (string, error) {
 	procs := []processor{
 		fullIssuePatternProcessor,
 		comparePatternProcessor,
 		fullHashPatternProcessor,
-		linkProcessor,
 		mentionProcessor,
 		issueIndexPatternProcessor,
 		commitCrossReferencePatternProcessor,
@@ -190,6 +199,15 @@ func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content st
 		emojiShortCodeProcessor,
 		emojiProcessor,
 	}
+	// When the whole subject is a bare URL, linkProcessor would turn it into
+	// a competing anchor and hijack the surrounding defaultLink wrapper, leaving
+	// the subject visually unclickable. Match GitHub: render such subjects as
+	// plain text inside defaultLink. Partial URLs inside larger text still become
+	// their own links (nested anchors aren't legal HTML, so the outer defaultLink
+	// naturally breaks on that span, same as on GitHub).
+	if !isBareURLSubject(content) {
+		procs = append(procs, linkProcessor)
+	}
 	procs = append(procs, func(ctx *RenderContext, node *html.Node) {
 		ch := &html.Node{Parent: node, Type: html.TextNode, Data: node.Data}
 		node.Type = html.ElementNode
@@ -146,15 +146,26 @@ func ParseControlFile(r io.Reader) (*Package, error) {
 	var depends strings.Builder
 	var control strings.Builder

-	s := bufio.NewScanner(io.TeeReader(r, &control))
+	// https://www.debian.org/doc/debian-policy/ch-controlfields.html#syntax-of-control-files
+	s := bufio.NewScanner(r)
 	for s.Scan() {
 		line := s.Text()

 		trimmed := strings.TrimSpace(line)
 		if trimmed == "" {
-			continue
+			// A binary package control file holds exactly one stanza. Stop at the
+			// blank line that terminates it, otherwise a crafted control file could
+			// smuggle additional stanzas (with attacker-chosen Filename/Package
+			// fields) into the generated repository "Packages" index.
+			if control.Len() == 0 {
+				continue
+			}
+			break
 		}

+		control.WriteString(line)
+		control.WriteByte('\n')
+
 		if line[0] == ' ' || line[0] == '\t' {
 			switch key {
 			case "Description":
@@ -184,4 +184,19 @@ func TestParseControlFile(t *testing.T) {
 			assert.NotNil(t, p)
 		}
 	})
+
+	t.Run("SingleStanzaOnly", func(t *testing.T) {
+		// A control file with a trailing stanza must not leak the extra fields into
+		// p.Control, otherwise buildPackagesIndices would emit a second package entry
+		// with an attacker-chosen Filename into the repository "Packages" index.
+		content := bytes.NewBufferString("Package: realpkg\nVersion: 1.0.0\nArchitecture: amd64\nMaintainer: a <a@b.c>\nDescription: real\n\nPackage: openssl\nVersion: 99.0\nArchitecture: amd64\nFilename: pool/main/o/openssl/evil.deb\nDescription: spoofed\n")
+
+		p, err := ParseControlFile(content)
+		assert.NoError(t, err)
+		assert.NotNil(t, p)
+		assert.Equal(t, "realpkg", p.Name)
+		assert.Equal(t, "1.0.0", p.Version)
+		assert.NotContains(t, p.Control, "openssl")
+		assert.NotContains(t, p.Control, "evil.deb")
+	})
 }
@@ -140,6 +140,18 @@ com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb mit
 		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject(testInput(), "https://example.com/link", mockRepo))
 	})

+	t.Run("RenderCommitMessageLinkSubjectURLOnly", func(t *testing.T) {
+		// a bare URL in the subject must not hijack the default link
+		expected := `<a href="https://example.com/link" class="muted">https://example.com/file.bin</a>`
+		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("https://example.com/file.bin", "https://example.com/link", mockRepo))
+	})
+
+	t.Run("RenderCommitMessageLinkSubjectPartialURL", func(t *testing.T) {
+		// a URL embedded in larger subject text still becomes its own link
+		expected := `<a href="https://example.com/link" class="muted">see </a><a href="https://example.com/x" data-markdown-generated-content="">https://example.com/x</a><a href="https://example.com/link" class="muted"> here</a>`
+		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("see https://example.com/x here", "https://example.com/link", mockRepo))
+	})
+
 	t.Run("RenderIssueTitle", func(t *testing.T) {
 		defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
 		expected := `  space @mention-user<SPACE><SPACE>
@@ -270,6 +270,15 @@ func (s *Service) UpdateLog(
 		rows = req.Msg.Rows[ack-req.Msg.Index:]
 	}

+	// Ack a re-sent finalize idempotently. Appending new rows past the seal errors.
+	if task.LogInStorage {
+		if len(rows) > 0 {
+			return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
+		}
+		res.Msg.AckIndex = ack
+		return res, nil
+	}
+
 	// Bail unless we have new rows or a NoMore to finalize. Even with
 	// NoMore, bail when the runner has outrun the server — archiving a
 	// log with a gap is worse than asking it to retry.
@@ -278,10 +287,6 @@ func (s *Service) UpdateLog(
 		return res, nil
 	}

-	if task.LogInStorage {
-		return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
-	}
-
 	// WriteLogs is called even with no rows: with offset==0 it bootstraps
 	// an empty DBFS file so TransferLogs below has something to read when
 	// the runner finalizes a task that produced no log output.
@@ -1074,6 +1074,8 @@ func ActionsDispatchWorkflow(ctx *context.APIContext) {
 			ctx.APIError(http.StatusNotFound, err)
 		} else if errors.Is(err, util.ErrPermissionDenied) {
 			ctx.APIError(http.StatusForbidden, err)
+		} else if errors.Is(err, util.ErrInvalidArgument) {
+			ctx.APIError(http.StatusUnprocessableEntity, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}
@@ -55,7 +55,8 @@ func ListForks(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	forks, total, err := repo_service.FindForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
+	listOptions := utils.GetListOptions(ctx)
+	forks, total, err := repo_service.FindForks(ctx, ctx.Repo.Repository, ctx.Doer, listOptions)
 	if err != nil {
 		ctx.APIErrorInternal(err)
 		return
@@ -79,6 +80,7 @@ func ListForks(ctx *context.APIContext) {
 		apiForks[i] = convert.ToRepo(ctx, fork, permission)
 	}

+	ctx.SetLinkHeader(total, listOptions.PageSize)
 	ctx.SetTotalCountHeader(total)
 	ctx.JSON(http.StatusOK, apiForks)
 }
@@ -95,7 +95,8 @@ func ListTrackedTimes(ctx *context.APIContext) {
 	if qUser != "" {
 		user, err := user_model.GetUserByName(ctx, qUser)
 		if user_model.IsErrUserNotExist(err) {
-			ctx.APIError(http.StatusNotFound, err)
+			ctx.APIError(http.StatusNotFound, err.Error())
+			return
 		} else if err != nil {
 			ctx.APIErrorInternal(err)
 			return
@@ -523,7 +524,8 @@ func ListTrackedTimesByRepository(ctx *context.APIContext) {
 	if qUser != "" {
 		user, err := user_model.GetUserByName(ctx, qUser)
 		if user_model.IsErrUserNotExist(err) {
-			ctx.APIError(http.StatusNotFound, err)
+			ctx.APIError(http.StatusNotFound, err.Error())
+			return
 		} else if err != nil {
 			ctx.APIErrorInternal(err)
 			return
@@ -4,7 +4,9 @@
 package common

 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"strings"

 	actions_model "code.gitea.io/gitea/models/actions"
@@ -50,6 +52,9 @@ func DownloadActionsRunJobLogs(ctx *context.Base, ctxRepo *repo_model.Repository

 	reader, err := actions.OpenLogs(ctx, task.LogInStorage, task.LogFilename)
 	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return util.NewNotExistErrorf("logs not found")
+		}
 		return fmt.Errorf("OpenLogs: %w", err)
 	}
 	defer reader.Close()
@@ -47,7 +47,7 @@ func HookPostReceive(ctx *gitea_context.PrivateContext) {
 		repo    *repo_model.Repository
 		gitRepo *git.Repository
 	)
-	defer gitRepo.Close() // it's safe to call Close on a nil pointer
+	defer func() { _ = gitRepo.Close() }() // it's safe to call Close on a nil pointer, but it needs to use the latest value

 	updates := make([]*repo_module.PushUpdateOptions, 0, len(opts.OldCommitIDs))
 	wasEmpty := false
@@ -399,6 +399,24 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo
 }

 func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+	canWrite := func(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+		perm, err := access_model.GetDoerRepoPermission(ctx, repo, user)
+		if err != nil {
+			return false, err
+		}
+		return perm.CanWrite(unit_model.TypeActions), nil
+	}
+	return ifNeedApprovalWith(ctx, run, repo, user, canWrite, issues_model.HasMergedPullRequestInRepo)
+}
+
+func ifNeedApprovalWith(
+	ctx context.Context,
+	run *actions_model.ActionRun,
+	repo *repo_model.Repository,
+	user *user_model.User,
+	canWriteActions func(context.Context, *repo_model.Repository, *user_model.User) (bool, error),
+	hasMergedPR func(context.Context, int64, int64) (bool, error),
+) (bool, error) {
 	// 1. don't need approval if it's not a fork PR
 	// 2. don't need approval if the event is `pull_request_target` since the workflow will run in the context of base branch
 	// 		see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
@@ -413,27 +431,24 @@ func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *rep
 	}

 	// don't need approval if the user can write
-	if perm, err := access_model.GetDoerRepoPermission(ctx, repo, user); err != nil {
+	if ok, err := canWriteActions(ctx, repo, user); err != nil {
 		return false, fmt.Errorf("GetDoerRepoPermission: %w", err)
-	} else if perm.CanWrite(unit_model.TypeActions) {
+	} else if ok {
 		log.Trace("do not need approval because user %d can write", user.ID)
 		return false, nil
 	}

-	// don't need approval if the user has been approved before
-	if count, err := db.Count[actions_model.ActionRun](ctx, actions_model.FindRunOptions{
-		RepoID:        repo.ID,
-		TriggerUserID: user.ID,
-		Approved:      true,
-	}); err != nil {
-		return false, fmt.Errorf("CountRuns: %w", err)
-	} else if count > 0 {
-		log.Trace("do not need approval because user %d has been approved before", user.ID)
+	// trust the user only after a merged PR — matching GitHub Actions. Approving one
+	// fork PR's run must not implicitly trust later fork PRs that replace the workflow.
+	if merged, err := hasMergedPR(ctx, repo.ID, user.ID); err != nil {
+		return false, fmt.Errorf("HasMergedPullRequestInRepo: %w", err)
+	} else if merged {
+		log.Trace("do not need approval because user %d has a merged pull request in repo %d", user.ID, repo.ID)
 		return false, nil
 	}

 	// otherwise, need approval
-	log.Trace("need approval because it's the first time user %d triggered actions", user.ID)
+	log.Trace("need approval because user %d has no merged pull request in repo %d", user.ID, repo.ID)
 	return true, nil
 }

@@ -0,0 +1,102 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	actions_module "code.gitea.io/gitea/modules/actions"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIfNeedApproval(t *testing.T) {
+	alwaysWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+		return true, nil
+	}
+	neverWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+		return false, nil
+	}
+	hasMerged := func(_ context.Context, _, _ int64) (bool, error) { return true, nil }
+	noMerged := func(_ context.Context, _, _ int64) (bool, error) { return false, nil }
+	errPerm := errors.New("perm error")
+	errMerge := errors.New("merge error")
+
+	forkRun := &actions_model.ActionRun{IsForkPullRequest: true, TriggerEvent: actions_module.GithubEventPullRequest}
+	nonForkRun := &actions_model.ActionRun{IsForkPullRequest: false, TriggerEvent: actions_module.GithubEventPullRequest}
+	prTargetRun := &actions_model.ActionRun{IsForkPullRequest: true, TriggerEvent: actions_module.GithubEventPullRequestTarget}
+
+	repo := &repo_model.Repository{ID: 1}
+	normalUser := &user_model.User{ID: 10}
+	restrictedUser := &user_model.User{ID: 11, IsRestricted: true}
+
+	t.Run("not a fork PR never needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), nonForkRun, repo, normalUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("pull_request_target never needs approval even when fork", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), prTargetRun, repo, normalUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("restricted user always needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, restrictedUser, alwaysWrite, hasMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+	})
+
+	t.Run("fork PR with write permission does not need approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, alwaysWrite, noMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("fork PR with merged PR but no write permission does not need approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, hasMerged)
+		require.NoError(t, err)
+		assert.False(t, need)
+	})
+
+	t.Run("fork PR with no write and no merged PR needs approval", func(t *testing.T) {
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, noMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+	})
+
+	t.Run("canWriteActions error is propagated", func(t *testing.T) {
+		failWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+			return false, errPerm
+		}
+		_, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, failWrite, noMerged)
+		require.ErrorIs(t, err, errPerm)
+	})
+
+	t.Run("hasMergedPR error is propagated", func(t *testing.T) {
+		failMerge := func(_ context.Context, _, _ int64) (bool, error) { return false, errMerge }
+		_, err := ifNeedApprovalWith(t.Context(), forkRun, repo, normalUser, neverWrite, failMerge)
+		require.ErrorIs(t, err, errMerge)
+	})
+
+	t.Run("restricted user skips permission check entirely", func(t *testing.T) {
+		// The perm and merge functions must not be called for a restricted user.
+		called := false
+		trackWrite := func(_ context.Context, _ *repo_model.Repository, _ *user_model.User) (bool, error) {
+			called = true
+			return true, nil
+		}
+		need, err := ifNeedApprovalWith(t.Context(), forkRun, repo, restrictedUser, trackWrite, noMerged)
+		require.NoError(t, err)
+		assert.True(t, need)
+		assert.False(t, called, "permission check must not run for restricted user")
+	})
+}
@@ -140,11 +140,17 @@ func DispatchActionWorkflow(ctx reqctx.RequestContext, doer *user_model.User, re
 	workflow := &model.Workflow{
 		RawOn: singleWorkflow.RawOn,
 	}
+	workflowDispatch := workflow.WorkflowDispatchConfig()
+	if workflowDispatch == nil {
+		return 0, util.ErrorWrapTranslatable(
+			util.NewInvalidArgumentErrorf("workflow %q has no workflow_dispatch event trigger", workflowID),
+			"actions.workflow.has_no_workflow_dispatch", workflowID,
+		)
+	}
+
 	inputsWithDefaults := make(map[string]any)
-	if workflowDispatch := workflow.WorkflowDispatchConfig(); workflowDispatch != nil {
-		if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
-			return 0, err
-		}
+	if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
+		return 0, err
 	}

 	// ctx.Req.PostForm -> WorkflowDispatchPayload.Inputs -> ActionRun.EventPayload -> runner: ghc.Event
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"slices"
+	"time"

 	issues_model "code.gitea.io/gitea/models/issues"
 	org_model "code.gitea.io/gitea/models/organization"
@@ -26,6 +27,10 @@ type ReviewRequestNotifier struct {

 var codeOwnerFiles = []string{"CODEOWNERS", "docs/CODEOWNERS", ".gitea/CODEOWNERS"}

+// codeOwnerMatchBudget caps the total wall-clock time spent evaluating all
+// CODEOWNERS rules against all changed files for a single PR.
+const codeOwnerMatchBudget = 2 * time.Second
+
 func IsCodeOwnerFile(f string) bool {
 	return slices.Contains(codeOwnerFiles, f)
 }
@@ -93,8 +98,17 @@ func PullRequestCodeOwnersReview(ctx context.Context, pr *issues_model.PullReque

 	uniqUsers := make(map[int64]*user_model.User)
 	uniqTeams := make(map[string]*org_model.Team)
+	// Bound the total time spent matching rules×files. The per-rule MatchTimeout
+	// only caps a single match; without an aggregate budget a crafted CODEOWNERS
+	// plus a PR touching many files could still exhaust CPU inside this loop.
+	matchDeadline := time.Now().Add(codeOwnerMatchBudget)
+ruleLoop:
 	for _, rule := range rules {
 		for _, f := range changedFiles {
+			if time.Now().After(matchDeadline) {
+				log.Warn("CODEOWNERS matching for PR %s#%d exceeded its time budget; some rules were not evaluated", pr.BaseRepo.FullName(), pr.ID)
+				break ruleLoop
+			}
 			shouldMatch := !rule.Negative
 			matched, _ := rule.Rule.MatchString(f) // err only happens when timeouts, any error can be considered as not matched
 			if matched == shouldMatch {
@@ -10,6 +10,7 @@ import (
 	"slices"
 	"strings"

+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
@@ -32,18 +33,23 @@ func GenerateReleaseNotes(ctx context.Context, repo *repo_model.Repository, gitR
 		return "", err
 	}

-	if opts.PreviousTag == "" {
-		// no previous tag, usually due to there is no tag in the repo, use the same content as GitHub
-		content := fmt.Sprintf("**Full Changelog**: %s/commits/tag/%s\n", repo.HTMLURL(ctx), util.PathEscapeSegments(opts.TagName))
-		return content, nil
+	isFirstRelease, err := isFirstRelease(ctx, repo.ID)
+	if err != nil {
+		return "", fmt.Errorf("isFirstRelease: %w", err)
 	}

-	baseCommit, err := gitRepo.GetCommit(opts.PreviousTag)
-	if err != nil {
+	baseCommitID := ""
+	if opts.PreviousTag != "" {
+		baseCommit, err := gitRepo.GetCommit(opts.PreviousTag)
+		if err != nil {
+			return "", util.ErrorWrapTranslatable(util.ErrNotExist, "repo.release.generate_notes_tag_not_found", opts.TagName)
+		}
+		baseCommitID = baseCommit.ID.String()
+	} else if !isFirstRelease {
 		return "", util.ErrorWrapTranslatable(util.ErrNotExist, "repo.release.generate_notes_tag_not_found", opts.TagName)
 	}

-	commits, err := gitRepo.CommitsBetweenIDs(headCommit.ID.String(), baseCommit.ID.String())
+	commits, err := gitRepo.CommitsBetweenIDs(headCommit.ID.String(), baseCommitID)
 	if err != nil {
 		return "", fmt.Errorf("CommitsBetweenIDs: %w", err)
 	}
@@ -58,10 +64,27 @@ func GenerateReleaseNotes(ctx context.Context, repo *repo_model.Repository, gitR
 		return "", err
 	}

-	content := buildReleaseNotesContent(ctx, repo, opts.TagName, opts.PreviousTag, prs, contributors, newContributors)
+	fullChangelogURL := ""
+	if isFirstRelease {
+		// Keep the first-release changelog link aligned with GitHub, while collecting PRs from full history.
+		fullChangelogURL = fmt.Sprintf("%s/commits/tag/%s", repo.HTMLURL(ctx), util.PathEscapeSegments(opts.TagName))
+	}
+
+	content := buildReleaseNotesContent(ctx, repo, opts.TagName, opts.PreviousTag, prs, contributors, newContributors, fullChangelogURL)
 	return content, nil
 }

+func isFirstRelease(ctx context.Context, repoID int64) (bool, error) {
+	count, err := db.Count[repo_model.Release](ctx, repo_model.FindReleasesOptions{
+		RepoID:        repoID,
+		IncludeDrafts: false,
+	})
+	if err != nil {
+		return false, err
+	}
+	return count == 0, nil
+}
+
 func resolveHeadCommit(gitRepo *git.Repository, tagName, tagTarget string) (*git.Commit, error) {
 	ref := tagName
 	if !gitRepo.IsTagExist(tagName) {
@@ -107,7 +130,7 @@ func collectPullRequestsFromCommits(ctx context.Context, repoID int64, commits [
 	return prs, nil
 }

-func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository, tagName, baseRef string, prs []*issues_model.PullRequest, contributors []*user_model.User, newContributors []*issues_model.PullRequest) string {
+func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository, tagName, baseRef string, prs []*issues_model.PullRequest, contributors []*user_model.User, newContributors []*issues_model.PullRequest, fullChangelogURL string) string {
 	var builder strings.Builder
 	builder.WriteString("## What's Changed\n")

@@ -136,8 +159,12 @@ func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository,
 	}

 	builder.WriteString("**Full Changelog**: ")
-	compareURL := fmt.Sprintf("%s/compare/%s...%s", repo.HTMLURL(ctx), util.PathEscapeSegments(baseRef), util.PathEscapeSegments(tagName))
-	fmt.Fprintf(&builder, "[%s...%s](%s)", baseRef, tagName, compareURL)
+	if fullChangelogURL != "" {
+		builder.WriteString(fullChangelogURL)
+	} else {
+		compareURL := fmt.Sprintf("%s/compare/%s...%s", repo.HTMLURL(ctx), util.PathEscapeSegments(baseRef), util.PathEscapeSegments(tagName))
+		fmt.Fprintf(&builder, "[%s...%s](%s)", baseRef, tagName, compareURL)
+	}
 	builder.WriteByte('\n')
 	return builder.String()
 }
@@ -21,13 +21,14 @@ import (
 func TestGenerateReleaseNotes(t *testing.T) {
 	unittest.PrepareTestEnv(t)

-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
-	gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
-	require.NoError(t, err)
-
 	t.Run("ChangeLogsWithPRs", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
 		mergedCommit := "90c1019714259b24fb81711d4416ac0f18667dfa"
-		createMergedPullRequest(t, repo, mergedCommit, 5)
+		createMergedPullRequest(t, repo, mergedCommit, 5, "Release notes test pull request")

 		content, err := GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
 			TagName:     "v1.2.0",
@@ -50,16 +51,51 @@ func TestGenerateReleaseNotes(t *testing.T) {
 	})

 	t.Run("NoPreviousTag", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
+		createMergedPullRequest(t, repo, "69554a64c1e6030f051e5c3f94bfbd773cd6a324", 5, "Initial tag PR 1")
+		createMergedPullRequest(t, repo, "27566bd5738fc8b4e3fef3c5e72cce608537bd95", 4, "Initial tag PR 2")
+		createMergedPullRequest(t, repo, "5099b81332712fe655e34e8dd63574f503f61811", 8, "Initial tag PR 3")
+
 		content, err := GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
-			TagName:   "v1.2.0",
-			TagTarget: "DefaultBranch",
+			TagName:   "v0.1.0",
+			TagTarget: repo.DefaultBranch,
 		})
 		require.NoError(t, err)
-		assert.Equal(t, "**Full Changelog**: https://try.gitea.io/user2/repo1/commits/tag/v1.2.0\n", content)
+
+		assert.Contains(t, content, "## What's Changed\n")
+		assert.Contains(t, content, "* Initial tag PR 1 in [#")
+		assert.Contains(t, content, "* Initial tag PR 2 in [#")
+		assert.Contains(t, content, "* Initial tag PR 3 in [#")
+		assert.Contains(t, content, "\n## Contributors\n")
+		assert.Contains(t, content, "* @user5\n")
+		assert.Contains(t, content, "* @user4\n")
+		assert.Contains(t, content, "* @user8\n")
+		assert.Contains(t, content, "\n## New Contributors\n")
+		assert.Contains(t, content, "* @user5 made their first contribution in [#")
+		assert.Contains(t, content, "* @user4 made their first contribution in [#")
+		assert.Contains(t, content, "* @user8 made their first contribution in [#")
+		assert.Contains(t, content, "**Full Changelog**: https://try.gitea.io/user2/repo16/commits/tag/v0.1.0\n")
+	})
+
+	t.Run("EmptyPreviousTagWithExistingTags", func(t *testing.T) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+		t.Cleanup(func() { gitRepo.Close() })
+
+		_, err = GenerateReleaseNotes(t.Context(), repo, gitRepo, GenerateReleaseNotesOptions{
+			TagName:   "v1.2.0",
+			TagTarget: repo.DefaultBranch,
+		})
+		require.Error(t, err)
 	})
 }

-func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCommit string, posterID int64) *issues_model.PullRequest {
+func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCommit string, posterID int64, title string) *issues_model.PullRequest {
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: posterID})

 	issue := &issues_model.Issue{
@@ -67,7 +103,7 @@ func createMergedPullRequest(t *testing.T, repo *repo_model.Repository, mergeCom
 		Repo:     repo,
 		Poster:   user,
 		PosterID: user.ID,
-		Title:    "Release notes test pull request",
+		Title:    title,
 		Content:  "content",
 	}

@@ -47,7 +47,8 @@ func NewTemporaryUploadRepository(repo *repo_model.Repository) (*TemporaryUpload

 // Close the repository cleaning up all files
 func (t *TemporaryUploadRepository) Close() {
-	defer t.gitRepo.Close()
+	// must stop the repo access before removal, otherwise Windows can't remove the directory occupied by other processes
+	t.gitRepo.Close()
 	if t.cleanup != nil {
 		t.cleanup()
 	}
@@ -140,3 +140,107 @@ jobs:
 		assert.Equal(t, actions_model.StatusWaiting, run2.Status)
 	})
 }
+
+// TestForkPullRequestApprovalNotBypassedByPriorApproval verifies that a single
+// approval on a fork PR does not permanently trust the contributor: a subsequent
+// fork PR from the same user must still be gated (Blocked / NeedApproval=true)
+// until that user has had a pull request merged in the repo.
+func TestForkPullRequestApprovalNotBypassedByPriorApproval(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		user2Session := loginUser(t, user2.Name)
+		user2Token := getTokenForLoggedInUser(t, user2Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+		user4Session := loginUser(t, user4.Name)
+		user4Token := getTokenForLoggedInUser(t, user4Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+
+		apiBaseRepo := createActionsTestRepo(t, user2Token, "fork-approval-regression", false)
+		baseRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiBaseRepo.ID})
+		user2APICtx := NewAPITestContext(t, baseRepo.OwnerName, baseRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user2APICtx)(t)
+
+		wfTreePath := ".gitea/workflows/ci.yml"
+		wfContent := `name: CI
+on: pull_request
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ok
+`
+		createWorkflowFile(t, user2Token, baseRepo.OwnerName, baseRepo.Name, wfTreePath,
+			getWorkflowCreateFileOptions(user2, baseRepo.DefaultBranch, "add ci", wfContent))
+
+		// user4 forks the repo
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", baseRepo.OwnerName, baseRepo.Name),
+			&api.CreateForkOption{Name: new("fork-approval-regression-fork")}).AddTokenAuth(user4Token)
+		resp := MakeRequest(t, req, http.StatusAccepted)
+		apiForkRepo := DecodeJSON(t, resp, &api.Repository{})
+		forkRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiForkRepo.ID})
+		user4APICtx := NewAPITestContext(t, user4.Name, forkRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user4APICtx)(t)
+
+		// PR #1: a benign change from user4's fork — first-time contributor, gate engages.
+		doAPICreateFile(user4APICtx, "first.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "first",
+				Message:       "first",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("first")),
+		})(t)
+		pr1, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":first")(t)
+		assert.NoError(t, err)
+
+		run1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr1.Index)})
+		assert.True(t, run1.NeedApproval, "first fork PR must require approval")
+		assert.Equal(t, actions_model.StatusBlocked, run1.Status)
+
+		// user2 approves run1.
+		req = NewRequest(t, "POST", fmt.Sprintf("%s/actions/approve-all-checks?commit_id=%s", baseRepo.Link(), pr1.Head.Sha))
+		user2Session.MakeRequest(t, req, http.StatusOK)
+		run1 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run1.ID})
+		assert.False(t, run1.NeedApproval)
+		assert.Equal(t, user2.ID, run1.ApprovedBy)
+
+		// PR #2: same user, fresh branch. Pre-fix, this run was created with
+		// NeedApproval=false and dispatched immediately — the bypass path.
+		doAPICreateFile(user4APICtx, "second.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "second",
+				Message:       "second",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("second")),
+		})(t)
+		pr2, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":second")(t)
+		assert.NoError(t, err)
+
+		run2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr2.Index)})
+		assert.True(t, run2.NeedApproval, "second fork PR must still require approval — prior approval-to-run does not grant trust")
+		assert.Equal(t, actions_model.StatusBlocked, run2.Status)
+		assert.EqualValues(t, 0, run2.ApprovedBy)
+
+		// After merging PR #1, user4 becomes a known contributor and the gate lifts for a new PR.
+		doAPIMergePullRequest(user2APICtx, baseRepo.OwnerName, baseRepo.Name, pr1.Index)(t)
+		doAPICreateFile(user4APICtx, "third.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "third",
+				Message:       "third",
+				Author:        api.Identity{Name: user4.Name, Email: user4.Email},
+				Committer:     api.Identity{Name: user4.Name, Email: user4.Email},
+				Dates:         api.CommitDateOptions{Author: time.Now(), Committer: time.Now()},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("third")),
+		})(t)
+		pr3, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":third")(t)
+		assert.NoError(t, err)
+
+		run3 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr3.Index)})
+		assert.False(t, run3.NeedApproval, "fork PR from a user with a prior merged PR should not require approval")
+	})
+}
@@ -484,14 +484,18 @@ jobs:
 			},
 			ContentBase64: base64.StdEncoding.EncodeToString([]byte("user4-fix2")),
 		})(t)
-		doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":do-not-cancel/ccc")(t)
-		// cannot fetch the task because cancel-in-progress is false
+		pr3, _ := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":do-not-cancel/ccc")(t)
+		// cannot fetch the task: approval still required (user4 has no merged PR) and cancel-in-progress is false
 		runner.fetchNoTask(t)
 		runner.execTask(t, pr2Task1, &mockTaskOutcome{
 			result: runnerv1.Result_RESULT_SUCCESS,
 		})
 		pr2Run1 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: pr2Run1.ID})
 		assert.Equal(t, actions_model.StatusSuccess, pr2Run1.Status)
+		// user2 approves the third PR's run (user4 still has no merged PR, approval still required)
+		pr3Run1Pending := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, Ref: fmt.Sprintf("refs/pull/%d/head", pr3.Index)})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/approve", baseRepo.OwnerName, baseRepo.Name, pr3Run1Pending.ID))
+		user2Session.MakeRequest(t, req, http.StatusOK)
 		// fetch the task
 		pr3Task1 := runner.fetchTask(t)
 		_, _, pr3Run1 := getTaskAndJobAndRunByTaskID(t, pr3Task1.Id)
@@ -73,5 +73,19 @@ jobs:

 		_, err = dbfs.Open(t.Context(), actions_module.DBFSPrefix+freshTask.LogFilename)
 		assert.ErrorIs(t, err, os.ErrNotExist, "DBFS row must be cleaned up after TransferLogs")
+
+		// The runner re-sends its final UpdateLog when the response was lost.
+		// A sealed log must ack the re-send and still reject new appended rows.
+		t.Run("re-sent finalize is idempotent", func(t *testing.T) {
+			finalize := &runnerv1.UpdateLogRequest{TaskId: task.Id, Index: 0, Rows: nil, NoMore: true}
+			resp, err := runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(finalize))
+			require.NoError(t, err)
+			assert.EqualValues(t, 0, resp.Msg.AckIndex)
+
+			_, err = runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(&runnerv1.UpdateLogRequest{
+				TaskId: task.Id, Index: 0, Rows: []*runnerv1.LogRow{{Content: "late"}}, NoMore: true,
+			}))
+			require.Error(t, err, "appending rows past the seal must be rejected")
+		})
 	})
 }
@@ -931,6 +931,76 @@ jobs:
 	})
 }

+func TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		session := loginUser(t, user2.Name)
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		repo, err := repo_service.CreateRepository(t.Context(), user2, user2, repo_service.CreateRepoOptions{
+			Name:          "workflow-dispatch-requires-trigger",
+			Description:   "test workflow dispatch requires workflow_dispatch",
+			AutoInit:      true,
+			Gitignores:    "Go",
+			License:       "MIT",
+			Readme:        "Default",
+			DefaultBranch: "main",
+			IsPrivate:     false,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, repo)
+
+		addWorkflowToBaseResp, err := files_service.ChangeRepoFiles(t.Context(), repo, user2, &files_service.ChangeRepoFilesOptions{
+			Files: []*files_service.ChangeRepoFile{
+				{
+					Operation: "create",
+					TreePath:  ".gitea/workflows/push-only.yml",
+					ContentReader: strings.NewReader(`
+on:
+  push:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo helloworld
+`),
+				},
+			},
+			Message:   "add workflow",
+			OldBranch: "main",
+			NewBranch: "main",
+			Author: &files_service.IdentityOptions{
+				GitUserName:  user2.Name,
+				GitUserEmail: user2.Email,
+			},
+			Committer: &files_service.IdentityOptions{
+				GitUserName:  user2.Name,
+				GitUserEmail: user2.Email,
+			},
+			Dates: &files_service.CommitDateOptions{
+				Author:    time.Now(),
+				Committer: time.Now(),
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, addWorkflowToBaseResp)
+
+		values := url.Values{}
+		values.Set("ref", "main")
+		req := NewRequestWithURLValues(t, "POST", fmt.Sprintf("/api/v1/repos/%s/actions/workflows/push-only.yml/dispatches", repo.FullName()), values).
+			AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusUnprocessableEntity)
+		apiError := DecodeJSON(t, resp, &api.APIError{})
+		assert.Contains(t, apiError.Message, "has no workflow_dispatch event trigger")
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{
+			RepoID:     repo.ID,
+			Event:      "workflow_dispatch",
+			WorkflowID: "push-only.yml",
+		})
+	})
+}
+
 func TestWorkflowDispatchPublicApiWithInputs(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
@@ -89,7 +89,7 @@ func testAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		assert.Equal(t, "0", resp.Header().Get("X-Total-Count"))
 	})

-	t.Run("Logged in", func(t *testing.T) {
+	t.Run("LoggedIn", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()

 		req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks").AddTokenAuth(user1Token)
@@ -107,6 +107,36 @@ func testAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		assert.Len(t, forks, 2)
 		assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
 	})
+
+	t.Run("RespHeaderLinks", func(t *testing.T) {
+		t.Run("Page1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks?page=1&limit=1").AddTokenAuth(user1Token)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
+
+			linkHeader := resp.Header().Get("Link")
+			assert.NotEmpty(t, linkHeader, "Link header should not be empty")
+			assert.Contains(t, linkHeader, `rel="next"`)
+			assert.Contains(t, linkHeader, `rel="last"`)
+			assert.Contains(t, linkHeader, `/api/v1/repos/user2/repo1/forks?limit=1&page=2>`)
+
+			forks := DecodeJSON(t, resp, []*api.Repository{})
+			assert.Len(t, forks, 1)
+		})
+
+		t.Run("Page2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks?page=2&limit=1").AddTokenAuth(user1Token)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "2", resp.Header().Get("X-Total-Count"))
+
+			forks := DecodeJSON(t, resp, []*api.Repository{})
+			assert.Len(t, forks, 1)
+		})
+	})
 }

 func testGetPrivateReposForks(t *testing.T) {
@@ -13,6 +13,7 @@ import (
 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"

@@ -63,6 +64,44 @@ func TestAPIGetTrackedTimes(t *testing.T) {
 	assert.Equal(t, int64(6), filterAPITimes[1].ID)
 }

+// TestAPIGetTrackedTimesNonExistentUserFilter ensures filtering by a user that
+// does not exist returns a clean 404 instead of panicking (nil pointer dereference).
+func TestAPIGetTrackedTimesNonExistentUserFilter(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	issue2 := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
+	assert.NoError(t, issue2.LoadRepo(t.Context()))
+
+	session := loginUser(t, user2.Name)
+	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopeReadRepository)
+
+	for _, tc := range []struct {
+		name string
+		url  string
+	}{
+		{"repository level", fmt.Sprintf("/api/v1/repos/%s/%s/times?user=nonexistentuser", user2.Name, issue2.Repo.Name)},
+		{"issue level", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times?user=nonexistentuser", user2.Name, issue2.Repo.Name, issue2.Index)},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req := NewRequest(t, "GET", tc.url).AddTokenAuth(token)
+			resp := MakeRequest(t, req, http.StatusNotFound)
+
+			assert.True(t, json.Valid(resp.Body.Bytes()), "response body must be a single JSON value, got: %s", resp.Body.Bytes())
+
+			var apiError api.APIError
+			DecodeJSON(t, resp, &apiError)
+			assert.Contains(t, apiError.Message, "user does not exist")
+		})
+	}
+
+	t.Run("existing user", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/times?user=%s", user2.Name, issue2.Repo.Name, user2.Name).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+		DecodeJSON(t, resp, api.TrackedTimeList{})
+	})
+}
+
 func TestAPIDeleteTrackedTime(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

@@ -36,9 +36,17 @@ func TestCompareTag(t *testing.T) {
 	// A dropdown for both base and head.
 	assert.Lenf(t, selection.Nodes, 2, "The template has changed")

+	req = NewRequest(t, "GET", "/user2/repo1/compare/v1.1...HEAD")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
+
+	req = NewRequest(t, "GET", "/user2/repo1/compare/v1.1...NotExisting").SetHeader("Accept", "text/html")
+	resp = session.MakeRequest(t, req, http.StatusNotFound)
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
+
 	req = NewRequest(t, "GET", "/user2/repo1/compare/invalid").SetHeader("Accept", "text/html")
 	resp = session.MakeRequest(t, req, http.StatusNotFound)
-	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()), "expect 404 page not 500")
+	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()))
 }

 // Compare with inferred default branch (master)
@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+import {argv, env, exit} from 'node:process';
+
+const allowedTypes = [
+  'build',
+  'chore',
+  'ci',
+  'docs',
+  'enhance',
+  'feat',
+  'fix',
+  'perf',
+  'refactor',
+  'revert',
+  'style',
+  'test',
+] as const;
+type CommitType = typeof allowedTypes[number];
+
+const allowedTypesList = allowedTypes.join(', ');
+const titlePattern = new RegExp(`^(${allowedTypes.join('|')})(\\([\\w/.-]+\\))?(!)?: .+$`);
+
+function parsePrTitle(title: string): {type: CommitType; breaking: boolean} | null {
+  const match = titlePattern.exec(title);
+  return match ? {type: match[1] as CommitType, breaking: Boolean(match[3])} : null;
+}
+
+const breakingLabel = 'pr/breaking';
+
+// Mutually exclusive type labels, fully synced with the title type (added and removed).
+const typeLabels: Partial<Record<CommitType, string>> = {
+  feat: 'type/feature',
+  enhance: 'type/enhancement',
+  fix: 'type/bug',
+  docs: 'type/docs',
+  test: 'type/testing',
+};
+
+// Non-type labels, only added, never auto-removed, so manual labeling is not clobbered.
+const extraLabels: Partial<Record<CommitType, string>> = {
+  chore: 'skip-changelog',
+  ci: 'skip-changelog',
+  build: 'topic/build',
+};
+
+// Labels this tool may remove when the title no longer implies them.
+const removableLabels = [...Object.values(typeLabels), breakingLabel];
+
+function labelsForPrTitle(title: string): string[] {
+  const parsed = parsePrTitle(title);
+  if (!parsed) return [];
+  return [typeLabels[parsed.type], extraLabels[parsed.type], parsed.breaking ? breakingLabel : undefined]
+    .filter((label): label is string => label !== undefined);
+}
+
+// Command: validate PR_TITLE against the allowed Conventional Commits format.
+function lintPrTitle(): void {
+  if (!env.PR_TITLE) {
+    console.error('Missing PR_TITLE');
+    exit(1);
+  }
+  if (!parsePrTitle(env.PR_TITLE)) {
+    console.error(`Invalid PR title: ${env.PR_TITLE}`);
+    console.error('Expected format: type(scope): subject (scope optional, append "!" for breaking changes)');
+    console.error(`Allowed types: ${allowedTypesList}`);
+    exit(1);
+  }
+}
+
+// Command: sync the title-derived labels onto the PR via the GitHub API.
+async function setPrLabels(): Promise<void> {
+  if (!env.PR_TITLE || !env.GITHUB_TOKEN || !env.GITHUB_REPOSITORY || !env.PR_NUMBER) {
+    console.error('set-pr-labels requires PR_TITLE, GITHUB_TOKEN, GITHUB_REPOSITORY and PR_NUMBER');
+    exit(1);
+  }
+
+  const labelsUrl = `https://api.github.com/repos/${env.GITHUB_REPOSITORY}/issues/${env.PR_NUMBER}/labels`;
+
+  async function request(url: string, method = 'GET', body?: unknown): Promise<Response> {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: `Bearer ${env.GITHUB_TOKEN}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+        ...(body ? {'Content-Type': 'application/json'} : {}),
+      },
+      body: body ? JSON.stringify(body) : undefined,
+    });
+    if (!response.ok) {
+      throw new Error(`GitHub API ${method} ${url} failed (${response.status}): ${await response.text()}`);
+    }
+    return response;
+  }
+
+  const desired = labelsForPrTitle(env.PR_TITLE);
+  const response = await request(`${labelsUrl}?per_page=100`);
+  const current = ((await response.json()) as Array<{name: string}>).map((label) => label.name);
+
+  const toAdd = desired.filter((name) => !current.includes(name));
+  const toRemove = removableLabels.filter((name) => current.includes(name) && !desired.includes(name));
+
+  if (toAdd.length) {
+    await request(labelsUrl, 'POST', {labels: toAdd});
+    console.info(`Added labels: ${toAdd.join(', ')}`);
+  }
+  for (const name of toRemove) {
+    await request(`${labelsUrl}/${encodeURIComponent(name)}`, 'DELETE');
+    console.info(`Removed label: ${name}`);
+  }
+  if (!toAdd.length && !toRemove.length) {
+    console.info('PR labels already in sync');
+  }
+}
+
+const commands: Record<string, () => void | Promise<void>> = {
+  'lint-pr-title': lintPrTitle,
+  'set-pr-labels': setPrLabels,
+};
+
+const command = argv[2];
+const handler = commands[command];
+if (!handler) {
+  console.error(`Usage: ci-tools.ts <${Object.keys(commands).join('|')}>`);
+  exit(1);
+}
+
+try {
+  await handler();
+} catch (error) {
+  console.error(error instanceof Error ? error.message : error);
+  exit(1);
+}
@@ -1,4 +1,4 @@
-@import "../../node_modules/swagger-ui-dist/swagger-ui.css";
+@import "swagger-ui-dist/swagger-ui.css";

 html,
 html body,
@@ -1951,8 +1951,8 @@ $.fn.dropdown = function(parameters) {
                $choice.find(selector.menu).remove();
                $choice.find(selector.menuIcon).remove();
              }
-              return ($choice.data(metadata.text) !== undefined)
-                ? $choice.data(metadata.text)
+              return ($choice.attr('data-' + metadata.text) !== undefined) // GITEA-PATCH: use "attr" but not "data", don't decode JSON like "false"
+                ? $choice.attr('data-' + metadata.text)
                : (preserveHTML)
                  ? $choice.html().trim()
                  : $choice.text().trim()
@@ -2005,8 +2005,8 @@ $.fn.dropdown = function(parameters) {
                    value    = ( $option.attr('value') !== undefined )
                      ? $option.attr('value')
                      : name,
-                    text     = ( $option.data(metadata.text) !== undefined )
-                      ? $option.data(metadata.text)
+                    text     = ( $option.attr('data-' + metadata.text) !== undefined ) // GITEA-PATCH: use "attr" but not "data", don't decode JSON like "false"
+                      ? $option.attr('data-' + metadata.text)
                      : name,
                    group = $option.parent('optgroup')
                  ;
@@ -1,6 +1,23 @@
+import '../../../fomantic/build/fomantic.js';
 import {createElementFromHTML} from '../../utils/dom.ts';
 import {hideScopedEmptyDividers} from './dropdown.ts';

+test('dropdown-item-literal-text', () => {
+  // a "choice" workflow_dispatch input can offer the string "false" as an option.
+  // jQuery `.data()` would coerce `data-text="false"` to the boolean `false`, which then renders as empty text.
+  const $dropdown = $(`<select class="ui dropdown">
+    <option value="1">1</option>
+    <option value="0">0</option>
+    <option value="true">true</option>
+    <option value="false">false</option>
+  </select>`).dropdown();
+  for (const value of ['1', '0', 'true', 'false']) {
+    $dropdown.dropdown('set selected', value);
+    expect($dropdown.dropdown('get text')).toEqual(value);
+    expect($dropdown.dropdown('get value')).toEqual(value);
+  }
+});
+
 test('hideScopedEmptyDividers-simple', () => {
  const container = createElementFromHTML(`<div>
 <div class="divider"></div>
Author	SHA1	Message	Date
Lunny XiaoandGitHub	bb4cccc6e9	fix: parse HEAD ref (#38119 ) backport #38088	2026-06-14 19:52:44 +00:00
bircni GitHub Pycub	98cc15b307	fix(api): nil pointer panic when filtering tracked times by a non-existent user (#38112 ) (#38115 ) Backport #38112 ## Problem `GET /repos/{owner}/{repo}/times` and `GET /repos/{owner}/{repo}/issues/{index}/times` crash with a nil pointer dereference when the `user` query filter names a user that does not exist. ## Root cause In `ListTrackedTimes` and `ListTrackedTimesByRepository`, the `IsErrUserNotExist` branch sends the 404 but is missing a `return`, so execution falls through to `opts.UserID = user.ID` with a nil `user`. --------- Co-authored-by: Pycub <iamsokhandan@gmail.com>	2026-06-14 20:06:04 +02:00
Giteabot GitHub metsw24-max wxiaoguang bircni	9b8bfdceb1	fix: bound debian ParseControlFile to a single control stanza (#38044 ) (#38055 ) Backport #38044 by @metsw24-max Packages-index stanza injection via Debian control file A `.deb` whose `control` file appends extra paragraphs after a blank line was still accepted, and `ParseControlFile` stored the whole multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into the generated `Packages` index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen `Filename` into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case. Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: metsw24-max <metsw24@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com>	2026-06-14 14:29:27 +00:00
GiteabotandGitHub	e156ac8063	fix: keep literal "false" value displayed in workflow_dispatch choice dropdowns (#38080 ) (#38096 )	2026-06-13 11:56:35 +02:00
Giteabot GitHub Eugenio Paolantonio wxiaoguang	4751adf42d	feat(api): add Link header in ListForks (#38052 ) (#38063 ) Backport #38052 Fixes #38051. Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com> Co-authored-by: Eugenio Paolantonio <me@medesimo.eu> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-06-12 18:21:46 +00:00
Giteabot GitHub wxiaoguang	3bebddedc0	fix: git cmd (#38084 ) (#38087 ) Backport #38084 fix #37370 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-06-12 21:28:13 +08:00
GiteabotandGitHub	617b6948b1	fix(hostmatcher): block reserved IP ranges from external/private filters (#38039 ) (#38059 )	2026-06-10 12:05:23 +02:00
GiteabotandGitHub	1c7b7ea72d	fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006 ) (#38050 )	2026-06-10 09:32:28 +02:00
Giteabot GitHub bircni	e107498f3b	fix(actions)!: require merged PR to bypass fork PR approval gate (#38010 ) (#38041 ) Backport #38010 by @bircni `ifNeedApproval` in `services/actions/notifier_helper.go` decided whether a fork PR's workflow run had to wait for maintainer approval. The bypass clause counted any prior `approved_by > 0` run for `(repo_id, trigger_user_id)`, so the very first Approve-and-run click on a contributor's fork PR permanently trusted that user for every future fork PR in the same repository — including PRs whose only change is the workflow YAML itself. Approving a workflow run is not the same as merging code. This change aligns the gate with GitHub Actions' first-time-contributor model: trust is granted only after the user has had a pull request merged in the repo. ## Behavior change - Before: one approval = permanent trust for that user in that repo. - After: every fork PR is gated until the contributor has at least one merged PR in the repo. Existing already-approved runs and merged PRs continue to work; only the trust criterion for future fork PRs changes. Maintainers who rely on the implicit "approve once" trust will see the approval banner reappear until they merge a PR from that contributor. --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: bircni <bircni@icloud.com>	2026-06-09 15:53:42 +02:00
Giteabot GitHub bircni wxiaoguang	3b705738ab	fix: bound CODEOWNERS regex match time (#38011 ) (#38025 ) Backport #38011 by @bircni User-supplied CODEOWNERS patterns were compiled without a match timeout, so a crafted pattern (e.g. (a+)+) against a crafted file path could backtrack for tens of seconds inside the PR creation transaction and exhaust the database connection pool. Set MatchTimeout on each compiled rule; the caller already treats match errors as non-matches. Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-06-07 16:40:34 +00:00
GiteabotandGitHub	8f4b7ebbf6	fix(lfs): reject unknown SSH LFS sub-verbs to prevent auth bypass (#38008 ) (#38015 )	2026-06-06 22:07:06 +02:00
Dawid Góra GitHub OpenAI GPT-5.5 Giteabot	603c8ece00	fix(releases): generate notes for initial tag (#37697 ) (#37986 ) Backport #37697 Fixes https://github.com/go-gitea/gitea/issues/37286 Automatic release notes for the first release in a repository were empty when there was no previous tag. Before this change, the release notes generator used the tag name to build the changelog link, but reused that state for pull request collection. When `PreviousTag` was empty, the PR collection logic did not scan a useful commit range, so merged pull requests were omitted from the generated notes. This pull request fixes that by decoupling the internal PR collection range from the rendered changelog link: - when a previous tag exists, behavior stays unchanged - when no previous tag exists, release notes collect merged pull requests from the full reachable history up to the target tag - the displayed full changelog link for the first release still uses the existing `/commits/tag/{tag}` format Tests were updated to cover: - generating notes for a repository with no previous tags - including merged pull requests before the first tag - preserving existing behavior when a previous tag exists <!-- Before submitting: - Target the `main` branch; release branches are for backports only. - Use a Conventional Commits title, e.g. `fix(repo): handle empty branch names`. - Read the contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md - Documentation changes go to https://gitea.com/gitea/docs Describe your change below and link any issue it fixes. --> Co-authored-by: OpenAI GPT-5.5 <openai-gpt-5.5@users.noreply.github.com> Co-authored-by: Giteabot <teabot@gitea.io>	2026-06-05 19:13:16 +00:00
Giteabot GitHub bircni	4a19964921	fix(actions): return 404 when job log blob is missing (#38003 ) (#38004 ) Backport #38003 by @bircni - When the `action_task` row exists but the underlying dbfs/storage blob is gone, `OpenLogs` returns a wrapped `os.ErrNotExist` which surfaces as a 500 on the job logs endpoints. - Translate it to the same `util.NewNotExistErrorf` shape already used for unknown job ids / expired logs, so both the API (`/api/v1/repos/.../actions/jobs/<id>/logs`) and the web download handler return a clean 404 instead. Fixes #37990. Co-authored-by: bircni <bircni@icloud.com>	2026-06-05 18:42:15 +00:00
Giteabot GitHub Zettat123 silverwind Claude	38711f2696	fix(actions): exclude `workflow_call` from workflow trigger detection (#37894 ) (#37899 ) Backport #37894 by @Zettat123 Gitea now only allows `workflow_dispatch.inputs`. If a workflow contains `workflow_call.inputs`, the workflow cannot be triggered, even though the `on:` section contains other trigger events. https://github.com/go-gitea/gitea/blob/428ee9fcce7928bf5405900345d43e9ba1b01564/modules/actions/jobparser/model.go#L402-L405 For example, this workflow cannot be triggered due to `workflow_call.inputs`: ```yaml on: push: pull_request: workflow_call: inputs: name: type: string ``` --- This PR is extracted from #37478 for backport Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>	2026-05-29 06:40:50 +00:00
Giteabot GitHub Nicolas Claude Opus 4.7 Lunny Xiao	64ad4bb0ff	fix(actions): keep action run title clickable when commit subject is a URL (#37867 ) (#37898 ) Backport #37867 by @bircni - When a commit subject is a bare URL, `linkProcessor` wrapped it in its own `<a>` to that URL. Because HTML cannot nest anchors, the wrapping default link (the action run / commit link) was lost and the action title became unclickable — clicking it sent the user to the URL from the commit message instead of the action log. - Drop `linkProcessor` from `PostProcessCommitMessageSubject` so the whole subject stays wrapped in the default link. URLs in subjects now render as text inside that link; URLs in commit bodies are unaffected. Fixes #37865 Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-05-29 07:59:47 +02:00
Giteabot GitHub Jorge Ortiz Nicolas	8bf445e86a	fix(actions): reject workflow_dispatch for workflows without that trigger (#37660 ) (#37895 ) Backport #37660 by @jorgeortiz85 ## Summary Fixes #37528 This PR makes the workflow dispatch API reject workflows that do not declare `workflow_dispatch`. Previously, `POST /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches` could create an `ActionRun` for a workflow that only declared another event such as `push`. The service now validates that the target workflow has a `workflow_dispatch` trigger before inserting the run. The API maps that validation failure to `422 Unprocessable Entity`, matching existing validation failures in this handler. The regression test creates a push-only workflow, dispatches it through the public API, asserts the `workflow_dispatch` validation message, and verifies that no run was inserted. ## Testing - `go test ./services/actions` - `TAGS="sqlite sqlite_unlock_notify" make test-integration#TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger` - `TAGS="sqlite sqlite_unlock_notify" make test-integration#TestWorkflowDispatchPublicApi` ## Disclosure Developed with assistance from OpenAI Codex. Co-authored-by: Jorge Ortiz <jorge.ortiz@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com>	2026-05-29 05:09:08 +02:00
Giteabot GitHub silverwind Claude Lunny Xiao	094eeee365	fix(actions): ack re-sent `UpdateLog` finalize idempotently (#37885 ) (#37892 ) Backport #37885 by @silverwind Fixes https://github.com/go-gitea/gitea/issues/37871, full backwards and forwards compatible with runners. Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-05-28 03:52:50 +00:00
Giteabot GitHub wxiaoguang TheFox0x7	cc3ee01fd8	fix: http content file render (#37850 ) (#37856 ) Backport #37850 Fix #37849 Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>	2026-05-26 06:41:47 +00:00
Lunny Xiao GitHub Giteabot silverwind	c044b0f48c	fix(deps): update module golang.org/x/net to v0.55.0 [security] (#37813 ) (#37829 ) Backport #37813 Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: silverwind <me@silverwind.io>	2026-05-24 06:07:36 +00:00
silverwind GitHub Claude	10fc85e263	ci: add `tools/ci-tools.ts` for the PR labeler workflow (#37831 ) Backport `./tools/ci-tools.ts` to 1.26 which is needed for the `pr-title` flow to succeed on that branch. Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-05-24 07:36:20 +02:00
Giteabot GitHub Alaa Abdelwahab silverwind Claude Nicolas	bb6ca9da4d	fix(issues): clear stale ReviewTypeRequest when submitting pending re… (#37809 ) (#37815 ) Backport #37809 by @Powerscore When SubmitReview updates an existing pending review in-place, it was not deleting the reviewer's ReviewTypeRequest row, unlike the CreateReview path. That leftover row causes AddReviewRequest to bail out silently, making the re-request icon in the PR sidebar a no-op. Fixes #37808 (Claude Opus 4.7) <!-- Before submitting: - Target the `main` branch; release branches are for backports only. - Use a Conventional Commits title, e.g. `fix(repo): handle empty branch names`. - Read the contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md - Documentation changes go to https://gitea.com/gitea/docs Describe your change below and link any issue it fixes. --> Co-authored-by: Alaa Abdelwahab <82750565+Powerscore@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>	2026-05-22 20:43:03 +02:00
Giteabot GitHub Lunny Xiao silverwind	53877583f0	fix(build): swagger css import (#37801 ) (#37803 ) Backport #37801 by @lunny Snap build failure caused by missed swagger ui css file. ``` :: [plugin vite:css] /build/gitea/parts/gitea/build/web_src/css/swagger-standalone.css:undefined:NaN :: Error: [postcss] ENOENT: no such file or directory, open '../../node_modules/swagger-ui-dist/swagger-ui.css' ``` Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io>	2026-05-21 16:48:16 +02:00