x/m8sh
1
0
Fork 0
forked from x/gitea
Code Issues Pull Requests 1 Packages Releases Activity

Gpg-based authorization #3

Open
d wants to merge 9 commits from gpg-auth into main
pull from: gpg-auth
merge into: :main
Conversation 0 Commits 9 Files Changed 14
+252 -125
d commented 2026-06-08 21:44:26 +00:00
Owner
Copy Link
Copy Source

GPG should become the default-standart way of authorization in m8sh for following reasons:

  1. It is much more secure then password, and does not require to remember extra passwords, except GPG
  2. It does not require central institution to prove the user identity, and does not require to rely on that
  3. It allows user to prove his indentity on any node on the network in a single step
  4. When modern browser clients (which would be developed in that project later) will support integrated GPG - won't even have a need in running local commands (though - they would be supported for backward compatability)

Integration includes following actions:

  1. Remove all endpoints related to other form of registration and authorization from GPG
  2. Remove settings and ui representation for other registration/auth methods
  3. Add an endpoint to give a full user's gpg armor (chained)
  4. Add an endpoint to validate user's GPG key against registration possibility
  5. Add a public endpoint to generate a nonce for a user's signature
  6. Add a GPG registration endpoint
  7. Add a GPG login endpoint
  8. Change registration and login UI to use GPG (including initial setup page)
  9. Add translations

WIP 🔨

GPG should become the default-standart way of authorization in m8sh for following reasons: 1. It is much more secure then password, and does not require to remember extra passwords, except GPG 2. It does not require central institution to prove the user identity, and does not require to rely on that 3. It allows user to prove his indentity on any node on the network in a single step 4. When modern browser clients (which would be developed in that project later) will support integrated GPG - won't even have a need in running local commands (though - they would be supported for backward compatability) Integration includes following actions: 1. Remove all endpoints related to other form of registration and authorization from GPG 2. Remove settings and ui representation for other registration/auth methods 3. Add an endpoint to give a full user's gpg armor (chained) 4. Add an endpoint to validate user's GPG key against registration possibility 5. Add a public endpoint to generate a nonce for a user's signature 6. Add a GPG registration endpoint 7. Add a GPG login endpoint 8. Change registration and login UI to use GPG (including initial setup page) 9. Add translations WIP 🔨
d added 2 commits 2026-06-08 21:44:27 +00:00
Merge branch 'main' 409e546ab6
partially implemented frontend for GPG authorization aec5e31465
d added 1 commit 2026-06-08 21:47:16 +00:00
Squashed commit of the following: 19ee2a8b97 
commit 9e7667f090
Merge: 9df885ceaf ee9f31e9c9
Author: Danila Fominykh <d@m8sh.su>
Date:   Mon Jun 8 21:44:41 2026 +0000

    merge upstream

commit ee9f31e9c9
Author: Giteabot <teabot@gitea.io>
Date:   Mon Jun 8 12:28:45 2026 -0700

    chore(deps): update dependency @eslint/json to v2 (#38030)

    This PR contains the following updates:

    | Package | Change |
    [Age](https://docs.renovatebot.com/merge-confidence/) |
    [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|
    | [@eslint/json](https://redirect.github.com/eslint/json) | [`1.2.0` →
    `2.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjson/1.2.0/2.0.0) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/@eslint%2fjson/2.0.0?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@eslint%2fjson/1.2.0/2.0.0?slim=true)
    |

    ---

    <details>
    <summary>eslint/json (@&#8203;eslint/json)</summary>
    [`v2.0.0`](https://redirect.github.com/eslint/json/blob/HEAD/CHANGELOG.md#200-2026-05-28)

    [Compare
    Source](https://redirect.github.com/eslint/json/compare/72eb947ec708d1326047977c165670582ce58a26...804ffc4911bf489cea025a829f65ee98c975b7ee)

    - add `meta.languages` to JSON rules
    ([#&#8203;238](https://redirect.github.com/eslint/json/issues/238))

    - add `meta.languages` to JSON rules
    ([#&#8203;238](https://redirect.github.com/eslint/json/issues/238))
    ([deff6b4](https://redirect.github.com/eslint/json/commit/deff6b472152ee16d5384fbada25c43ff699b899))

    - update eslint
    ([#&#8203;226](https://redirect.github.com/eslint/json/issues/226))
    ([237148f](https://redirect.github.com/eslint/json/commit/237148ff7692e4b5fa813dd3bb3757eaebf866e9))
    - update eslint
    ([#&#8203;228](https://redirect.github.com/eslint/json/issues/228))
    ([5803df5](https://redirect.github.com/eslint/json/commit/5803df5fd172562e10e76913370a801c55cf61d3))

    </details>

    ---

    📅 **Schedule**: (UTC)

    - Branch creation
      - Only on Monday (`* * * * 1`)
    - Automerge
      - At any time (no schedule defined)

    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.

    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.

    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.

    ---

    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box

    ---

    This PR has been generated by [Mend
    Renovate](https://redirect.github.com/renovatebot/renovate).

    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

commit 3b1e75764e
Author: bircni <bircni@icloud.com>
Date:   Mon Jun 8 21:11:00 2026 +0200

    feat(actions): add job summaries (GITHUB_STEP_SUMMARY) (#37500)

    - Add GitHub-style Actions **job summaries** support
    (`GITHUB_STEP_SUMMARY` / `workflow/SUMMARY.md`) and render them on the
    run Summary view.
    - Store uploaded summaries internally in the DB (not as downloadable
    artifacts).
    - Add runtime-token endpoint for runners to upload summaries:
    - `PUT
    /api/actions_pipeline/_apis/pipelines/workflows/{run_id}/jobs/{job_id}/summary`
    - Advertise support to runners via `RunnerService.Declare` response
    header:
      - `X-Gitea-Actions-Capabilities: job-summary`
    - Devtest: extend `/devtest/repo-action-view/...` to include mock
    `jobSummaries` for previewing UI rendering.
    - New Gitea + old runner: no summary upload → UI shows nothing (no
    behavior change)
    - New runner + old Gitea: capability not advertised → runner skips
    upload (no behavior change)

    <img width="2017" height="729"
    src="https://github.com/user-attachments/assets/31f8b945-50c4-40e1-9f40-382901a53013"
    />

    Fixes #23721
    PR on gitea-runner https://gitea.com/gitea/runner/pulls/917

    ---------

    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>

commit b1c088e9cf
Author: bircni <bircni@icloud.com>
Date:   Mon Jun 8 20:49:06 2026 +0200

    enhance(actions): Make Summary UI more beautiful with more infos (#37824)

    - Redesign the Actions run summary header to follow GitHub Actions
    layout: trigger info on the left, Status / Total duration / Artifacts
    columns inline on the right
    - Expose trigger user avatar, pull request link, and PR head branch info
    from the run view API
    - Update the workflow graph header to show the workflow filename (linked
    to the run workflow file) and `on: <event>`, while keeping the
    jobs/dependencies/success stats line
    - Remove the redundant commit/workflow metadata row below the run title;
    that information now lives in the summary bar

    New:
    <img width="1564" height="639"
    src="https://github.com/user-attachments/assets/e6bc1623-c5fc-4e97-abc9-fde7f3c6aef9"
    />

    Old:
    <img width="2038" height="1038"
    src="https://github.com/user-attachments/assets/0857f19a-8d3a-4da2-82fd-e9ebeb200062"
    />

    Replaces https://github.com/go-gitea/gitea/pull/36721

    ---------

    Co-authored-by: Giteabot <teabot@gitea.io>

commit e01af366e2
Author: Giteabot <teabot@gitea.io>
Date:   Mon Jun 8 11:30:55 2026 -0700

    fix(deps): update npm dependencies (#38035)

    This PR contains the following updates:

    | Package | Change |
    [Age](https://docs.renovatebot.com/merge-confidence/) |
    [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|
    | @&#8203;codemirror/autocomplete | [`6.20.2` →
    `6.20.3`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.2/6.20.3)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/@codemirror%2fautocomplete/6.20.3?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@codemirror%2fautocomplete/6.20.2/6.20.3?slim=true)
    |
    | [eslint-plugin-vue](https://eslint.vuejs.org)
    ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) |
    [`10.9.1` →
    `10.9.2`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.1/10.9.2)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-vue/10.9.2?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-vue/10.9.1/10.9.2?slim=true)
    |

    ---

    <details>
    <summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary>
    [`v10.9.2`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1092)

    [Compare
    Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.1...v10.9.2)

    - Fixed
    [`vue/custom-event-name-casing`](https://eslint.vuejs.org/rules/custom-event-name-casing.html)
    to check segments of colon-separated event names like `update:foo-bar`
    ([#&#8203;3079](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3079))
    - Fixed
    [`vue/one-component-per-file`](https://eslint.vuejs.org/rules/one-component-per-file.html)
    to not report functions not imported from Vue
    ([#&#8203;3063](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3063))
    - Fixed
    [`vue/prefer-import-from-vue`](https://eslint.vuejs.org/rules/prefer-import-from-vue.html)
    to not report imports/exports of names that are not re-exported by `vue`
    ([#&#8203;3081](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3081))
    - Fixed
    [`vue/return-in-computed-property`](https://eslint.vuejs.org/rules/return-in-computed-property.html)
    and
    [`vue/require-render-return`](https://eslint.vuejs.org/rules/require-render-return.html)
    to not report exhaustive switch statements when TypeScript type
    information is available
    ([#&#8203;3067](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3067))

    </details>

    ---

    📅 **Schedule**: (UTC)

    - Branch creation
      - Only on Monday (`* * * * 1`)
    - Automerge
      - At any time (no schedule defined)

    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.

    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.

    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config
    help](https://redirect.github.com/renovatebot/renovate/discussions) if
    that's undesired.

    ---

    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box

    ---

    This PR has been generated by [Mend
    Renovate](https://redirect.github.com/renovatebot/renovate).

    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

commit d76a974b24
Author: TheFox0x7 <thefox0x7@gmail.com>
Date:   Mon Jun 8 20:18:58 2026 +0200

    feat(ssh): auto generate additional ssh keys  (#33974)

    adds capabilities for gitea to generate ecdsa and ed25519 keys by
    default
    adds cli for built-in ssh key generation helpers

    closes: https://github.com/go-gitea/gitea/issues/33783

    ---------

    Co-authored-by: Nicolas <bircni@icloud.com>
    Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
    Co-authored-by: Giteabot <teabot@gitea.io>

commit ade76fe838
Author: Nico Schlömer <nschloe@users.noreply.github.com>
Date:   Mon Jun 8 19:58:41 2026 +0200

    enhance: allow MathML core elements (#38034)

    Fixes #36352.

    ---------

    Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

commit 54916f708e
Author: bircni <bircni@icloud.com>
Date:   Mon Jun 8 19:16:22 2026 +0200

    feat: Add avatar stacks (#37594)

    Parse `Co-authored-by:` trailers from commit messages and surface
    contributors as an avatar stack across the commit page, commits list, PR
    commits tab, latest-commit row, blame, graph, and dashboard feed.

    - Up to 10 visible 20px avatars, GitHub-style overlap (6px first stride,
    4px between subsequent), `+N` chip for the rest.
    - Label: 1 → name; 2 → `<a> and <b>`; 3+ → `<N> people` opens a Tippy
    popup with all participants.
    - Names and avatars link to the repo's commits-by-author search; fall
    back to profile or `mailto:`.
    - Trailer parsing uses `net/mail.ParseAddress`, scans only the trailing
    paragraph, filters out the commit's own author/committer.
    - Drops the non-standard `Co-committed-by:` emission on squash merge and
    web edits.

    Devtest: `/devtest/coauthor-avatars`.

    Fixes #25521

    ----
    <img width="353" height="277" alt="image"
    src="https://github.com/user-attachments/assets/72092ceb-97ca-4b09-9557-0b72d3c5458e"
    />

    <img width="533" height="328"
    src="https://github.com/user-attachments/assets/11d0c8f8-8b3f-4f2e-9993-879f1c06bcc5"
    />

    ---------

    Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
    Co-authored-by: Giteabot <teabot@gitea.io>

commit 9df885ceaf
Merge: 7ddacf0edf 136f7d18aa
Author: Danila Fominykh <d@m8sh.su>
Date:   Mon Jun 8 17:05:31 2026 +0000

    merge upstream

commit 2a84831400
Author: Giteabot <teabot@gitea.io>
Date:   Mon Jun 8 09:53:12 2026 -0700

    chore(deps): update astral-sh/setup-uv action to v8.2.0 (#38036)

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) |
    action | minor | `v8.1.0` → `v8.2.0` |

    ---

    <details>
    <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>
    [`v8.2.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.2.0):
    🌈 New inputs `quiet` and `download-from-astral-mirror`

    [Compare
    Source](https://redirect.github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0)

    This release brings two new inputs and a few bug fixes.

    Lets talk about the new inputs first.

    Pretty simple. It turns of all `info` loggings. Useful if you use this
    in a composite action and are not interested in all the details.
    In the upcoming releases we will add log groups to fully implement
    support for "less noise"

    > \[!NOTE]\
    > Warnings and errors are always logged.

    In some cases you may want to directly use the fallback of checking for
    available versions and downloading releases from GitHub instead of using
    the astral.sh mirror. Setting `download-from-astral-mirror: false`
    allows you to do that.

    When using the astral.sh mirror to query available versions and download
    releases (done by default) we now stop sending the GitHub token in the
    header. The mirror never looked at it but we shouldn't be handing out
    that data even if it is just a short lived token.
    All other bugfixes try to limit the impact of failed GitHub queries due
    to retries and other faults.

    We couldn't pinpoint all rootcauses yet but added more logging for error
    cases to track them down.

    - fix: report unexpected cache save failures
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;896](https://redirect.github.com/astral-sh/setup-uv/issues/896))
    - fix: report unexpected setup failures
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;895](https://redirect.github.com/astral-sh/setup-uv/issues/895))
    - fix: add timeout to fetch to prevent silent hangs
    [@&#8203;eifinger-bot](https://redirect.github.com/eifinger-bot)
    ([#&#8203;883](https://redirect.github.com/astral-sh/setup-uv/issues/883))
    - Limit GitHub tokens to github.com download URLs
    [@&#8203;zsol](https://redirect.github.com/zsol)
    ([#&#8203;878](https://redirect.github.com/astral-sh/setup-uv/issues/878))
    - increase libuv-workaround timeout to 100ms
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;880](https://redirect.github.com/astral-sh/setup-uv/issues/880))

    - Add quiet input to suppress info-level log output
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;898](https://redirect.github.com/astral-sh/setup-uv/issues/898))
    - feat: add `download-from-astral-mirror` input
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;897](https://redirect.github.com/astral-sh/setup-uv/issues/897))

    - docs: update dependabot rollup biome guidance
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;902](https://redirect.github.com/astral-sh/setup-uv/issues/902))
    - chore: update known checksums for 0.11.18
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;899](https://redirect.github.com/astral-sh/setup-uv/issues/899))
    - chore: update known checksums for 0.11.17
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;892](https://redirect.github.com/astral-sh/setup-uv/issues/892))
    - chore: update known checksums for 0.11.16
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;889](https://redirect.github.com/astral-sh/setup-uv/issues/889))
    - chore: update known checksums for 0.11.15
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;885](https://redirect.github.com/astral-sh/setup-uv/issues/885))
    - chore: update known checksums for 0.11.14
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;879](https://redirect.github.com/astral-sh/setup-uv/issues/879))
    - chore: update known checksums for 0.11.13
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;877](https://redirect.github.com/astral-sh/setup-uv/issues/877))
    - chore: update known checksums for 0.11.12
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;876](https://redirect.github.com/astral-sh/setup-uv/issues/876))
    - chore: update known checksums for 0.11.11
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;873](https://redirect.github.com/astral-sh/setup-uv/issues/873))
    - chore: update known checksums for 0.11.9/0.11.10
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;871](https://redirect.github.com/astral-sh/setup-uv/issues/871))
    - chore: update known checksums for 0.11.8
    @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
    ([#&#8203;867](https://redirect.github.com/astral-sh/setup-uv/issues/867))
    - Bump setup-uv references to v8.1.0 SHA in docs
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;862](https://redirect.github.com/astral-sh/setup-uv/issues/862))
    - Add update-docs.yml workflow
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;861](https://redirect.github.com/astral-sh/setup-uv/issues/861))

    - chore(deps): roll up dependabot updates
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;903](https://redirect.github.com/astral-sh/setup-uv/issues/903))
    - chore(deps): roll up dependabot updates
    [@&#8203;eifinger](https://redirect.github.com/eifinger)
    ([#&#8203;901](https://redirect.github.com/astral-sh/setup-uv/issues/901))
    - chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;900](https://redirect.github.com/astral-sh/setup-uv/issues/900))
    - chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;842](https://redirect.github.com/astral-sh/setup-uv/issues/842))
    - chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;893](https://redirect.github.com/astral-sh/setup-uv/issues/893))
    - chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;891](https://redirect.github.com/astral-sh/setup-uv/issues/891))
    - chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;884](https://redirect.github.com/astral-sh/setup-uv/issues/884))
    - chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;888](https://redirect.github.com/astral-sh/setup-uv/issues/888))
    - chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;881](https://redirect.github.com/astral-sh/setup-uv/issues/881))
    - chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;875](https://redirect.github.com/astral-sh/setup-uv/issues/875))
    - chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;866](https://redirect.github.com/astral-sh/setup-uv/issues/866))
    - chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;864](https://redirect.github.com/astral-sh/setup-uv/issues/864))
    - chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
    @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
    ([#&#8203;863](https://redirect.github.com/astral-sh/setup-uv/issues/863))

    </details>

    ---

    📅 **Schedule**: (UTC)

    - Branch creation
      - Only on Monday (`* * * * 1`)
    - Automerge
      - At any time (no schedule defined)

    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.

    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.

    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.

    ---

    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box

    ---

    This PR has been generated by [Mend
    Renovate](https://redirect.github.com/renovatebot/renovate).

    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

commit 136f7d18aa
Author: wxiaoguang <wxiaoguang@gmail.com>
Date:   Mon Jun 8 16:58:42 2026 +0800

    fix: api error message (#38031)

    Fix various abuses and mistakes

commit 60f66a9bfd
Author: Zettat123 <zettat123@gmail.com>
Date:   Mon Jun 8 00:39:06 2026 -0600

    enhance(actions): improve reusable workflow `uses` handling and cancellation (#37991)

    Follow up #37478

    1. #37478 doesn't support absolute URL in `uses`. This PR provides
    partial support for URL-style reusable workflow references. A reusable
    workflow can now be referenced by an absolute URL, as long as it points
    to the local Gitea instance:

    ```yaml
    jobs:
      call:
        uses: https://your-gitea.example.com/OWNER/REPO/.gitea/workflows/ci.yaml@v1
    ```

    2. Show an error message in the UI for invalid `uses`.

    <img width="1600" alt="image"
    src="https://github.com/user-attachments/assets/21b34e61-bf10-4af1-b9fd-4ee4e9fde049"
    />

    3. Fix reusable caller cancellation issue. A reusable caller's status is
    aggregated from its children, so cancellation should processes a
    caller's descendants deepest-first.

    ---------

    Signed-off-by: Zettat123 <zettat123@gmail.com>
    Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
    Co-authored-by: bircni <bircni@icloud.com>
    Co-authored-by: Giteabot <teabot@gitea.io>

commit 1e9ea9c8f5
Author: Giteabot <teabot@gitea.io>
Date:   Sun Jun 7 23:03:55 2026 -0700

    fix(deps): update npm dependencies (#38029)

    This PR contains the following updates:

    | Package | Change |
    [Age](https://docs.renovatebot.com/merge-confidence/) |
    [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|
    | [@primer/octicons](https://primer.style/octicons)
    ([source](https://redirect.github.com/primer/octicons)) | [`19.27.0` →
    `19.28.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.27.0/19.28.0)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/@primer%2focticons/19.28.0?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@primer%2focticons/19.27.0/19.28.0?slim=true)
    |
    |
    [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser)
    ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser))
    | [`8.60.0` →
    `8.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.0/8.60.1)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/@typescript-eslint%2fparser/8.60.1?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@typescript-eslint%2fparser/8.60.0/8.60.1?slim=true)
    |
    |
    [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest)
    | [`1.6.18` →
    `1.6.19`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.18/1.6.19)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/@vitest%2feslint-plugin/1.6.19?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@vitest%2feslint-plugin/1.6.18/1.6.19?slim=true)
    |
    | [eslint](https://eslint.org)
    ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` →
    `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint/10.4.1?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint/10.4.0/10.4.1?slim=true)
    |
    |
    [eslint-import-resolver-typescript](https://redirect.github.com/import-js/eslint-import-resolver-typescript)
    | [`4.4.4` →
    `4.4.5`](https://renovatebot.com/diffs/npm/eslint-import-resolver-typescript/4.4.4/4.4.5)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-import-resolver-typescript/4.4.5?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-import-resolver-typescript/4.4.4/4.4.5?slim=true)
    |
    |
    [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/)
    ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css))
    | [`3.1.0` →
    `3.1.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-vue-scoped-css/3.1.1?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1?slim=true)
    |
    | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` →
    `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/js-yaml/4.2.0?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/js-yaml/4.1.1/4.2.0?slim=true)
    |
    | [pnpm](https://pnpm.io)
    ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
    [`11.4.0` →
    `11.5.1`](https://renovatebot.com/diffs/npm/pnpm/11.4.0/11.5.1) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/pnpm/11.5.1?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pnpm/11.4.0/11.5.1?slim=true)
    |
    |
    [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin)
    | [`3.0.8` →
    `3.0.9`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.8/3.0.9)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/rolldown-license-plugin/3.0.9?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/rolldown-license-plugin/3.0.8/3.0.9?slim=true)
    |
    |
    [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
    ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
    | [`8.60.0` →
    `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/typescript-eslint/8.60.1?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript-eslint/8.60.0/8.60.1?slim=true)
    |
    | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.2`
    → `17.17.3`](https://renovatebot.com/diffs/npm/updates/17.17.2/17.17.3)
    |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/updates/17.17.3?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/updates/17.17.2/17.17.3?slim=true)
    |
    | [vite](https://vite.dev)
    ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
    | [`8.0.14` →
    `8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.0.16?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.0.14/8.0.16?slim=true)
    |
    | [vitest](https://vitest.dev)
    ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest))
    | [`4.1.7` →
    `4.1.8`](https://renovatebot.com/diffs/npm/vitest/4.1.7/4.1.8) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/vitest/4.1.8?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vitest/4.1.7/4.1.8?slim=true)
    |
    | [vue-tsc](https://redirect.github.com/vuejs/language-tools)
    ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc))
    | [`3.3.2` →
    `3.3.3`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.2/3.3.3) |
    ![age](https://developer.mend.io/api/mc/badges/age/npm/vue-tsc/3.3.3?slim=true)
    |
    ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vue-tsc/3.3.2/3.3.3?slim=true)
    |

    ---

    <details>
    <summary>primer/octicons (@&#8203;primer/octicons)</summary>
    [`v19.28.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19280)

    [Compare
    Source](https://redirect.github.com/primer/octicons/compare/v19.27.0...v19.28.0)

    - [#&#8203;1208](https://redirect.github.com/primer/octicons/pull/1208)
    [`eddab3ff`](https://redirect.github.com/primer/octicons/commit/eddab3ff19f1450eb1d60c78b1d20c2c4bc3fd15)
    Thanks [@&#8203;dylanatsmith](https://redirect.github.com/dylanatsmith)!
    - Fix vscode icon: update 16px, add 24px, remove 32px and 48px

    </details>

    <details>
    <summary>typescript-eslint/typescript-eslint
    (@&#8203;typescript-eslint/parser)</summary>
    [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8601-2026-06-01)

    [Compare
    Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1)

    This was a version bump only for parser to align it with other projects,
    there were no code changes.

    See [GitHub
    Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1)
    for more information.

    You can read about our [versioning
    strategy](https://typescript-eslint.io/users/versioning) and
    [releases](https://typescript-eslint.io/users/releases) on our website.

    </details>

    <details>
    <summary>vitest-dev/eslint-plugin-vitest
    (@&#8203;vitest/eslint-plugin)</summary>
    [`v1.6.19`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.19)

    [Compare
    Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19)

    *No significant changes*
    GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19)

    </details>

    <details>
    <summary>eslint/eslint (eslint)</summary>
    [`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1)

    [Compare
    Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1)

    -
    [`e557467`](https://redirect.github.com/eslint/eslint/commit/e557467db7496220eebcbe2ac5ea6d38c12bb1ec)
    fix: update `@eslint/plugin-kit` version to 0.7.2
    ([#&#8203;20930](https://redirect.github.com/eslint/eslint/issues/20930))
    (Francesco Trotta)
    -
    [`d4ce898`](https://redirect.github.com/eslint/eslint/commit/d4ce898796ca22c3b96aa70d3014cb85f4bac1cd)
    fix: propagate failures from delegated commands
    ([#&#8203;20917](https://redirect.github.com/eslint/eslint/issues/20917))
    (Minh Vu)
    -
    [`f4f3507`](https://redirect.github.com/eslint/eslint/commit/f4f3507460bc016b5be979c05d2969793f570cbf)
    fix: prefer-arrow-callback invalid autofix with newline after `async`
    ([#&#8203;20916](https://redirect.github.com/eslint/eslint/issues/20916))
    (kuldeep kumar)
    -
    [`c5bc78b`](https://redirect.github.com/eslint/eslint/commit/c5bc78b37e08b9054a11f0cc2d81808bb24acb85)
    fix: false positive for reference in `finally` block
    ([#&#8203;20655](https://redirect.github.com/eslint/eslint/issues/20655))
    (Tanuj Kanti)
    -
    [`27538c0`](https://redirect.github.com/eslint/eslint/commit/27538c01f5df4e9306f6f4ba867b2dd6307fae59)
    fix: add missing CodePath and CodePathSegment types
    ([#&#8203;20853](https://redirect.github.com/eslint/eslint/issues/20853))
    (Pixel998)

    -
    [`61b0add`](https://redirect.github.com/eslint/eslint/commit/61b0add61ffc52665562be7bb96f526690a78b30)
    docs: remove deprecated rule from related rules of `max-params`
    ([#&#8203;20921](https://redirect.github.com/eslint/eslint/issues/20921))
    (Tanuj Kanti)
    -
    [`305d5b9`](https://redirect.github.com/eslint/eslint/commit/305d5b91aeac24d36fde42f75625a8f183d4ce43)
    docs: remove deprecated rules from related rules section
    ([#&#8203;20911](https://redirect.github.com/eslint/eslint/issues/20911))
    (Tanuj Kanti)
    -
    [`49b0202`](https://redirect.github.com/eslint/eslint/commit/49b0202d01918b8061720d586dffd7c68047090c)
    docs: fix `display: none` of ad
    ([#&#8203;20901](https://redirect.github.com/eslint/eslint/issues/20901))
    (Tanuj Kanti)
    -
    [`9067f94`](https://redirect.github.com/eslint/eslint/commit/9067f9492ec998afc5b4f057a477ecf6ebd45e44)
    docs: switch build to Node.js 24
    ([#&#8203;20893](https://redirect.github.com/eslint/eslint/issues/20893))
    (Milos Djermanovic)
    -
    [`c91b041`](https://redirect.github.com/eslint/eslint/commit/c91b0417e3420c76807ce1fa2aea76e2de87ab86)
    docs: Update README (GitHub Actions Bot)
    -
    [`e349265`](https://redirect.github.com/eslint/eslint/commit/e349265cb37f3ebc837e178e48a725bb782bd870)
    docs: clarify semver strings in rule deprecation objects
    ([#&#8203;20885](https://redirect.github.com/eslint/eslint/issues/20885))
    (Milos Djermanovic)

    -
    [`b0e466b`](https://redirect.github.com/eslint/eslint/commit/b0e466b6ab47bfc7de43d8de0c315d8ee83aa584)
    test: add `data` property to invalid tests cases for rules
    ([#&#8203;20924](https://redirect.github.com/eslint/eslint/issues/20924))
    (Tanuj Kanti)
    -
    [`f78838b`](https://redirect.github.com/eslint/eslint/commit/f78838bc4c86d487e1bcc7cede260c4467721c46)
    test: add CodePath type coverage
    ([#&#8203;20904](https://redirect.github.com/eslint/eslint/issues/20904))
    (Pixel998)
    -
    [`1daa4bd`](https://redirect.github.com/eslint/eslint/commit/1daa4bd734b79a62e317d0394394a6b38cff49f9)
    chore: update `eslint-plugin-eslint-comments` test data to latest commit
    ([#&#8203;20922](https://redirect.github.com/eslint/eslint/issues/20922))
    (Francesco Trotta)
    -
    [`002942c`](https://redirect.github.com/eslint/eslint/commit/002942ce988ea28b78e0a2f3b074081e638b552c)
    ci: declare contents:read on update-readme workflow
    ([#&#8203;20919](https://redirect.github.com/eslint/eslint/issues/20919))
    (Arpit Jain)
    -
    [`64bca24`](https://redirect.github.com/eslint/eslint/commit/64bca24e7bed35bc3c864fc625cb2d89eca87d5b)
    chore: update ecosystem plugins
    ([#&#8203;20912](https://redirect.github.com/eslint/eslint/issues/20912))
    (ESLint Bot)
    -
    [`6d7c832`](https://redirect.github.com/eslint/eslint/commit/6d7c832950d5e92499d88e504080661f888f8f56)
    chore: ignore fflate updates in renovate
    ([#&#8203;20908](https://redirect.github.com/eslint/eslint/issues/20908))
    (Pixel998)
    -
    [`b2c8638`](https://redirect.github.com/eslint/eslint/commit/b2c86382164d87c6203b78d52068cd6a2a6ffe30)
    ci: bump pnpm/action-setup from 6.0.7 to 6.0.8
    ([#&#8203;20889](https://redirect.github.com/eslint/eslint/issues/20889))
    (dependabot\[bot])
    -
    [`a9b8d7f`](https://redirect.github.com/eslint/eslint/commit/a9b8d7f74c50211701cfc49710fa541fd91b2aa5)
    chore: increase maxBuffer for ecosystem tests
    ([#&#8203;20881](https://redirect.github.com/eslint/eslint/issues/20881))
    (sethamus)
    -
    [`b702ead`](https://redirect.github.com/eslint/eslint/commit/b702ead5e1ed7cb9f28238a454797662efb37396)
    chore: update ecosystem update PR settings
    ([#&#8203;20884](https://redirect.github.com/eslint/eslint/issues/20884))
    (Pixel998)
    -
    [`507f60e`](https://redirect.github.com/eslint/eslint/commit/507f60e9a78c9a902bc8759f066ae17a1ea6cd81)
    chore: update ecosystem plugins
    ([#&#8203;20882](https://redirect.github.com/eslint/eslint/issues/20882))
    (ESLint Bot)
    -
    [`92f5c5b`](https://redirect.github.com/eslint/eslint/commit/92f5c5bb6bf3a5d167c8ee53a430833410295c6d)
    test: add unit test for message-count
    ([#&#8203;20878](https://redirect.github.com/eslint/eslint/issues/20878))
    (kuldeep kumar)
    -
    [`df32108`](https://redirect.github.com/eslint/eslint/commit/df321080af5758b1fa25e4b9a40e26135642dd6e)
    chore: add
    [@&#8203;eslint/markdown](https://redirect.github.com/eslint/markdown)
    and typescript-eslint ecosystem tests
    ([#&#8203;20837](https://redirect.github.com/eslint/eslint/issues/20837))
    (sethamus)
    -
    [`327f91d`](https://redirect.github.com/eslint/eslint/commit/327f91d36aa49f2a50ded931d841a16374fd875f)
    chore: use includeIgnoreFile internally
    ([#&#8203;20876](https://redirect.github.com/eslint/eslint/issues/20876))
    (Kirk Waiblinger)
    -
    [`f0dc4bd`](https://redirect.github.com/eslint/eslint/commit/f0dc4bd893fb3a9f44e4ddc3ad7063ffb0beacd3)
    chore: pin fflate\@&#8203;0.8.2
    ([#&#8203;20877](https://redirect.github.com/eslint/eslint/issues/20877))
    (Milos Djermanovic)
    -
    [`0f4bd25`](https://redirect.github.com/eslint/eslint/commit/0f4bd257a67a082b756de746d9e0c4842ab764ca)
    ci: run Discord alert for ecosystem test failures
    ([#&#8203;20873](https://redirect.github.com/eslint/eslint/issues/20873))
    (Copilot)

    </details>

    <details>
    <summary>import-js/eslint-import-resolver-typescript
    (eslint-import-resolver-typescript)</summary>
    [`v4.4.5`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/blob/HEAD/CHANGELOG.md#445)

    [Compare
    Source](https://redirect.github.com/import-js/eslint-import-resolver-typescript/compare/v4.4.4...v4.4.5)

    -
    [#&#8203;473](https://redirect.github.com/import-js/eslint-import-resolver-typescript/pull/473)
    [`32c61ab`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/commit/32c61abccf26bd2a2267f2e0e67d82e6f88d149a)
    Thanks [@&#8203;leey0818](https://redirect.github.com/leey0818)! - fix:
    check tsconfig matching before using resolver

    </details>

    <details>
    <summary>future-architect/eslint-plugin-vue-scoped-css
    (eslint-plugin-vue-scoped-css)</summary>
    [`v3.1.1`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#311)

    [Compare
    Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.1.0...v3.1.1)

    - Fix false positives in `vue-scoped-css/require-selector-used-inside`
    for selectors that start with ignored pseudo-classes such as
    `:has(...)`.
    ([#&#8203;496](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/496))

    </details>

    <details>
    <summary>nodeca/js-yaml (js-yaml)</summary>
    [`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01)

    [Compare
    Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9)

    - Added `docs/safety.md` with notes about processing untrusted YAML.
    - Added `maxDepth` (100) loader option. Not a problem, but gives a
    better
      exception instead of RangeError on stack overflow.
    - Added `maxMergeSeqLength` (20) loader option. Not a problem after
    `merge` fix,
      but an additional restriction for safety.
    - Added sourcemaps to `dist/` builds.

    - Stop resolving numbers with underscores as numeric scalars,
    [#&#8203;627](https://redirect.github.com/nodeca/js-yaml/issues/627).
    - Switched dev toolchains to Vite / neostandard.
    - Updated demo.
    - Reorganized tests.
    - `dist/` files are no longer kept in the repository.

    - Fix parsing of properties on the first implicit block mapping key,
    [#&#8203;62](https://redirect.github.com/nodeca/js-yaml/issues/62).
    - Fix trailing whitespace handling when folding flow scalar lines,
    [#&#8203;307](https://redirect.github.com/nodeca/js-yaml/issues/307).
    - Reject top-level block scalars without content indentation,
    [#&#8203;280](https://redirect.github.com/nodeca/js-yaml/issues/280).
    - Ensure numbers survive round-trip,
    [#&#8203;737](https://redirect.github.com/nodeca/js-yaml/issues/737).
    - Fix test coverage for issue
    [#&#8203;221](https://redirect.github.com/nodeca/js-yaml/issues/221).
    - Fix flow scalar trailing whitespace folding,
    [#&#8203;307](https://redirect.github.com/nodeca/js-yaml/issues/307).
    - Fix digits in YAML named tag handles.

    - Fix potential DoS via quadratic complexity in merge - deduplicate
    repeated
      elements (makes sense for malformed files > 10K).

    </details>

    <details>
    <summary>pnpm/pnpm (pnpm)</summary>
    [`v11.5.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1151)

    [Compare
    Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.0...v11.5.1)

    - Improve `pnpm audit` performance by pruning non-vulnerable lockfile
    subtrees and stopping path enumeration once vulnerable findings reach
    the path cap.
    - Avoid crashing when the workspace state cache is partially written or
    malformed.
    - Set `npm_config_user_agent` for root lifecycle scripts during headless
    installs.
    - Preserve the `integrity` field of a remote (non-registry) tarball
    dependency when its lockfile entry is rebuilt. Re-resolving such a
    dependency without re-fetching it (for example via `pnpm update`, or
    when another dependency changes) produced a resolution with no integrity
    — URL/tarball resolvers only learn the integrity after the tarball is
    downloaded — so the previously recorded integrity was dropped, making
    later installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`
    [#&#8203;12067](https://redirect.github.com/pnpm/pnpm/issues/12067).
    - Normalize a string `repository` field into the `{ type, url }` object
    form when creating the publish manifest, matching npm's behavior. Some
    registries (e.g. Gitea/Codeberg) reject a string `repository` with a 500
    Internal Server Error during `pnpm publish`
    [#&#8203;12099](https://redirect.github.com/pnpm/pnpm/issues/12099).
    - Preserve compatible optional peer versions already present in the
    lockfile when resolving dependencies.
    - Fixed inconsistent resolution of a peer dependency that is shared
    through a diamond. When a package peer-depends on both another package
    and one of that package's own peer dependencies (for example
    `@typescript-eslint/eslint-plugin` peer-depends on both
    `@typescript-eslint/parser` and `typescript`, and
    `@typescript-eslint/parser` peer-depends on `typescript`), pnpm no
    longer reuses a hoisted instance of the shared peer that was resolved
    against a different version
    [#&#8203;12079](https://redirect.github.com/pnpm/pnpm/issues/12079).
    [`v11.5.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1150)

    [Compare
    Source](https://redirect.github.com/pnpm/pnpm/compare/v11.4.0...v11.5.0)

    - Added a new `hoistingLimits` setting for `nodeLinker: hoisted`
    installs, mirroring yarn's `nmHoistingLimits`. It accepts `none` (the
    default — hoist as far as possible), `workspaces` (hoist only as far as
    each workspace package), or `dependencies` (hoist only up to each
    workspace package's direct dependencies). Originally proposed in
    [#&#8203;6468](https://redirect.github.com/pnpm/pnpm/pull/6468), closing
    [#&#8203;6457](https://redirect.github.com/pnpm/pnpm/issues/6457).

    - Replaced `enquirer` with `@inquirer/prompts` for all interactive
    prompts. Fixes the `update -i` scrolling overflow bug where long choice
    lists were clipped in the terminal
    [#&#8203;6643](https://redirect.github.com/pnpm/pnpm/issues/6643).

      **User-facing changes:**

    - `pnpm update -i` / `pnpm update -i --latest`: Scrolling now works
    correctly when many packages are available; the new library uses
    visual-line-aware pagination via `usePagination`
    - `pnpm audit --fix -i`: Same scrolling fix for vulnerability selection
      - `pnpm approve-builds`: Interactive build approval prompts updated
      - `pnpm patch`: Version selection and "apply to all" prompts updated
      - `pnpm patch-remove`: Patch removal selection updated
      - `pnpm publish`: Branch confirmation prompt updated
      - `pnpm login`: Credential prompts updated
    - `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`):
    Confirmation prompt updated

    Vim-style `j`/`k` keys still work for up/down navigation in all
    interactive prompts.

    **Internal:** The `OtpEnquirer` and `LoginEnquirer` DI interfaces
    changed from `{ prompt }` to `{ input }` / `{ input, password }`
    respectively. Plugins or custom builds that inject their own enquirer
    mock will need to update.

    - Staged publishes are now recognized in the trust scale. When a package
    version's registry metadata carries an `approver` field, it is treated
    as the strongest trust evidence (ranked above trusted publishers and
    provenance attestations), since staged publishes require 2FA publish
    approvals. This prevents false-positive trust downgrade errors when
    moving from a staged publish to a lower trust level
    [#&#8203;11887](https://redirect.github.com/pnpm/pnpm/issues/11887).

    - Fix pnpm hanging during peer resolution when an aliased install pulls
    in transitive packages with mutual peer cycles at different depths in
    the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`).
    Cycles whose members hit the `findHit` cache instead of running their
    own `calculateDepPath` are now short-circuited by sibling resolutions at
    the level where the cycle is detected, so the cached path promises no
    longer deadlock.
    [#&#8203;11999](https://redirect.github.com/pnpm/pnpm/issues/11999).
    - Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org
    failing without `--otp` with `[ERR_PNPM_UNAUTHORIZED] You must be logged
    in to set dist-tag … "You must provide a one-time pass. Upgrade your
    client to npm@latest in order to use 2FA."`. pnpm now sends
    `npm-auth-type: web` on dist-tag writes and surfaces the resulting OTP
    challenge through the existing browser-based 2FA flow (the same
    `withOtpHandling` helper used by `pnpm publish`), so the browser opens,
    the user authenticates, and the dist-tag is set on retry. `--otp=<code>`
    continues to work via the classic flow.
    - Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths
    so excluded packages do not get pinned to stale versions. Excludes are
    honored consistently during `publishedBy` metadata selection and
    cache-mtime shortcuts.
    - Fix the `integrity` field being dropped from the lockfile entry of a
    remote (non-registry) https-tarball dependency when an unrelated package
    is installed afterwards. URL/tarball resolvers do not return an
    integrity (it is only known after the tarball is downloaded), so when
    such a dependency was reused from the lockfile without being re-fetched,
    its integrity was lost. It is now carried over from the existing
    resolution. With pnpm's lockfile-integrity hardening, the missing
    integrity made subsequent `--frozen-lockfile` installs fail with
    `ERR_PNPM_MISSING_TARBALL_INTEGRITY`.
    [#&#8203;12001](https://redirect.github.com/pnpm/pnpm/issues/12001).
    - Skip dependency re-resolution when `pnpm-lock.yaml` is missing but
    `node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest.
    `pnpm install` now reuses the materialized snapshot to regenerate
    `pnpm-lock.yaml` instead of walking the registry to rebuild it from
    scratch, turning the cache+node\_modules variation into a near-no-op for
    users who deleted the lockfile but kept the install
    [#&#8203;11993](https://redirect.github.com/pnpm/pnpm/issues/11993).

    `--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is
    absent — the regenerated lockfile must be committed, so failing loudly
    is the correct behavior for CI.

    </details>

    <details>
    <summary>silverwind/rolldown-license-plugin
    (rolldown-license-plugin)</summary>
    [`v3.0.9`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.9)

    [Compare
    Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.8...3.0.9)

    - update deps (silverwind)
    - make: collapse patch/minor/major into one rule (silverwind)
    - simplify generateBundle: pair dir+raw, rename shadow, inline
    single-use const (silverwind)
    - make update a combination target, split out update-js (silverwind)
    - add update-actions make target (silverwind)
    - remove authorship attribution rule from AGENTS.md (silverwind)
    - docs: use defineConfig in README usage example (silverwind)

    </details>

    <details>
    <summary>typescript-eslint/typescript-eslint
    (typescript-eslint)</summary>
    [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01)

    [Compare
    Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1)

    This was a version bump only for typescript-eslint to align it with
    other projects, there were no code changes.

    See [GitHub
    Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1)
    for more information.

    You can read about our [versioning
    strategy](https://typescript-eslint.io/users/versioning) and
    [releases](https://typescript-eslint.io/users/releases) on our website.

    </details>

    <details>
    <summary>silverwind/updates (updates)</summary>
    [`v17.17.3`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.3)

    [Compare
    Source](https://redirect.github.com/silverwind/updates/compare/17.17.2...17.17.3)

    - fix prerelease drop in updateVersionRange and scope regex (silverwind)
    - fix 1.2.x ranges, docker tag corruption, and per-file cooldown
    (silverwind)
    - fix go +incompatible, cargo inline-table, and prerelease selection
    (silverwind)
    - fix --pin range parsing, url tag deps, and -s flag docs (silverwind)
    - make update a combination target, split out update-js (silverwind)
    - add update-actions make target (silverwind)
    - remove authorship attribution rule from AGENTS.md (silverwind)

    </details>

    <details>
    <summary>vitejs/vite (vite)</summary>
    [`v8.0.16`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

    [Compare
    Source](https://redirect.github.com/vitejs/vite/compare/v8.0.15...v8.0.16)

    - **deps:** reject UNC paths for launch-editor-middleware
    ([#&#8203;22571](https://redirect.github.com/vitejs/vite/issues/22571))
    ([50b9512](https://redirect.github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9))
    - reject windows alternate paths
    ([#&#8203;22572](https://redirect.github.com/vitejs/vite/issues/22572))
    ([dc245c7](https://redirect.github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546))
    [`v8.0.15`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

    [Compare
    Source](https://redirect.github.com/vitejs/vite/compare/v8.0.14...v8.0.15)

    - send 408 on request timeout
    ([#&#8203;22476](https://redirect.github.com/vitejs/vite/issues/22476))
    ([c85c9ee](https://redirect.github.com/vitejs/vite/commit/c85c9eeb9aaf41f477b48b057146887bd5620797))
    - update rolldown to 1.0.3
    ([#&#8203;22538](https://redirect.github.com/vitejs/vite/issues/22538))
    ([646dbed](https://redirect.github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575))

    - capitalize error messages and remove spurious space in parse error
    ([#&#8203;22488](https://redirect.github.com/vitejs/vite/issues/22488))
    ([85a0eff](https://redirect.github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3))
    - **deps:** update all non-major dependencies
    ([#&#8203;22511](https://redirect.github.com/vitejs/vite/issues/22511))
    ([2686d7d](https://redirect.github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa))
    - **dev:** fix html-proxy cache key mismatch for /@&#8203;fs/ HTML paths
    ([#&#8203;21762](https://redirect.github.com/vitejs/vite/issues/21762))
    ([47c4213](https://redirect.github.com/vitejs/vite/commit/47c4213f134f562c41ed7c031e4788510cf7e31e))
    - **glob:** error on relative glob in virtual module when no files match
    ([#&#8203;22497](https://redirect.github.com/vitejs/vite/issues/22497))
    ([5c8e98f](https://redirect.github.com/vitejs/vite/commit/5c8e98f8b584ac5d42f0f9b8580c49792213b13c))
    - **optimizer:** close the rolldown bundle when write() rejects
    ([#&#8203;22528](https://redirect.github.com/vitejs/vite/issues/22528))
    ([e3cfb9d](https://redirect.github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815))
    - **resolve:** provide onWarn for viteResolvePlugin in JS plugin
    containers
    ([#&#8203;22509](https://redirect.github.com/vitejs/vite/issues/22509))
    ([40985f1](https://redirect.github.com/vitejs/vite/commit/40985f1c09b7696e594e6c5695fbc315d2da2c83))

    - **deps:** update rolldown-related dependencies
    ([#&#8203;22566](https://redirect.github.com/vitejs/vite/issues/22566))
    ([3052a67](https://redirect.github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd))

    - correct logic in `collectAllModules` function
    ([#&#8203;22562](https://redirect.github.com/vitejs/vite/issues/22562))
    ([6978a9c](https://redirect.github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c))

    </details>

    <details>
    <summary>vitest-dev/vitest (vitest)</summary>
    [`v4.1.8`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.8)

    [Compare
    Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8)

    - **browser**:
    - Disable client `cdp` API when `allowWrite/allowExec: false` \[backport
    to v4]  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa)
    and **Codex** in
    [#&#8203;10450](https://redirect.github.com/vitest-dev/vitest/issues/10450)
    [<samp>(e4067)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e4067b3b1)
    - Remove orphaned Playwright route when same module is mocked via
    multiple ids \[backport to v4]  -  by
    [@&#8203;toxik](https://redirect.github.com/toxik) and
    [@&#8203;Zelys-DFKH](https://redirect.github.com/Zelys-DFKH) in
    [#&#8203;10474](https://redirect.github.com/vitest-dev/vitest/issues/10474)
    [<samp>(675b4)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/675b4343f)
    GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8)

    </details>

    <details>
    <summary>vuejs/language-tools (vue-tsc)</summary>
    [`v3.3.3`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#333-2026-05-30)

    [Compare
    Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.2...v3.3.3)

    - **fix:** prevent grammar scopes leakage in capitalized tags
    ([#&#8203;6073](https://redirect.github.com/vuejs/language-tools/issues/6073))
    - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)!
    - **fix:** preserve TS auto imports behavior in Vue files
    ([#&#8203;6072](https://redirect.github.com/vuejs/language-tools/issues/6072))
    - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)!

    - **fix:** read PR title from env in `auto-version` workflow to prevent
    injection
    ([#&#8203;6074](https://redirect.github.com/vuejs/language-tools/issues/6074))
    - Thanks to
    [@&#8203;arpitjain099](https://redirect.github.com/arpitjain099)!

    </details>

    ---

    📅 **Schedule**: (UTC)

    - Branch creation
      - Only on Monday (`* * * * 1`)
    - Automerge
      - At any time (no schedule defined)

    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.

    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.

    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config
    help](https://redirect.github.com/renovatebot/renovate/discussions) if
    that's undesired.

    ---

    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box

    ---

    This PR has been generated by [Mend
    Renovate](https://redirect.github.com/renovatebot/renovate).

    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

    Co-authored-by: bircni <bircni@icloud.com>

commit 6dcae57b54
Author: Giteabot <teabot@gitea.io>
Date:   Sun Jun 7 22:40:35 2026 -0700

    chore(deps): update action dependencies (#38027)

commit 7ddacf0edf
Merge: e395dcec67 1c289df6eb
Author: Danila Fominykh <d@m8sh.su>
Date:   Sun Jun 7 19:30:42 2026 +0000

    merge upstream

commit e395dcec67
Author: Danila Fominykh <d@m8sh.su>
Date:   Sun Jun 7 19:26:38 2026 +0000

    Add roadmap to readme (#2)

    Reviewed-on: https://m8sh.su/x/m8sh/pulls/2

commit 1c289df6eb
Author: bircni <bircni@icloud.com>
Date:   Sun Jun 7 18:45:20 2026 +0200

    enhance: Adjust Workflow Graph styling (#37497)

    - Fix workflow dependency graph overflow by making the graph container
    scrollable (no more clipped DAGs; addresses #37493).
    - Improve Actions job list readability by keeping durations
    fixed-width/right-aligned so long times don’t squeeze job names.
    - Make workflow graph layout more intuitive by vertically centering
    shorter columns to reduce misleading “looks like it depends on”
    alignments (addresses #37395).
    <img width="966" height="439"
    src="https://github.com/user-attachments/assets/c180c5a2-4f56-4287-bcaa-f2735ba72949"
    />

    <img width="949" height="559"
    src="https://github.com/user-attachments/assets/a383511d-a962-4920-b792-69f556847eff"
    />

    Fixes #37493
    Fixes #37395

    ---------

    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
    Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

commit ea35af1b68
Author: bircni <bircni@icloud.com>
Date:   Sun Jun 7 17:30:18 2026 +0200

    fix: bound CODEOWNERS regex match time (#38011)

    User-supplied CODEOWNERS patterns were compiled without a match timeout,
    so a crafted pattern (e.g. (a+)+) against a crafted file path could
    backtrack for tens of seconds inside the PR creation transaction and
    exhaust the database connection pool. Set MatchTimeout on each compiled
    rule; the caller already treats match errors as non-matches.

    ---------

    Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
    Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
d added 1 commit 2026-06-09 05:24:57 +00:00
Merge branch 'main' into gpg-auth 1b64aa9cdc
d added 1 commit 2026-06-09 14:37:22 +00:00
Merge branch 'main' into gpg-auth 7ba497b218
d added 1 commit 2026-06-09 19:10:16 +00:00
add translations for several languages 17a8b6d310
d added 1 commit 2026-06-09 19:18:29 +00:00
Merge branch 'main' into gpg-auth f81f47ee90
d added 1 commit 2026-06-10 19:52:19 +00:00
Merge branch 'main' into gpg-auth 7bb1f0aba4
d added 1 commit 2026-06-10 20:42:51 +00:00
Merge branch 'main' into gpg-auth 366ce014de
You are not authorized to merge this pull request.
This pull request can be merged automatically.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin gpg-auth:gpg-auth
git checkout gpg-auth
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No labels
Milestone
No items
No Milestone
Assignees
Clear assignees
d (Danila Fominykh)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: x/m8sh#3