fix api route (#7346) (#7347)

* Changelog 1.8.3

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Suggestion

Co-Authored-By: zeripath <art27@cantab.net>

.air.toml

@@ -1,26 +0,0 @@
-root = "."
-tmp_dir = ".air"
-
-[build]
-pre_cmd = ["killall -9 gitea 2>/dev/null || true"] # kill off potential zombie processes from previous runs
-cmd = "make --no-print-directory backend"
-entrypoint = ["./gitea"]
-delay = 2000
-include_ext = ["go", "tmpl"]
-include_file = ["main.go"]
-include_dir = ["cmd", "models", "modules", "options", "routers", "services"]
-exclude_dir = [
-  "models/fixtures",
-  "models/migrations/fixtures",
-  "modules/avatar/identicon/testdata",
-  "modules/avatar/testdata",
-  "modules/git/tests",
-  "modules/migration/file_format_testdata",
-  "routers/private/tests",
-  "services/gitdiff/testdata",
-]
-exclude_regex = ["_test.go$", "_gen.go$"]
-stop_on_error = true
-
-[log]
-main_only = true

.changelog.yml

@@ -1,62 +1,44 @@
-# The full repository name
 repo: go-gitea/gitea
-
-# Service type (gitea or github)
-service: github
-
-# Base URL for Gitea instance if using gitea service type (optional)
-# Default: https://gitea.com
-base-url:
-
-# Changelog groups and which labeled PRs to add to each group
 groups:
-  -
+  - 
     name: BREAKING
     labels:
-      - pr/breaking
-  -
-    name: SECURITY
+      - kind/breaking
+  - 
+    name: FEATURE
     labels:
-      - topic/security
-  -
-    name: FEATURES
-    labels:
-      - type/feature
-  -
-    name: ENHANCEMENTS
-    labels:
-      - type/enhancement
-  -
-    name: PERFORMANCE
-    labels:
-      - performance/memory
-      - performance/speed
-      - performance/bigrepo
-      - performance/cpu
+      - kind/feature
   -
     name: BUGFIXES
     labels:
-      - type/bug
-  -
-    name: API
+      - kind/bug
+  - 
+    name: ENHANCEMENT
     labels:
-      - modifies/api
+      - kind/enhancement
+      - kind/refactor
+      - kind/ui
   -
+    name: SECURITY
+    labels:
+      - kind/security
+  - 
     name: TESTING
     labels:
-      - type/testing
-  -
+      - kind/testing
+  - 
+    name: TRANSLATION
+    labels:
+      - kind/translation
+  - 
     name: BUILD
     labels:
-      - topic/build
-      - topic/code-linting
-  -
+      - kind/build
+      - kind/lint
+  - 
     name: DOCS
     labels:
-      - type/docs
-  -
+      - kind/docs
+  - 
     name: MISC
-    default: true
-
-# regex indicating which labels to skip for the changelog
-skip-labels: skip-changelog|backport\/.+
+    default: true

.devcontainer/devcontainer.json

@@ -1,46 +0,0 @@
-{
-  "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.25-trixie",
-  "containerEnv": {
-    // override "local" from packaged version
-    "GOTOOLCHAIN": "auto"
-  },
-  "features": {
-    // installs nodejs into container
-    "ghcr.io/devcontainers/features/node:1": {
-      "version": "latest"
-    },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
-    "ghcr.io/jsburckhardt/devcontainer-features/uv:1": {},
-    "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.13"
-    },
-    "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
-  },
-  "customizations": {
-    "vscode": {
-      "settings": {},
-      // same extensions as Gitpod, should match /.gitpod.yml
-      "extensions": [
-        "editorconfig.editorconfig",
-        "dbaeumer.vscode-eslint",
-        "golang.go",
-        "stylelint.vscode-stylelint",
-        "DavidAnson.vscode-markdownlint",
-        "Vue.volar",
-        "ms-azuretools.vscode-docker",
-        "vitest.explorer",
-        "cweijan.vscode-database-client2",
-        "GitHub.vscode-pull-request-github",
-        "Azurite.azurite"
-      ]
-    }
-  },
-  "portsAttributes": {
-    "3000": {
-      "label": "Gitea Web",
-      "onAutoForward": "notify"
-    }
-  },
-  "postCreateCommand": "make deps"
-}

.dockerignore

@@ -1,98 +0,0 @@
-# Compiled Object files, Static and Dynamic libs (Shared Objects)
-*.o
-*.a
-*.so
-
-# Folders
-_obj
-_test
-
-# IntelliJ
-.idea
-# Goland's output filename can not be set manually
-/go_build_*
-
-# MS VSCode
-.vscode
-__debug_bin*
-
-# Architecture specific extensions/prefixes
-*.[568vq]
-[568vq].out
-
-*.cgo1.go
-*.cgo2.c
-_cgo_defun.c
-_cgo_gotypes.go
-_cgo_export.*
-
-_testmain.go
-
-*.exe
-*.test
-*.prof
-
-*coverage.out
-coverage.all
-cpu.out
-
-*.db
-*.log
-
-/gitea
-/gitea-vet
-/debug
-/integrations.test
-
-/bin
-/dist
-/custom/*
-!/custom/conf
-/custom/conf/*
-!/custom/conf/app.example.ini
-/data
-/indexers
-/log
-/tests/integration/gitea-integration-*
-/tests/integration/indexers-*
-/tests/e2e/gitea-e2e-*
-/tests/e2e/indexers-*
-/tests/e2e/reports
-/tests/e2e/test-artifacts
-/tests/e2e/test-snapshots
-/tests/*.ini
-/node_modules
-/yarn.lock
-/yarn-error.log
-/npm-debug.log*
-/pnpm-debug.log*
-/public/assets/js
-/public/assets/css
-/public/assets/fonts
-/public/assets/img/avatar
-/vendor
-/VERSION
-/.air
-/.go-licenses
-/Dockerfile
-/Dockerfile.rootless
-/.venv
-
-# Files and folders that were previously generated
-/public/assets/img/webpack
-
-# Snapcraft
-snap/.snapcraft/
-parts/
-stage/
-prime/
-*.snap
-*.snap-build
-*_source.tar.bz2
-.DS_Store
-
-# Make evidence files
-/.make_evidence
-
-# Manpage
-/man

.drone.yml

@@ -0,0 +1,452 @@
+workspace:
+  base: /go
+  path: src/code.gitea.io/gitea
+
+pipeline:
+  fetch-tags:
+    image: docker:git
+    commands:
+      - git fetch --tags --force
+
+  download_translations:
+    image: jonasfranz/crowdin
+    pull: true
+    secrets: [ crowdin_key ]
+    project_identifier: gitea
+    ignore_branch: true
+    download: true
+    export_dir: options/locale/
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  update-translations:
+    image: alpine:3.7
+    commands:
+      - mv ./options/locale/locale_en-US.ini ./options/
+      - sed -i -e 's/="/=/g' -e 's/"$$//g' ./options/locale/*.ini
+      - sed -i -e 's/\\\\"/"/g' ./options/locale/*.ini
+      - mv ./options/locale_en-US.ini ./options/locale/
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  git_push:
+    image: appleboy/drone-git-push
+    pull: true
+    secrets: [ git_push_ssh_key ]
+    remote: git@github.com:go-gitea/gitea.git
+    force: false
+    commit: true
+    commit_message: "[skip ci] Updated translations via Crowdin"
+    author_name: GiteaBot
+    author_email: teabot@gitea.io
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  pre-build:
+    image: webhippie/nodejs:latest
+    pull: true
+    commands:
+      - npm install
+      - make stylesheets-check
+    when:
+      event: [ push, tag, pull_request ]
+
+  build-without-gcc:
+    image: golang:1.10 # this step is kept as the lowest version of golang that we support
+    pull: true
+    commands:
+      - go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
+    when:
+      event: [ push, tag, pull_request ]
+
+  build:
+    image: golang:1.12
+    pull: true
+    environment:
+      TAGS: bindata sqlite sqlite_unlock_notify
+    commands:
+      - make clean
+      - make generate
+      - make vet
+      - make lint
+      - make fmt-check
+      - make swagger-check
+      - make swagger-validate
+      - make misspell-check
+      - make test-vendor
+      - make build
+    when:
+      event: [ push, tag, pull_request ]
+
+  unit-test:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata sqlite sqlite_unlock_notify
+    commands:
+      - make unit-test-coverage
+    when:
+      event: [ push, pull_request ]
+      branch: [ master ]
+
+  release-test:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata sqlite sqlite_unlock_notify
+    commands:
+      - make test
+    when:
+      event: [ push, pull_request ]
+      branch: [ release/* ]
+
+  tag-test:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+    commands:
+      - make test
+    when:
+      event: [ tag ]
+
+  test-sqlite:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.sqlite.test)' | sh)) &
+      - make test-sqlite-migration
+      - make test-sqlite
+    when:
+      event: [ push, tag, pull_request ]
+
+  test-mysql:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - make test-mysql-migration
+      - make integration-test-coverage
+    when:
+      event: [ push, pull_request ]
+      branch: [ master ]
+
+  tag-test-mysql:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.test)' | sh)) &
+      - make test-mysql-migration
+      - make test-mysql
+    when:
+      event: [ tag ]
+
+  test-mysql8:
+    image: golang:1.11
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.test)' | sh)) &
+      - make test-mysql8-migration
+      - make test-mysql8
+    when:
+      event: [ push, tag, pull_request ]
+
+  test-pgsql:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.test)' | sh)) &
+      - make test-pgsql-migration
+      - make test-pgsql
+    when:
+      event: [ push, tag, pull_request ]
+
+  test-mssql:
+    image: golang:1.12
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - make test-mssql-migration
+      - make test-mssql
+    when:
+      event: [ push, tag, pull_request ]
+
+#  bench-sqlite:
+#    image: golang:1.12
+#    pull: true
+#    group: bench
+#    commands:
+#      - make bench-sqlite
+#    when:
+#      event: [ tag ]
+
+#  bench-mysql:
+#    image: golang:1.12
+#    pull: true
+#    group: bench
+#    commands:
+#      - make bench-mysql
+#    when:
+#      event: [ tag ]
+
+#  bench-mssql:
+#    image: golang:1.12
+#    pull: true
+#    group: bench
+#    commands:
+#      - make bench-mssql
+#    when:
+#      event: [ tag ]
+
+#  bench-pgsql:
+#    image: golang:1.12
+#    pull: true
+#    group: bench
+#    commands:
+#      - make bench-pgsql
+#    when:
+#      event: [ tag ]
+
+  generate-coverage:
+    image: golang:1.12
+    pull: true
+    environment:
+      TAGS: bindata
+    commands:
+      - make coverage
+    when:
+      event: [ push, pull_request ]
+      branch: [ master ]
+
+  coverage:
+    image: robertstettner/drone-codecov
+    secrets: [ codecov_token ]
+    files:
+      - coverage.all
+    when:
+      event: [ push, pull_request ]
+      branch: [ master ]
+
+  static:
+    image: techknowlogick/xgo:latest
+    pull: true
+    environment:
+      TAGS: bindata sqlite sqlite_unlock_notify
+    commands:
+      - export PATH=$PATH:$GOPATH/bin
+      - make release
+    when:
+      event: [ push, tag ]
+
+  build-docs:
+    image: webhippie/hugo:latest
+    pull: true
+    commands:
+      - cd docs
+      - make trans-copy
+      - make clean
+      - make build
+
+  publish-docs:
+    image: lucap/drone-netlify:latest
+    pull: true
+    secrets: [ netlify_token ]
+    site_id: d2260bae-7861-4c02-8646-8f6440b12672
+    path: docs/public/
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  docker-dryrun:
+    image: plugins/docker:17.12
+    pull: true
+    repo: gitea/gitea
+    cache_from: gitea/gitea
+    dry_run: true
+    when:
+      event: [ pull_request ]
+
+  release-docker:
+    image: plugins/docker:17.12
+    pull: true
+    secrets: [ docker_username, docker_password ]
+    repo: gitea/gitea
+    tags: [ '${DRONE_BRANCH##release/v}' ]
+    cache_from: gitea/gitea
+    when:
+      event: [ push ]
+      branch: [ release/* ]
+
+  docker:
+    image: plugins/docker:17.12
+    secrets: [ docker_username, docker_password ]
+    pull: true
+    repo: gitea/gitea
+    cache_from: gitea/gitea
+    default_tags: true
+    when:
+      event: [ push, tag ]
+
+  gpg-sign:
+    image: plugins/gpgsign:1
+    pull: true
+    secrets: [ gpgsign_key, gpgsign_passphrase ]
+    detach_sign: true
+    files:
+      - dist/release/*
+    excludes:
+      - dist/release/*.sha256
+    when:
+      event: [ push, tag ]
+
+  tag-release:
+    image: plugins/s3:1
+    pull: true
+    secrets: [ aws_access_key_id, aws_secret_access_key ]
+    bucket: releases
+    acl: public-read
+    endpoint: https://storage.gitea.io
+    path_style: true
+    strip_prefix: dist/release/
+    source: dist/release/*
+    target: /gitea/${DRONE_TAG##v}
+    when:
+      event: [ tag ]
+
+  release-branch-release:
+    image: plugins/s3:1
+    pull: true
+    secrets: [ aws_access_key_id, aws_secret_access_key ]
+    bucket: releases
+    acl: public-read
+    endpoint: https://storage.gitea.io
+    path_style: true
+    strip_prefix: dist/release/
+    source: dist/release/*
+    target: /gitea/${DRONE_BRANCH##release/v}
+    when:
+      event: [ push ]
+      branch: [ release/* ]
+
+  release:
+    image: plugins/s3:1
+    pull: true
+    secrets: [ aws_access_key_id, aws_secret_access_key ]
+    bucket: releases
+    acl: public-read
+    endpoint: https://storage.gitea.io
+    path_style: true
+    strip_prefix: dist/release/
+    source: dist/release/*
+    target: /gitea/master
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  github:
+    image: plugins/github-release:1
+    pull: true
+    secrets: [ github_token ]
+    files:
+      - dist/release/*
+    when:
+      event: [ tag ]
+
+  upload_translations:
+    image: jonasfranz/crowdin
+    pull: true
+    secrets: [ crowdin_key ]
+    project_identifier: gitea
+    ignore_branch: true
+    download: false
+    files:
+      locale_en-US.ini: options/locale/locale_en-US.ini
+    when:
+      event: [ push ]
+      branch: [ master ]
+
+  discord:
+    image: appleboy/drone-discord:1.0.0
+    pull: true
+    secrets: [ discord_webhook_id, discord_webhook_token ]
+    when:
+      event: [ push, tag, pull_request ]
+      status: [ changed, failure ]
+
+services:
+  mysql:
+    image: mysql:5.7
+    environment:
+      - MYSQL_DATABASE=test
+      - MYSQL_ALLOW_EMPTY_PASSWORD=yes
+    when:
+      event: [ push, tag, pull_request ]
+
+  mysql8:
+    image: mysql:8.0
+    environment:
+      - MYSQL_DATABASE=test
+      - MYSQL_ALLOW_EMPTY_PASSWORD=yes
+      - MYSQL_DATABASE=testgitea
+    when:
+      event: [ push, tag, pull_request ]
+
+  pgsql:
+    image: postgres:9.5
+    environment:
+      - POSTGRES_DB=test
+    when:
+      event: [ push, tag, pull_request ]
+
+  mssql:
+    image: microsoft/mssql-server-linux:latest
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=MwantsaSecurePassword1
+      - MSSQL_PID=Standard
+    when:
+      event: [ push, tag, pull_request ]
+
+  ldap:
+    image: gitea/test-openldap:latest
+    when:
+      event: [ push, tag, pull_request ]

.editorconfig

@@ -1,36 +1,30 @@
+# http://editorconfig.org
 root = true
 
 [*]
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.go]
+indent_style = tab
+indent_size = 8
+
+[*.{tmpl,html}]
+indent_style = tab
+indent_size = 4
+
+[*.less]
+indent_style = space
+indent_size = 4
+
+[*.{yml,json}]
 indent_style = space
 indent_size = 2
-tab_width = 2
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
 
-[*.{go,tmpl,html}]
-indent_style = tab
-
-[go.*]
-indent_style = tab
-
-[templates/custom/*.tmpl]
-insert_final_newline = false
-
-[templates/swagger/v1_json.tmpl]
+[*.js]
 indent_style = space
-insert_final_newline = false
-
-[templates/user/auth/oidc_wellknown.tmpl]
-indent_style = space
-
-[templates/shared/actions/runner_badge_*.tmpl]
-# editconfig lint requires these XML-like files to have charset defined, but the files don't have.
-charset = unset
+indent_size = 4
 
 [Makefile]
 indent_style = tab
-
-[*.svg]
-insert_final_newline = false

.envrc

@@ -1 +0,0 @@
-use flake

.gitattributes

@@ -1,11 +1,6 @@
-* text=auto eol=lf
-*.tmpl linguist-language=Handlebars
-*.pb.go linguist-generated
-/assets/*.json linguist-generated
-/public/assets/img/svg/*.svg linguist-generated
-/templates/swagger/v1_json.tmpl linguist-generated
-/options/fileicon/** linguist-generated
-/vendor/** -text -eol linguist-vendored
-/web_src/js/vendor/** -text -eol linguist-vendored
-Dockerfile.* linguist-language=Dockerfile
-Makefile.* linguist-language=Makefile
+conf/* linguist-vendored
+docker/* linguist-vendored
+options/* linguist-vendored
+public/* linguist-vendored
+scripts/* linguist-vendored
+templates/* linguist-vendored

.gitcleaner/health-report.md

@@ -1,26 +0,0 @@
-# Repository Health Report
-
-## Overall Score: 77/100 (Good)
-
-### Summary
-- Commits Analyzed: 1000
-- Branches: 1
-- Authors: 149
-- Merges: 0
-
-### Component Scores
-| Component | Score |
-|-----------|-------|
-| Messages | 90% |
-| Merges | 97% |
-| Duplicates | 0% |
-| Branches | 100% |
-| Authorship | 100% |
-
-### Issues (3)
-- **Merge fix commits detected**: Found 1 commits with messages like 'fix merge' detected after merges. (-3 pts)
-- **Duplicate commits with identical content**: Found 1 groups of commits with identical file content (1 redundant commits). These are safe to squash as they have the same tree SHA. (-7 pts)
-- **Commits with duplicate messages**: Found 1 groups of commits with identical messages but different code changes (135 commits). Consider using more descriptive messages to differentiate changes. (-1 pts)
-
----
-Generated by GitCleaner for GitCaddy dd

.gitea/issue_template.md

@@ -1,42 +0,0 @@
-<!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue -->
-
-<!--
-    1. Please speak English, this is the language all maintainers can speak and write.
-    2. Please ask questions or configuration/deploy problems on our Discord
-       server (https://discord.gg/gitea) or forum (https://forum.gitea.com).
-    3. Please take a moment to check that your issue doesn't already exist.
-    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-    5. Please give all relevant information below for bug reports, because
-       incomplete details will be handled as an invalid report.
--->
-
-- Gitea version (or commit ref):
-- Git version:
-- Operating system:
-  <!-- Please include information on whether you built gitea yourself, used one of our downloads or are using some other package -->
-  <!-- Please also tell us how you are running gitea, e.g. if it is being run from docker, a command-line, systemd etc. --->
-  <!-- If you are using a package or systemd tell us what distribution you are using -->
-- Database (use `[x]`):
-  - [ ] PostgreSQL
-  - [ ] MySQL
-  - [ ] MSSQL
-  - [ ] SQLite
-- Can you reproduce the bug at https://demo.gitea.com:
-  - [ ] Yes (provide example URL)
-  - [ ] No
-- Log gist:
-<!-- It really is important to provide pertinent logs -->
-<!-- Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help -->
-<!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini -->
-
-## Description
-<!-- If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please
-     disable the proxy/CDN fully and connect to gitea directly to confirm
-     the issue still persists without those services. -->
-
-...
-
-
-## Screenshots
-
-<!-- **If this issue involves the Web Interface, please include a screenshot** -->

.gitea/workflows/build.yml

@@ -1,674 +0,0 @@
-name: Build and Release
-
-on:
-  push:
-    branches:
-      - main
-      - release/*
-    tags:
-      - 'v*'
-  pull_request:
-    branches:
-      - main
-
-env:
-  GOPROXY: https://proxy.golang.org,direct
-  GOPRIVATE: git.marketally.com
-  GONOSUMDB: git.marketally.com
-  GOTOOLCHAIN: local
-  GO_VERSION: "1.25.0"
-  NODE_VERSION: "22"
-
-jobs:
-  # Lint job - must pass
-  lint:
-    name: Lint
-    runs-on: linux-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Clone vault dependency
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies
-        run: make deps-frontend deps-backend
-
-      - name: Run Go linter
-        run: make lint-go
-
-      - name: Run frontend linter
-        run: make lint-frontend
-        continue-on-error: true
-
-  # Unit tests with SQLite (no external database needed)
-  test-unit:
-    name: Unit Tests
-    runs-on: linux-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Clone vault dependency
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Install dependencies
-        run: go mod download
-
-      - name: Run unit tests
-        run: |
-          # Skip tests that require external services (Redis, Elasticsearch, Meilisearch, Azure, SHA256 git)
-          go test -tags="sqlite sqlite_unlock_notify" -race \
-            -skip "TestRepoStatsIndex|TestRenderHelper|Sha256|SHA256|Redis|redis|Elasticsearch|Meilisearch|AzureBlob|TestLockAndDo|TestLocker|TestBaseRedis" \
-            ./modules/... \
-            ./services/...
-        env:
-          GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT: true
-
-  # Integration tests with PostgreSQL
-  test-pgsql:
-    name: Integration Tests (PostgreSQL)
-    runs-on: linux-latest
-    services:
-      pgsql:
-        image: postgres:15
-        env:
-          POSTGRES_DB: testgitea
-          POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: postgres
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Clone vault dependency
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies
-        run: make deps-frontend deps-backend
-
-      - name: Build frontend
-        run: make frontend
-
-      - name: Generate bindata
-        run: make generate
-        env:
-          TAGS: bindata
-
-      - name: Build test binary
-        run: |
-          go build -tags="bindata sqlite sqlite_unlock_notify"  -o gitcaddy-server .
-
-      - name: Generate test config
-        run: |
-          make generate-ini-pgsql
-        env:
-          TEST_PGSQL_HOST: localhost:5432
-          TEST_PGSQL_DBNAME: testgitea
-          TEST_PGSQL_USERNAME: postgres
-          TEST_PGSQL_PASSWORD: postgres
-          TEST_PGSQL_SCHEMA: gtestschema
-
-      - name: Run PostgreSQL integration tests
-        run: |
-          make test-pgsql
-        continue-on-error: true
-        env:
-          TEST_PGSQL_HOST: localhost:5432
-          TEST_PGSQL_DBNAME: testgitea
-          TEST_PGSQL_USERNAME: postgres
-          TEST_PGSQL_PASSWORD: postgres
-          TEST_PGSQL_SCHEMA: gtestschema
-          GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT: true
-
-  # Create release job - runs first to create the release before build jobs upload
-  create-release:
-    name: Create Release
-    runs-on: linux-latest
-    if: startsWith(github.ref, 'refs/tags/v')
-    outputs:
-      release_id: ${{ steps.create.outputs.release_id }}
-    steps:
-      - name: Create or get release
-        id: create
-        run: |
-          TAG="${{ github.ref_name }}"
-          echo "Creating/getting release for tag: $TAG"
-
-          # Try to get existing release first
-          EXISTING=$(curl -sf \
-            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-            "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/tags/$TAG" 2>/dev/null || echo "")
-
-          if echo "$EXISTING" | grep -q '"id":[0-9]'; then
-            RELEASE_ID=$(echo "$EXISTING" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
-            echo "Found existing release: $RELEASE_ID"
-            echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Create new release
-          echo "Creating new release..."
-          RESPONSE=$(curl -sf -X POST \
-            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d '{"tag_name":"'"$TAG"'","name":"GitCaddy Server '"$TAG"'","body":"Official release of GitCaddy Server '"$TAG"'.","draft":false,"prerelease":false}' \
-            "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases" 2>&1)
-
-          if echo "$RESPONSE" | grep -q '"id":[0-9]'; then
-            RELEASE_ID=$(echo "$RESPONSE" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
-            echo "Created release: $RELEASE_ID"
-            echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
-          else
-            echo "ERROR: Failed to create release: $RESPONSE"
-            exit 1
-          fi
-
-  # Build job for binaries
-  build:
-    name: Build Binaries
-    runs-on: ${{ matrix.runs-on }}
-    needs: [lint, create-release]
-    if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
-    strategy:
-      matrix:
-        include:
-          - goos: linux
-            goarch: amd64
-            runs-on: linux-latest
-          - goos: darwin
-            goarch: amd64
-            runs-on: macos
-          - goos: darwin
-            goarch: arm64
-            runs-on: macos
-          - goos: windows
-            goarch: amd64
-            runs-on: windows-latest
-    steps:
-      - name: Get latest vault version (Unix)
-        if: matrix.goos != 'windows'
-        id: vault
-        run: |
-          VERSION=$(curl -sf -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
-          echo "version=$VERSION"
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Get latest vault version (Windows)
-        if: matrix.goos == 'windows'
-        id: vault-win
-        shell: pwsh
-        run: |
-          $response = Invoke-RestMethod -Uri "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" -Headers @{ Authorization = "token ${{ secrets.RELEASE_TOKEN }}" }
-          $version = $response.tag_name
-          Write-Host "version=$version"
-          "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure git line endings (Windows)
-        if: matrix.goos == 'windows'
-        run: git config core.autocrlf false
-
-      - name: Configure private repo access (Unix)
-        if: matrix.goos != 'windows'
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
-          git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
-
-      - name: Configure private repo access (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          git config --global http.https://git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)"
-          git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)"
-
-      - name: Sync vault templates and locales (Unix)
-        if: matrix.goos != 'windows'
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          chmod +x scripts/sync-vault.sh
-          ./scripts/sync-vault.sh
-
-      - name: Sync vault templates and locales (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          # Clean up any leftover vault clone from previous runs
-          Remove-Item -Recurse -Force "$env:TEMP\gitcaddy-vault" -ErrorAction SilentlyContinue
-
-          # Clone vault repo
-          git -c "http.extraheader=Authorization: token $($env:VAULT_TOKEN)" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$env:TEMP\gitcaddy-vault"
-
-          # Sync templates
-          Copy-Item -Path "$env:TEMP\gitcaddy-vault\templates\repo\vault\*" -Destination "templates\repo\vault\" -Force -Recurse
-
-          # Sync locales using Python
-          python -c @"
-          import json, os
-          vault_dir = os.path.join(os.environ['TEMP'], 'gitcaddy-vault', 'locale')
-          server_dir = os.path.join('options', 'locale')
-          for f in os.listdir(vault_dir):
-              if not f.startswith('locale_') or not f.endswith('.json'): continue
-              vault_file = os.path.join(vault_dir, f)
-              server_file = os.path.join(server_dir, f)
-              if not os.path.exists(server_file): continue
-              with open(vault_file, 'r', encoding='utf-8') as vf: vault_data = json.load(vf)
-              with open(server_file, 'r', encoding='utf-8') as sf: server_data = json.load(sf)
-              for k, v in vault_data.items():
-                  if k.startswith('vault.'): server_data[k] = v
-              with open(server_file, 'w', encoding='utf-8') as sf: json.dump(server_data, sf, ensure_ascii=False, indent=2)
-          "@
-
-          # Cleanup
-          Remove-Item -Recurse -Force "$env:TEMP\gitcaddy-vault"
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Update vault dependency (Unix)
-        if: matrix.goos != 'windows'
-        env:
-          GOPRIVATE: ""
-          GOPROXY: direct
-        run: |
-          set -x
-          VAULT_VERSION="${{ steps.vault.outputs.version }}"
-          echo "Building with vault $VAULT_VERSION"
-          # BSD sed (macOS) requires -i '', GNU sed (Linux) requires -i without arg
-          if [[ "$(uname)" == "Darwin" ]]; then
-            sed -i '' "s|replace git.marketally.com/gitcaddy/gitcaddy-vault => ../gitcaddy-vault|replace git.marketally.com/gitcaddy/gitcaddy-vault => git.marketally.com/gitcaddy/gitcaddy-vault $VAULT_VERSION|" go.mod
-          else
-            sed -i "s|replace git.marketally.com/gitcaddy/gitcaddy-vault => ../gitcaddy-vault|replace git.marketally.com/gitcaddy/gitcaddy-vault => git.marketally.com/gitcaddy/gitcaddy-vault $VAULT_VERSION|" go.mod
-          fi
-          cat go.mod | grep -A2 "gitcaddy-vault" || true
-          go mod tidy -v 2>&1
-
-      - name: Update vault dependency (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        env:
-          GOPRIVATE: ""
-          GOPROXY: direct
-        run: |
-          $vaultVersion = "${{ steps.vault-win.outputs.version }}"
-          Write-Host "Building with vault $vaultVersion"
-          $content = Get-Content go.mod -Raw
-          $content = $content -replace 'replace git.marketally.com/gitcaddy/gitcaddy-vault => ../gitcaddy-vault', "replace git.marketally.com/gitcaddy/gitcaddy-vault => git.marketally.com/gitcaddy/gitcaddy-vault $vaultVersion"
-          Set-Content go.mod $content -NoNewline
-          Get-Content go.mod | Select-String "gitcaddy/vault" -Context 0,2
-          go mod tidy
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies (Unix)
-        if: matrix.goos != 'windows'
-        run: make deps-frontend deps-backend
-
-      - name: Install dependencies (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        run: |
-          go mod download
-          pnpm install
-
-      - name: Build frontend (Unix)
-        if: matrix.goos != 'windows'
-        run: make frontend
-
-      - name: Build frontend (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        env:
-          BROWSERSLIST_IGNORE_OLD_DATA: true
-        run: |
-          pnpm exec webpack --disable-interpret
-
-      - name: Generate bindata (Unix)
-        if: matrix.goos != 'windows'
-        run: make generate
-        env:
-          TAGS: bindata
-
-      - name: Generate bindata (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        env:
-          CGO_ENABLED: 0
-        run: |
-          go generate -tags "bindata" ./...
-
-      - name: Build binary (Unix)
-        if: matrix.goos != 'windows'
-        env:
-          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goarch }}
-          CGO_ENABLED: 1
-          TAGS: bindata sqlite sqlite_unlock_notify
-        run: |
-          VERSION=$(git describe --tags --always 2>/dev/null | sed "s/-gitcaddy//" || echo "dev")
-          VAULT_VERSION=$(curl -sf -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4 || echo "dev")
-          LDFLAGS="-X main.Version=${VERSION} -X git.marketally.com/gitcaddy/gitcaddy-vault.Version=${VAULT_VERSION}"
-          OUTPUT="gitcaddy-server-${VERSION}-${GOOS}-${GOARCH}"
-
-          echo "Building with CGO_ENABLED=$CGO_ENABLED for $GOOS/$GOARCH, vault=$VAULT_VERSION"
-          go build -v -trimpath -tags "${TAGS}" -ldflags "${LDFLAGS}" -o "dist/${OUTPUT}" .
-
-          # Create checksum
-          cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
-
-      - name: Install MinGW (Windows)
-        if: matrix.goos == 'windows'
-        shell: pwsh
-        run: |
-          choco install mingw -y --no-progress
-          $env:PATH = "C:\ProgramData\mingw64\mingw64\bin;$env:PATH"
-          gcc --version
-
-      - name: Build binary (Windows)
-        if: matrix.goos == 'windows'
-        env:
-          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goarch }}
-          TAGS: bindata sqlite sqlite_unlock_notify
-          CGO_ENABLED: 1
-          CC: gcc
-        shell: pwsh
-        run: |
-          $ErrorActionPreference = 'Stop'
-          $env:PATH = "C:\ProgramData\mingw64\mingw64\bin;$env:PATH"
-
-          # Create output directory
-          New-Item -ItemType Directory -Force -Path dist | Out-Null
-
-          $VERSION = (git describe --tags --always 2>$null) -replace '-gitcaddy',''
-          if (-not $VERSION) { $VERSION = "dev" }
-          $VAULT_VERSION = (Invoke-RestMethod -Uri "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" -Headers @{ Authorization = "token ${{ secrets.RELEASE_TOKEN }}" } -ErrorAction SilentlyContinue).tag_name
-          if (-not $VAULT_VERSION) { $VAULT_VERSION = "dev" }
-          $LDFLAGS = "-X main.Version=$VERSION -X git.marketally.com/gitcaddy/gitcaddy-vault.Version=$VAULT_VERSION"
-          $OUTPUT = "gitcaddy-server-$VERSION-$env:GOOS-$env:GOARCH.exe"
-
-          Write-Host "Building $OUTPUT with tags: $env:TAGS, vault=$VAULT_VERSION"
-          Write-Host "CGO_ENABLED=$env:CGO_ENABLED CC=$env:CC"
-
-          go build -v -trimpath -tags "$env:TAGS" -ldflags "$LDFLAGS" -o "dist/$OUTPUT" .
-
-          if (-not (Test-Path "dist/$OUTPUT")) {
-            Write-Error "Build failed - binary not created"
-            exit 1
-          }
-
-          Write-Host "Build successful: dist/$OUTPUT"
-
-          # Create checksum
-          $hash = (Get-FileHash "dist/$OUTPUT" -Algorithm SHA256).Hash.ToLower()
-          "$hash  $OUTPUT" | Out-File -FilePath "dist/$OUTPUT.sha256" -Encoding ascii
-
-      - name: Upload to release (Unix)
-        if: startsWith(github.ref, 'refs/tags/v') && matrix.goos != 'windows'
-        env:
-          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
-        run: |
-          set -e
-          echo "Uploading binaries to release ID: $RELEASE_ID"
-
-          if [ -z "$RELEASE_ID" ]; then
-            echo "ERROR: No release ID provided"
-            exit 1
-          fi
-
-          # Upload files with retry
-          for file in dist/*; do
-            if [ -f "$file" ]; then
-              filename=$(basename "$file")
-              echo "Uploading $filename..."
-
-              for attempt in 1 2 3; do
-                UPLOAD_RESPONSE=$(curl -sf -X POST \
-                  -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-                  -F "attachment=@$file" \
-                  "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" 2>&1 || echo "")
-
-                if echo "$UPLOAD_RESPONSE" | grep -q '"id":[0-9]'; then
-                  echo "✓ Uploaded $filename successfully"
-                  break
-                else
-                  if [ $attempt -lt 3 ]; then
-                    echo "Attempt $attempt failed, retrying in 5s..."
-                    sleep 5
-                  else
-                    echo "✗ Failed to upload $filename after 3 attempts: $UPLOAD_RESPONSE"
-                    exit 1
-                  fi
-                fi
-              done
-            fi
-          done
-          echo "All uploads complete!"
-
-      - name: Upload to release (Windows)
-        if: startsWith(github.ref, 'refs/tags/v') && matrix.goos == 'windows'
-        env:
-          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        shell: pwsh
-        run: |
-          Write-Host "Uploading binaries to release ID: $env:RELEASE_ID"
-
-          if (-not $env:RELEASE_ID) {
-            Write-Error "No release ID provided"
-            exit 1
-          }
-
-          foreach ($file in Get-ChildItem -Path "dist" -File) {
-            $filename = $file.Name
-            Write-Host "Uploading $filename..."
-
-            for ($attempt = 1; $attempt -le 3; $attempt++) {
-              try {
-                $response = curl.exe -sf -X POST `
-                  -H "Authorization: token $env:RELEASE_TOKEN" `
-                  -F "attachment=@$($file.FullName)" `
-                  "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$env:RELEASE_ID/assets?name=$filename"
-
-                if ($response -match '"id":\d+') {
-                  Write-Host "✓ Uploaded $filename successfully"
-                  break
-                }
-              } catch {
-                if ($attempt -lt 3) {
-                  Write-Host "Attempt $attempt failed, retrying in 5s..."
-                  Start-Sleep -Seconds 5
-                } else {
-                  Write-Error "Failed to upload $filename after 3 attempts"
-                  exit 1
-                }
-              }
-            }
-          }
-          Write-Host "All uploads complete!"
-
-  # Build linux/arm64 in Docker container on macOS ARM64 runner
-  build-linux-arm64:
-    name: Build Binary (linux/arm64)
-    runs-on: macos
-    container:
-      image: node:22-bookworm
-    needs: [lint, create-release]
-    if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
-    env:
-      CGO_ENABLED: 1
-      GOPROXY: direct
-      GOPRIVATE: git.marketally.com
-      GONOSUMDB: git.marketally.com
-    steps:
-      - name: Install build dependencies
-        run: |
-          apt-get update
-          apt-get install -y build-essential curl ca-certificates
-
-      - name: Get latest vault version
-        id: vault
-        run: |
-          VERSION=$(curl -sf -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
-          echo "version=$VERSION"
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Install Go
-        run: |
-          curl -fsSL "https://go.dev/dl/go${{ env.GO_VERSION }}.linux-arm64.tar.gz" -o go.tar.gz
-          tar -C /usr/local -xzf go.tar.gz
-          rm go.tar.gz
-          echo "/usr/local/go/bin" >> $GITHUB_PATH
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure private repo access
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          mkdir -p "$HOME"
-          git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
-          git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
-
-      - name: Sync vault templates and locales
-        env:
-          VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          chmod +x scripts/sync-vault.sh
-          ./scripts/sync-vault.sh
-
-      - name: Update vault dependency
-        env:
-          GOPRIVATE: ""
-          GOPROXY: direct
-        run: |
-          set -x
-          VAULT_VERSION="${{ steps.vault.outputs.version }}"
-          echo "Building with vault $VAULT_VERSION"
-          sed -i "s|replace git.marketally.com/gitcaddy/gitcaddy-vault => ../gitcaddy-vault|replace git.marketally.com/gitcaddy/gitcaddy-vault => git.marketally.com/gitcaddy/gitcaddy-vault $VAULT_VERSION|" go.mod
-          cat go.mod | grep -A2 "gitcaddy-vault" || true
-          /usr/local/go/bin/go mod tidy -v 2>&1
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies
-        run: |
-          /usr/local/go/bin/go mod download
-          pnpm install
-
-      - name: Build frontend
-        run: pnpm exec webpack --disable-interpret
-        env:
-          BROWSERSLIST_IGNORE_OLD_DATA: true
-
-      - name: Generate bindata
-        run: /usr/local/go/bin/go generate -tags "bindata" ./...
-
-      - name: Build binary
-        run: |
-          VERSION=$(git describe --tags --always 2>/dev/null | sed "s/-gitcaddy//" || echo "dev")
-          VAULT_VERSION=$(curl -sf -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-vault/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4 || echo "dev")
-          LDFLAGS="-X main.Version=${VERSION} -X git.marketally.com/gitcaddy/gitcaddy-vault.Version=${VAULT_VERSION}"
-          OUTPUT="gitcaddy-server-${VERSION}-linux-arm64"
-          TAGS="bindata sqlite sqlite_unlock_notify"
-
-          echo "Building $OUTPUT, vault=$VAULT_VERSION"
-          mkdir -p dist
-          /usr/local/go/bin/go build -v -trimpath -tags "${TAGS}" -ldflags "${LDFLAGS}" -o "dist/${OUTPUT}" .
-          cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
-
-      - name: Upload to release
-        env:
-          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
-        run: |
-          for file in dist/*; do
-            if [ -f "$file" ]; then
-              filename=$(basename "$file")
-              echo "Uploading $filename..."
-              curl -sf -X POST \
-                -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-                -F "attachment=@$file" \
-                "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" || true
-            fi
-          done

.gitea/workflows/pr-checks.yml

@@ -1,119 +0,0 @@
-name: PR Checks
-
-on:
-  pull_request:
-    branches:
-      - main
-      - release/*
-
-env:
-  GOPROXY: https://proxy.golang.org,direct
-  GOPRIVATE: git.marketally.com
-  GONOSUMDB: git.marketally.com
-  GO_VERSION: "1.25"
-  NODE_VERSION: "22"
-
-jobs:
-  # Quick lint checks - must pass
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install Go dependencies
-        run: go mod download
-
-      - name: Check Go formatting
-        run: |
-          if [ -n "$(gofmt -l .)" ]; then
-            echo "Go code is not formatted. Please run 'gofmt -w .'"
-            gofmt -l .
-            exit 1
-          fi
-
-      - name: Go vet
-        run: go vet ./...
-
-      - name: Go linter
-        run: |
-          go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.2 run
-
-      - name: Check for build errors
-        run: go build -v ./...
-
-  # Unit tests
-  test-unit:
-    name: Unit Tests
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Install dependencies
-        run: go mod download
-
-      - name: Run unit tests
-        run: |
-          # Skip tests that require external services (Redis, Elasticsearch, Meilisearch, Azure, SHA256 git)
-          go test -tags="sqlite sqlite_unlock_notify" -race \
-            -skip "TestRepoStatsIndex|TestRenderHelper|Sha256|SHA256|Redis|redis|Elasticsearch|Meilisearch|AzureBlob|TestLockAndDo|TestLocker|TestBaseRedis" \
-            ./modules/... \
-            ./services/...
-        env:
-          GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT: true
-
-  # Frontend checks
-  frontend:
-    name: Frontend Checks
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-        continue-on-error: true
-
-      - name: TypeScript check
-        run: pnpm run tsc
-        continue-on-error: true
-
-      - name: ESLint
-        run: pnpm run eslint
-        continue-on-error: true

.gitea/workflows/vault-update.yml

@@ -1,69 +0,0 @@
-name: Vault Update Rebuild
-
-on:
-  workflow_dispatch:
-    inputs:
-      vault_tag:
-        description: 'Vault version that triggered this rebuild'
-        required: true
-        type: string
-
-jobs:
-  create-rebuild-tag:
-    name: Create Rebuild Tag
-    runs-on: linux-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          token: ${{ secrets.RELEASE_TOKEN }}
-
-      - name: Determine next server version
-        id: version
-        run: |
-          VAULT_TAG="${{ inputs.vault_tag }}"
-          echo "Triggered by vault $VAULT_TAG"
-
-          # Fetch only v3.x tags (skip upstream Gitea v1.x/v2.x tags)
-          git fetch --no-recurse-submodules origin 'refs/tags/v3.*:refs/tags/v3.*' 2>/dev/null || true
-
-          # Get the latest v3.x server tag
-          LATEST_TAG=$(git tag -l 'v3.*' --sort=-v:refname | head -1)
-          if [ -z "$LATEST_TAG" ]; then
-            LATEST_TAG="v3.0.0"
-          fi
-          echo "Latest server tag: $LATEST_TAG"
-
-          # Parse version components (v3.0.39 -> 3 0 39)
-          VERSION=${LATEST_TAG#v}
-          MAJOR=$(echo $VERSION | cut -d. -f1)
-          MINOR=$(echo $VERSION | cut -d. -f2)
-          PATCH=$(echo $VERSION | cut -d. -f3)
-
-          # Bump patch version
-          NEW_PATCH=$((PATCH + 1))
-          NEW_VERSION="v${MAJOR}.${MINOR}.$NEW_PATCH"
-
-          echo "New server version: $NEW_VERSION"
-          echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Configure git
-        run: |
-          git config user.name "GitCaddy Bot"
-          git config user.email "bot@gitcaddy.com"
-
-      - name: Create and push tag
-        run: |
-          VAULT_TAG="${{ inputs.vault_tag }}"
-          NEW_VERSION="${{ steps.version.outputs.new_version }}"
-
-          git tag -a "$NEW_VERSION" -m "Server $NEW_VERSION - vault update
-
-          Rebuild triggered by gitcaddy-vault $VAULT_TAG release.
-          This ensures server includes latest vault templates and code.
-
-          Auto-generated by GitCaddy CI"
-
-          git push origin "$NEW_VERSION"
-          echo "Pushed tag $NEW_VERSION - build.yml will now trigger the full build"

.github/FUNDING.yml

@@ -1 +0,0 @@
-open_collective: gitea

.github/ISSUE_TEMPLATE/bug-report.yaml

@@ -1,91 +0,0 @@
-name: Bug Report
-description: Found something you weren't expecting? Report it here!
-labels: ["type/bug"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://forum.gitea.com).
-        3. Make sure you are using the latest release and
-           take a moment to check that your issue hasn't been reported before.
-        4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-        5. It's really important to provide pertinent details and logs (https://docs.gitea.com/help/support),
-           incomplete details will be handled as an invalid report.
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: |
-        Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-        If you are using a proxy or a CDN (e.g. Cloudflare) in front of Gitea, please disable the proxy/CDN fully and access Gitea directly to confirm the issue still persists without those services.
-  - type: input
-    id: gitea-ver
-    attributes:
-      label: Gitea Version
-      description: Gitea version (or commit reference) of your instance
-    validations:
-      required: true
-  - type: dropdown
-    id: can-reproduce
-    attributes:
-      label: Can you reproduce the bug on the Gitea demo site?
-      description: |
-        If so, please provide a URL in the Description field
-        URL of Gitea demo: https://demo.gitea.com
-      options:
-        - "Yes"
-        - "No"
-    validations:
-      required: true
-  - type: markdown
-    attributes:
-      value: |
-        It's really important to provide pertinent logs
-        Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help
-        In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
-  - type: input
-    id: logs
-    attributes:
-      label: Log Gist
-      description: Please provide a gist URL of your logs, with any sensitive information (e.g. API keys) removed/hidden
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: If this issue involves the Web Interface, please provide one or more screenshots
-  - type: input
-    id: git-ver
-    attributes:
-      label: Git Version
-      description: The version of git running on the server
-  - type: input
-    id: os-ver
-    attributes:
-      label: Operating System
-      description: The operating system you are using to run Gitea
-  - type: textarea
-    id: run-info
-    attributes:
-      label: How are you running Gitea?
-      description: |
-        Please include information on whether you built Gitea yourself, used one of our downloads, are using https://demo.gitea.com or are using some other package
-        Please also tell us how you are running Gitea, e.g. if it is being run from docker, a command-line, systemd etc.
-        If you are using a package or systemd tell us what distribution you are using
-    validations:
-      required: true
-  - type: dropdown
-    id: database
-    attributes:
-      label: Database
-      description: What database system are you running?
-      options:
-        - PostgreSQL
-        - MySQL/MariaDB
-        - MSSQL
-        - SQLite

.github/ISSUE_TEMPLATE/config.yml

@@ -1,17 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Security Concern
-    url: https://tinyurl.com/security-gitea
-    about: For security concerns, please send a mail to security@gitea.io instead of opening a public issue.
-  - name: Discord Server
-    url: https://discord.gg/Gitea
-    about: Please ask questions and discuss configuration or deployment problems here.
-  - name: Discourse Forum
-    url: https://forum.gitea.com
-    about: Questions and configuration or deployment problems can also be discussed on our forum.
-  - name: Frequently Asked Questions
-    url: https://docs.gitea.com/help/faq
-    about: Please check if your question isn't mentioned here.
-  - name: Crowdin Translations
-    url: https://translate.gitea.com
-    about: Translations are managed here.

.github/ISSUE_TEMPLATE/feature-request.yaml

@@ -1,24 +0,0 @@
-name: Feature Request
-description: Got an idea for a feature that Gitea doesn't have currently?  Submit your idea here!
-labels: ["type/proposal"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://forum.gitea.com).
-        3. Please take a moment to check that your feature hasn't already been suggested.
-  - type: textarea
-    id: description
-    attributes:
-      label: Feature Description
-      placeholder: |
-        I think it would be great if Gitea had...
-    validations:
-      required: true
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: If you can, provide screenshots of an implementation on another site e.g. GitHub

.github/ISSUE_TEMPLATE/ui.bug-report.yaml

@@ -1,66 +0,0 @@
-name: Web Interface Bug Report
-description: Something doesn't look quite as it should?  Report it here!
-labels: ["type/bug", "topic/ui"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://forum.gitea.com).
-        3. Please take a moment to check that your issue doesn't already exist.
-        4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-        5. Please give all relevant information below for bug reports, because
-           incomplete details will be handled as an invalid report.
-        6. In particular it's really important to provide pertinent logs. If you are certain that this is a javascript
-           error, show us the javascript console. If the error appears to relate to Gitea the server you must also give us
-           DEBUG level logs. (See https://docs.gitea.com/administration/logging-config#collecting-logs-for-help)
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: |
-        Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-        If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services.
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: Please provide at least 1 screenshot showing the issue.
-    validations:
-      required: true
-  - type: input
-    id: gitea-ver
-    attributes:
-      label: Gitea Version
-      description: Gitea version (or commit reference) your instance is running
-    validations:
-      required: true
-  - type: dropdown
-    id: can-reproduce
-    attributes:
-      label: Can you reproduce the bug on the Gitea demo site?
-      description: |
-        If so, please provide a URL in the Description field
-        URL of Gitea demo: https://demo.gitea.com
-      options:
-        - "Yes"
-        - "No"
-    validations:
-      required: true
-  - type: input
-    id: os-ver
-    attributes:
-      label: Operating System
-      description: The operating system you are using to access Gitea
-  - type: input
-    id: browser-ver
-    attributes:
-      label: Browser Version
-      description: The browser and version that you are using to access Gitea
-    validations:
-      required: true

.github/actionlint.yaml

@@ -1,7 +0,0 @@
-self-hosted-runner:
-  labels:
-    - actuated-4cpu-8gb
-    - actuated-4cpu-16gb
-    - nscloud
-    - namespace-profile-gitea-release-docker
-    - namespace-profile-gitea-release-binary

.github/dependabot.yml

@@ -1,10 +0,0 @@
-version: 2
-
-updates:
-  - package-ecosystem: github-actions
-    labels: [modifies/dependencies]
-    directory: /
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 5

.github/issue_template.md

@@ -0,0 +1,33 @@
+<!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue -->
+
+<!--
+    1. Please speak English, this is the language all maintainers can speak and write.
+    2. Please ask questions or configuration/deploy problems on our Discord 
+       server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
+    3. Please take a moment to check that your issue doesn't already exist.
+    4. Please give all relevant information below for bug reports, because 
+       incomplete details will be handled as an invalid report.
+-->
+
+- Gitea version (or commit ref):
+- Git version:
+- Operating system:
+- Database (use `[x]`):
+  - [ ] PostgreSQL
+  - [ ] MySQL
+  - [ ] MSSQL
+  - [ ] SQLite
+- Can you reproduce the bug at https://try.gitea.io:
+  - [ ] Yes (provide example URL)
+  - [ ] No
+  - [ ] Not relevant
+- Log gist:
+
+## Description
+
+...
+
+
+## Screenshots
+
+<!-- **If this issue involves the Web Interface, please include a screenshot** -->

.github/labeler.yml

@@ -1,92 +0,0 @@
-modifies/docs:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "**/*.md"
-          - "docs/**"
-
-modifies/templates:
-  - changed-files:
-      - all-globs-to-any-file:
-          - "templates/**"
-          - "!templates/swagger/v1_json.tmpl"
-
-modifies/api:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "routers/api/**"
-          - "templates/swagger/v1_json.tmpl"
-
-modifies/cli:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "cmd/**"
-
-modifies/translation:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "options/locale/*.ini"
-
-modifies/migrations:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "models/migrations/**"
-
-modifies/internal:
-  - changed-files:
-      - any-glob-to-any-file:
-          - ".air.toml"
-          - "Makefile"
-          - "Dockerfile"
-          - "Dockerfile.rootless"
-          - ".dockerignore"
-          - "docker/**"
-          - ".editorconfig"
-          - ".eslintrc.cjs"
-          - ".golangci.yml"
-          - ".gitpod.yml"
-          - ".markdownlint.yaml"
-          - ".spectral.yaml"
-          - "stylelint.config.ts"
-          - ".yamllint.yaml"
-          - ".github/**"
-          - ".gitea/**"
-          - ".devcontainer/**"
-          - "build/**"
-          - "contrib/**"
-
-modifies/dependencies:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "package.json"
-          - "pnpm-lock.yaml"
-          - "pyproject.toml"
-          - "uv.lock"
-          - "go.mod"
-          - "go.sum"
-
-modifies/go:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "**/*.go"
-
-modifies/frontend:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "*.js"
-          - "*.ts"
-          - "web_src/**"
-
-docs-update-needed:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "custom/conf/app.example.ini"
-
-topic/code-linting:
-  - changed-files:
-      - any-glob-to-any-file:
-          - ".eslintrc.cjs"
-          - ".golangci.yml"
-          - ".markdownlint.yaml"
-          - ".spectral.yaml"
-          - ".yamllint.yaml"
-          - "stylelint.config.ts"

.github/pull_request_template.md

@@ -1,10 +1,7 @@
-<!-- start tips -->
 Please check the following:
-1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for backports.
-2. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
-3. For documentations contribution, please go to https://gitea.com/gitea/docs
-4. Describe what your pull request does and which issue you're targeting (if any).
-5. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
-6. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
-7. Delete all these tips before posting.
-<!-- end tips -->
+
+1. Make sure you are targeting the `master` branch, pull requests on release branches are only allowed for bug fixes.
+2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md
+3. Describe what your pull request does and which issue you're targeting (if any)
+
+**You MUST delete the content above including this line before posting, otherwise your pull request will be invalid.**

.github/stale.yml

@@ -0,0 +1,53 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 60
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 14
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - status/blocked 
+  - kind/security 
+  - lgtm/done
+  - reviewed/confirmed
+  - priority/critical
+  - kind/proposal
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you
+  for your contributions.
+
+# Comment to post when closing a stale Issue or Pull Request.
+closeComment: >
+  This issue has been automatically closed because of inactivity.
+  You can re-open it if needed.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 1
+
+# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
+pulls:
+  daysUntilStale: 60
+  daysUntilClose: 60
+  markComment: >
+    This pull request has been automatically marked as stale because it has not had
+    recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you
+    for your contributions.
+  closeComment: >
+    This pull request has been automatically closed because of inactivity.
+    You can re-open it if needed.
+

.github/workflows/cron-licenses.yml

@@ -1,31 +0,0 @@
-name: cron-licenses
-
-on:
-  # schedule:
-  #   - cron: "7 0 * * 1" # every Monday at 00:07 UTC
-  workflow_dispatch:
-
-jobs:
-  cron-licenses:
-    runs-on: ubuntu-latest
-    if: github.repository == 'go-gitea/gitea'
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make generate-gitignore
-        timeout-minutes: 40
-      - name: push translations to repo
-        uses: appleboy/git-push-action@v1.0.0
-        with:
-          author_email: "teabot@gitea.io"
-          author_name: GiteaBot
-          branch: main
-          commit: true
-          commit_message: "[skip ci] Updated licenses and gitignores"
-          remote: "git@github.com:go-gitea/gitea.git"
-          ssh_key: ${{ secrets.DEPLOY_KEY }}

.github/workflows/cron-translations.yml

@@ -1,40 +0,0 @@
-name: cron-translations
-
-on:
-  schedule:
-    - cron: "7 0 * * *" # every day at 00:07 UTC
-  workflow_dispatch:
-
-jobs:
-  crowdin-pull:
-    runs-on: ubuntu-latest
-    if: github.repository == 'go-gitea/gitea'
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@v6
-      - uses: crowdin/github-action@v2
-        with:
-          upload_sources: true
-          upload_translations: false
-          download_sources: false
-          download_translations: true
-          push_translations: false
-          push_sources: false
-          create_pull_request: false
-          config: crowdin.yml
-        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_KEY: ${{ secrets.CROWDIN_KEY }}
-      - name: update locales
-        run: ./build/update-locales.sh
-      - name: push translations to repo
-        uses: appleboy/git-push-action@v1.0.0
-        with:
-          author_email: "teabot@gitea.io"
-          author_name: GiteaBot
-          branch: main
-          commit: true
-          commit_message: "[skip ci] Updated translations via Crowdin"
-          remote: "git@github.com:go-gitea/gitea.git"
-          ssh_key: ${{ secrets.DEPLOY_KEY }}

.github/workflows/files-changed.yml

@@ -1,108 +0,0 @@
-name: files-changed
-
-on:
-  workflow_call:
-    outputs:
-      backend:
-        value: ${{ jobs.detect.outputs.backend }}
-      frontend:
-        value: ${{ jobs.detect.outputs.frontend }}
-      docs:
-        value: ${{ jobs.detect.outputs.docs }}
-      actions:
-        value: ${{ jobs.detect.outputs.actions }}
-      templates:
-        value: ${{ jobs.detect.outputs.templates }}
-      docker:
-        value: ${{ jobs.detect.outputs.docker }}
-      swagger:
-        value: ${{ jobs.detect.outputs.swagger }}
-      yaml:
-        value: ${{ jobs.detect.outputs.yaml }}
-      json:
-        value: ${{ jobs.detect.outputs.json }}
-
-jobs:
-  detect:
-    runs-on: ubuntu-latest
-    timeout-minutes: 3
-    permissions:
-      contents: read
-    outputs:
-      backend: ${{ steps.changes.outputs.backend }}
-      frontend: ${{ steps.changes.outputs.frontend }}
-      docs: ${{ steps.changes.outputs.docs }}
-      actions: ${{ steps.changes.outputs.actions }}
-      templates: ${{ steps.changes.outputs.templates }}
-      docker: ${{ steps.changes.outputs.docker }}
-      swagger: ${{ steps.changes.outputs.swagger }}
-      yaml: ${{ steps.changes.outputs.yaml }}
-      json: ${{ steps.changes.outputs.json }}
-    steps:
-      - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@v3
-        id: changes
-        with:
-          filters: |
-            backend:
-              - "**/*.go"
-              - "templates/**/*.tmpl"
-              - "assets/emoji.json"
-              - "go.mod"
-              - "go.sum"
-              - "Makefile"
-              - ".golangci.yml"
-              - ".editorconfig"
-              - "options/locale/locale_en-US.json"
-
-            frontend:
-              - "*.js"
-              - "*.ts"
-              - "web_src/**"
-              - "tools/*.js"
-              - "tools/*.ts"
-              - "assets/emoji.json"
-              - "package.json"
-              - "pnpm-lock.yaml"
-              - "Makefile"
-              - ".eslintrc.cjs"
-              - ".npmrc"
-
-            docs:
-              - "**/*.md"
-              - ".markdownlint.yaml"
-              - "package.json"
-              - "pnpm-lock.yaml"
-
-            actions:
-              - ".github/workflows/*"
-              - "Makefile"
-
-            templates:
-              - "tools/lint-templates-*.js"
-              - "templates/**/*.tmpl"
-              - "pyproject.toml"
-              - "uv.lock"
-
-            docker:
-              - "Dockerfile"
-              - "Dockerfile.rootless"
-              - "docker/**"
-              - "Makefile"
-
-            swagger:
-              - "templates/swagger/v1_json.tmpl"
-              - "templates/swagger/v1_input.json"
-              - "Makefile"
-              - "package.json"
-              - "pnpm-lock.yaml"
-              - ".spectral.yaml"
-
-            yaml:
-              - "**/*.yml"
-              - "**/*.yaml"
-              - ".yamllint.yaml"
-              - "pyproject.toml"
-
-            json:
-              - "**/*.json"

.github/workflows/pull-compliance.yml

@@ -1,246 +0,0 @@
-name: compliance
-
-on:
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  files-changed:
-    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read
-
-  lint-backend:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make deps-backend deps-tools
-      - run: make lint-backend
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-
-  lint-templates:
-    if: needs.files-changed.outputs.templates == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: astral-sh/setup-uv@v7
-      - run: uv python install 3.12
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-py
-      - run: make deps-frontend
-      - run: make lint-templates
-
-  lint-yaml:
-    if: needs.files-changed.outputs.yaml == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: astral-sh/setup-uv@v7
-      - run: uv python install 3.12
-      - run: make deps-py
-      - run: make lint-yaml
-
-  lint-json:
-    if: needs.files-changed.outputs.json == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v5
-        with:
-          node-version: 24
-      - run: make deps-frontend
-      - run: make lint-json
-
-  lint-swagger:
-    if: needs.files-changed.outputs.swagger == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-swagger
-
-  lint-spell:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make lint-spell
-
-  lint-go-windows:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make deps-backend deps-tools
-      - run: make lint-go-windows lint-go-gitea-vet
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-          GOOS: windows
-          GOARCH: amd64
-
-  lint-go-gogit:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make deps-backend deps-tools
-      - run: make lint-go
-        env:
-          TAGS: bindata gogit sqlite sqlite_unlock_notify
-
-  checks-backend:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make deps-backend deps-tools
-      - run: make --always-make checks-backend # ensure the "go-licenses" make target runs
-
-  frontend:
-    if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-frontend
-      - run: make checks-frontend
-      - run: make test-frontend
-      - run: make frontend
-
-  backend:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      # no frontend build here as backend should be able to build
-      # even without any frontend files
-      - run: make deps-backend
-      - run: go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
-      - name: build-backend-arm64
-        run: make backend # test cross compile
-        env:
-          GOOS: linux
-          GOARCH: arm64
-          TAGS: bindata gogit
-      - name: build-backend-windows
-        run: go build -o gitea_windows
-        env:
-          GOOS: windows
-          GOARCH: amd64
-          TAGS: bindata gogit
-      - name: build-backend-386
-        run: go build -o gitea_linux_386 # test if compatible with 32 bit
-        env:
-          GOOS: linux
-          GOARCH: 386
-
-  docs:
-    if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-md
-
-  actions:
-    if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make lint-actions

.github/workflows/pull-db-tests.yml

@@ -1,249 +0,0 @@
-name: db-tests
-
-on:
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  files-changed:
-    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read
-
-  test-pgsql:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    services:
-      pgsql:
-        image: postgres:14
-        env:
-          POSTGRES_DB: test
-          POSTGRES_PASSWORD: postgres
-        ports:
-          - "5432:5432"
-      ldap:
-        image: gitea/test-openldap:latest
-        ports:
-          - "389:389"
-          - "636:636"
-      minio:
-        # as github actions doesn't support "entrypoint", we need to use a non-official image
-        # that has a custom entrypoint set to "minio server /data"
-        image: bitnamilegacy/minio:2023.8.31
-        env:
-          MINIO_ROOT_USER: 123456
-          MINIO_ROOT_PASSWORD: 12345678
-        ports:
-          - "9000:9000"
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio" | sudo tee -a /etc/hosts'
-      - run: make deps-backend
-      - run: make backend
-        env:
-          TAGS: bindata
-      - name: run migration tests
-        run: make test-pgsql-migration
-      - name: run tests
-        run: make test-pgsql
-        timeout-minutes: 50
-        env:
-          TAGS: bindata gogit
-          RACE_ENABLED: true
-          TEST_TAGS: gogit
-          TEST_LDAP: 1
-          USE_REPO_TEST_DIR: 1
-
-  test-sqlite:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make deps-backend
-      - run: GOEXPERIMENT='' make backend
-        env:
-          TAGS: bindata gogit sqlite sqlite_unlock_notify
-      - name: run migration tests
-        run: make test-sqlite-migration
-      - name: run tests
-        run: GOEXPERIMENT='' make test-sqlite
-        timeout-minutes: 50
-        env:
-          TAGS: bindata gogit sqlite sqlite_unlock_notify
-          RACE_ENABLED: true
-          TEST_TAGS: gogit sqlite sqlite_unlock_notify
-          USE_REPO_TEST_DIR: 1
-
-  test-unit:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    services:
-      elasticsearch:
-        image: elasticsearch:7.5.0
-        env:
-          discovery.type: single-node
-        ports:
-          - "9200:9200"
-      meilisearch:
-        image: getmeili/meilisearch:v1
-        env:
-          MEILI_ENV: development # disable auth
-        ports:
-          - "7700:7700"
-      redis:
-        image: redis
-        options: >- # wait until redis has started
-          --health-cmd "redis-cli ping"
-          --health-interval 5s
-          --health-timeout 3s
-          --health-retries 10
-        ports:
-          - 6379:6379
-      minio:
-        image: bitnamilegacy/minio:2021.3.17
-        env:
-          MINIO_ACCESS_KEY: 123456
-          MINIO_SECRET_KEY: 12345678
-        ports:
-          - "9000:9000"
-      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest
-        ports:
-          - 10000:10000
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 minio devstoreaccount1.azurite.local mysql elasticsearch meilisearch smtpimap" | sudo tee -a /etc/hosts'
-      - run: make deps-backend
-      - run: make backend
-        env:
-          TAGS: bindata
-      - name: unit-tests
-        run: make unit-test-coverage test-check
-        env:
-          TAGS: bindata
-          RACE_ENABLED: true
-          GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}
-      - name: unit-tests-gogit
-        run: GOEXPERIMENT='' make unit-test-coverage test-check
-        env:
-          TAGS: bindata gogit
-          RACE_ENABLED: true
-          GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}
-
-  test-mysql:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    services:
-      mysql:
-        # the bitnami mysql image has more options than the official one, it's easier to customize
-        image: bitnamilegacy/mysql:8.0
-        env:
-          ALLOW_EMPTY_PASSWORD: true
-          MYSQL_DATABASE: testgitea
-        ports:
-          - "3306:3306"
-        options: >-
-          --mount type=tmpfs,destination=/bitnami/mysql/data
-      elasticsearch:
-        image: elasticsearch:7.5.0
-        env:
-          discovery.type: single-node
-        ports:
-          - "9200:9200"
-      smtpimap:
-        image: tabascoterrier/docker-imap-devel:latest
-        ports:
-          - "25:25"
-          - "143:143"
-          - "587:587"
-          - "993:993"
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
-      - run: make deps-backend
-      - run: make backend
-        env:
-          TAGS: bindata
-      - name: run migration tests
-        run: make test-mysql-migration
-      - name: run tests
-        # run: make integration-test-coverage (at the moment, no coverage is really handled)
-        run: make test-mysql
-        env:
-          TAGS: bindata
-          RACE_ENABLED: true
-          USE_REPO_TEST_DIR: 1
-          TEST_INDEXER_CODE_ES_URL: "http://elastic:changeme@elasticsearch:9200"
-
-  test-mssql:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    services:
-      mssql:
-        image: mcr.microsoft.com/mssql/server:2019-latest
-        env:
-          ACCEPT_EULA: Y
-          MSSQL_PID: Standard
-          SA_PASSWORD: MwantsaSecurePassword1
-        ports:
-          - "1433:1433"
-      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest
-        ports:
-          - 10000:10000
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql devstoreaccount1.azurite.local" | sudo tee -a /etc/hosts'
-      - run: make deps-backend
-      - run: make backend
-        env:
-          TAGS: bindata
-      - run: make test-mssql-migration
-      - name: run tests
-        run: make test-mssql
-        timeout-minutes: 50
-        env:
-          TAGS: bindata
-          USE_REPO_TEST_DIR: 1

.github/workflows/pull-docker-dryrun.yml

@@ -1,37 +0,0 @@
-name: docker-dryrun
-
-on:
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  files-changed:
-    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read
-
-  container:
-    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      - uses: docker/setup-buildx-action@v3
-      - name: Build regular container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: false
-          tags: gitea/gitea:linux-amd64
-      - name: Build rootless container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: false
-          file: Dockerfile.rootless
-          tags: gitea/gitea:linux-amd64

.github/workflows/pull-labeler.yml

@@ -1,20 +0,0 @@
-name: labeler
-
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  labeler:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - uses: actions/labeler@v6
-        with:
-          sync-labels: true

.github/workflows/release-nightly.yml

@@ -1,131 +0,0 @@
-name: release-nightly
-
-on:
-  push:
-    branches: [main, release/v*]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  nightly-binary:
-    runs-on: namespace-profile-gitea-release-binary
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend deps-backend
-      # xgo build
-      - run: make release
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-      - name: sign binaries
-        run: |
-          for f in dist/release/*; do
-            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
-          done
-      # clean branch name to get the folder name in S3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
-          echo "Cleaned name is ${REF_NAME}"
-          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-
-  nightly-container:
-    runs-on: namespace-profile-gitea-release-docker
-    permissions:
-      contents: read
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
-          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          tags: |
-            type=raw,value=${{ steps.clean_name.outputs.branch }}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@v5
-        id: meta_rootless
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          # each tag below will have the suffix of -rootless
-          flavor: |
-            suffix=-rootless
-          tags: |
-            type=raw,value=${{ steps.clean_name.outputs.branch }}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build regular docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-      - name: build rootless docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          file: Dockerfile.rootless
-          tags: ${{ steps.meta_rootless.outputs.tags }}
-          annotations: ${{ steps.meta_rootless.outputs.annotations }}

.github/workflows/release-tag-rc.yml

@@ -1,141 +0,0 @@
-name: release-tag-rc
-
-on:
-  push:
-    tags:
-      - "v1*-rc*"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  binary:
-    runs-on: namespace-profile-gitea-release-binary
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend deps-backend
-      # xgo build
-      - run: make release
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-      - name: sign binaries
-        run: |
-          for f in dist/release/*; do
-            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
-          done
-      # clean branch name to get the folder name in S3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
-          echo "Cleaned name is ${REF_NAME}"
-          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
-        with:
-          gh-cli-version: 2.39.1
-      - name: create github release
-        run: |
-          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-
-  container:
-    runs-on: namespace-profile-gitea-release-docker
-    permissions:
-      contents: read
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          flavor: |
-            latest=false
-          # 1.2.3-rc0
-          tags: |
-            type=semver,pattern={{version}}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@v5
-        id: meta_rootless
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          # each tag below will have the suffix of -rootless
-          flavor: |
-            latest=false
-            suffix=-rootless
-          # 1.2.3-rc0
-          tags: |
-            type=semver,pattern={{version}}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build regular container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-      - name: build rootless container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          file: Dockerfile.rootless
-          tags: ${{ steps.meta_rootless.outputs.tags }}
-          annotations: ${{ steps.meta_rootless.outputs.annotations }}

.github/workflows/release-tag-version.yml

@@ -1,153 +0,0 @@
-name: release-tag-version
-
-on:
-  push:
-    tags:
-      - "v1.*"
-      - "!v1*-rc*"
-      - "!v1*-dev"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  binary:
-    runs-on: namespace-profile-gitea-release-binary
-    permissions:
-      contents: read
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend deps-backend
-      # xgo build
-      - run: make release
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-      - name: sign binaries
-        run: |
-          for f in dist/release/*; do
-            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
-          done
-      # clean branch name to get the folder name in S3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
-          echo "Cleaned name is ${REF_NAME}"
-          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
-        with:
-          gh-cli-version: 2.39.1
-      - name: create github release
-        run: |
-          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-
-  container:
-    runs-on: namespace-profile-gitea-release-docker
-    permissions:
-      contents: read
-      packages: write # to publish to ghcr.io
-    steps:
-      - uses: actions/checkout@v6
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          # this will generate tags in the following format:
-          # latest
-          # 1
-          # 1.2
-          # 1.2.3
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@v5
-        id: meta_rootless
-        with:
-          images: |-
-            gitea/gitea
-            ghcr.io/go-gitea/gitea
-          # each tag below will have the suffix of -rootless
-          flavor: |
-            suffix=-rootless,onlatest=true
-          # this will generate tags in the following format (with -rootless suffix added):
-          # latest
-          # 1
-          # 1.2
-          # 1.2.3
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-          annotations: |
-            org.opencontainers.image.authors="maintainers@gitea.io"
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR using PAT
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build regular container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-      - name: build rootless container image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/riscv64
-          push: true
-          file: Dockerfile.rootless
-          tags: ${{ steps.meta_rootless.outputs.tags }}
-          annotations: ${{ steps.meta_rootless.outputs.annotations }}

.gitignore

@@ -9,24 +9,13 @@ _test
 
 # IntelliJ
 .idea
-.run
-
-# IntelliJ Gateway
-.uuid
-
-# Goland's output filename can not be set manually
-/go_build_*
-/gitea_*
 
 # MS VSCode
 .vscode
-__debug_bin*
 
-# Visual Studio
-/.vs/
-
-# mise version managment tool
-mise.toml
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
 
 *.cgo1.go
 *.cgo2.c
@@ -39,62 +28,47 @@ _testmain.go
 *.exe
 *.test
 *.prof
-*.tsbuildinfo
 
 *coverage.out
 coverage.all
-cpu.out
 
-/modules/migration/bindata.*
-/modules/options/bindata.*
-/modules/public/bindata.*
-/modules/templates/bindata.*
+/modules/options/bindata.go
+/modules/public/bindata.go
+/modules/templates/bindata.go
 
 *.db
 *.log
-*.log.*.gz
 
 /gitea
-/gitea-vet
 /debug
 /integrations.test
 
 /bin
 /dist
-/custom/*
-!/custom/conf/app.example.ini
+/custom
 /data
 /indexers
 /log
-/public/assets/img/avatar
-/tests/integration/gitea-integration-*
-/tests/integration/indexers-*
-/tests/e2e/gitea-e2e-*
-/tests/e2e/indexers-*
-/tests/e2e/reports
-/tests/e2e/test-artifacts
-/tests/e2e/test-snapshots
-/tests/*.ini
-/tests/**/*.git/**/*.sample
+/public/img/avatar
+/integrations/gitea-integration-mysql
+/integrations/gitea-integration-mysql8
+/integrations/gitea-integration-pgsql
+/integrations/gitea-integration-sqlite
+/integrations/gitea-integration-mssql
+/integrations/indexers-mysql
+/integrations/indexers-mysql8
+/integrations/indexers-pgsql
+/integrations/indexers-sqlite
+/integrations/indexers-mssql
+/integrations/mysql.ini
+/integrations/mysql8.ini
+/integrations/pgsql.ini
+/integrations/mssql.ini
 /node_modules
-/.venv
-/yarn.lock
-/yarn-error.log
-/npm-debug.log*
-/.pnpm-store
-/public/assets/js
-/public/assets/css
-/public/assets/fonts
-/vendor
-/VERSION
-/.air
-/.go-licenses
+/modules/indexer/issues/indexers
 
-# Files and folders that were previously generated
-/public/assets/img/webpack
 
 # Snapcraft
-/gitea_a*.txt
 snap/.snapcraft/
 parts/
 stage/
@@ -102,36 +76,3 @@ prime/
 *.snap
 *.snap-build
 *_source.tar.bz2
-.DS_Store
-
-# nix-direnv generated files
-.direnv/
-
-# Make evidence files
-/.make_evidence
-
-# Manpage
-/man
-
-# Ignore AI/LLM instruction files
-/.claude/
-/.cursorrules
-/.cursor/
-/.goosehints
-/.windsurfrules
-/.github/copilot-instructions.md
-/AGENT.md
-/CLAUDE.md
-/llms.txt
-
-# Ignore worktrees when working on multiple branches
-.worktrees/
-
-# A Makefile for custom make targets
-Makefile.local
-
-# GitCaddy binaries
-/gitcaddy-server
-/gitcaddy-server-*
-
-/sdk/csharp/Gitea.SDK/obj

.gitpod.yml

@@ -1,51 +0,0 @@
-tasks:
-  - name: Setup
-    init: |
-      cp -r contrib/ide/vscode .vscode
-      make deps
-      make build
-    command: |
-      gp sync-done setup
-      exit 0
-  - name: Run backend
-    command: |
-      gp sync-await setup
-
-      # Get the URL and extract the domain
-      url=$(gp url 3000)
-      domain=$(echo $url | awk -F[/:] '{print $4}')
-
-      if [ -f custom/conf/app.ini ]; then
-        sed -i "s|^ROOT_URL =.*|ROOT_URL = ${url}/|" custom/conf/app.ini
-        sed -i "s|^DOMAIN =.*|DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^SSH_DOMAIN =.*|SSH_DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^NO_REPLY_ADDRESS =.*|SSH_DOMAIN = noreply.${domain}|" custom/conf/app.ini
-      else
-        mkdir -p custom/conf/
-        echo -e "[server]\nROOT_URL = ${url}/" > custom/conf/app.ini
-        echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
-      fi
-      export TAGS="sqlite sqlite_unlock_notify"
-      make watch-backend
-  - name: Run frontend
-    command: |
-      gp sync-await setup
-      make watch-frontend
-    openMode: split-right
-
-vscode:
-  extensions:
-    - editorconfig.editorconfig
-    - dbaeumer.vscode-eslint
-    - golang.go
-    - stylelint.vscode-stylelint
-    - DavidAnson.vscode-markdownlint
-    - Vue.volar
-    - ms-azuretools.vscode-docker
-    - vitest.explorer
-    - cweijan.vscode-database-client2
-    - GitHub.vscode-pull-request-github
-
-ports:
-  - name: Gitea
-    port: 3000

.gitsecrets-ignore

@@ -1,422 +0,0 @@
-# GitSecrets Ignore File
-# This file tracks false positives identified by AI evaluation or manually marked.
-# Each line is a JSON object with the following fields:
-# - contentHash: SHA256 hash prefix of the secret content
-# - patternId: The pattern that detected this secret
-# - filePath: Relative path where the secret was found
-# - reason: Why this was marked as a false positive
-# - confidence: AI confidence level (if from AI evaluation)
-# - addedAt: Timestamp when this entry was added
-#
-# You can safely commit this file to share false positive markers with your team.
-# To remove an entry, simply delete the corresponding line.
-
-{"contentHash":"9851b69c92aa453f","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_ldap_test.go","reason":"AI: This is a test file (admin_auth_ldap_test.go) containing mock LDAP configuration data. The password 'secret-bind-full' appears in test case 0 of the TestUpdateLdapBindDn function as part of test fixture data. This is the same placeholder password used consistently throughout the test cases to verify LDAP configuration update functionality, not a real credential.","confidence":95,"addedAt":1769251368809}
-{"contentHash":"03e10948783bbdf5","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_oauth_test.go","reason":"AI: Another instance of 'some_secret' placeholder in test code validating OAuth configuration with custom URLs and options. This is part of a test case structure verifying command functionality with mock data, not real secrets.","confidence":95,"addedAt":1769251382118}
-{"contentHash":"13d1fe05e3c21c82","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_oauth_test.go","reason":"AI: This is test code with a placeholder value 'some_secret' used to test OpenID Connect configuration. The test is validating the command-line argument parsing and source creation logic, not using real credentials. The obvious placeholder naming confirms this is mock data.","confidence":95,"addedAt":1769251382118}
-{"contentHash":"9432c43933e1ef7b","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_oauth_test.go","reason":"AI: Another 'old_secret' placeholder in test code representing the existing authentication source configuration before an update operation. This is clearly mock data used for testing update functionality, not a real credential.","confidence":95,"addedAt":1769251382118}
-{"contentHash":"ed683dd7d1dc00b8","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_oauth_test.go","reason":"AI: Placeholder value 'new_secret' used in test code to verify OAuth source update functionality. This is mock data representing the updated configuration in a unit test, not a real secret. The generic naming and test context confirm this is test data.","confidence":95,"addedAt":1769251382118}
-{"contentHash":"8bd6834507ca39fd","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\admin_auth_oauth_test.go","reason":"AI: Placeholder value 'new_secret' in test code validating OAuth configuration updates with various options. This is mock data used to test command-line argument parsing and update logic, not a real secret. The test file context and generic naming confirm this is test data.","confidence":95,"addedAt":1769251382118}
-{"contentHash":"4f1184f8d8a07ac4","patternId":"password-assignment","filePath":"..\\gitcaddy\\cmd\\gitea-cli\\cmd\\auth.go","reason":"AI: This is a false positive. The detected pattern 'Toke********************ng('\"' is part of a code statement 'fmt.Print(\"API Token: \")' which is simply printing a prompt message to the user asking them to input their API token. This is not an actual secret value, but rather a string literal used for user interface purposes. The detection appears to have matched on the word 'Token' in the prompt text.","confidence":95,"addedAt":1769251386709}
-{"contentHash":"64458673e0e2cd18","patternId":"password-assignment","filePath":"..\\gitcaddy\\models\\fixtures\\oauth2_application.yml","reason":"AI: This is a test fixture file (oauth2_application.yml in fixtures directory) containing bcrypt hashed passwords for testing purposes. The comment explicitly reveals the plaintext value being hashed ('4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA='), which would never be done with real secrets. The application name is 'Test native app' and this is clearly mock data for development/testing. Additionally, it's the same hash as line 6, indicating reused test data.","confidence":95,"addedAt":1769251392454}
-{"contentHash":"2410892c2b5c9790","patternId":"password-assignment","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\pulls\\2.patch","reason":"AI: This is a placeholder password value 'password' in a git patch file within a test repository directory (modules/git/tests/repos/repo1_bare/pulls/). The code shows example database connection configuration with generic placeholder values including user='user' and passwd='password'. This is clearly example/demo code meant for testing purposes, not a real credential.","confidence":95,"addedAt":1769251396694}
-{"contentHash":"e83481b3cec3e3d6","patternId":"password-assignment","filePath":"..\\gitcaddy\\modules\\hcaptcha\\hcaptcha_test.go","reason":"AI: This is a dummy/test secret value used in test code (hcaptcha_test.go). The constant is explicitly named 'dummySecret' and has the value '0x0000000000000000000000000000000000000000' which is an obviously fake placeholder consisting of all zeros. It's used in a mockTransport test setup to simulate hCaptcha API responses.","confidence":95,"addedAt":1769251402615}
-{"contentHash":"c07aec1b54a1b36c","patternId":"password-assignment","filePath":"..\\gitcaddy\\modules\\hcaptcha\\hcaptcha_test.go","reason":"AI: This is a dummy/test token value used in test code (hcaptcha_test.go). The constant is explicitly named 'dummyToken' and has the value '10000000-aaaa-bbbb-cccc-000000000001' which is an obviously fake placeholder with repeated simple patterns (aaaa, bbbb, cccc). It's used alongside dummySiteKey and dummySecret in mock test scenarios.","confidence":95,"addedAt":1769251402615}
-{"contentHash":"1d7159caedd002e9","patternId":"basic-auth-header","filePath":"..\\gitcaddy\\modules\\markup\\markdown\\renderconfig.go","reason":"AI: This is a false positive. The detected pattern 'Basi********************nfig' on line 65 is actually part of the variable name 'stringBasic' in the code 'var stringBasic controlStringRenderConfig'. This is a Go variable declaration where 'stringBasic' is the variable name and 'controlStringRenderConfig' is the type. The pattern matcher incorrectly identified this as a Basic Auth header due to the substring 'Basic' appearing in the variable name, but it's clearly just a variable name in source code, not a credential.","confidence":99,"addedAt":1769251407186}
-{"contentHash":"1b72af0fa08df201","patternId":"password-assignment","filePath":"..\\gitcaddy\\modules\\setting\\database_test.go","reason":"AI: This is a test file (database_test.go) containing unit test data. The password 'space space !#$%^^%^```-=?=' is clearly a test value designed to verify URL encoding of special characters in PostgreSQL connection strings. The test is validating that special characters are properly escaped in the connection string output.","confidence":95,"addedAt":1769251412433}
-{"contentHash":"4df01e0e76f0e472","patternId":"password-assignment","filePath":"..\\gitcaddy\\modules\\setting\\database_test.go","reason":"AI: This is a test file (database_test.go) containing unit test data. The password 'I love Gitea!' is clearly a fake, human-readable test value used to verify PostgreSQL connection string generation. It's an obvious placeholder phrase that would never be used as a real password in production.","confidence":95,"addedAt":1769251412434}
-{"contentHash":"26379cbd3ea2d55b","patternId":"bearer-token","filePath":"..\\gitcaddy\\routers\\api\\actions\\artifacts.go","reason":"AI: This is a reference to an environment variable name 'ACTIONS_RUNTIME_TOKEN' in a code comment explaining the authentication mechanism. The comment states 'action task call server api with Bearer ACTIONS_RUNTIME_TOKEN' which is describing the format of the authorization header, not exposing an actual token value. This is documentation within the code explaining how the API authentication works.","confidence":95,"addedAt":1769251416472}
-{"contentHash":"0331542783bd4fab","patternId":"password-assignment","filePath":"..\\gitcaddy\\routers\\api\\v1\\user\\gpg_key.go","reason":"AI: This is not a hardcoded secret. The line reads 'ctx.APIError(http.StatusNotFound, \"None of the emails attached to the GPG key could be found. It may still be added if you provide a valid signature for the token: \"+token)' where 'token' is a variable being concatenated to an error message string. The token variable is dynamically generated by calling asymkey_model.VerificationToken(ctx.Doer, 1) earlier in the function. This is a false positive triggered by the word 'token' appearing in the error message string.","confidence":95,"addedAt":1769251422591}
-{"contentHash":"6b203247c1054286","patternId":"password-assignment","filePath":"..\\gitcaddy\\routers\\api\\v1\\user\\gpg_key.go","reason":"AI: This is not a hardcoded secret. The line reads 'ctx.APIError(http.StatusUnprocessableEntity, \"The provided GPG key, signature and token do not match or token is out of date. Provide a valid signature for the token: \"+token)' where 'token' is a variable being concatenated to an error message string. The token variable is dynamically generated by calling asymkey_model.VerificationToken(ctx.Doer, 1) earlier in the function. This is a false positive triggered by the word 'token' appearing in the error message string.","confidence":95,"addedAt":1769251422591}
-{"contentHash":"399cde2c3d56e22d","patternId":"password-assignment","filePath":"..\\gitcaddy\\routers\\web\\admin\\config.go","reason":"AI: This is not an actual password assignment but a string literal used for masking/shadowing passwords in configuration display. The line 'fields[i] = \"password=******\"' is part of the shadowPasswordKV function that replaces actual password values with asterisks for security when displaying configuration to admins. This is a hardcoded placeholder string used to hide real passwords, not a real credential.","confidence":95,"addedAt":1769251428203}
-{"contentHash":"cd47a739ea9babee","patternId":"password-assignment","filePath":"..\\gitcaddy\\routers\\web\\admin\\users_test.go","reason":"AI: This is a test file (users_test.go) with a hardcoded password 'abc123ABC!=$' used in unit tests for creating mock users. The password is a simple test value used across multiple test functions to verify user creation functionality, not a real credential.","confidence":95,"addedAt":1769251435465}
-{"contentHash":"d61031a12da2d6c1","patternId":"password-assignment","filePath":"..\\gitcaddy\\routers\\web\\user\\setting\\account_test.go","reason":"AI: This is a test password value 'Qwerty123456-' used in a unit test file (account_test.go) for testing password change functionality. The file contains multiple test cases with various password values to validate password complexity requirements, length checks, and matching logic. This is clearly test/mock data, not a real credential.","confidence":95,"addedAt":1769251439376}
-{"contentHash":"e96bd4dc9f0e25fe","patternId":"password-assignment","filePath":"..\\gitcaddy\\sdk\\python\\gitea\\__init__.py","reason":"AI: This is a placeholder value 'your_token' used in documentation/example code within a docstring. The file is an __init__.py file containing example usage documentation showing how to use the GiteaClient API. The value is clearly a placeholder meant to be replaced by users with their actual token.","confidence":95,"addedAt":1769251443385}
-{"contentHash":"68ead4d6f4aec16e","patternId":"password-assignment","filePath":"..\\gitcaddy\\sdk\\typescript\\src\\index.ts","reason":"AI: This is a placeholder string 'your_token' used in documentation/example code within a JSDoc comment block. The comment demonstrates how to use the GiteaClient SDK with example configuration. This is clearly示例代码 showing the API usage pattern, not an actual secret.","confidence":95,"addedAt":1769251450684}
-{"contentHash":"390362fdd61c80b0","patternId":"password-assignment","filePath":"..\\gitcaddy\\services\\auth\\source\\smtp\\auth.go","reason":"AI: This is a variable name 'password' in a switch-case statement that checks the string value of 'fromServer' against the literal string 'Password:'. This is part of the SMTP LOGIN authentication protocol implementation where the code checks if the server is requesting a password prompt. The 'password' field is a struct member that holds user-provided credentials temporarily during authentication, not a hardcoded secret. The actual password value is passed in at runtime from the caller.","confidence":95,"addedAt":1769251455296}
-{"contentHash":"bb2f71dc5cc74fbe","patternId":"password-assignment","filePath":"..\\gitcaddy\\services\\mailer\\sender\\smtp_auth.go","reason":"AI: This is not a hardcoded password value. Line 34 contains 'return []byte(a.password), nil' which is part of the SMTP authentication implementation. The 'a.password' is a struct field that holds a password parameter passed to the LoginAuth function at runtime. This is legitimate code for handling authentication credentials dynamically, not a hardcoded secret. The detected pattern appears to be a false positive triggered by the variable name 'password' and the surrounding code structure.","confidence":95,"addedAt":1769251459310}
-{"contentHash":"1763852ca2c89db5","patternId":"password-assignment","filePath":"..\\gitcaddy\\services\\mailer\\token\\token.go","reason":"AI: This is a false positive. The detected pattern 'invalid email token: ' is part of an error message string literal in the Error() method implementation. It's not a password or secret, but rather a user-facing error message prefix that gets concatenated with context information. The pattern matcher likely triggered on the word 'token' in the string, but this is clearly just descriptive text for error handling.","confidence":95,"addedAt":1769251463754}
-{"contentHash":"e982d83b21531e49","patternId":"password-assignment","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a test case string 'single_token' used in a unit test (TestGithubMultiToken) to verify token handling logic. The value is clearly a placeholder/mock value for testing purposes, not a real GitHub token. Real GitHub tokens follow specific formats (e.g., ghp_..., github_pat_...) and are much longer.","confidence":95,"addedAt":1769251469522}
-{"contentHash":"033a75c6045db468","patternId":"password-assignment","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a test case string 'token1,token2' used in a unit test (TestGithubMultiToken) to verify multi-token handling logic. These are clearly placeholder/mock values for testing comma-separated token functionality, not real GitHub tokens. Real GitHub tokens follow specific formats and are much longer than these simple test strings.","confidence":95,"addedAt":1769251469522}
-{"contentHash":"f6b0cff7303a5080","patternId":"password-assignment","filePath":"..\\gitcaddy\\templates\\admin\\user\\new.tmpl","reason":"AI: This is a false positive. The detected pattern is part of an HTML input element attribute 'data-password=\"required\"' which is a data attribute used for form validation logic, not an actual password value. The word 'password' here is being used as a configuration parameter to indicate that a password field is required, not as a secret credential.","confidence":95,"addedAt":1769251473444}
-{"contentHash":"2e03469e8304b935","patternId":"basic-auth-header","filePath":"..\\gitcaddy\\templates\\repo\\settings\\webhook\\settings.tmpl","reason":"AI: This is a placeholder example value used in documentation/help text within an HTML template. The value 'Basic YWxhZGRpbjpvcGVuc2VzYW1l' is a well-known example from Aladdin:OpenSesame (the classic HTTP Basic Auth example from RFC 7617). It appears in an HTMLFormat helper function that generates example text to show users the format of authorization headers. The context shows it's part of a help span demonstrating valid formats alongside 'Bearer token123456'.","confidence":95,"addedAt":1769251479534}
-{"contentHash":"9966f4023ce28cb1","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\e2e\\utils_e2e.ts","reason":"AI: This is a test file (tests/e2e/utils_e2e.ts) containing end-to-end test utilities. The constant LOGIN_PASSWORD = 'password' is a hardcoded test credential used for automated testing with Playwright. The value 'password' is a generic placeholder commonly used in test environments, not a real production secret. This is clearly test/mock code for setting up test user sessions.","confidence":95,"addedAt":1769251483544}
-{"contentHash":"e70a46bffdc25be4","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\auth_ldap_test.go","reason":"AI: This is a test file (auth_ldap_test.go) containing mock LDAP user data. The password 'professor' is assigned to a test user named 'professor' in a struct used for integration testing. The value is clearly a simple test credential matching the username, used with mock LDAP server data (planetexpress.com domain, which is a reference to the TV show Futurama). This is test data, not a real secret.","confidence":95,"addedAt":1769251490634}
-{"contentHash":"97128a8a2e492d81","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\auth_ldap_test.go","reason":"AI: This is a test file containing mock LDAP user data for integration testing. The password 'zoidberg' is assigned to a test user named 'zoidberg' in the otherLDAPUsers test data array. Like the other test users, this references a Futurama character with planetexpress.com email domain. The password matches the username, which is a common pattern in test data. This is clearly test/mock data, not a real secret.","confidence":95,"addedAt":1769251490635}
-{"contentHash":"2f9fc8a44774390c","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\delete_user_test.go","reason":"AI: This is in a test file (tests/integration/delete_user_test.go) and references the same 'userPassword' variable as line 35. It's used in another integration test function (TestUserDeleteAccountStillOwnRepos) to test account deletion functionality. This is clearly test code using a shared test password constant, not a real secret.","confidence":95,"addedAt":1769251496735}
-{"contentHash":"c66feceab8debfce","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\integration_test.go","reason":"AI: This is a constant string 'userPassword = \"password\"' defined in integration test code. It's used as a default password for test user accounts in the test suite, as evidenced by its usage in functions like 'loginUser' and 'loginUserWithPassword'. This is clearly test/mock data for integration testing purposes, not a real production credential.","confidence":95,"addedAt":1769251500617}
-{"contentHash":"c9a5755bf8341e87","patternId":"basic-auth-header","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: This is the same Base64-encoded Basic Auth header reused in the same TestOAuthIntrospection test function to test the introspection endpoint with valid credentials. It's part of the integration test fixtures.","confidence":95,"addedAt":1769251524437}
-{"contentHash":"a2c496560f8e1943","patternId":"basic-auth-header","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: This is a Base64-encoded Basic Auth header used in integration test code. The value 'ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK' appears to be testing an invalid/truncated client secret scenario (note it's shorter than the valid one). This is part of test code validating error handling for incorrect credentials.","confidence":95,"addedAt":1769251524435}
-{"contentHash":"8f616bdb9eb4a000","patternId":"basic-auth-header","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: This is a Base64-encoded Basic Auth header with an intentionally invalid/truncated client secret (ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK - note the truncation). This is used in TestOAuthIntrospection to test error handling for invalid credentials. It's clearly test data for negative test cases.","confidence":95,"addedAt":1769251524438}
-{"contentHash":"1a615dab7b2eba46","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\signin_test.go","reason":"Manually marked as false positive","addedAt":1769251532140}
-{"contentHash":"d3334f387fe3185d","patternId":"password-assignment","filePath":"..\\gitcaddy\\tests\\integration\\signin_test.go","reason":"AI: This is a test file with a test case using 'password' as a generic literal string to test authentication failure. It's part of a test suite verifying that wrong username/password combinations are handled correctly. The value is an obvious placeholder.","confidence":95,"addedAt":1769251532139}
-{"contentHash":"64aa848ddf5ae0d4","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\contrib\\gitea-monitoring-mixin\\jsonnetfile.lock.json","reason":"AI: This is a Git commit SHA hash (40 character hexadecimal string) used in a jsonnet lock file to pin a specific version of the grafonnet-lib dependency. It's not a GitHub OAuth token - it's a public commit reference that identifies a specific point in the repository history. The pattern matcher incorrectly flagged this as a token due to the hexadecimal format, but commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769274505523}
-{"contentHash":"1d23be6121c73cf7","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\contrib\\upgrade.sh","reason":"AI: This is a GPG public key fingerprint (7C9E68152594688862D62AF62D9AE806EC1592E2) used to verify Gitea release signatures. GPG public key fingerprints are meant to be public and are not secrets. This specific fingerprint belongs to the Gitea maintainers' signing key and is intentionally shared publicly for verification purposes. The context shows it's being used with 'gpg --keyserver keys.openpgp.org --recv' to import a public key for signature verification.","confidence":95,"addedAt":1769252347465}
-{"contentHash":"0cda87c795684386","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\flake.lock","reason":"AI: This is a Git commit hash (SHA-1) in a Nix flake.lock file, not a GitHub OAuth token. The 'rev' field contains a 40-character hexadecimal Git commit reference (0b4defa2584313f3b781240b29d61f6f9f7e0df3) which is a standard format for Git commits. This is a public reference to a specific commit in the nixos/nixpkgs repository and is not a secret credential. Flake.lock files are used by Nix to pin dependency versions and always contain commit hashes.","confidence":95,"addedAt":1769274510164}
-{"contentHash":"9c2990cb2a543c1b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\asymkey\\gpg_key_test.go","reason":"AI: This is a Git tree hash in a test GPG signature payload, not a GitHub OAuth token. The value '56ae8d2799882b20381fc11659db06c16c68c61a' is a SHA-1 hash used in Git's internal object storage. The context shows this is part of a test commit object ('tree 56ae8d2799882b20381fc11659db06c16c68c61a\\nparent c7870c39e4e6b247235ca005797703ec4254613f') used for testing GPG signature extraction.","confidence":95,"addedAt":1769274540717}
-{"contentHash":"6819b298fef327be","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\asymkey\\gpg_key_test.go","reason":"AI: This is a Git parent commit hash in a test GPG signature payload, not a GitHub OAuth token. The value 'c7870c39e4e6b247235ca005797703ec4254613f' is a SHA-1 hash representing a parent commit in Git. This appears in test data for validating GPG signature verification functionality.","confidence":95,"addedAt":1769274540719}
-{"contentHash":"46331f8fe3e09b0e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\asymkey\\gpg_key_test.go","reason":"AI: This is a Git tree hash in a test GPG signature payload, not a GitHub OAuth token. The value '3074ff04951956a974e8b02d57733b0766f7cf6c' is a SHA-1 hash used in Git's internal object storage. The context shows this is part of a test commit object ('tree 3074ff04951956a974e8b02d57733b0766f7cf6c\\nparent fd3577542f7ad1554c7c7c0eb86bb57a1324ad91') used for testing bad GPG signatures.","confidence":95,"addedAt":1769274540722}
-{"contentHash":"3252b74e35188143","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\asymkey\\gpg_key_test.go","reason":"AI: This is a Git parent commit hash in a test GPG signature payload, not a GitHub OAuth token. The value 'fd3577542f7ad1554c7c7c0eb86bb57a1324ad91' is a SHA-1 hash representing a parent commit in Git. This appears in test data for validating GPG signature verification with an unknown key.","confidence":95,"addedAt":1769274540724}
-{"contentHash":"576b295f2bba2f35","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\models\\asymkey\\ssh_key_test.go","reason":"AI: This is a test SSH private key in a test file (ssh_key_test.go). The key is used for unit testing SSH signature functionality. The comment indicates it was 'Generated with ssh-keygen -C test@rekor.dev -f id_rsa' specifically for testing purposes. The email 'test@rekor.dev' is a clear test identifier, and the key is stored in a variable 'sshPrivateKey' that is used throughout the test suite.","confidence":95,"addedAt":1769252373468}
-{"contentHash":"991a32d17ad4d54e","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\models\\asymkey\\ssh_key_test.go","reason":"AI: This is another test SSH private key in the same test file. The comment indicates it was 'Generated with ssh-keygen -C other-test@rekor.dev -f id_rsa' for testing purposes. The email 'other-test@rekor.dev' is clearly a test identifier, and the variable name 'otherSSHPrivateKey' indicates it's used for testing scenarios where multiple keys are needed (e.g., testing validation against wrong keys).","confidence":95,"addedAt":1769252373470}
-{"contentHash":"821c93239efe4f55","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\models\\asymkey\\ssh_key_test.go","reason":"AI: This is a test Ed25519 SSH private key in the same test file. The comment indicates it was 'Generated with ssh-keygen -C test@rekor.dev -t ed25519 -f id_ed25519' for testing purposes. The email 'test@rekor.dev' matches the first test key, and the variable name 'ed25519PrivateKey' indicates it's used for testing Ed25519 key type functionality alongside RSA keys in the test suite.","confidence":95,"addedAt":1769252373472}
-{"contentHash":"41b16568b3da7edd","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\access_token.yml","reason":"AI: This is a test fixture file (access_token.yml in fixtures directory) containing mock data for testing. The token is commented out and corresponds to a hashed version stored in token_hash. The file includes a comment at the end stating 'commented out tokens so you can see what they are in plaintext', indicating these are intentionally exposed test values. The presence of token_salt and token_hash suggests this is test data for validating token hashing functionality.","confidence":95,"addedAt":1769274578791}
-{"contentHash":"f547ad5f862f8769","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\access_token.yml","reason":"AI: This is a test fixture file (access_token.yml in fixtures directory) containing mock data for testing. The token is commented out and corresponds to a hashed version stored in token_hash. The file includes a comment at the end stating 'commented out tokens so you can see what they are in plaintext', indicating these are intentionally exposed test values. The presence of token_salt and token_hash suggests this is test data for validating token hashing functionality.","confidence":95,"addedAt":1769274578794}
-{"contentHash":"de31439e85a255f4","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\access_token.yml","reason":"AI: This is a test fixture file (access_token.yml in fixtures directory) containing mock data for testing. The token is commented out and corresponds to a hashed version stored in token_hash. The file includes a comment at the end stating 'commented out tokens so you can see what they are in plaintext', indicating these are intentionally exposed test values. The presence of token_salt and token_hash suggests this is test data for validating token hashing functionality.","confidence":95,"addedAt":1769274578797}
-{"contentHash":"70fa7ea9621c42ee","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\action_task.yml","reason":"AI: This is a commit SHA (Git commit hash), not a GitHub OAuth token. The value 'c2d72f548424103f01ee1dc02889c1e2bff816b0' is a 40-character hexadecimal string which is the standard format for Git commit SHAs. This appears in a test fixture file with the field name 'commit_sha', clearly indicating it's a Git commit reference, not an authentication token.","confidence":95,"addedAt":1769274648419}
-{"contentHash":"bebf47fe017de047","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\action_task.yml","reason":"AI: This is a commit SHA (Git commit hash), not a GitHub OAuth token. The value '6e64b26de7ba966d01d90ecfaf5c7f14ef203e86' is a 40-character hexadecimal string which is the standard format for Git commit SHAs. This appears in a test fixture file with the field name 'commit_sha', clearly indicating it's a Git commit reference, not an authentication token.","confidence":95,"addedAt":1769274648418}
-{"contentHash":"e1bf2a526edbf4cc","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner_token.yml","reason":"AI: This is a test fixture file (models/fixtures/action_runner_token.yml) containing mock data for testing purposes. The token 'xeiWBL5kuTYxGPynHCqQdoeYmJAeG3IzGXCYTrDX' is a fixture token used for action runner testing, not an actual AWS secret. The file structure with multiple entries, IDs, and test scenarios (instance scope, user scope, active/inactive states) clearly indicates this is test data.","confidence":95,"addedAt":1769252423312}
-{"contentHash":"fc084708b0ff9b1b","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner_token.yml","reason":"AI: This is a test fixture file containing mock data. The token 'vohJB9QcZuSv1gAXESTk2uqpSjHhsKT9j4zYF84x' is a fixture token for testing action runner functionality. The comment 'user scope and can't be used' and is_active: 0 flag further confirm this is test data designed to test different scenarios, not a real AWS secret.","confidence":95,"addedAt":1769252423316}
-{"contentHash":"96df5fd91a8856e0","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner_token.yml","reason":"AI: This is a test fixture file with mock data. The token 'gjItAeJ3CA74hNPmPPo0Zco8I1eMaNcP1jVifjOE' is a fixture token for testing. The comment 'user scope and can be used' indicates this is part of a test suite to verify different permission scenarios. The systematic structure with sequential IDs and timestamps confirms this is test data, not a real AWS secret.","confidence":95,"addedAt":1769252423318}
-{"contentHash":"03ca8ada5cee9cfb","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner_token.yml","reason":"AI: This is a test fixture file containing mock data. The token 'NOjLubxzFxPGhPXflZknys0gjVvQNhomFbAYuhbH' is a fixture token for testing action runner functionality. The comment 'repo scope' and the systematic structure with sequential IDs (1-4) and timestamps clearly indicate this is test data designed to test different scope scenarios, not a real AWS secret.","confidence":95,"addedAt":1769252423319}
-{"contentHash":"4fb93d35084cb386","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_test.go","reason":"AI: This is the same Git commit ID '65f1bf27bc3bf70f64657658635e66094edbcb4d' as line 485, used in another test assertion for URL generation. Git commit hashes are public repository metadata, not secrets.","confidence":95,"addedAt":1769276807958}
-{"contentHash":"f0e7e421778ccd6b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_trees_test.go","reason":"AI: This is the same Git commit/tree SHA hash (62fb502a7172d4453f0322a2cc85bddffa57f07a) as line 41, used again in a pagination test. It's a Git object identifier, not an authentication token. The context clearly shows it's testing API pagination functionality.","confidence":95,"addedAt":1769276643986}
-{"contentHash":"4c72f9c17a85daa8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_commits_test.go","reason":"AI: This is a Git commit SHA hash (985f0301dba5e7b34be866819cd15ad3d8f508ee) used in integration tests, not a GitHub OAuth token. It appears in an assertion checking a commit URL path. Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769276795946}
-{"contentHash":"8b6dc2e9aa49cb9d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\branch.yml","reason":"AI: This is a Git commit SHA-1 hash (40 hex characters) in a test fixture file, not a GitHub OAuth token. Part of the branch fixture test data.","confidence":95,"addedAt":1769274683862}
-{"contentHash":"05c89c87afbe4fd3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user5\\repo4.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user5/repo4.git/refs/heads/master' clearly indicates this is a Git reference file that stores the commit hash for the master branch. Git commit SHAs are 40-character hexadecimal strings (SHA-1), which matches this pattern. This is test repository metadata, not a secret.","confidence":95,"addedAt":1769276453291}
-{"contentHash":"83d95358b2e063d8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_commits_test.go","reason":"AI: This is a Git commit SHA hash (69554a64c1e6030f051e5c3f94bfbd773cd6a324) used in integration tests, not a GitHub OAuth token. It appears in a URL path assertion for a commit reference in test code. Git commit SHAs are public identifiers.","confidence":95,"addedAt":1769276795941}
-{"contentHash":"5240b625ba030a5b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_commits_test.go","reason":"AI: This is a Git commit SHA hash (5099b81332712fe655e34e8dd63574f503f61811) used in integration tests, not a GitHub OAuth token. The value appears in an assertion checking commit IDs in a test repository. Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769276795936}
-{"contentHash":"13f4666bf3bd7ff6","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_commits_test.go","reason":"AI: This is a Git commit SHA hash (f27c2b2b03dcab38beaf89b0ab4ff61f6de63441) used in test assertions for file history API testing. It's test fixture data.","confidence":95,"addedAt":1769276628297}
-{"contentHash":"3c65540756308a60","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_test.go","reason":"AI: This is the same Git commit ID 'aacbdfe9e1c4b47f60abe81849045fa4e96f1d75' as line 502, used in another test assertion. Git commit hashes are public repository identifiers and do not represent authentication credentials or secrets.","confidence":95,"addedAt":1769276807961}
-{"contentHash":"d44aaf74353049fa","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_test.go","reason":"AI: This is the same Git commit ID '2a47ca4b614a9f5a43abbd5ad851a54a616ffee6' as line 116, used in another test assertion. Git commit hashes are public repository identifiers and not authentication tokens or secrets.","confidence":95,"addedAt":1769276807954}
-{"contentHash":"e8afafbb3ef5b976","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\org3\\repo5.git\\refs\\heads\\test_branch","reason":"AI: This is a Git commit SHA hash (40-character hexadecimal string) located in a Git refs file (.git/refs/heads/test_branch). Git refs files store commit hashes that branches point to, not OAuth tokens. While the pattern matches the format of a GitHub OAuth token, the context clearly indicates this is a Git object reference. The file path 'tests/gitea-repositories-meta/org3/repo5.git/refs/heads/test_branch' confirms this is test repository metadata.","confidence":95,"addedAt":1769275975208}
-{"contentHash":"53656ab59f867a64","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Same Git commit SHA hash (73cf03db6ece34e12bf91e8853dc58f678f2f82d) as line 327, repeated in test code.","confidence":95,"addedAt":1769276779022}
-{"contentHash":"61e7e706de1bb537","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo1.git\\refs\\heads\\DefaultBranch","reason":"AI: This is a Git commit SHA hash (40 character hexadecimal string) located in a Git refs/heads file, which is the standard format for Git references. The file path 'tests/gitea-repositories-meta/user2/repo1.git/refs/heads/DefaultBranch' clearly indicates this is a test repository structure. Git commit SHAs are public identifiers, not secrets. While the pattern matches the format of a GitHub OAuth token (40 hex characters), the context definitively identifies this as a Git reference.","confidence":95,"addedAt":1769276250050}
-{"contentHash":"121ca6feaf350e95","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git commit SHA hash (4649299398e4d39a5c09eb4f534df6f1e1eb87cc) used in test code for LastCommitID in directory deletion test. Public repository identifier.","confidence":95,"addedAt":1769276779032}
-{"contentHash":"619e6e366c421fb9","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\commit_status.yml","reason":"AI: This is a test fixture file with the same 'context_hash' value ('c65f4d64a3b14a3eced0c9b36799e66e1bd5ced7') repeated from line 10, confirming it's a deterministic hash value for the context 'ci/awesomeness'. This is test/mock data, not a real GitHub OAuth token.","confidence":95,"addedAt":1769274694029}
-{"contentHash":"fca27b1d7fc48ee5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\commit_status.yml","reason":"AI: This is a test fixture file with the same 'context_hash' value ('3929ac7bccd3fa1bf9b38ddedb77973b1b9a8cfe') repeated from line 22, confirming it's a deterministic hash value for the same context 'cov/awesomeness'. This is clearly test data, not a real GitHub OAuth token.","confidence":95,"addedAt":1769274694025}
-{"contentHash":"7c980ae42d417628","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\commit_status.yml","reason":"AI: This is a test fixture file containing mock data. The value 'ae9547713a6665fc4261d0756904932085a41cf2' is labeled as 'context_hash' for the context 'deploy/awesomeness'. Like the other entries, this is a deterministic hash value used in test fixtures, not a GitHub OAuth token.","confidence":95,"addedAt":1769274694031}
-{"contentHash":"c12fc15973ff0325","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\pull_commit_test.go","reason":"AI: This is a Git commit SHA hash (4a357436d925b5c974181ff12a994538ddc5a269) used in integration test code to verify the last review commit SHA. Git commit SHAs are not secrets - they are public identifiers in version control systems. The value is being used in an assertion to validate test data.","confidence":95,"addedAt":1769276739413}
-{"contentHash":"f98adb6fface65ba","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_pull_test.go","reason":"AI: This is a Git commit SHA hash (1a8823cd1a9549fde083f992f6b9b87a7ab74fb3) used in a test file to verify API functionality for retrieving pull request information by commit. The variable name 'mergedCommitSHA' clearly indicates this is a commit hash, not a GitHub OAuth token. Git commit SHAs are 40-character hexadecimal strings that are public identifiers in version control systems.","confidence":95,"addedAt":1769276533684}
-{"contentHash":"67d29ad7da776efa","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\commitsonpr.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user2/commitsonpr.git/refs/heads/master' indicates this is a Git reference file that stores the commit hash for the master branch. Git commit SHAs are 40-character hexadecimal strings (SHA-1), which matches this pattern. This is test repository metadata, not a secret.","confidence":95,"addedAt":1769276118749}
-{"contentHash":"7ba004453d49ef66","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo-release.git\\refs\\tags\\v1.0","reason":"AI: This is a Git object hash (SHA-1) stored in a Git refs/tags file, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user2/repo-release.git/refs/tags/v1.0' clearly indicates this is a Git reference file that stores the commit hash for tag v1.0. Git SHA-1 hashes are 40-character hexadecimal strings, which matches this pattern. This is test repository data, not a secret.","confidence":95,"addedAt":1769276225110}
-{"contentHash":"e8a58dcbd092f28d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo-release.git\\refs\\tags\\v1.1","reason":"AI: This is a Git object SHA-1 hash (40 hexadecimal characters) located in a Git repository refs/tags directory, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user2/repo-release.git/refs/tags/v1.1' indicates this is a Git tag reference file that stores the commit hash for tag v1.1. Git SHA-1 hashes are public identifiers, not secrets. The pattern was incorrectly flagged as a GitHub OAuth token due to similar character length and hexadecimal format.","confidence":95,"addedAt":1769276229448}
-{"contentHash":"6764b5b064c32c52","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo-release.git\\refs\\tags\\v2.0","reason":"AI: This is a Git object SHA-1 hash (40 hexadecimal characters) stored in a Git refs/tags file, which is part of the standard Git repository structure. The file path 'tests\\gitea-repositories-meta\\user2\\repo-release.git\\refs\\tags\\v2.0' indicates this is a test repository, and the content is a Git commit/tag reference hash, not a GitHub OAuth token. Git SHA-1 hashes follow the same format as some tokens but serve a completely different purpose in version control systems.","confidence":95,"addedAt":1769276234332}
-{"contentHash":"4aa48c1eed47a60a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo2.git\\packed-refs","reason":"AI: This is a Git SHA-1 commit hash in a packed-refs file, not a GitHub OAuth token. The file is located in a test repository's .git directory (tests/gitea-repositories-meta/user2/repo2.git/packed-refs). Git packed-refs files store references to commits using SHA-1 hashes (40 hexadecimal characters), which have a similar format to some tokens but serve a completely different purpose. The value '205ac761f3326a7ebe416e8673760016450b5cec' is a legitimate Git object reference, not an authentication credential.","confidence":95,"addedAt":1769276339751}
-{"contentHash":"915b22ccece04aaa","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\fixtures\\review.yml","reason":"AI: This is a Git commit SHA hash (8091a55037cd59e47293aca02981b5a67076b364) in a test fixture file, not a GitHub OAuth token. The file is located in 'models/fixtures/review.yml' which is clearly test data. Git commit SHAs are 40-character hexadecimal strings that are public identifiers, not secrets. The context shows this is the 'commit_id' field in a review fixture.","confidence":95,"addedAt":1769274736392}
-{"contentHash":"f0df9deb633ee41f","patternId":"postgres-uri","filePath":"..\\gitcaddy\\tests\\integration\\migration-test\\migration_test.go","reason":"AI: This is a PostgreSQL connection string template in test code that uses placeholder variables (setting.Database.User, setting.Database.Passwd, setting.Database.SSLMode, setting.Database.Host). The values are dynamically constructed from configuration settings, not hardcoded credentials. This is part of migration test infrastructure that restores old database versions for testing purposes.","confidence":95,"addedAt":1769254510609}
-{"contentHash":"2ff9386dc0a0cef1","patternId":"postgres-uri","filePath":"..\\gitcaddy\\tests\\test_utils.go","reason":"AI: This is another PostgreSQL connection string template in test utility code that uses configuration variables (setting.Database.User, setting.Database.Passwd, etc.) rather than hardcoded credentials. The pattern detected is just the format string 'postgres://%s:%s@/%s?sslmode=%s&host=%s' which is a connection URI template, not an actual secret. The actual values are loaded from test configuration at runtime. This is the same pattern as line 102, used in a different conditional branch.","confidence":95,"addedAt":1769254613106}
-{"contentHash":"85a551eb5c52ab21","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\migrations\\fixtures\\Test_RepositoryFormat\\review_state.yml","reason":"AI: This is a Git commit SHA hash in a test fixture file (located in models/migrations/fixtures/Test_RepositoryFormat/). The value '19fe5caf872476db265596eaac1dc35ad1c6422d' is a 40-character hexadecimal string which is the standard format for Git commit hashes, not a GitHub OAuth token. The field name 'commit_sha' clearly indicates this is a commit hash. This is test/mock data for database migrations.","confidence":95,"addedAt":1769274781909}
-{"contentHash":"a4163358850908d7","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_test.go","reason":"AI: This is part of an import path 'code.gitcaddy.com/server/v3/modules/packages/container' in a Go source file. The detected pattern 'com/********************iner' is matching across the import path structure, not an actual AWS secret key. This is a false positive triggered by pattern matching on a URL/package path.","confidence":95,"addedAt":1769254357744}
-{"contentHash":"d60c5d1d5d35929a","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\install\\install.go","reason":"AI: This is a Go import path 'code.gitcaddy.com/server/v3/modules/auth/password/hash' - not an AWS secret key. The pattern matcher incorrectly flagged this as a secret because it contains 'hash' at the end and has a structure that superficially resembles a secret key format. However, this is clearly a module import statement in Go code, which is a standard programming construct for importing packages.","confidence":95,"addedAt":1769253334420}
-{"contentHash":"32d60fd8fcf8b46b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\language_stats_repo\\refs\\heads\\master","reason":"AI: This is a Git reference file located in a test repository (.git/refs/heads/master). The value '8fee858da5796dfb37704761701bb8e800ad9ef3' is a Git commit SHA-1 hash (40 hexadecimal characters), not a GitHub OAuth token. Git commit hashes are public identifiers used to reference specific commits in version control and are not secrets. The file path 'modules/git/tests/repos/language_stats_repo/refs/heads/master' clearly indicates this is test data within a mock Git repository structure.","confidence":95,"addedAt":1769275069082}
-{"contentHash":"f9027c7f8865bb73","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_blob_test.go","reason":"AI: This is a Git object ID (SHA-1 hash) used in a test file for the Git repository module. The value '6c493ff740f9380390d5c9ddef4af18697ac9375' is a 40-character hexadecimal string that represents a blob object in a test repository, not a GitHub OAuth token. Git object IDs are public identifiers within repositories and are not secrets. The context shows this is testing the GetBlob functionality with known test data that corresponds to 'file2'.","confidence":95,"addedAt":1769274940790}
-{"contentHash":"78fde4a035305814","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_compare_test.go","reason":"AI: This is a Git commit SHA-1 hash (8d92fc957a4d7cfd98bc375f0b7bb189a0d6c9f2) used in test case data for testing file change detection. This is the same commit hash used throughout the test file. Git commit hashes are public version control identifiers.","confidence":99,"addedAt":1769275002550}
-{"contentHash":"70606cec6eff46b0","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_compare_test.go","reason":"AI: This is a Git commit SHA-1 hash (95bb4d39648ee7e325106df01a621c530863a653) used as the 'base' commit in a test case for comparing file changes. Same hash as line 146. Git commit hashes are public repository identifiers.","confidence":99,"addedAt":1769275002546}
-{"contentHash":"91b556aa4409fa66","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\refs\\heads\\branch1","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo1_bare/refs/heads/branch1' clearly indicates this is part of a Git repository structure where refs/heads/ contains branch references that point to commit SHAs. Git commit hashes are 40-character hexadecimal strings, which can superficially match patterns for tokens, but they are not secrets - they are public identifiers for commits in version control.","confidence":99,"addedAt":1769275095602}
-{"contentHash":"193f5d4dd779a724","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\commit_info_test.go","reason":"AI: This is a Git commit SHA-1 hash (9c9aef8dd84e02bc7ec12641deb4c930a7c30185) used in test cases, not a GitHub OAuth token.","confidence":95,"addedAt":1769274863640}
-{"contentHash":"66c12304b740cbb2","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\refs\\heads\\branch2","reason":"AI: This is a Git commit SHA-1 hash, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo1_bare/refs/heads/branch2' clearly indicates this is a Git reference file in a bare repository test fixture. Git stores branch references as 40-character hexadecimal SHA-1 hashes in files under refs/heads/. The value '5c80b0245c1c6f8343fa418ec374b13b5d4ee658' is a standard Git commit hash format (40 hex characters), which coincidentally matches the pattern length of some tokens but serves a completely different purpose.","confidence":99,"addedAt":1769275100123}
-{"contentHash":"72c13e6c329c6e78","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\logs\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (ce064814f4a0d337b333e646ece456cd39fab612) in a Git reflog file, not a GitHub OAuth token. The context clearly shows this is test data in a bare Git repository's reflog. Git SHAs are public version control identifiers, not authentication credentials.","confidence":95,"addedAt":1769275086444}
-{"contentHash":"290572652a0e8c88","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tree_entry_common_test.go","reason":"AI: This is a Git commit SHA hash (37991dec2c8e592043f47155ce4808d4580f9123) used in a test file to reference a specific commit in a test repository. Git commit SHAs are public identifiers, not secrets. The context shows it's being used with r.GetCommit() to retrieve a commit object for testing purposes.","confidence":95,"addedAt":1769275239873}
-{"contentHash":"0045f64b61219d5c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_blob_test.go","reason":"AI: This is a Git object ID (SHA-1 hash) used in a test file for the Git repository module. The value 'e2129701f1a4d54dc44f03c93bca0a2aec7c5449' is a 40-character hexadecimal string that represents a blob object in a test repository, not a GitHub OAuth token. Git object IDs are public identifiers within repositories and are not secrets. The context shows this is testing the GetBlob functionality with known test data.","confidence":95,"addedAt":1769274940787}
-{"contentHash":"c8ca67126aec4108","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\modules\\git\\commit_sha256_test.go","reason":"AI: This is the same PGP signature block appearing again in the test assertions (assert.Equal statement). The pattern is part of the expected PGP signature output being validated in the test. It's test data verifying that commit signature parsing works correctly, not an actual AWS secret key.","confidence":95,"addedAt":1769252678826}
-{"contentHash":"82e6e3095c495bd1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\commit_test.go","reason":"AI: This is a Git commit SHA hash (8006ff9adbf0cb94da7dad9e537e53817f9fa5c0) used in a test file, not a GitHub OAuth token. Git commit SHAs are 40-character hexadecimal strings that are publicly visible in repositories and are not secrets. The context shows this is being used to test the CommitsCount function with a specific revision.","confidence":95,"addedAt":1769275275116}
-{"contentHash":"d13d50aeb42f4ea1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\commit_test.go","reason":"AI: This is a Git tree object SHA hash (f1a6cb52b2d16773290cefe49ad0684b50a4f930) in an assertion statement verifying commit parsing. Git tree hashes are public identifiers, not secrets.","confidence":95,"addedAt":1769274880716}
-{"contentHash":"15823bc837230050","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\commit_test.go","reason":"AI: This is a Git tree object SHA hash (ca3fad42080dd1a6d291b75acdfc46e5b9b307e5) in an assertion verifying commit parsing with encoding. Git tree hashes are public identifiers, not secrets.","confidence":95,"addedAt":1769274880729}
-{"contentHash":"33eb564418ceb64f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\commit_test.go","reason":"AI: This is a Git commit SHA hash (47b24e7ab977ed31c5a39989d570847d6d0052af) in an assertion statement. Git commit hashes are public repository identifiers, not secrets.","confidence":95,"addedAt":1769274880732}
-{"contentHash":"ed66511d63589d85","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\error.go","reason":"AI: This is a Git commit SHA hash appearing in a comment that explains the format of stderr output from a Git push rejection. The value '44e67c77559211d21b630b902cdcc6ab9d4a4f51' is a 40-character hexadecimal Git commit hash, not a GitHub OAuth token. It's part of example output showing what a rejected push looks like, specifically in the line '! [remote rejected] 44e67c77559211d21b630b902cdcc6ab9d4a4f51 -> develop (pre-receive hook declined)'. This is documentation/example code explaining error message parsing.","confidence":95,"addedAt":1769274886277}
-{"contentHash":"cb968d338c679fcb","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\foreachref\\parser.go","reason":"AI: This is the same Git commit SHA hash used as an example in another code comment demonstrating the format of a reference block string. The value 'f460b7543ed500e49c133c2cd85c8c55ee9dbe27' is a Git object hash used for illustrative purposes in the parseRef function documentation, not a GitHub OAuth token. The context clearly shows it's part of a sample git command output.","confidence":95,"addedAt":1769274892399}
-{"contentHash":"1323f94649402716","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\foreachref\\parser_test.go","reason":"AI: This is a Git object hash (SHA-1) used in test data for a parser test. The value '7b2c5ac9fc04fc5efafb60700713d4fa609b777b' is a 40-character hexadecimal string representing a Git commit object, not a GitHub OAuth token. This is the same test value as line 77, appearing in the expected results section of the test.","confidence":95,"addedAt":1769274902123}
-{"contentHash":"0a61fcdbcd8be938","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\foreachref\\parser_test.go","reason":"AI: This is a Git object hash (SHA-1) used in test data for a parser test. The value 'a1f051bc3eba734da4772d60e2d677f47cf93ef4' is a 40-character hexadecimal string representing a Git commit object, not a GitHub OAuth token. This is the same test value as line 78, appearing in the expected results section of the test.","confidence":95,"addedAt":1769274902125}
-{"contentHash":"ae28c342ad0f0242","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\foreachref\\parser_test.go","reason":"AI: This is a Git object hash (SHA-1) used in test data for a parser test. The value 'ef82de70bb3f60c65fb8eebacbb2d122ef517385' is a 40-character hexadecimal string representing a Git commit object, not a GitHub OAuth token. This is the same test value as line 79, appearing in the expected results section of the test.","confidence":95,"addedAt":1769274902128}
-{"contentHash":"ea0892795d09fa84","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo3_notes\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo3_notes/refs/heads/master' indicates this is a Git reference file that stores the commit hash for the master branch in a test repository. Git reference files in the .git/refs/heads/ directory contain 40-character hexadecimal commit SHAs, which match the pattern of some secret detection rules but are not secrets themselves.","confidence":95,"addedAt":1769275138440}
-{"contentHash":"5a26dd42a9bfec70","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo3_notes\\logs\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (3e668dbfac39cbc80a9ff9c61eb565d944453ba4) found in a Git reflog file. This represents the new commit hash in the Git history. The file is located in a test repository ('tests/repos/repo3_notes'), and these 40-character hex strings are standard Git commit identifiers, not GitHub OAuth tokens.","confidence":95,"addedAt":1769275134173}
-{"contentHash":"b0b5f99c8bbca858","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\object_id_test.go","reason":"AI: This is a test file (object_id_test.go) testing Git SHA hash computation. The value 'e69de29bb2d1d6434b8b29ae775ad8c2e48c5391' is the well-known Git SHA-1 hash for an empty blob object, which is a deterministic hash value used in Git internals testing. This is not a GitHub OAuth token but a Git object hash being validated in a unit test.","confidence":95,"addedAt":1769274919509}
-{"contentHash":"9159fa16c9b2c6df","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\object_id_test.go","reason":"AI: This is a test file testing Git SHA hash computation. The value '2e65efe2a145dda7ee51d1741299f848e5bf752e' is the deterministic Git SHA-1 hash for a blob containing the single character 'a'. This is a standard Git hash value used for testing hash computation functions, not a GitHub OAuth token. The context shows it's comparing expected hash outputs from ComputeBlobHash function.","confidence":95,"addedAt":1769274919512}
-{"contentHash":"45266f29f44538de","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\parse_treeentry_test.go","reason":"AI: This is a Git blob SHA-1 hash (ea0d83c9081af9500ac9f804101b3fd0a5c293af) used in test input for invalid format testing. Git object hashes are not secrets - they are publicly visible identifiers.","confidence":99,"addedAt":1769274934809}
-{"contentHash":"0218a26ee0b184e1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\parse_treeentry_test.go","reason":"AI: This is a Git blob SHA-1 hash (037f27dc9d353ae4fd50f0474b2194c593914e35) used in test expectations. It's the same hash as line 19, used to verify parsing logic. Git object hashes are not secrets.","confidence":99,"addedAt":1769274934791}
-{"contentHash":"2d38d86086b271db","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\parse_treeentry_test.go","reason":"AI: This is a Git blob SHA-1 hash (9846a94f7e8350a916632929d0fda38c90dd2ca8) used in test expectations. It's the same hash as line 20, used to verify parsing logic. Git object hashes are not secrets.","confidence":99,"addedAt":1769274934793}
-{"contentHash":"863f9b46ed8476df","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\parse_treeentry_test.go","reason":"AI: This is a Git tree SHA-1 hash (84b90550547016f73c5dd3f50dea662389e67b6d) used in test expectations for the short format test. Git object hashes are not secrets.","confidence":99,"addedAt":1769274934807}
-{"contentHash":"347ec2250ed0ed18","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo5_pulls\\packed-refs","reason":"AI: This is the same Git SHA-1 commit hash (c83380d7056593c51a699d12b9c00627bd5743e9) appearing again in the packed-refs file for a different ref (refs/pull/1/head). This is normal Git behavior where the same commit can be referenced by multiple refs. It's a Git object hash, not a GitHub OAuth token.","confidence":99,"addedAt":1769275191726}
-{"contentHash":"0787d895bfc8ccd0","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\gitdiff_test.go","reason":"AI: This is a Git commit SHA hash (d8e0bbb45f200e67d9a784ce55bd90821af45ebd) used in a test file for diff comparison, not a GitHub OAuth token. The pattern detector incorrectly flagged it due to the hexadecimal format, but commit SHAs are 40 characters long and are public identifiers in Git repositories, not secrets.","confidence":95,"addedAt":1769275563011}
-{"contentHash":"e00baf775a33ce9a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo5_pulls\\refs\\pull\\4\\head","reason":"AI: This is a Git reference file located in a test repository under 'modules/git/tests/repos/repo5_pulls/refs/pull/4/head'. The value '58a4bcc53ac13e7ff76127e0fb518b5262bf09af' is a Git commit SHA-1 hash (40 hexadecimal characters), not a GitHub OAuth token. Git refs files store commit hashes to track branch and pull request heads. The file path structure 'refs/pull/4/head' is the standard Git format for storing pull request references.","confidence":95,"addedAt":1769275210333}
-{"contentHash":"4b8be99a69ac5b49","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\commit_test.go","reason":"AI: This is a Git commit SHA hash (ce064814f4a0d337b333e646ece456cd39fab612) referenced in a comment within a test file, not a GitHub OAuth token. The comment explicitly states this is 'the time of commit ce064814f4a0d337b333e646ece456cd39fab612 (refs/heads/master)', confirming it's a Git commit reference. Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769275275118}
-{"contentHash":"30943ab8087dbede","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_branch_test.go","reason":"AI: This is a Git SHA-1 blob hash (153f451b9ee7fa1da317ab17a127e9fd9d384310) used in test code to verify blob hash references. Same hash as line 135, confirming it's a test fixture value, not a secret.","confidence":95,"addedAt":1769274959461}
-{"contentHash":"86f256e08c9242ae","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_commit_test.go","reason":"AI: This is a Git commit SHA-1 hash (28b55526e7100924d864dd89e35c1ea62e7a5a32) used in test code for the repo1_bare test repository. Git commit hashes are public identifiers, not secrets. The pattern was incorrectly flagged as a GitHub OAuth token.","confidence":95,"addedAt":1769274990452}
-{"contentHash":"bf4083e0d8974d47","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo4_commitsbetween\\logs\\refs\\heads\\main","reason":"AI: This is a Git commit SHA hash (a78e5638b66ccfe7e1b4689d3d5684e42c97d7ca) in a Git reflog file, not a GitHub OAuth token. This is test data in a test repository, and Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769275168470}
-{"contentHash":"0c071730757c69d5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo4_commitsbetween\\logs\\refs\\heads\\main","reason":"AI: This is a Git commit SHA hash (fdc1b615bdcff0f0658b216df0c9209e5ecb7c78) in a Git reflog file, not a GitHub OAuth token. This is test data in a test repository, and Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769275168467}
-{"contentHash":"8a9ba0fb86d78af7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo4_commitsbetween\\refs\\heads\\main","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo4_commitsbetween/refs/heads/main' indicates this is a Git reference file that stores the commit hash for the 'main' branch. Git ref files contain 40-character hexadecimal SHA-1 hashes that point to commits. While the format (40 hex characters) can superficially resemble some token formats, the context clearly shows this is test repository data for Git operations, specifically a commit reference.","confidence":95,"addedAt":1769275173342}
-{"contentHash":"f552ee55b3093dfe","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\refs\\tags\\test","reason":"AI: This is a Git commit SHA-1 hash located in a Git repository's refs/tags directory, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo1_bare/refs/tags/test' clearly indicates this is part of a Git repository structure where tag references store commit hashes. Git SHA-1 hashes are 40-character hexadecimal strings that match the pattern detected, but they are not secrets - they are public identifiers for commits.","confidence":95,"addedAt":1769275118787}
-{"contentHash":"107a54d4744e511a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\pulls\\2.patch","reason":"AI: This is a Git commit hash from a patch file, not a GitHub OAuth token. The value '6e8e2a6f9efd71dbe6917816343ed8415ad696c3' appears in the 'From' line of a Git patch file format, which is a standard Git commit SHA-1 hash. Git commit hashes are 40-character hexadecimal strings that are publicly visible in repositories and are not secrets. The file is located in a test directory (modules/git/tests/repos/repo1_bare/pulls/2.patch), further confirming this is test data.","confidence":95,"addedAt":1769275091175}
-{"contentHash":"913f63626088b650","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\refs\\tags\\signed-tag","reason":"AI: This is a Git object SHA-1 hash (40 hexadecimal characters) located in a Git repository's refs/tags directory, not a GitHub OAuth token. The file path 'modules/git/tests/repos/repo1_bare/refs/tags/signed-tag' clearly indicates this is part of Git's internal structure for storing tag references. Git uses SHA-1 hashes to identify commits, trees, and other objects. GitHub OAuth tokens have a different format and would not be stored in Git's internal reference files.","confidence":95,"addedAt":1769275114468}
-{"contentHash":"eb4780d844125b59","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_tag_test.go","reason":"AI: This is a Git commit SHA hash (6fbd69e9823458e6c4a2fc5c0f6bc022b2f2acd1) used in test code for GetAnnotatedTag testing. Git commit hashes are public identifiers in repositories.","confidence":95,"addedAt":1769275037115}
-{"contentHash":"624f2ed9a0d8b513","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_tag_test.go","reason":"AI: This is a Git commit SHA hash (ab23e4b7f4cd0caafe0174c0e7ef6d651ba72889) used in test expectations for verifying Tag.Object field. Same hash reused in test assertions.","confidence":95,"addedAt":1769275037124}
-{"contentHash":"3fabab5a05325bc9","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_tag_test.go","reason":"AI: This is a Git commit SHA hash (3325fd8a973321fd59455492976c042dde3fd1ca) used in the Signature.Payload field as part of test data for PGP-signed Git tags. Git object identifier in test fixture.","confidence":95,"addedAt":1769275037142}
-{"contentHash":"23d356b1c0dc4825","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\repo_tag_test.go","reason":"AI: This is a Git commit SHA hash (8c68a1f06fc59c655b7e3905b159d761e91c53c9) used in test expectations for verifying Tag.ID in signed tag test case. Test data.","confidence":95,"addedAt":1769275037138}
-{"contentHash":"772007de62545792","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\submodule_test.go","reason":"AI: This is a test file (submodule_test.go) containing a Git submodule commit hash, not a GitHub OAuth token. The value 'd2932de67963f23d43e1c7ecf20173e92ee6c43c' is a 40-character SHA-1 Git commit hash used in test assertions for submodule functionality. Git commit hashes are public identifiers, not secrets. The pattern matcher incorrectly flagged this as a GitHub OAuth token due to similar character patterns.","confidence":95,"addedAt":1769275042118}
-{"contentHash":"a1dc99830e2ff63e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tag_test.go","reason":"AI: This is the same Git object SHA-1 hash (3b114ab800c6432ad42387ccf6bc8d4388a2885a) referenced in the expected test result structure. Git SHA-1 hashes are public identifiers, not secrets. This is part of a unit test validating tag parsing functionality.","confidence":99,"addedAt":1769275055944}
-{"contentHash":"eb54a7fd634f8e1f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tag_test.go","reason":"AI: This is the same Git object SHA-1 hash (7cdf42c0b1cc763ab7e4c33c47a24e27c66bfccc) in the expected test result. Git SHA-1 hashes are not secrets - they are cryptographic hashes of Git objects that serve as public identifiers. This is part of unit test validation.","confidence":99,"addedAt":1769275055951}
-{"contentHash":"bdf60ac28845ad8e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tag_test.go","reason":"AI: This is the same Git object SHA-1 hash (7cdf42c0b1cc763ab7e4c33c47a24e27c66bfaaa) appearing in the Payload field of the test's expected signature structure. Git SHA-1 hashes are public identifiers used to reference Git objects and are not secrets. This is clearly part of unit test validation.","confidence":99,"addedAt":1769275055958}
-{"contentHash":"da83322a5b6f7e59","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo1_bare\\refs\\notes\\commits","reason":"AI: This is a Git commit SHA-1 hash located in a Git repository's refs/notes/commits file, which is a standard Git internal reference file. The file path 'modules/git/tests/repos/repo1_bare/refs/notes/commits' clearly indicates this is test repository data. Git commit hashes are 40-character hexadecimal strings that match the pattern of various secret detectors, but they are not secrets - they are public identifiers for commits. The value 'ca6b5ddf303169a72d2a2971acde4f6eea194e5c' is a legitimate Git object reference, not a GitHub OAuth token.","confidence":95,"addedAt":1769275109673}
-{"contentHash":"1711d401d5d5b367","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo3_notes\\refs\\notes\\commits","reason":"AI: This is a Git reference hash located in a test repository under 'modules/git/tests/repos/repo3_notes/refs/notes/commits'. The file path indicates this is test data for Git notes functionality. The value '654c8b6b63c08bf37f638d3f521626b7fbbd4d37' is a 40-character SHA-1 hash used by Git to reference commits, not a GitHub OAuth token. Git commit hashes and GitHub OAuth tokens may have similar formats (hexadecimal strings), but this is clearly a Git object reference in a notes ref file, which is a standard Git internal structure.","confidence":95,"addedAt":1769275145000}
-{"contentHash":"b85846be9dcd846f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo4_submodules\\refs\\heads\\master","reason":"AI: This is a Git reference file located in .git/refs/heads/master that contains a Git commit SHA-1 hash (40 hexadecimal characters). Git commit hashes are not secrets - they are public identifiers for commits in version control. The file path 'modules/git/tests/repos/repo4_submodules/refs/heads/master' clearly indicates this is test repository data. The pattern was incorrectly flagged as a GitHub OAuth token, but GitHub tokens have different formats and are not 40-character hex strings stored in Git ref files.","confidence":95,"addedAt":1769275178255}
-{"contentHash":"2bc6c835a073578f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo5_pulls\\objects\\info\\packs","reason":"AI: This is a Git pack file reference in a standard Git repository structure. The string 'pack-81423f591973f5d9dab89cc45afa1c544448133e.pack' is a Git pack filename where the hex string is a SHA-1 hash identifying the pack file, not a GitHub OAuth token. The file is located in 'objects/info/packs' which is a standard Git internal directory. The 'P' prefix indicates this is a pack file entry in Git's internal format. This is test repository data as evidenced by the path 'modules/git/tests/repos/repo5_pulls'.","confidence":99,"addedAt":1769275182854}
-{"contentHash":"8569da82fc986c82","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo5_pulls\\packed-refs","reason":"AI: This is a Git SHA-1 commit hash (111cac04bd7d20301964e27a93698aabb5781b80) in a packed-refs file for refs/pull/1/merge. This is a standard Git commit reference, not a GitHub OAuth token. The context clearly shows this is part of a Git repository's internal reference storage.","confidence":99,"addedAt":1769275191728}
-{"contentHash":"d42fc6342b434b48","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a Git commit SHA hash (72866af952e98d02a73003501836074b286a78f6) used in test code for the Base branch SHA in a PullRequest test structure. Not an OAuth token.","confidence":95,"addedAt":1769275686125}
-{"contentHash":"4bd0d103ab8cd62f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\blame_test.go","reason":"AI: This is a Git commit SHA hash (544d8f7a3b15927cddf2299b4b562d6ebd71b6a7) used in test code, same as line 96. It's a public Git commit identifier, not a GitHub OAuth token.","confidence":95,"addedAt":1769275264554}
-{"contentHash":"a3d35a9b8d851d34","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\commit_file_test.go","reason":"AI: This is a Git commit SHA hash (022f4ce6214973e018f02bf363bf8a2e3691f699) used in a test file, not a GitHub OAuth token. The pattern detector incorrectly flagged it as a GitHub OAuth token. Git commit SHAs are 40-character hexadecimal strings that are public identifiers for commits in version control systems and are not secrets. This is clearly test code (TestGetCommitFileStatusMerges function) referencing a specific commit in a mock repository.","confidence":95,"addedAt":1769275268897}
-{"contentHash":"805b74b66a6d6797","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo6_merge\\refs\\heads\\merge\\add_file","reason":"AI: This is a Git commit SHA hash (40 hexadecimal characters) located in a Git repository reference file (.git/refs/heads/merge/add_file). The file path and format are consistent with Git's internal structure for storing commit references. Git commit SHAs are not secrets - they are public identifiers used to reference specific commits in version control. The pattern was incorrectly flagged as a GitHub OAuth token, but the context clearly indicates this is a Git object reference.","confidence":95,"addedAt":1769275224124}
-{"contentHash":"ede2441f72384ca0","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo6_merge\\refs\\heads\\merge\\modify_file","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file is located in a test repository path (modules/git/tests/repos/repo6_merge/refs/heads/merge/modify_file) which is part of Git's internal structure. The 'refs/heads' directory stores commit references in Git repositories. Git commit SHAs are 40-character hexadecimal strings that happen to match the pattern of some API tokens, but they are not secrets - they are public identifiers for commits.","confidence":95,"addedAt":1769275228879}
-{"contentHash":"0a477fa443b88e08","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tests\\repos\\repo6_merge\\refs\\heads\\merge\\remove_file","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) located in a Git repository reference file (.git/refs/heads/merge/remove_file). The file path and format are consistent with Git's internal structure for storing branch references. Git commit hashes are public identifiers, not secrets. The pattern was incorrectly flagged as a GitHub OAuth token, but GitHub tokens have different formats and lengths.","confidence":95,"addedAt":1769275233367}
-{"contentHash":"26a8dad0cbb56b99","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\tree_entry_common_test.go","reason":"AI: This is a Git object ID/SHA hash (b14df6442ea5a1b382985a6549b85d435376c351) used in a test assertion to verify the correct target entry is resolved when following a symlink. Git object IDs are public identifiers that reference blobs, trees, or commits in a Git repository, not authentication secrets. The context shows it's being compared with res.TargetEntry.ID.String() in a test.","confidence":95,"addedAt":1769275239876}
-{"contentHash":"69ce9d45aaf6ba92","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\blame_test.go","reason":"AI: This is a Git commit SHA hash (45fb6cbc12f970b04eacd5cd4165edd11c8d7376) used in test code, same as lines 78 and 113. It's a public Git commit identifier, not a GitHub OAuth token.","confidence":95,"addedAt":1769275264558}
-{"contentHash":"237a0d985580acc4","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\git\\utils_test.go","reason":"AI: This is a SHA-1 hash value used in a test case for the HashFilePathForWebUI function. The value '8843d7f92416211de9ebb963ff4ce28125932878' is the expected SHA-1 hash output for the input string 'foobar', which is a well-known test value. This is test code verifying hash computation, not a GitHub OAuth token.","confidence":99,"addedAt":1769275250296}
-{"contentHash":"5791d70116070482","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\onedev_test.go","reason":"AI: This is a Git commit SHA hash (f32b0a9dfd09a60f616f29158f772cedd89942d2) used in test code to reference a specific commit in a pull request base branch. Git commit SHAs are public identifiers visible in repository history, not authentication secrets. The value appears in a test file testing migration functionality, where it represents the base branch commit of a pull request.","confidence":95,"addedAt":1769275698989}
-{"contentHash":"dc63101fc6826d98","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\blame_test.go","reason":"AI: This is a Git commit SHA hash (af7486bd54cfc39eea97207ca666aa69c9d6df93) used in test code, same as previous occurrences. It's a public Git commit identifier, not an OAuth token.","confidence":95,"addedAt":1769275264552}
-{"contentHash":"54dfa889d68e3a77","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\gitrepo\\diff.go","reason":"AI: This is a Git commit SHA hash used as an example in a code comment demonstrating the output format of 'git diff --shortstat'. The value '1ebb35b98889ff77299f24d82da426b434b0cca0...788b8b1440462d477f45b0088875' is a Git commit reference, not a GitHub OAuth token. Git commit SHAs are 40-character hexadecimal strings that are public identifiers in version control systems and are not secrets. The comment is explaining what the git command output looks like.","confidence":95,"addedAt":1769275280726}
-{"contentHash":"7f311659938e2c9c","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\modules\\markup\\markdown\\markdown.go","reason":"AI: This is a Go import statement importing the 'chromahtml' package from GitHub (github.com/alecthomas/chroma/v2/formatters/html). The pattern matched 'com/********************html' which is part of the import path, not an AWS secret key. Import paths in Go follow the format 'domain.com/path/to/package' and this is clearly a legitimate package import for syntax highlighting functionality.","confidence":99,"addedAt":1769253137452}
-{"contentHash":"086e8c2333bfb511","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\modules\\indexer\\code\\indexer_test.go","reason":"AI: This is a false positive. The detected pattern 'com/********************leve' is actually part of an import path 'code.gitcaddy.com/server/v3/modules/indexer/code/bleve' in a Go source file. This is a standard Go package import statement, not an AWS secret access key. The pattern matcher incorrectly identified the substring as a secret due to pattern matching on the text, but it's clearly part of a URL/package path structure.","confidence":99,"addedAt":1769253099144}
-{"contentHash":"6c6bd82c92435070","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\references\\references.go","reason":"AI: This is part of a regex pattern comment demonstrating the format for cross-reference commit patterns. The string 'd8a994ef243349f321568f9e36d5c3f444b99cae' is a 40-character hexadecimal string used as an example of a Git commit SHA in the comment explaining the regex pattern. It appears in a comment line that reads '// e.g. go-gitea/gitea@d8a994ef, go-gitea/gitea@d8a994ef243349f321568f9e36d5c3f444b99cae (7-40 characters)'. This is clearly documentation showing the expected format for matching commit references, not an actual secret.","confidence":95,"addedAt":1769275411842}
-{"contentHash":"3d55bfadf3b08e7a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\markup\\html_internal_test.go","reason":"AI: Same jQuery commit SHA used in test case validation. Public commit identifier.","confidence":100,"addedAt":1769275334913}
-{"contentHash":"c4e211e2fe675e52","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\markup\\html_internal_test.go","reason":"AI: Same jQuery commit SHA used in test case validation. Public commit identifier.","confidence":100,"addedAt":1769275334922}
-{"contentHash":"545b0badd1203cc6","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\markup\\html_test.go","reason":"AI: This is a duplicate detection of the same BitTorrent info hash on line 174. The pattern appears twice in the same line because the hash appears in both the href attribute and the link text of the rendered HTML. This is test fixture data for validating markup rendering, not a GitHub OAuth token.","confidence":99,"addedAt":1769275346798}
-{"contentHash":"bc08fdc88ff9de6a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\templates\\util_render_test.go","reason":"AI: This is a Git commit SHA hash (12fc37a3c0a4dda553bdcfc80c178a58247f42fb) in expected test output for MarkdownToHtml test. Git commit SHAs are public identifiers, not secrets. This is part of the expected HTML output in a test assertion.","confidence":99,"addedAt":1769275486494}
-{"contentHash":"3472ed74bcad9b4c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\templates\\util_render_test.go","reason":"AI: This is a Git commit SHA hash (88fc37a3c0a4dda553bdcfc80c178a58247f42fb) in expected test output for MarkdownToHtml test. Git commit SHAs are public identifiers, not secrets. This is part of the expected HTML output in a test assertion.","confidence":99,"addedAt":1769275486499}
-{"contentHash":"0388a2a62c3061b8","patternId":"redis-uri","filePath":"..\\gitcaddy\\modules\\nosql\\manager_redis_test.go","reason":"AI: This is another test connection URI 'redis://redis:password@myredis/12' in the TestRedisDatabaseIndexTcp function. It uses the same generic placeholder credentials ('redis:password') and fake hostname ('myredis') as the other tests. This is clearly test code verifying database index parsing functionality, not containing real credentials.","confidence":95,"addedAt":1769253161295}
-{"contentHash":"f0b66987c70222d9","patternId":"redis-uri","filePath":"..\\gitcaddy\\modules\\nosql\\redis.go","reason":"AI: This is a documentation comment explaining the Redis URI connection string format. The detected pattern 'redis://[username:password@]host[:port][/database][?[option=value]*]' is a template/schema showing the structure of Redis URIs with placeholder syntax (brackets indicating optional components). This is not an actual credential but rather documentation of the expected format.","confidence":99,"addedAt":1769253165075}
-{"contentHash":"d3143999597ff181","patternId":"redis-uri","filePath":"..\\gitcaddy\\modules\\nosql\\redis_test.go","reason":"AI: This is a test file (redis_test.go) containing test cases for Redis URI conversion. The connection string 'network=tcp,addr=127.0.0.1:6379,password=macaron,db=0,pool_size=100,idle_timeout=180' uses 'macaron' as a password, which is clearly a placeholder/example value named after the Macaron web framework. The test is validating URI conversion logic, not containing real credentials. The localhost address (127.0.0.1) and generic password further confirm this is test data.","confidence":95,"addedAt":1769253169157}
-{"contentHash":"147855a5aec1e12a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\alpine\\metadata_test.go","reason":"AI: This is a test file assertion checking that the CommitHash field equals '1111e709613fbc979651b09ac2bc27c6591a9999'. This is the same mock Git commit hash value used in the test fixture above. It's clearly test data with an obvious fake pattern (repeating 1111 and 9999), and represents a Git commit hash in Alpine package metadata, not a GitHub OAuth token.","confidence":95,"addedAt":1769275377950}
-{"contentHash":"168601827c50b370","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_maven_test.go","reason":"AI: This is the same SHA-1 hash value ('a94a8fe5ccb19ba61c4c0873d391e987982fbbd3') appearing again in the test file, used for checksum verification. It's testing the download checksum functionality for Maven packages. This is a well-known SHA-1 hash of the string 'test', not a secret token.","confidence":99,"addedAt":1769276508810}
-{"contentHash":"005bcfc452209697","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\hashed_buffer_test.go","reason":"AI: This is a SHA1 hash value used in a test case to verify hash computation functionality. The file is a test file that tests hashing of the string 'testtest'. The value '51abb9636078defbf888d8457a7c76f85c8f114c' is the SHA1 hash of the word 'testtest', not a GitHub OAuth token. It appears in a test case structure alongside corresponding MD5, SHA256, and SHA512 hashes for validation purposes.","confidence":95,"addedAt":1769275389426}
-{"contentHash":"dd8042551421f03b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\multi_hasher_test.go","reason":"AI: This is a SHA1 hash constant used in a test file for validating hash computation. The value '060b3b99f88e96085b4a68e095bc9e3d1d91e1bc' is the expected SHA1 hash of the string 'gitea' and is used to verify the MultiHasher implementation works correctly. It's not a GitHub OAuth token, but rather a cryptographic hash that happens to match the pattern of a hex-encoded string.","confidence":99,"addedAt":1769275393907}
-{"contentHash":"4c321f391f304576","patternId":"azure-storage-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_npm_test.go","reason":"AI: This is an assertion in a test file verifying that the integrity hash 'sha512-yA4FJsVhetynGfOC1jFf79BuS+jrHbm0fhh+aHzCQkOaOBXKf9oBnC4a6DnLLnEsHQDRLYd00cwj8sCXpC+wIg==' matches the expected value. This is the same test data from line 65 being validated. It's a mock SHA-512 integrity hash for NPM package testing, not an Azure storage key.","confidence":95,"addedAt":1769254340236}
-{"contentHash":"2e95a4380ff80a7a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_pull_test.go","reason":"AI: This is an obviously fake/placeholder commit SHA (abcd1234abcd1234abcd1234abcd1234abcd1234) used in a test to verify error handling when an invalid commit is requested. The variable name 'invalidCommitSHA' explicitly states this is invalid, and the pattern 'abcd1234' repeated is a clear indicator of test data. This is used to test the 404 Not Found response path.","confidence":98,"addedAt":1769276533688}
-{"contentHash":"deb87fabd17715bb","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\commits_test.go","reason":"AI: This is the same test constant 'hexString1' with value '0123456789abcdef0123456789abcdef01234567' used in another test function. It's a mock Git commit SHA-1 hash with an obvious sequential pattern (0123456789abcdef repeated), used for testing Git commit functionality, not a real GitHub OAuth token.","confidence":99,"addedAt":1769275426404}
-{"contentHash":"bafec2d5bcb2f60f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\commits_test.go","reason":"AI: This is a test constant 'hexString2' with value 'fedcba9876543210fedcba9876543210fedcba98', which is a 40-character hexadecimal string used as a mock Git commit SHA-1 hash. It follows a reverse sequential pattern (fedcba9876543210 repeated), clearly indicating it's a placeholder value for testing purposes, not a real GitHub OAuth token.","confidence":99,"addedAt":1769275426407}
-{"contentHash":"439f4119c30858f3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\repo_test.go","reason":"AI: This is a Git commit SHA-1 hash (1006e6e13c73ad3d9e2d5682ad266b5016523485) used in test code for database release mock data. Git commit hashes are public identifiers, not secrets. This is the same hash from line 27, reused in the dbReleases fixture.","confidence":95,"addedAt":1769275436852}
-{"contentHash":"5f35723df6a416f7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\repo_test.go","reason":"AI: This is a Git commit SHA-1 hash (bbdb7df30248e7d4a26a909c8d2598a152e13868) used in test code for repository tag testing. Git commit hashes are public identifiers, not secrets. The context shows this is mock data for testing tag retagging scenarios.","confidence":95,"addedAt":1769275436845}
-{"contentHash":"ac01cd80f19bce95","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\repo_test.go","reason":"AI: This is a Git commit SHA-1 hash (a5147145e2f24d89fd6d2a87826384cc1d253267) used in test code for repository tag testing. Git commit hashes are public identifiers, not secrets. The context shows this is mock data for testing new tag creation.","confidence":95,"addedAt":1769275436847}
-{"contentHash":"f70030efaf3b1458","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\repo_test.go","reason":"AI: This is a Git commit SHA-1 hash (244758d7da8dd1d9e0727e8cb7704ed4ba9a17c3) used in test code for database release mock data. Git commit hashes are public identifiers, not secrets. This is the same hash reused in another test fixture entry.","confidence":95,"addedAt":1769275436850}
-{"contentHash":"7dfc62608f587b18","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\repository\\repo_test.go","reason":"AI: This is a Git commit SHA-1 hash (53ab18dcecf4152b58328d1f47429510eb414d50) used in test code for database release mock data. Git commit hashes are public identifiers, not secrets. This appears in the dbReleases test fixture for testing update scenarios.","confidence":95,"addedAt":1769275436854}
-{"contentHash":"0ccead5ab37eb478","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\modules\\secretscan\\patterns.go","reason":"AI: This is a regex pattern definition in a secret scanning tool. The string '-----BEGIN OPENSSH PRIVATE KEY-----' is part of a regexp.MustCompile() call that defines what pattern to search for, not an actual private key. This is code that detects secrets, not a secret itself.","confidence":95,"addedAt":1769253238535}
-{"contentHash":"7077754e95ca80dc","patternId":"private-key-ec","filePath":"..\\gitcaddy\\modules\\secretscan\\patterns.go","reason":"AI: This is a regex pattern definition in a secret scanning tool. The string '-----BEGIN EC PRIVATE KEY-----' is part of a regexp.MustCompile() call that defines what pattern to search for, not an actual private key. This is code that detects secrets, not a secret itself.","confidence":95,"addedAt":1769253238540}
-{"contentHash":"b6634a8e9f9e0584","patternId":"private-key-dsa","filePath":"..\\gitcaddy\\modules\\secretscan\\patterns.go","reason":"AI: This is a regex pattern definition in a secret scanning tool. The string '-----BEGIN DSA PRIVATE KEY-----' is part of a regexp.MustCompile() call that defines what pattern to search for, not an actual private key. This is code that detects secrets, not a secret itself.","confidence":95,"addedAt":1769253238543}
-{"contentHash":"301b002c6b859f18","patternId":"private-key-pgp","filePath":"..\\gitcaddy\\modules\\secretscan\\patterns.go","reason":"AI: This is a regex pattern definition in a secret scanning tool. The string '-----BEGIN PGP PRIVATE KEY BLOCK-----' is part of a regexp.MustCompile() call that defines what pattern to search for, not an actual private key. This is code that detects secrets, not a secret itself.","confidence":95,"addedAt":1769253238545}
-{"contentHash":"be323abe3d4c0876","patternId":"mysql-uri","filePath":"..\\gitcaddy\\modules\\secretscan\\patterns.go","reason":"AI: This is a regex pattern definition in a secret scanning tool. The string 'mysql://[^:]+:[^@]+@[^/]+/[^\\s\"']+' is a regular expression pattern used to detect MySQL connection strings, not an actual connection string with credentials. This is code that detects secrets, not a secret itself.","confidence":95,"addedAt":1769253238547}
-{"contentHash":"daababcd561a37f0","patternId":"postgres-uri","filePath":"..\\gitcaddy\\modules\\setting\\database_test.go","reason":"AI: This is a test file (database_test.go) containing unit tests for PostgreSQL connection string parsing. The detected pattern is part of a test case with obviously fake credentials ('pgsqlusername', 'I love Gitea!') used to verify URL encoding functionality. The values are hardcoded test data, not real database credentials.","confidence":95,"addedAt":1769253244113}
-{"contentHash":"6749aa972e61de86","patternId":"postgres-uri","filePath":"..\\gitcaddy\\modules\\setting\\database_test.go","reason":"AI: This is a test file (database_test.go) containing unit tests for PostgreSQL connection string generation. The detected pattern is part of a test case with simple placeholder credentials ('user', 'pass') used to verify connection string formatting with query parameters. These are clearly mock values for testing purposes, not real database credentials.","confidence":95,"addedAt":1769253244116}
-{"contentHash":"0011cc25eb432071","patternId":"azure-storage-key","filePath":"..\\gitcaddy\\tests\\mssql.ini.tmpl","reason":"AI: This is the well-known Azure Storage Emulator (Azurite) default account key 'Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=='. This is a publicly documented default key used with the Azure storage emulator for local development. The endpoint 'devstoreaccount1.azurite.local:10000' and account name 'devstoreaccount1' confirm this is the standard Azurite emulator configuration, not a real Azure storage account.","confidence":98,"addedAt":1769254589146}
-{"contentHash":"1b96ffa0d5c86a69","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\options\\gitignore\\Flutter","reason":"AI: This is a false positive detection in a Flutter .gitignore file. The detected pattern '/mac********************rant' is actually part of the gitignore entry '**/macos/Flutter/GeneratedPluginRegistrant.swift' which specifies a file path pattern to ignore. The asterisks are gitignore wildcards for path matching, not part of an AWS secret key. This is a standard Flutter project configuration file with no actual secrets.","confidence":99,"addedAt":1769253275105}
-{"contentHash":"1b34137a01ef16bd","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\options\\gitignore\\Prestashop","reason":"AI: This is a false positive. The detected pattern 'dev/********************ggle' is actually part of a gitignore file path pattern '/admin-dev/autoupgrade/*'. The asterisks are gitignore wildcard characters used for pattern matching, not part of an AWS secret key. This is a standard gitignore syntax for ignoring all files in the /admin-dev/autoupgrade/ directory.","confidence":95,"addedAt":1769253278823}
-{"contentHash":"e675c8bb27e8c5e2","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\options\\gitignore\\WordPress","reason":"AI: This is a false positive detection. The matched text 'com/********************ress' is part of a URL comment '# https://github.com/github/gitignore/blob/main/WordPress.gitignore' in a WordPress .gitignore file. The pattern matcher incorrectly identified part of the URL path containing 'github.com' and 'WordPress' as an AWS Secret Access Key. This is clearly a GitHub URL reference, not a secret key.","confidence":99,"addedAt":1769253283110}
-{"contentHash":"dd4e9c1f41746379","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\actions\\actions.go","reason":"AI: This is a false positive. The detected pattern 'com/********************nner' is part of a Go import path 'code.gitcaddy.com/server/v3/routers/api/actions/runner'. This is a standard Go package import statement, not an AWS Secret Access Key. The pattern matcher incorrectly identified this as a secret due to the 'com/' prefix and 'nner' suffix matching some pattern, but it's clearly just a URL path component in an import statement.","confidence":99,"addedAt":1769253287209}
-{"contentHash":"11e34898eccc7e0c","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_cargo_test.go","reason":"AI: This is a false positive. The detected pattern 'com/********************argo' is actually part of an import path 'code.gitcaddy.com/server/v3/tests' followed by another import for cargo_router. The secret detection tool incorrectly matched across multiple lines of Go import statements. This is clearly test code (in tests/integration directory) with standard Go package imports, not an AWS secret key.","confidence":99,"addedAt":1769254297883}
-{"contentHash":"455dc9bec93745c6","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_conan_test.go","reason":"AI: This is a false positive detection. The matched string 'com/********************onan' is part of an import path 'code.gitcaddy.com/server/v3/models/packages/conan' in a Go source file. This is a module import statement, not an AWS secret key. The pattern matcher incorrectly identified the substring 'com/' followed by 'onan' (from 'conan') as matching an AWS secret key pattern, but it's clearly just a URL path component in a package import.","confidence":99,"addedAt":1769254315829}
-{"contentHash":"0ee22c9629c9ff08","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\packages\\api.go","reason":"AI: This is a Go import path 'code.gitcaddy.com/server/v3/routers/api/packages/conda', not an AWS secret key. The pattern matcher incorrectly flagged this as a secret because it contains 'com/' followed by characters, but it's actually part of a standard Go package import statement.","confidence":100,"addedAt":1769253295806}
-{"contentHash":"b5e7f797570db81b","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\packages\\api.go","reason":"AI: This is a Go import path 'code.gitcaddy.com/server/v3/routers/api/packages/maven', not an AWS secret key. The pattern matcher incorrectly flagged this as a secret because it contains 'com/' followed by characters, but it's actually part of a standard Go package import statement.","confidence":100,"addedAt":1769253295808}
-{"contentHash":"8da8c2e0d423acdc","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_nuget_test.go","reason":"AI: This is a false positive. The detected pattern 'com/********************uget' is part of an import path 'code.gitcaddy.com/server/v3/routers/api/packages/nuget' in a Go source file. This is a module import statement, not an API key. The asterisks in the detection are masking normal characters in the URL path structure. This is test code for NuGet package integration testing, and the pattern match is incorrectly identifying a URL path as a secret.","confidence":95,"addedAt":1769254345616}
-{"contentHash":"298a700a63998ff1","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_swift_test.go","reason":"AI: This is a false positive. The detected pattern 'com/********************wift' is actually part of a Go import path 'code.gitcaddy.com/server/v3/modules/packages/swift' where 'swift' refers to the Swift programming language package module. This is test code for Swift package integration, and the pattern match is coincidental - it's matching across the import path structure, not an actual AWS secret key.","confidence":99,"addedAt":1769254350386}
-{"contentHash":"9b6462f2a4d6842e","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\v1\\api.go","reason":"AI: This is part of an import path 'code.gitcaddy.com/server/v3/models/perm/access' where the detected pattern 'com/********************ypub' is actually a substring of the module path. The '/access' at the end and the context of being in an import statement makes it clear this is not an AWS secret key but rather part of a code repository URL structure.","confidence":95,"addedAt":1769253317432}
-{"contentHash":"41cd047e64ffd8dd","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\v1\\misc\\markup_test.go","reason":"AI: This is a false positive. The detected pattern is part of a URL string in test code: 'http://localhost:3000/user2/repo1/src/branch/main/image.png'. The pattern matcher incorrectly identified '3000' followed by text ending in 'mage' as an AWS Secret Access Key, but it's actually just a localhost port number (3000) and the word 'image' from a test URL path. This is identical to lines 161 and 165 and appears in the same test function.","confidence":95,"addedAt":1769253324965}
-{"contentHash":"605daf76557c3f8a","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\api\\v1\\org\\pinned.go","reason":"AI: This is a false positive. The detected pattern '/def********************tion' is part of a Swagger/OpenAPI schema reference '#/definitions/CreateOrgPinnedGroupOption' in the API documentation comment. The pattern matcher incorrectly identified 'definitions' as containing a secret pattern, but it's actually just part of the standard OpenAPI/Swagger documentation syntax for referencing schema definitions.","confidence":99,"addedAt":1769253329384}
-{"contentHash":"20a18b2865c16c0e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\private\\hook_verification_test.go","reason":"AI: This is a Git commit SHA hash (72920278f2f999e3005801e5d5b8ab8139d3641c) used in test code for hook verification. This is the same commit SHA that appears on line 33. Git commit SHAs are publicly visible and not secrets.","confidence":95,"addedAt":1769275509383}
-{"contentHash":"129196a28061e93c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\private\\tests\\repos\\repo1_hook_verification\\refs\\heads\\main","reason":"AI: This is a Git commit SHA hash, not a GitHub OAuth token. The file path 'refs/heads/main' indicates this is a Git reference file that stores the commit hash for the main branch. Git commit SHAs are 40-character hexadecimal strings that look similar to tokens but are public identifiers, not secrets. This appears to be part of a test repository structure ('tests/repos/repo1_hook_verification') which further confirms it's a legitimate Git reference.","confidence":95,"addedAt":1769275529982}
-{"contentHash":"e4ab455a6d0bbd1b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\private\\hook_verification_test.go","reason":"AI: This is a Git commit SHA hash (93eac826f6188f34646cea81bf426aa5ba7d3bfe) used in test code for hook verification. The comment 'New branch with verified commit' confirms this is test data. Git commit SHAs are publicly visible and not secrets.","confidence":95,"addedAt":1769275509378}
-{"contentHash":"e5906c61bd950384","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\private\\hook_verification_test.go","reason":"AI: This is a Git commit SHA hash (72920278f2f999e3005801e5d5b8ab8139d3641c) used in test code for hook verification. This is the same commit SHA that appears on line 33. Git commit SHAs are publicly visible and not secrets.","confidence":95,"addedAt":1769275509381}
-{"contentHash":"f52c905ac1ca146a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\private\\hook_verification_test.go","reason":"AI: This is a Git commit SHA hash (9ce3f779ae33f31fce17fac3c512047b75d7498b) used in test code for hook verification. The comment 'New branch with unverified commit' confirms this is test data. Git commit SHAs are publicly visible and not secrets.","confidence":95,"addedAt":1769275509385}
-{"contentHash":"b7dcf0ae770b3959","patternId":"postgres-uri","filePath":"..\\gitcaddy\\routers\\web\\admin\\admin_test.go","reason":"AI: This is a test case in a unit test file (admin_test.go) that tests the shadowPassword function. The connection string 'postgres://user:pass@hostname/dbname' uses generic placeholder values ('user', 'pass', 'hostname', 'dbname') that are clearly example values for testing password masking functionality. The test verifies that the password 'pass' gets replaced with '******' in the output.","confidence":95,"addedAt":1769253370753}
-{"contentHash":"29ca483b2a4ad31a","patternId":"postgres-uri","filePath":"..\\gitcaddy\\routers\\web\\admin\\admin_test.go","reason":"AI: This is the expected result in a test case that demonstrates the shadowPassword function working correctly. The value 'postgres://user:******@hostname/dbname' shows the password already masked with asterisks, which is the expected output of the password masking function being tested. This is test data verifying proper secret redaction, not an actual secret.","confidence":95,"addedAt":1769253370757}
-{"contentHash":"f1c0edd46f3a0ef3","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\web\\repo\\setting\\secrets.go","reason":"AI: This is a false positive. The detected pattern 'com/********************rets' is part of an import path 'code.gitcaddy.com/server/v3/routers/web/shared/secrets' which is a Go package import statement. The word 'secrets' at the end is part of the package name referring to secrets management functionality, not an actual secret value. This is standard Go code structure.","confidence":99,"addedAt":1769253374466}
-{"contentHash":"8ad0ee559b698737","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\web\\repo\\treelist_test.go","reason":"AI: This is a test file (treelist_test.go) containing mock data. The value '4acf7eef1c943a09e9f754e93ff190db8583236b' appears to be a NameHash field used in test assertions for file tree transformation. It's a SHA-1 hash used as a test fixture, not a GitHub OAuth token. The context shows this is part of a WebDiffFileItem structure being tested.","confidence":95,"addedAt":1769275535296}
-{"contentHash":"d34b96389b3b272e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\web\\repo\\treelist_test.go","reason":"AI: This is a test file (treelist_test.go) containing mock data. The value '60b27f004e454aca81b0480209cce5081ec52390' appears to be a NameHash field used in test assertions for file tree transformation. It's a SHA-1 hash used as a test fixture, not a GitHub OAuth token. The context shows this is part of a WebDiffFileItem structure being tested.","confidence":95,"addedAt":1769275535300}
-{"contentHash":"06e1d1aed238d512","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\web\\web.go","reason":"AI: This is part of an import path 'code.gitcaddy.com/server/v3/routers/web/shared/actions' in a Go source file. The pattern matched 'com/********************ions' which is just a substring of the package import path, not an actual AWS secret key. Import paths are code structure declarations, not credentials.","confidence":95,"addedAt":1769253391301}
-{"contentHash":"ac168532559c1760","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\routers\\web\\web.go","reason":"AI: This is part of an import path 'code.gitcaddy.com/server/v3/routers/web/shared/project' in a Go source file. The pattern matched 'com/********************ject' which is just a substring of the package import path, not an actual AWS secret key. Import paths are code structure declarations, not credentials.","confidence":95,"addedAt":1769253391304}
-{"contentHash":"48b3863d1413e620","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\actions\\context.go","reason":"AI: This is an example SHA commit hash used in a code comment to illustrate the format of the 'sha' field in the GitHub Actions context. The comment explicitly states 'For example, ffac537e6cbbf934b08745a378932722df287a53.' This is documentation showing what a commit SHA looks like, not an actual secret token. The value is a 40-character hexadecimal string which is the standard format for Git commit SHAs, not a GitHub OAuth token.","confidence":95,"addedAt":1769275540411}
-{"contentHash":"540fe0b888467ee8","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\services\\asymkey\\commit_test.go","reason":"AI: This is a test file (commit_test.go) and the OpenSSH private key is embedded in a comment block as test data. The comment explicitly shows it's for testing SSH signature parsing. The corresponding public key is added to a test database with user ID 999 (clearly a test user). This is test fixture data, not a real secret in use.","confidence":95,"addedAt":1769253405161}
-{"contentHash":"6d40d0288548999f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\asymkey\\commit_test.go","reason":"AI: This is a Git tree SHA-1 hash (a3b1fad553e0f9a2b4a58327bebde36c7da75aa2) used in a test file for parsing SSH-signed commits. Git tree hashes are cryptographic hashes of repository content, not authentication tokens. The pattern was incorrectly flagged as a GitHub OAuth token due to similar hexadecimal format, but this is clearly test data within a commit object structure.","confidence":99,"addedAt":1769275546356}
-{"contentHash":"c539478d1f8db687","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\asymkey\\commit_test.go","reason":"AI: This is a Git tree SHA-1 hash (9a93ffa76e8b72bdb6431910b3a506fa2b39f42e) used in a test file for parsing SSH-signed commits. Git tree hashes are cryptographic hashes of repository content, not authentication tokens. The pattern was incorrectly flagged as a GitHub OAuth token due to similar hexadecimal format, but this is clearly test data within a commit object structure for the TrustedSSHKey test case.","confidence":99,"addedAt":1769275546360}
-{"contentHash":"79141b050620735f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\submodule_test.go","reason":"AI: Git commit SHA hash (68972a994719ae5c74e28d8fa82fa27c23399bc8) in expected test results for the 'converted to submodule' test case, validating the new commit reference extraction.","confidence":99,"addedAt":1769275636519}
-{"contentHash":"53b92c908d9faa21","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\submodule_test.go","reason":"AI: Git commit SHA hash (c8ffe777cf9c5bb47a38e3e0b3a3b5de6cd8813d) in expected test results for the 'converted to file' test case.","confidence":99,"addedAt":1769275636514}
-{"contentHash":"f6317238a3b9c8a1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\submodule_test.go","reason":"AI: Git commit SHA hash (8eefa1f6dedf2488db2c9e12c916e8e51f673160) in expected test results, representing the new commit reference after move and update.","confidence":99,"addedAt":1769275636509}
-{"contentHash":"70ef637a97ad0f92","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\codebase_test.go","reason":"AI: This is a Git commit SHA hash (1287f206b888d4d13540e0a8e1c07458f5420059) used in test code to reference a specific commit in a pull request. It's part of a test assertion for the Head branch SHA in a PullRequest object. Git commit SHAs are public identifiers, not secrets, and this appears in a test file validating migration functionality.","confidence":95,"addedAt":1769275654017}
-{"contentHash":"9d996a7b04fdc4e5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\migrate_test.go","reason":"AI: This is a Git commit SHA hash (827aa28a907853e5ddfa40c8f9bc52471a2685fd), not a GitHub OAuth token. The value appears in a test file that's verifying migration functionality from gitea.com, and it's being used to assert the MergedCommitID of a pull request. Git commit SHAs are public identifiers in repositories and are not secrets. The pattern detector incorrectly flagged this as a token due to the hexadecimal format, but the context clearly shows it's a commit hash being validated in an integration test.","confidence":95,"addedAt":1769276699616}
-{"contentHash":"8cb7754a8da27420","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\gitea_downloader_test.go","reason":"AI: This is a Git commit SHA hash (b6ab5d9ae000b579a5fff03f92c486da4ddf48b6) used in test code for pull request head branch reference. Git SHAs are public identifiers, not secrets. The context shows this is part of a PullRequestBranch structure in a test file.","confidence":95,"addedAt":1769275667212}
-{"contentHash":"9421fd77c8548310","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\gitea_downloader_test.go","reason":"AI: This is a Git commit SHA hash (187ece0cb6631e2858a6872e5733433bb3ca3b03) used as CommitID in yet another review test structure. Git SHAs are public identifiers, not secrets. This is the same SHA used throughout the test data for the review functionality tests.","confidence":95,"addedAt":1769275667224}
-{"contentHash":"d2461b63569ea195","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a Git commit SHA hash (076160cf0b039f13e5eff19619932d181269414b) used in test data for Review.CommitID field. Not an OAuth token.","confidence":95,"addedAt":1769275686143}
-{"contentHash":"e1e98a880fc90b81","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a Git commit SHA hash (2be9101c543658591222acbee3eb799edfc3853d) used in test data for ReviewComment.CommitID field. Not an OAuth token.","confidence":95,"addedAt":1769275686153}
-{"contentHash":"8794f091a92f7d2c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\github_test.go","reason":"AI: This is a Git commit SHA hash (565d1208f5fffdc1c5ae1a2436491eb9a5e4ebae) used as MergeCommitSHA in test data. Not an OAuth token.","confidence":95,"addedAt":1769275686135}
-{"contentHash":"1d15b7b7455f70b9","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\gitlab_test.go","reason":"AI: This is a Git commit SHA hash (0720a3ec57c1f843568298117b874319e7deee75) used as a TargetCommitish in test code for GitLab migration testing. It's part of test data representing a release's target commit, not an authentication token. The pattern was misidentified as a GitHub OAuth token due to the hexadecimal format, but commit SHAs are 40 characters long and publicly visible in repositories.","confidence":95,"addedAt":1769275693422}
-{"contentHash":"f9af1062c783c8b8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\gitlab_test.go","reason":"AI: This is a Git commit SHA hash (9f733b96b98a4175276edf6a2e1231489c3bdd23) used in test code to represent the HEAD SHA of a pull request branch. It's part of test data for GitLab migration testing, not an authentication token. The pattern was misidentified as a GitHub OAuth token due to the hexadecimal format, but commit SHAs are 40 characters long and are publicly visible metadata in Git repositories.","confidence":95,"addedAt":1769275693425}
-{"contentHash":"5ff4844aff5e64f2","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\migrations\\onedev_test.go","reason":"AI: This is a Git commit SHA hash (343deffe3526b9bc84e873743ff7f6e6d8b827c0) used in test code to reference a specific commit in a pull request branch. Git commit SHAs are public identifiers, not secrets. The value appears in a test file (onedev_test.go) testing migration functionality from OneDev, where it represents the HEAD commit of a pull request branch.","confidence":95,"addedAt":1769275698984}
-{"contentHash":"426bb830cbb6c2e3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\mirror\\mirror_pull_test.go","reason":"AI: This is a Git commit SHA hash (7f894307ffc9553edbd0b671cab829786866f7b2) used in a test case error message to simulate a race condition where a ref has an expected commit value. This is part of test data for error handling scenarios, not a GitHub OAuth token.","confidence":95,"addedAt":1769275705394}
-{"contentHash":"68c71c03ed3f3ca7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\mirror\\mirror_pull_test.go","reason":"AI: This is a Git commit SHA hash (7f894307ffc9553edbd0b671cab829786866f7b2) used in a test case error message to simulate a race condition where a ref has an expected commit value. This is part of test data for error handling scenarios, not a GitHub OAuth token.","confidence":95,"addedAt":1769275705398}
-{"contentHash":"004878340e83e2d8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\repository\\files\\diff_test.go","reason":"AI: This is a test file (diff_test.go) and the value '8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d' is assigned to 'NameHash' field in a test data structure. This appears to be a Git hash (40 hex characters) used for testing diff functionality, not a GitHub OAuth token. The context shows it's part of expectedDiff test data for validating diff output, and Git hashes are commonly used in repository testing.","confidence":95,"addedAt":1769275746413}
-{"contentHash":"6cbc9654c71d136d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git blob SHA hash (4b4851ad51df6a7d9f25c979345979eaeb5b349f) used in test code, same as line 51. Public Git object identifier for file content.","confidence":95,"addedAt":1769276779030}
-{"contentHash":"72a3fb399b150ae3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\repository\\gitgraph\\graph_test.go","reason":"AI: This is the same Git commit SHA hash (4e61bacab44e9b4730e44a6615d04098dd3a8eaf) appearing again in test data within the 'TestCommitStringParsing' function. The value is part of a test string 'dataFirstPart' used to validate commit message parsing. This is clearly mock/test data representing a Git commit identifier, not a GitHub OAuth token. The pattern matches a Git SHA-1 hash format which is a public version control identifier.","confidence":95,"addedAt":1769275767959}
-{"contentHash":"3ae2493ada432760","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\webhook\\telegram_test.go","reason":"AI: This is a Git commit SHA hash (2020558fe2e34debb818a514715839cabd25e778) used in test code, not a GitHub OAuth token. The value appears in a URL path for a commit reference in a webhook test payload. Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769275855175}
-{"contentHash":"e89a0bcdf2728006","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\webhook\\general_test.go","reason":"AI: This is mock test data in a webhook test file. The value '2020558fe2e34debb818a514715839cabd25e777' is used as the 'Before' commit SHA in a push payload test. It represents the previous commit state in a Git push operation, which is public information, not a secret token.","confidence":95,"addedAt":1769275827661}
-{"contentHash":"f9c3dce648efacd8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\webhook\\matrix_test.go","reason":"AI: This is a SHA1 hash (0a4d55a8d778e5022fab701977c5d840bbc486d0) that is the expected output of hashing 'Hello World' in a unit test. It's the expected result in a test case for the getMatrixTxnID function, not a secret token.","confidence":100,"addedAt":1769275839693}
-{"contentHash":"7faf445065087b5d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\limited_org\\private_repo_on_limited_org.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40 character hexadecimal string) stored in a Git refs file, not a GitHub OAuth token. The file path 'refs/heads/master' indicates this is a Git reference file that stores the commit hash that the master branch points to. Git commit SHAs are public identifiers, not secrets. While the pattern matches the format of a GitHub OAuth token, the context clearly shows this is a Git internal file.","confidence":95,"addedAt":1769275859583}
-{"contentHash":"b4890e9b04cfb98a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\limited_org\\public_repo_on_limited_org.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) stored in a Git reference file under .git/refs/heads/master. The file path 'tests\\gitea-repositories-meta\\limited_org\\public_repo_on_limited_org.git\\refs\\heads\\master' clearly indicates this is part of a test repository structure. Git commit hashes are public identifiers, not secrets. The pattern was incorrectly flagged as a GitHub OAuth token due to similar character length and hexadecimal format, but the context (Git refs file) definitively identifies this as a commit hash.","confidence":95,"addedAt":1769275864345}
-{"contentHash":"611c7ad43bf0ea1c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\migration\\lfs-test.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40 hexadecimal characters) located in a Git refs file (refs/heads/master), not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/migration/lfs-test.git/refs/heads/master' indicates this is test data for a Git repository migration test. Git refs files contain commit hashes that point to specific commits, which is the expected format and content for this file type. While it matches the pattern of a 40-character hex string similar to some legacy tokens, the context clearly shows this is a legitimate Git reference.","confidence":95,"addedAt":1769275869695}
-{"contentHash":"83e0cc26cc6e9593","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\org26\\repo_external_tracker_numeric.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) stored in a Git refs file, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/org26/repo_external_tracker_numeric.git/refs/heads/master' indicates this is part of a Git repository's internal structure where refs/heads/master contains the commit hash that the master branch points to. Git commit hashes are public identifiers, not secrets.","confidence":95,"addedAt":1769275957475}
-{"contentHash":"69b616cd4406cb8e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo1.git\\refs\\heads\\home-md-img-check","reason":"AI: This is a Git reference file (refs/heads/home-md-img-check) containing a Git commit SHA-1 hash (78fb907e3a3309eae4fe8fef030874cebbf1cd5e), not a GitHub OAuth token. Git commit hashes are 40-character hexadecimal strings that look similar to tokens but are public identifiers for commits in version control. The file path structure 'refs/heads/' is the standard Git internal structure for storing branch references. This is test repository metadata, not a secret.","confidence":95,"addedAt":1769276263725}
-{"contentHash":"66af926be9fd3739","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\org42\\search-by-path.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash (9f894b61946fd2f7b8b9d8e370e4d62f915522f5) in a packed-refs file, not a GitHub OAuth token. It references the master branch in a test Git repository.","confidence":95,"addedAt":1769276012224}
-{"contentHash":"f35db7be60e096fa","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo1.git\\refs\\notes\\commits","reason":"AI: This is a Git reference hash located in a test repository's refs/notes/commits file. The file path 'tests\\gitea-repositories-meta\\user2\\repo1.git\\refs\\notes\\commits' clearly indicates this is test data for a Gitea repository. The value '3fa2f829675543ecfc16b2891aebe8bf0608a8f4' is a 40-character hexadecimal string which is the standard format for a Git commit SHA-1 hash, not a GitHub OAuth token. Git notes references store commit hashes, not secrets.","confidence":95,"addedAt":1769276281003}
-{"contentHash":"5e253b6438d331e5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\org42\\search-by-path.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash (5f22f7d0d95d614d25a5b68592adb345a4b5c7fd) in a packed-refs file, not a GitHub OAuth token. It references a pull request (refs/pull/3/head) in a test Git repository.","confidence":95,"addedAt":1769276012233}
-{"contentHash":"239e66c093253b4d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\org42\\search-by-path.git\\objects\\info\\packs","reason":"AI: This is a Git pack file reference in a standard Git repository metadata file. The string 'pack-a7bef76cf6e2b46bc816936ab69306fb10aea571.pack' is a Git pack filename where the hex string is a SHA-1 hash identifying the pack file, not a GitHub OAuth token. The file path 'objects/info/packs' is a standard Git internal structure file that lists available pack files. Additionally, this is in a test directory ('tests/gitea-repositories-meta'), confirming this is test data.","confidence":95,"addedAt":1769275996316}
-{"contentHash":"ce97a88c20b74177","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\privated_org\\private_repo_on_private_org.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40 character hexadecimal string) stored in a Git refs file, not a GitHub OAuth token. The file path 'refs/heads/master' indicates this is a Git reference file that stores the commit hash that the master branch points to. Git commit SHAs are public identifiers, not secrets. While the pattern matches the format of a GitHub OAuth token (both are 40 hex characters), the context clearly shows this is a Git internal file.","confidence":95,"addedAt":1769276016900}
-{"contentHash":"07a26e5e536cbab8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\privated_org\\public_repo_on_private_org.git\\refs\\heads\\master","reason":"AI: This is a Git reference file (refs/heads/master) containing a Git commit SHA-1 hash. The file path structure 'refs/heads/master' is the standard Git internal format for storing branch references. The 40-character hexadecimal string 'bf19fd4707acb403c4aca44f126ab69142ac59ce' is a Git commit hash, not a GitHub OAuth token. While both are 40-character hex strings, the context clearly indicates this is part of Git's internal repository structure in a test directory.","confidence":95,"addedAt":1769276021654}
-{"contentHash":"32c223cc2e3bf7b1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user13\\repo11.git\\refs\\heads\\branch2","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) located in a Git refs file (.git/refs/heads/branch2), not a GitHub OAuth token. The file path and format clearly indicate this is a Git reference pointer to a commit object. Git commit hashes are public identifiers, not secrets. The pattern was misidentified as a GitHub OAuth token due to similar character length and hexadecimal format.","confidence":95,"addedAt":1769276058593}
-{"contentHash":"ecbb8fb49fd32d02","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\commitsonpr.git\\refs\\pull\\1\\head","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) stored in a Git reference file under 'refs/pull/1/head'. The file path indicates this is part of a test repository structure ('tests/gitea-repositories-meta'). Git commit hashes are not secrets - they are public identifiers for commits. The pattern was incorrectly flagged as a GitHub OAuth token, but it's actually a standard Git reference.","confidence":95,"addedAt":1769276122905}
-{"contentHash":"83d85d56960698f0","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\commits_search_test.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) stored in a Git refs file, not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user2/commits_search_test.git/refs/heads/master' indicates this is part of a test repository structure. Git refs files contain commit hashes that point to specific commits, which are public identifiers in version control systems, not secrets. The pattern was misidentified as a GitHub OAuth token due to similar character length and hexadecimal format.","confidence":95,"addedAt":1769276131898}
-{"contentHash":"e9542eff47a49e44","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\glob.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40 hexadecimal characters) located in a Git refs file (refs/heads/master), which is the standard format for Git references. The file path 'tests/gitea-repositories-meta/user2/glob.git/refs/heads/master' indicates this is test data for a Gitea repository. Git commit SHAs are not secrets - they are public identifiers for commits in version control systems. The pattern was incorrectly flagged as a GitHub OAuth token due to similar hexadecimal format, but the context clearly shows it's a Git reference.","confidence":95,"addedAt":1769276163134}
-{"contentHash":"33f02f73d10edf84","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash (40 hex characters) in a packed-refs file, not a GitHub OAuth token. The file is from a test repository (tests/gitea-repositories-meta) and contains Git references. Git SHAs follow the same format as some tokens but serve a completely different purpose.","confidence":95,"addedAt":1769276208449}
-{"contentHash":"4bc5223f8f8ab07b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208452}
-{"contentHash":"5aaf66507355f243","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208454}
-{"contentHash":"c426e2aadd16d701","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208456}
-{"contentHash":"4472eb28cc20b85b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208461}
-{"contentHash":"7ca9e3fbf6538be1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208464}
-{"contentHash":"9b0a4934b49bed8d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208466}
-{"contentHash":"dcd005f6ed7a6b10","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208469}
-{"contentHash":"7384c19445bad2e4","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208470}
-{"contentHash":"2d380b49fa235df7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208473}
-{"contentHash":"27c5bb820120cc12","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208475}
-{"contentHash":"80556ca4b769d478","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208477}
-{"contentHash":"3e91f4020b92db47","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208479}
-{"contentHash":"4cce2c14fdcd1164","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208481}
-{"contentHash":"3478a8b4e0867edf","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208482}
-{"contentHash":"6c0b7ceee0470378","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208484}
-{"contentHash":"ad1cbdb565a60c39","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208485}
-{"contentHash":"ae9c6ec9e824eda7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208487}
-{"contentHash":"75b2bf3bdf0b7f53","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208489}
-{"contentHash":"60218e50cef51143","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208490}
-{"contentHash":"a4edf9f121ff6f01","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\packed-refs","reason":"AI: This is a Git commit SHA-1 hash in a packed-refs file, not a GitHub OAuth token. Part of test repository structure.","confidence":95,"addedAt":1769276208493}
-{"contentHash":"920ff4cd4af8aea6","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\objects\\info\\packs","reason":"AI: This is a Git pack file reference in a Git repository's objects/info/packs file. The string 'pack-8933bd634b76f8154310cccb52537a0195e43166.pack' is a Git pack filename where the hex string is a SHA-1 hash identifying the pack file, not a GitHub OAuth token. This is standard Git internal structure and the file path 'tests\\gitea-repositories-meta\\user2\\readme-test.git\\objects\\info\\packs' confirms this is test repository metadata.","confidence":99,"addedAt":1769276192582}
-{"contentHash":"88e7adb3af9b0f76","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\readme-test.git\\refs\\heads\\fallbacks-broken-symlinks","reason":"AI: This is a Git reference file containing a commit SHA hash (40-character hexadecimal string). The file path 'tests/gitea-repositories-meta/user2/readme-test.git/refs/heads/fallbacks-broken-symlinks' indicates this is a Git repository reference file, which stores commit hashes, not OAuth tokens. Git commit SHAs are public identifiers and not secrets. The pattern was incorrectly flagged as a GitHub OAuth token due to similar character length and hexadecimal format.","confidence":95,"addedAt":1769276212882}
-{"contentHash":"04183dae93ffaa18","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo1.wiki.git\\refs\\heads\\master","reason":"AI: This is a Git reference file (refs/heads/master) containing a Git commit SHA-1 hash, not a GitHub OAuth token. The file path 'tests\\gitea-repositories-meta\\user2\\repo1.wiki.git\\refs\\heads\\master' clearly indicates this is part of a Git repository structure in a test directory. Git commit hashes are 40-character hexadecimal strings that can superficially resemble tokens, but they are public identifiers, not secrets. The value 'a5bbc0fd39a696feabed2d4cccaf05abbcaf3b02' is a standard Git SHA-1 hash format.","confidence":95,"addedAt":1769276305091}
-{"contentHash":"7aa4db6a38da0cae","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo2.git\\objects\\info\\packs","reason":"AI: This is a Git pack file reference in a test repository. The string 'pack-a2f7ad943b3d857eb3ebdb4b35eeef38f63cf5d2.pack' is a Git pack filename where the hex string is a SHA-1 hash used to identify the pack file, not a GitHub OAuth token. The file is located in 'tests/gitea-repositories-meta/user2/repo2.git/objects/info/packs' which is clearly test data for a Git repository structure. Git pack files use SHA-1 hashes in their naming convention (format: pack-<40-char-hex-hash>.pack), and this matches that pattern exactly.","confidence":95,"addedAt":1769276334650}
-{"contentHash":"7a14cb8e779c6157","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo2.git\\refs\\tags\\v1.1","reason":"AI: This is a Git reference file (refs/tags/v1.1) containing a Git commit SHA-1 hash (40 hexadecimal characters). Git commit hashes are not secrets - they are public identifiers used in version control systems. The file path 'tests/gitea-repositories-meta/user2/repo2.git/refs/tags/v1.1' clearly indicates this is part of a test repository structure mimicking Gitea's internal Git storage format. The pattern was incorrectly flagged as a GitHub OAuth token, but it's actually a standard Git object identifier.","confidence":95,"addedAt":1769276349334}
-{"contentHash":"31c674065ba4cfee","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo20.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40 hexadecimal characters) stored in a Git reference file (.git/refs/heads/master), not a GitHub OAuth token. The file path 'tests/gitea-repositories-meta/user2/repo20.git/refs/heads/master' indicates this is test data for a Gitea repository. Git commit SHAs are public identifiers, not secrets. The pattern was misidentified as a GitHub OAuth token due to similar character patterns.","confidence":95,"addedAt":1769276363291}
-{"contentHash":"76cf3e3e2f6d5a14","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_commits_test.go","reason":"AI: This is a Git commit SHA hash (c8e31bc7688741a5287fcde4fbb8fc129ca07027) used in test assertions for file history testing. It's test data referencing a specific commit in the test repository.","confidence":95,"addedAt":1769276628299}
-{"contentHash":"10405070e9cf787d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_commits_test.go","reason":"AI: This is a Git commit SHA hash (cfe3b3c1fd36fba04f9183287b106497e1afe986) used in test assertions to verify API responses return the correct commit. It's test data, not an authentication token.","confidence":95,"addedAt":1769276628275}
-{"contentHash":"f63457df762ff21c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\repo20.git\\refs\\heads\\remove-files-b","reason":"AI: This is a Git reference file (refs/heads/remove-files-b) containing a Git commit SHA-1 hash, not a GitHub OAuth token. Git commit hashes are 40-character hexadecimal strings that can superficially match token patterns, but they are public identifiers used in version control systems. The file path 'tests/gitea-repositories-meta/user2/repo20.git/refs/heads/' clearly indicates this is test repository metadata storing a branch reference.","confidence":95,"addedAt":1769276371992}
-{"contentHash":"a2f78c4f746e5f69","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\tags\\Тэг","reason":"AI: This is a Git object SHA-1 hash (40 hexadecimal characters) located in a Git refs/tags directory, not a GitHub OAuth token. The file path 'tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\tags\\Тэг' indicates this is part of a Git repository's internal structure where tag references point to commit hashes. Git SHA-1 hashes follow the same format as some API tokens but serve a completely different purpose in version control systems.","confidence":95,"addedAt":1769276421229}
-{"contentHash":"eb0288b0b54ffbcb","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\utf8.git\\info\\refs","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) in a Git refs file, not a GitHub OAuth token. The file is located in tests/gitea-repositories-meta/user2/utf8.git/info/refs, which is clearly test data for a Git repository. Git commit hashes follow the same format as some API tokens but serve a completely different purpose.","confidence":99,"addedAt":1769276384055}
-{"contentHash":"12e67425e5e3ef36","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA-1 hash (40 hexadecimal characters) located in a Git refs file (.git/refs/heads/master), not a GitHub OAuth token. The file path and format clearly indicate this is part of Git's internal repository structure used to track branch references. Git commit hashes are public identifiers, not secrets.","confidence":95,"addedAt":1769276393635}
-{"contentHash":"ecdb3261f7f47bf7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\tags\\タグ","reason":"AI: This is a Git object SHA-1 hash (40 hexadecimal characters) located in a Git refs/tags directory, not a GitHub OAuth token. The file path 'tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\tags\\タグ' clearly indicates this is part of a Git repository's internal structure where tag references store commit hashes. Git SHA-1 hashes are public identifiers, not secrets. The pattern was misidentified as a GitHub OAuth token due to similar character patterns.","confidence":95,"addedAt":1769276426308}
-{"contentHash":"0625237031c84e76","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user2\\utf8.git\\refs\\heads\\Plus+Is+Not+Space","reason":"AI: This is a Git reference file containing a commit SHA-1 hash (40 hexadecimal characters). The file path 'tests/gitea-repositories-meta/user2/utf8.git/refs/heads/Plus+Is+Not+Space' indicates this is a Git repository reference file in a test directory. Git commit hashes are not secrets - they are public identifiers for commits. The pattern was incorrectly flagged as a GitHub OAuth token, but it's actually a standard Git commit hash.","confidence":95,"addedAt":1769276397733}
-{"contentHash":"b13020dac328f08e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\gitea-repositories-meta\\user27\\template1.git\\refs\\heads\\master","reason":"AI: This is a Git commit SHA hash (40-character hexadecimal string) stored in a Git reference file under refs/heads/master. The file path 'tests\\gitea-repositories-meta\\user27\\template1.git\\refs\\heads\\master' indicates this is part of a test repository structure. Git refs files contain commit hashes, not OAuth tokens. While the pattern matches the format of a GitHub OAuth token, the context clearly shows this is a Git object reference.","confidence":95,"addedAt":1769276449804}
-{"contentHash":"ac6d3c286b39a98d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\actions_settings_test.go","reason":"AI: This is the same hardcoded token value detected by a different pattern matcher. As explained above, this is test fixture data in an integration test file used to verify authentication mechanisms. The token is associated with a test database record (ActionTask ID: 55, RepoID: 6) and is used to test git clone operations with task-based authentication. This is clearly test/mock data, not a real production secret.","confidence":95,"addedAt":1769276460630}
-{"contentHash":"7879b32e5cb28194","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\actions_settings_test.go","reason":"AI: Similar to line 44, this is a URL path construction: fmt.Sprintf('/%s/%s/settings/actions/general/collaborative_owner/delete?id=%d', ...). The detected pattern is part of the URL path '/settings/actions/general/collaborative_owner/delete' which is a route endpoint, not a secret. This is a false positive from pattern matching.","confidence":98,"addedAt":1769254249526}
-{"contentHash":"1bca219b9c94ffd1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_actions_permission_test.go","reason":"AI: This is the same test token ('8061e833a55f6fc0157c98b883e91fcfeeb1a71a') used in the 'testActionUserNoAccessOtherPrivateRepo' test function. The consistent reuse of this token across all test functions in the integration test file, combined with the test context (verifying permission scenarios), clearly indicates this is a test fixture established in the test environment setup, not a real secret.","confidence":95,"addedAt":1769276494312}
-{"contentHash":"7c717f9a198f6a86","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_gpg_keys_test.go","reason":"AI: This is a URL path in a test file ('/api/v1/repos/user2/repo16/branches/good-sign'). The pattern matcher incorrectly flagged this as an AWS Secret Access Key due to the '/api' prefix and the word 'good' in the branch name. This is clearly a REST API endpoint path for testing Git branch operations with GPG signatures, not a secret key.","confidence":95,"addedAt":1769254287764}
-{"contentHash":"12f7ee777a8499e9","patternId":"private-key-openssh","filePath":"..\\gitcaddy\\tests\\integration\\api_httpsig_test.go","reason":"AI: This is a test OpenSSH private key used in integration tests (file path: tests/integration/api_httpsig_test.go). The key is defined as a constant 'httpsigPrivateKey' and is used alongside a matching certificate constant 'httpsigCertificate' to test HTTP signature authentication functionality. The key is intentionally embedded in test code to verify the httpsig authentication mechanism works correctly. The presence of a matching public key certificate and the test context (TestHTTPSigPubKey and TestHTTPSigCert functions) clearly indicate this is test data, not a real secret.","confidence":95,"addedAt":1769254293168}
-{"contentHash":"b6a787b8a32c2b3b","patternId":"private-key-rsa","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_chef_test.go","reason":"AI: This is a test RSA private key used in integration tests for the Chef package API. The file is located in 'tests/integration/' directory, and the key is hardcoded in test code to verify authentication mechanisms. The corresponding public key is also present in the test (line 56), and both are used to test Chef API authentication signing. This is clearly test/mock data for integration testing purposes, not a real production secret.","confidence":95,"addedAt":1769254303242}
-{"contentHash":"2a3c635e67a81e9c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_composer_test.go","reason":"AI: This is the same SHA-1 checksum hash (40 hex characters: '4f5fa464c3cb808a1df191dbf6cb75363f8b7072') appearing again in the same test file, verifying the same package's integrity after linking it to a repository. This is a legitimate checksum value in Composer package metadata, not a GitHub OAuth token. The value is reused because it's testing the same package.","confidence":95,"addedAt":1769276500803}
-{"contentHash":"0075593bfb08ba94","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_maven_test.go","reason":"AI: This is a SHA-1 hash value ('8696abce499fe84d9ea93e5492abe7147e195b6c') used in test code to verify the checksum of Maven metadata XML. It's testing the integrity verification feature of Maven package downloads. This is a cryptographic hash used for file verification, not a GitHub OAuth token.","confidence":99,"addedAt":1769276508811}
-{"contentHash":"7d568b6a10b2c106","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_npm_test.go","reason":"AI: This is the same shasum hash value 'aaa7eaf852a948b0aa05afeda35b1badca155d90' appearing in a test assertion that validates the package metadata response. It's verifying that the shasum field in the NPM package dist metadata matches the expected test value. This is clearly test/mock data in an integration test, not a real GitHub OAuth token.","confidence":95,"addedAt":1769276516669}
-{"contentHash":"07e23ede2756aa3f","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_packages_test.go","reason":"AI: This is the SHA-1 hash of an empty string (da39a3ee5e6b4b0d3255bfef95601890afd80709), which is a well-known constant value used in testing. The context shows this is part of a test file (api_packages_test.go) that validates package file hashes. The line is asserting that an uploaded empty file has the expected SHA-1 hash value. This is not a GitHub OAuth token but rather a cryptographic hash used for file integrity verification in tests.","confidence":99,"addedAt":1769276521449}
-{"contentHash":"c0a7d6705b1094c8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\pull_commit_test.go","reason":"AI: This is a Git commit SHA hash (5c050d3b6d2db231ab1f64e324f1b6b9a0b181c2) used in integration test code to verify pull request commit listings. Git commit SHAs are not secrets - they are public identifiers in version control systems. The value is being used in an assertion to validate test data.","confidence":95,"addedAt":1769276739411}
-{"contentHash":"132f5d5a6add1c27","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_archive_test.go","reason":"AI: This is a URL path in a test file ('/api/v1/repos/user2/repo1/archive/master.zip'). The pattern matcher incorrectly flagged this as an AWS Secret Access Key, but it's clearly just an API endpoint path for testing private repository access. The 'api' portion is part of the URL structure, not a secret key.","confidence":99,"addedAt":1769254377442}
-{"contentHash":"478f30ad3e9f7f90","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_archive_test.go","reason":"AI: This is a URL path in a test file ('/api/v1/repos/user2/repo1/zipball/master'). The pattern matcher incorrectly flagged this as an AWS Secret Access Key, but it's clearly just an API endpoint path for testing private repository access in GitHub-style format. The 'api' portion is part of the URL structure, not a secret key.","confidence":99,"addedAt":1769254377446}
-{"contentHash":"4e7710132c60767b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Same Git blob SHA hash (103ff9234cefeee5ec5361d22b49fbb04d385885) as line 103, used for test assertions. This is a public Git object identifier.","confidence":95,"addedAt":1769276778993}
-{"contentHash":"c52506870495705e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_file_create_test.go","reason":"AI: This is the same SHA hash value as line 66, used in the test function 'TestAPICreateFile' to verify the expected SHA of a created file. The variable 'expectedSHA' is assigned this value and compared against the API response. This is clearly test data representing a Git blob SHA-1 hash, not a GitHub OAuth token despite the pattern match.","confidence":95,"addedAt":1769276560884}
-{"contentHash":"04b0297c880cdf90","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_file_update_test.go","reason":"AI: This is a Git blob SHA hash (08bd14b2e2852529157324de9c226b3364e76136) used in test assertions for file rename operations. Same SHA value used consistently throughout the test file as expected content hash. This is mock/test data, not a real authentication credential.","confidence":95,"addedAt":1769276578804}
-{"contentHash":"daafe79cfeb2dc84","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_get_contents_test.go","reason":"AI: This is a base64-encoded test string 'IyByZXBvMQoKRGVzY3JpcHRpb24gZm9yIHJlcG8x' which decodes to '# repo1\\n\\nDescription for repo1'. It's mock content data used in integration tests for API responses, not an AWS secret key.","confidence":95,"addedAt":1769254434262}
-{"contentHash":"39a2cd4a80e8ab0e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_trees_test.go","reason":"AI: This is a Git commit/tree SHA hash (d56a3073c1dbb7b15963110a049d50cdb5db99fc) used in the API endpoint URL for testing access control, not a GitHub OAuth token. It's test data verifying that user4 cannot access org3/repo3's Git tree objects.","confidence":95,"addedAt":1769276643988}
-{"contentHash":"e46c48949f7eab49","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_repo_git_blobs_test.go","reason":"AI: This is a Git SHA-1 hash (f90451c72ef61a7645293d17b47be7a8e983da57) used in integration tests to reference a specific blob object. The variable name 'repo16ReadmeSHA' clearly indicates this is a Git commit/blob SHA, not a GitHub OAuth token. This is test code using repository object identifiers.","confidence":95,"addedAt":1769276606261}
-{"contentHash":"a67d1ca1f508362e","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_commits_test.go","reason":"AI: This is a Git commit SHA hash (5099b81332712fe655e34e8dd63574f503f61811) used in integration tests, not a GitHub OAuth token. The value appears in an assertion checking commit IDs in a test repository. Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769276795937}
-{"contentHash":"2ee7696ba95db47c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_wiki_test.go","reason":"AI: This is the same Git commit SHA hash (2c54faec6c45d31c1abfaecdab471eac6633738a) appearing a third time in the TestAPIListPageRevisions test function. It's used to verify wiki revision data. Git commit hashes are public repository identifiers, not authentication secrets.","confidence":95,"addedAt":1769276666063}
-{"contentHash":"4418caf846fb5ca7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_wiki_test.go","reason":"AI: This is a Git commit SHA hash (0cf15c3f66ec8384480ed9c3cf87c9e97fbb0ec3) used in test data to represent a wiki page commit. It's part of mock data structure in an integration test. Git commit hashes are public identifiers that reference specific commits in a repository, not authentication credentials.","confidence":95,"addedAt":1769276666057}
-{"contentHash":"f8a9c76c4a896290","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_wiki_test.go","reason":"AI: This is a Git commit SHA hash (c10d10b7e655b3dab1f53176db57c8219a5488d6) used in test fixture data. It represents a commit for a wiki page with a spaced name. Git commit SHAs are public repository metadata, not secrets that need protection.","confidence":95,"addedAt":1769276666059}
-{"contentHash":"7afbea7d12412cd5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\api_wiki_test.go","reason":"AI: This is a Git commit SHA hash (0dca5bd9b5d7ef937710e056f575e86c0184ba85) used in test data for an 'Unescaped File' wiki page. Like all Git commit hashes, this is a public identifier that references a specific commit in version control, not a secret credential.","confidence":95,"addedAt":1769276666061}
-{"contentHash":"226bb89915b4ee0a","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\integration\\nonascii_branches_test.go","reason":"AI: This is a false positive. The detected pattern 'bran********************alid' is part of a URL path string 'branch/Plus+Is+Not+Space/and+it+is+valid.md' in a test file. This is testing URL encoding and non-ASCII branch names in Git repositories, not an AWS secret key. The pattern match is coincidental due to the substring 'and+it+is+valid' being misidentified as a secret.","confidence":99,"addedAt":1769254514955}
-{"contentHash":"b2582f52fc08270d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\pull_diff_test.go","reason":"AI: This is a Git commit SHA hash (23576dd018294e476c06e569b6b0f170d0558705) used in a test file for integration testing. It represents the end of a commit range in a PR diff URL. Git commit SHAs are public version control identifiers, not authentication tokens or secrets.","confidence":95,"addedAt":1769276745596}
-{"contentHash":"24a6797539be0fbc","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Same Git blob SHA hash (dbf8d00e022e05b7e5cf7e535de857de57925647) as line 173, used in test assertions.","confidence":95,"addedAt":1769276779001}
-{"contentHash":"43931722a46db0e4","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Same Git tree SHA hash (f93e3a1a1525fb5b91020da86e44810c87a2d7bc) repeated in test code.","confidence":95,"addedAt":1769276779010}
-{"contentHash":"e714df9cabc96165","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git blob SHA hash (8276d2a29779af982c0afa976bdb793b52d442a8) used in test code for file rename operations. Public Git object identifier.","confidence":95,"addedAt":1769276779013}
-{"contentHash":"c7e56f5ff15879f8","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git blob SHA hash (d4a41a0d4db4949e129bd22f871171ea988103ef) used in test code for LFS file operations. Public Git object identifier.","confidence":95,"addedAt":1769276779014}
-{"contentHash":"3706f7ee37cefb5c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git blob SHA hash (71911bf48766c7181518c1070911019fbb00b1fc) used in test code for JPEG file operations. Public Git object identifier.","confidence":95,"addedAt":1769276779016}
-{"contentHash":"64b7cd98891b90b5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Git blob SHA hash (2b6c6c4eaefa24b22f2092c3d54b263ff26feb58) used in test code for LFS binary file operations. Public Git object identifier.","confidence":95,"addedAt":1769276779018}
-{"contentHash":"ddd220c436305fb7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repofiles_change_test.go","reason":"AI: Same Git tree SHA hash (5307376dc3a5557dc1c403c29a8984668ca9ecb5) as line 333, repeated in test code.","confidence":95,"addedAt":1769276779026}
-{"contentHash":"bbb69eedf3c4150f","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\tests\\sqlite.ini.tmpl","reason":"AI: This is a test configuration file (tests/sqlite.ini.tmpl) for Gitea's test suite. The value 'Tv_MjmZuHqpIY6GFl12ebgkRAMt4RlWt0v4EHKSXO0w' is the LFS_JWT_SECRET used in automated testing. Multiple indicators suggest this is a test value: 1) File is in 'tests/' directory with .tmpl extension, 2) Contains template variables like {{TEST_TYPE}}, 3) Uses dummy mailer protocol, 4) References test paths throughout, 5) This is a static test secret that would be committed to version control for reproducible test environments. Similar test secrets appear on lines 103 (SECRET_KEY) and 109 (JWT_SECRET).","confidence":95,"addedAt":1769254607040}
-{"contentHash":"76e9f7fba3566191","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\web_src\\js\\features\\user-auth-webauthn.ts","reason":"AI: This is a false positive. The detected pattern '/use********************uest' is actually part of a URL path '/user/settings/security/webauthn/request_register' in the code. The asterisks in the detection are masking the middle portion of the URL path, but this is clearly an API endpoint path, not an AWS Secret Access Key. The context shows this is a POST request to a WebAuthn registration endpoint.","confidence":99,"addedAt":1769254617775}
-{"contentHash":"0ac902c1610f6527","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\web_src\\js\\webcomponents\\polyfills.ts","reason":"AI: This is a URL path to a GitHub/GitLab issue tracker (repo.palemoon.org/MoonchildProductions/UXP/issues/2289), not an AWS secret key. The pattern 'org/********************2289' is part of a comment referencing a bug report about Intl.NumberFormat support in PaleMoon browser. The '2289' is simply the issue number, and the asterisks in the detection are likely from the path components being redacted by the scanner.","confidence":99,"addedAt":1769254622685}
-{"contentHash":"0a002c26600ac250","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is a Visual Studio Project GUID (455910FC-CC9B-244E-E3A8-78E8113461FC) used to identify the 'csharp' project folder. These are standard Visual Studio identifiers, not API keys.","confidence":99,"addedAt":1769274527854}
-{"contentHash":"2ac37e27e5f3f353","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is the Project GUID (FF13A09E-0E72-1904-124B-A4E979EF28D3) used in nested project configuration. These are project structure identifiers, not API keys.","confidence":99,"addedAt":1769274527873}
-{"contentHash":"0a967abf18dc96d2","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is the Project GUID (455910FC-CC9B-244E-E3A8-78E8113461FC) used in nested project configuration. These are standard Visual Studio identifiers.","confidence":99,"addedAt":1769274527877}
-{"contentHash":"ca1930afd4dcd9ba","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is a Visual Studio Project GUID (CC3F3F81-98F0-4F04-FB6D-D977CE0360AA) for the Gitea.SDK project. These are randomly generated identifiers by Visual Studio, not secrets.","confidence":99,"addedAt":1769274527857}
-{"contentHash":"cc9d9007370a8445","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is the Project GUID (455910FC-CC9B-244E-E3A8-78E8113461FC) used in nested project configuration. These are standard Visual Studio identifiers.","confidence":99,"addedAt":1769274527875}
-{"contentHash":"670b00e6b8859f36","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\gitcaddy-server.sln","reason":"AI: This is a Solution GUID (6836703D-481F-41AE-8B58-7FB4F2B4A88C) used by Visual Studio to uniquely identify the solution. These are randomly generated by Visual Studio and are not secrets.","confidence":99,"addedAt":1769274527879}
-{"contentHash":"bc308ecaf2a38e27","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\models\\asymkey\\ssh_key_authorized_keys.go","reason":"AI: This is part of a GitHub URL in a code comment that references the OpenSSH source code repository. The detected pattern '32deb00b38b4ee2b3302f261ea1e68c04e020a08' is actually a Git commit hash in the URL 'https://github.com/openssh/openssh-portable/blob/32deb00b38b4ee2b3302f261ea1e68c04e020a08/auth2-pubkeyfile.c#L221-L256'. Git commit hashes are public identifiers, not secrets. The comment is explaining how the code reverse engineers sshd's authorized keys file parsing.","confidence":95,"addedAt":1769274545878}
-{"contentHash":"0cd10f417c317b39","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\auth\\oauth2.go","reason":"AI: This is a UUID (a4792ccc-144e-407e-86c9-5e7d8d9c3269) used as a client ID for a builtin OAuth2 application. It's part of the BuiltinApplications() function that defines hardcoded, well-known OAuth2 client IDs for git credential helpers. UUIDs are not secrets - they are identifiers. The actual secret would be the client_secret field, not the client_id.","confidence":95,"addedAt":1769274564416}
-{"contentHash":"827d3bbbf23cca4a","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\auth\\oauth2.go","reason":"AI: This is a UUID (e90ee53c-94e2-48ac-9358-a874fb9e0662) used as a client ID for the 'Git Credential Manager' builtin OAuth2 application. Like the previous entry, this is a public identifier, not a secret. OAuth2 client IDs are meant to be public and are used to identify the application, while client secrets are the confidential values.","confidence":95,"addedAt":1769274564419}
-{"contentHash":"50b0f48aa2280538","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\auth\\oauth2.go","reason":"AI: This is a UUID (d57cb8c4-630c-4168-8324-ec79935e18d4) used as a client ID for the 'tea' builtin OAuth2 application. This is another public OAuth2 client identifier, not a secret. The code shows these are hardcoded builtin applications that are registered in the system, and client IDs in OAuth2 are public by design.","confidence":95,"addedAt":1769274564422}
-{"contentHash":"ed4adc29381a8583","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: Test OAuth2 client_id 'da7da3ba-9a13-4167-856f-3899de0b0138' used in another test case within TestOAuthIntrospection.","confidence":95,"addedAt":1769276732038}
-{"contentHash":"c165687b311631c7","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner.yml","reason":"AI: This is a token_hash field containing the same UUID value (3EF231BD-FBB7-4E4B-9602-E6F28363EF18) as the uuid field above it in a test fixtures file. While token hashes could be sensitive, this is clearly test data with placeholder values, and the hash matches the UUID exactly which is not realistic for production.","confidence":95,"addedAt":1769274621082}
-{"contentHash":"b9bc7e5a6b58b11d","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner.yml","reason":"AI: This is a token_hash field containing the same UUID value (3EF231BD-FBB7-4E4B-9602-E6F28363EF19) as the uuid field in a test fixtures file. The pattern of token_hash matching uuid exactly indicates this is test/mock data, not real credentials.","confidence":95,"addedAt":1769274621086}
-{"contentHash":"d2de5c6b29554850","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner.yml","reason":"AI: This is a token_hash field containing the same UUID value (3EF231BD-FBB7-4E4B-9602-E6F28363EF20) as the uuid field in a test fixtures file. The consistent pattern of matching uuid/token_hash pairs confirms this is test data.","confidence":95,"addedAt":1769274621090}
-{"contentHash":"b15e65966b02eebc","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner.yml","reason":"AI: This is a token_hash field containing the same UUID value (3EF231BD-FBB7-4E4B-9602-E6F28363EF17) as the uuid field in a test fixtures file. Following the same pattern as other entries, this is test data.","confidence":95,"addedAt":1769274621094}
-{"contentHash":"8afa76ef18520c84","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\action_runner.yml","reason":"AI: This is a token_hash field containing the same UUID value (3FF231BD-FBB7-4E4B-9602-E6F28363EF20) as the uuid field in a test fixtures file. Consistent with all other entries, this is test data with the token_hash matching the uuid.","confidence":95,"addedAt":1769274621100}
-{"contentHash":"0aca198ee7979a67","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11) used in integration test code for testing public access by non-logged users. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680923}
-{"contentHash":"61f584658fe47ac0","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12) used in integration test code for testing repository access restrictions. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680931}
-{"contentHash":"dc9c518471a34a04","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\attachment.yml","reason":"AI: This is a UUID field in a test fixture file. The value 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a13' is part of a sequential series of test UUIDs, not a Heroku API key. It's clearly mock data for testing attachment functionality.","confidence":99,"addedAt":1769274663638}
-{"contentHash":"d9e729ce666a27c5","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\modules\\storage\\local_test.go","reason":"AI: Same UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a14) in expected test result. This is test code for path normalization, not a real API key.","confidence":99,"addedAt":1769275460493}
-{"contentHash":"3cf3d9243b7f2c3d","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\attachment.yml","reason":"AI: This is a UUID field in a test fixture file. The value 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a15' is part of a sequential series of test UUIDs, not a Heroku API key. It's clearly mock data for testing attachment functionality.","confidence":99,"addedAt":1769274663643}
-{"contentHash":"a55f89d5f09b7d48","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\attachment.yml","reason":"AI: This is a UUID field in a test fixture file. The value 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a16' is part of a sequential series of test UUIDs, not a Heroku API key. It's clearly mock data for testing attachment functionality.","confidence":99,"addedAt":1769274663646}
-{"contentHash":"651f46a6f16cdafb","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17) used in integration test code for testing comment attachment functionality. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680910}
-{"contentHash":"ba425bd5d0381324","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18) used in integration test code for testing missing file scenarios. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680917}
-{"contentHash":"5d7be51f0755dbf8","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19) used in integration test code for testing release attachment functionality. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680913}
-{"contentHash":"2b48f491c469b8e9","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20) used in integration test code for testing uploader access scenarios. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680921}
-{"contentHash":"bfd629c97eb63cc6","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21) used in integration test code for testing organization access restrictions. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680933}
-{"contentHash":"4f874cd6503a862e","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\fixtures\\attachment.yml","reason":"AI: This is a UUID field in a test fixture file. The value 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22' is part of a sequential series of test UUIDs, not a Heroku API key. It's clearly mock data for testing attachment functionality.","confidence":99,"addedAt":1769274663660}
-{"contentHash":"325606b5dcd98d70","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: Test OAuth2 client_id 'ce5a1322-42a7-11ed-b878-0242ac120002' used in TestAccessTokenExchangeWithPublicClient test.","confidence":95,"addedAt":1769276732018}
-{"contentHash":"a4d869f7ac31a303","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\models\\repo\\release_test.go","reason":"AI: This is a UUID (a0eebc91-9c0c-4ef7-bb6e-6bb9bd380a12) used as a test fixture for an Attachment object in a unit test. It follows the standard UUID v4 format and is being used to test the InsertReleases function. This is clearly test data, not a Heroku API key. The context shows it's part of a test database setup.","confidence":95,"addedAt":1769274830736}
-{"contentHash":"a69c47e0e9deeb99","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\modules\\hcaptcha\\hcaptcha_test.go","reason":"AI: This appears to be detecting the same dummySiteKey from line 18. The value '10000000-ffff-ffff-ffff-000000000001' is a test constant with obvious placeholder patterns. It's defined as a const in test code and used throughout the test suite as mock data.","confidence":99,"addedAt":1769275294080}
-{"contentHash":"5da2b544bed6f4ae","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\modules\\hcaptcha\\hcaptcha_test.go","reason":"AI: This is a dummy/test token defined in a test file. The value '10000000-aaaa-bbbb-cccc-000000000001' follows an obvious test pattern with repeating sequences (aaaa-bbbb-cccc) and is explicitly named 'dummyToken'. It's used in the mockTransport to simulate hCaptcha responses in unit tests.","confidence":99,"addedAt":1769275294083}
-{"contentHash":"47759ebffcc8144e","patternId":"generic-secret","filePath":"..\\gitcaddy\\modules\\hcaptcha\\hcaptcha_test.go","reason":"AI: This appears to be detecting the same dummySiteKey from line 18. The value '10000000-ffff-ffff-ffff-000000000001' is a test constant with obvious placeholder patterns. It's defined as a const in test code and used throughout the test suite as mock data.","confidence":99,"addedAt":1769275294085}
-{"contentHash":"bf526d77053db08d","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\modules\\indexer\\issues\\internal\\tests\\tests.go","reason":"AI: This is a UUID (f1dfac73-fda6-4a6b-b8a4-2408fcb8ef69) used as a test keyword in a search test case to verify empty search results. The context shows it's part of a test suite (package tests) with the comment 'All the code in this package is only used for testing.' The value is used in SearchOptions.Keyword field to test that searching for a non-existent UUID returns zero results (ExpectedIDs: []int64{}, ExpectedTotal: 0). This is clearly test data, not a real API key.","confidence":95,"addedAt":1769275300840}
-{"contentHash":"bddc0bee3d618461","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\lfs\\http_client.go","reason":"AI: This is a Git commit SHA hash from a GitHub URL reference in a code comment, not a GitHub OAuth token. The pattern 'a32a02b44bf8a511aa14f047627c49e1a7fd5021' is a 40-character hexadecimal Git commit hash that appears in a URL pointing to the git-lfs documentation repository (https://github.com/git-lfs/git-lfs/blob/a32a02b44bf8a511aa14f047627c49e1a7fd5021/docs/api/batch.md). Git commit SHAs are public identifiers, not secrets.","confidence":95,"addedAt":1769275310082}
-{"contentHash":"41ee05bb34f88c87","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\markup\\html_internal_test.go","reason":"AI: Same fake SHA hash with colon - test data for validating pattern matching with trailing punctuation.","confidence":100,"addedAt":1769275334903}
-{"contentHash":"37573b2243da7c2c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\markup\\orgmode\\orgmode.go","reason":"AI: This is a GitHub commit hash reference in a URL comment (https://github.com/niklasfasching/go-org/blob/6eb20dbda93cb88c3503f7508dc78cbbc639378f/org/html_writer.go#L406-L427). The pattern '6eb20dbda93cb88c3503f7508dc78cbbc639378f' is a 40-character Git SHA-1 commit hash, not a GitHub OAuth token. Git commit hashes are public identifiers used to reference specific commits in version control and are not secrets.","confidence":95,"addedAt":1769275371497}
-{"contentHash":"4fe35907064f0c86","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\conda\\metadata.go","reason":"AI: This is a GitHub commit hash reference in a URL comment (https://github.com/conda/conda-build/blob/db9a728a9e4e6cfc895637ca3221117970fc2663/conda_build/metadata.py#L1403). The 'db9a728a9e4e6cfc895637ca3221117970fc2663' is a Git commit SHA, not a GitHub OAuth token. Git commit SHAs are 40 hexadecimal characters and are public information used to reference specific commits in repositories.","confidence":95,"addedAt":1769275383109}
-{"contentHash":"ab0ab1b66ae9a7a1","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\nuget\\metadata.go","reason":"AI: This is part of a GitHub URL in a code comment referencing the NuGet.Client source code repository. The pattern 'dccbd304b11103e08b97abf4cf4bcc1499d9235a' is actually a Git commit hash (40 character hexadecimal string), not a GitHub OAuth token. The full URL is 'https://github.com/NuGet/NuGet.Client/blob/dccbd304b11103e08b97abf4cf4bcc1499d9235a/src/NuGet.Core/NuGet.Versioning/VersionFormatter.cs#L121' which is a standard GitHub permalink to a specific file at a specific commit.","confidence":95,"addedAt":1769275399384}
-{"contentHash":"39ac00771440ac4b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\packages\\pub\\metadata.go","reason":"AI: This is a commit hash in a GitHub URL comment reference, not a GitHub OAuth token. The pattern appears in a comment that references a specific line in the dart-lang/pub-dev repository (https://github.com/dart-lang/pub-dev/blob/4d582302a8d10152a5cd6129f65bf4f4dbca239d/...). The '4d582302a8d10152a5cd6129f65bf4f4dbca239d' is a 40-character Git commit SHA, which happens to match the pattern for GitHub tokens but is clearly being used as a source code reference in a URL.","confidence":95,"addedAt":1769275405158}
-{"contentHash":"df84ab47b7bb8c62","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\modules\\ssh\\ssh.go","reason":"AI: This is part of a GitHub URL in a code comment that references the gliderlabs/ssh library source code. The pattern 'd137aad99cd6f2d9495bfd98c755bec4e5dffb8c' is a Git commit hash, not a GitHub OAuth token. The full URL is 'https://github.com/gliderlabs/ssh/blob/d137aad99cd6f2d9495bfd98c755bec4e5dffb8c/session.go#L109-L113' which is a public repository reference.","confidence":95,"addedAt":1769275441767}
-{"contentHash":"5fe6568e87825574","patternId":"generic-secret","filePath":"..\\gitcaddy\\modules\\storage\\azureblob_test.go","reason":"AI: This is the well-known Azurite development storage account key, which is documented in Microsoft's official documentation (as referenced in the comment on line 25). Azurite is a local Azure Storage emulator for development/testing purposes, and this key 'Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==' is a publicly known default credential that is the same across all Azurite installations. The code is clearly test code (filename ends in _test.go), and the comment explicitly references Microsoft's documentation about well-known storage account credentials.","confidence":95,"addedAt":1769275448753}
-{"contentHash":"5f19b3cd02bef156","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\web_src\\js\\utils\\color.ts","reason":"AI: This is a GitHub commit hash appearing in a URL comment that references a specific implementation in the color-js library. The pattern 'eb7b53f7a13bb716ec8b28c7a56f052cd599acd9' is a 40-character Git SHA-1 hash used to link to a specific version of code, not a GitHub OAuth token. The full context shows it's part of a GitHub URL: 'https://github.com/color-js/color.js/blob/eb7b53f7a13bb716ec8b28c7a56f052cd599acd9/src/contrast/APCA.js#L42' which is a standard way to reference specific commits in GitHub repositories.","confidence":95,"addedAt":1769276864806}
-{"contentHash":"7357d7bf26cc2c7a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\routers\\api\\packages\\chef\\auth.go","reason":"AI: This is part of a GitHub URL in a code comment that references documentation. The string 'bc8adbef833d4be23dc78cb23e6fe44b51ebc34f' is a Git commit hash in the URL 'https://github.com/chef/mixlib-authentication/blob/bc8adbef833d4be23dc78cb23e6fe44b51ebc34f/lib/mixlib/authentication/signedheaderauth.rb', not a GitHub OAuth token. Git commit hashes are public identifiers and not secrets.","confidence":95,"addedAt":1769275494578}
-{"contentHash":"f37283f31c626fad","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\repository\\branch.go","reason":"AI: This is not a GitHub OAuth token. The detected pattern 'cb52********************ca48' is part of a URL in a code comment that references a specific line in the Gitea GitHub repository (https://github.com/go-gitea/gitea/blob/cb52b17f92e2d2293f7c003649743464492bca48/cmd/hook.go#L27). The 'cb52...ca48' is a Git commit SHA hash, not an OAuth token. Git commit SHAs are 40-character hexadecimal strings and are public identifiers, not secrets.","confidence":95,"addedAt":1769275733851}
-{"contentHash":"ae1dcbeaabdd77b7","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\services\\auth\\auth_test.go","reason":"AI: This is a UUID (6d92a9ee-5d8b-4993-97c9-6181bdaa8955) used in a test file path for testing attachment URLs, not a Heroku API key. The value appears in a test case array testing path detection for '/owner/repo/attachments/{uuid}' patterns. UUIDs are commonly used as attachment identifiers in web applications and this is clearly test data.","confidence":95,"addedAt":1769275551299}
-{"contentHash":"ff3022747a58abdb","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\packages\\arch\\vercmp.go","reason":"AI: This is a Git commit hash in a URL comment referencing the upstream pacman source code on GitLab. The pattern 'd55b47e5512808b67bc944feb20c2bcc6c1a4c45' is a 40-character SHA-1 commit hash, not a GitHub OAuth token. The full URL 'https://gitlab.archlinux.org/pacman/pacman/-/blob/d55b47e5512808b67bc944feb20c2bcc6c1a4c45/lib/libalpm/version.c' is a source code reference link showing where the implementation was derived from.","confidence":99,"addedAt":1769275710065}
-{"contentHash":"41b09727307bd235","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\repository\\archiver\\archiver.go","reason":"AI: This is not a GitHub OAuth token. The detected pattern '5676********************80a7' appears in a URL construction context where it's actually the commit ID being used in a Link header. Looking at the code, this is part of `archiveReq.CommitID` which is a Git commit SHA, not an OAuth token. The pattern matcher incorrectly flagged this as a secret due to the hexadecimal format of Git commit IDs resembling token patterns.","confidence":95,"addedAt":1769275728102}
-{"contentHash":"134de1e285e8684a","patternId":"generic-secret","filePath":"..\\gitcaddy\\tests\\integration\\actions_settings_test.go","reason":"AI: This is the same hardcoded token value detected by a different pattern matcher. As explained above, this is test fixture data in an integration test file used to verify authentication mechanisms. The token is associated with a test database record (ActionTask ID: 55, RepoID: 6) and is used to test git clone operations with task-based authentication. This is clearly test/mock data, not a real production secret.","confidence":95,"addedAt":1769276460632}
-{"contentHash":"a8a9fdc91ec6b51d","patternId":"heroku-api-key","filePath":"..\\gitcaddy\\tests\\integration\\attachment_test.go","reason":"AI: This is a UUID (b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18) used in integration test code for testing non-existing attachment scenarios. This is test fixture data, not a Heroku API key.","confidence":95,"addedAt":1769276680915}
-{"contentHash":"3218f4d52f5c501a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\download_test.go","reason":"AI: This is the same Git blob SHA-1 hash (6395b68e1feebb1e4c657b4f9f6ba2676a283c0b) as line 34, reused in another test case for media download with SVG headers. These are public Git object identifiers used in integration tests, not authentication tokens.","confidence":95,"addedAt":1769276689547}
-{"contentHash":"3e0576c3c704b697","patternId":"generic-secret","filePath":"..\\gitcaddy\\tests\\integration\\oauth_test.go","reason":"AI: Same test client_secret '4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=' used in another test case within TestOAuthIntrospection.","confidence":95,"addedAt":1769276732060}
-{"contentHash":"887c5c23a9d6736a","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\pull_diff_test.go","reason":"AI: This is a Git commit SHA hash (c5626fc9eff57eb1bb7b796b01d4d0f2f3f792a2) used in a test file for integration testing of pull request diffs. The value is part of a URL path to test viewing a specific commit in a PR. Git commit SHAs are public identifiers in version control systems, not secrets.","confidence":95,"addedAt":1769276745591}
-{"contentHash":"d4b3c24636c8758d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\pull_diff_test.go","reason":"AI: This is a Git commit SHA hash (23576dd018294e476c06e569b6b0f170d0558705) used in a test file for integration testing. It represents the end of a commit range in a PR diff URL. Git commit SHAs are public version control identifiers, not authentication tokens or secrets.","confidence":95,"addedAt":1769276745594}
-{"contentHash":"ca36fff3b5571b87","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\tests\\integration\\repo_branch_test.go","reason":"AI: This is a Git commit SHA hash (acd1d892867872cb47f3993468605b8aa59aa2e0) used in integration test code to reference a specific commit. It's part of a test case URL path 'commit/acd1d892867872cb47f3993468605b8aa59aa2e0' for testing branch creation from a commit. Git commit SHAs are public identifiers in repositories, not secrets.","confidence":95,"addedAt":1769276784802}
-{"contentHash":"a3133f5b78429474","patternId":"jwt-token","filePath":"..\\gitcaddy\\tests\\pgsql.ini.tmpl","reason":"AI: This is a test configuration file (tests/pgsql.ini.tmpl) containing a JWT token used for testing purposes. The file contains multiple test-related placeholders like {{TEST_PGSQL_HOST}}, {{TEST_TYPE}}, etc. The JWT token 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTU1NTE2MTh9.hhSVGOANkaKk3vfCd2jDOIww4pUk0xtg9JRde5UogyQ' is a static test token (decodes to a simple payload with nbf:1495551618) that is hardcoded for test environments. The SECRET_KEY is also a simple test value '9pCviYTWSb'. Additionally, the file contains obviously fake credentials like MINIO_ACCESS_KEY_ID = 123456 and MINIO_SECRET_ACCESS_KEY = 12345678, confirming this is test data.","confidence":95,"addedAt":1769276828542}
-{"contentHash":"9d9797316d2ebf1e","patternId":"generic-secret","filePath":"..\\gitcaddy\\tests\\mssql.ini.tmpl","reason":"AI: This is the well-known Azure Storage Emulator (Azurite) default account key 'Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=='. This is a publicly documented default key used by the Azure storage emulator for local development and testing. The account name 'devstoreaccount1' and endpoint 'azurite.local' confirm this is for local testing with the Azurite emulator, not real Azure storage credentials.","confidence":98,"addedAt":1769276815847}
-{"contentHash":"28032a4fa265d0c9","patternId":"jwt-token","filePath":"..\\gitcaddy\\tests\\sqlite.ini.tmpl","reason":"AI: This is a test configuration file (tests/sqlite.ini.tmpl) for Gitea's test suite. The JWT token 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTI3OTU5ODN9.OQkH5UmzID2XBdwQ9TAI6Jj2t1X-wElVTjbE7aoN4I8' is used as INTERNAL_TOKEN for testing purposes. The file contains multiple test-specific values (TEST_TYPE placeholders, test paths, dummy mailer protocol, test email addresses like 'sqlite-{{TEST_TYPE}}-test@gitea.io'). The JWT payload decodes to a simple nbf (not before) claim with timestamp 1492795983, which is a static test value. This is clearly a hardcoded test token meant for automated testing, not a production secret.","confidence":95,"addedAt":1769276835337}
-{"contentHash":"5da1471323c264da","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\web_src\\css\\chroma\\light.css","reason":"AI: This is a GitHub commit SHA hash from a URL reference (https://github.com/alecthomas/chroma/blob/6428fb4e65f3c1493491571c8a6a8f1add1da822/types.go#L208), not a GitHub OAuth token. The pattern '6428fb4e65f3c1493491571c8a6a8f1add1da822' is a 40-character hexadecimal commit hash used to reference a specific version of source code. This is public information and not a secret credential.","confidence":99,"addedAt":1769276845672}
-{"contentHash":"b2170345622da801","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\web_src\\css\\features\\console.css","reason":"AI: This is a Git commit hash from a GitHub URL reference in a CSS comment, not a GitHub OAuth token. The pattern '697ff23bd8dc48b9d23f11f259f5256dae2455f0' is a 40-character SHA-1 commit hash that appears in the URL 'https://github.com/buildkite/terminal-to-html/blob/697ff23bd8dc48b9d23f11f259f5256dae2455f0/assets/terminal.css'. This is a public reference to a specific version of a CSS file being used as a basis for this code.","confidence":99,"addedAt":1769276851537}
-{"contentHash":"2562231c0cabc4c2","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\web_src\\css\\modules\\normalize.css","reason":"AI: This is a Git commit hash from a GitHub URL reference in a CSS comment, not a GitHub OAuth token. The pattern '2f9eacd9d3d995c937b4251a5557d95d494c9be1' is part of a Mozilla Gecko repository URL (https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737) used to reference the source of a CSS fix. Git commit hashes are 40 hexadecimal characters and are public identifiers, not secrets.","confidence":99,"addedAt":1769276856120}
-{"contentHash":"3674709a0ad91271","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\web_src\\js\\features\\heatmap.ts","reason":"AI: This is a Git commit hash reference in a comment (a83761cbbae3c2e3b4bced71e680f44432073ac8), not a GitHub OAuth token. The comment references a specific GitHub pull request commit URL. Git commit hashes are 40-character hexadecimal strings and are public identifiers, not secrets. The pattern matcher incorrectly flagged this as a token due to the alphanumeric pattern.","confidence":99,"addedAt":1769276860064}
-{"contentHash":"42a152b5befa1cec","patternId":"pkcs12","filePath":"..\\gitcaddy\\options\\gitignore\\OpenSSL","reason":"Manually marked as false positive","addedAt":1769282350503}
-{"contentHash":"bde309f829bd09cc","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\assets\\go-licenses.json","reason":"Manually marked as false positive","addedAt":1769282615250}
-{"contentHash":"b84d31ad8af250f3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811830}
-{"contentHash":"57660ce3d831bdfb","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811820}
-{"contentHash":"58404645c8579166","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811829}
-{"contentHash":"130cde6fef6361fd","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811814}
-{"contentHash":"7e544495a20d5ed2","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811811}
-{"contentHash":"3636ae0810cb1723","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811827}
-{"contentHash":"b5f3af2a54e1cbf9","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811832}
-{"contentHash":"27a9edf592d2c94d","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811828}
-{"contentHash":"7148f0225feab9ac","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811839}
-{"contentHash":"ebe86ac40a10e02c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811838}
-{"contentHash":"d4d2bd21a9f2c6c5","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811844}
-{"contentHash":"0a8ba8f1e33a8e08","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811845}
-{"contentHash":"68b81df3157dd03b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811852}
-{"contentHash":"5e580e00af70b27b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811851}
-{"contentHash":"795936669cdaddbd","patternId":"aws-secret-key","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811755}
-{"contentHash":"668934b86015ff5b","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811878}
-{"contentHash":"982a390d9a9163e0","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811879}
-{"contentHash":"a2d82c996b68fed7","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811881}
-{"contentHash":"03435bff9ca7e8e3","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811880}
-{"contentHash":"48c61620a6d1cb80","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811889}
-{"contentHash":"2f8ffc953bf59b9c","patternId":"github-oauth-legacy","filePath":"..\\gitcaddy\\services\\gitdiff\\git_diff_tree_test.go","reason":"Manually ignored after review","addedAt":1769282811888}
-{"contentHash":"42aa78d545dd6738","patternId":"private-key-pgp","filePath":"..\\gitcaddy\\tests\\integration\\private-testing.key","reason":"Manually ignored after review","addedAt":1769282955057}
-{"contentHash":"db50f18b86135279","patternId":"pkcs12","filePath":"..\\gitcaddy\\options\\gitignore\\VisualStudio","reason":"Manually ignored after review","addedAt":1769283010531}

.golangci.yml

@@ -1,199 +0,0 @@
-version: "2"
-output:
-  sort-results: true
-  sort-order:
-    - file
-linters:
-  default: none
-  enable:
-    - bidichk
-    - bodyclose
-    - depguard
-    - dupl
-    - errcheck
-    - forbidigo
-    - gocheckcompilerdirectives
-    - gocritic
-    - govet
-    - ineffassign
-    - mirror
-    - modernize
-    - nakedret
-    - nolintlint
-    - perfsprint
-    - revive
-    - staticcheck
-    - testifylint
-    - unconvert
-    - unparam
-    - unused
-    - usestdlibvars
-    - usetesting
-    - wastedassign
-  settings:
-    depguard:
-      rules:
-        main:
-          deny:
-            - pkg: encoding/json
-              desc: use gitea's modules/json instead of encoding/json
-            - pkg: github.com/unknwon/com
-              desc: use gitea's util and replacements
-            - pkg: io/ioutil
-              desc: use os or io instead
-            - pkg: golang.org/x/exp
-              desc: it's experimental and unreliable
-            - pkg: code.gitcaddy.com/server/modules/git/internal
-              desc: do not use the internal package, use AddXxx function instead
-            - pkg: gopkg.in/ini.v1
-              desc: do not use the ini package, use gitea's config system instead
-            - pkg: gitea.com/go-chi/cache
-              desc: do not use the go-chi cache package, use gitea's cache system
-    nolintlint:
-      allow-unused: false
-      require-explanation: true
-      require-specific: true
-    gocritic:
-      enabled-checks:
-        - equalFold
-      disabled-checks:
-        - ifElseChain
-        - singleCaseSwitch # Every time this occurred in the code, there was no other way.
-        - deprecatedComment # conflicts with go-swagger comments
-    revive:
-      severity: error
-      rules:
-        - name: atomic
-        - name: bare-return
-        - name: blank-imports
-        - name: constant-logical-expr
-        - name: context-as-argument
-        - name: context-keys-type
-        - name: dot-imports
-        - name: duplicated-imports
-        - name: empty-lines
-        - name: error-naming
-        - name: error-return
-        - name: error-strings
-        - name: errorf
-        - name: exported
-        - name: identical-branches
-        - name: if-return
-        - name: increment-decrement
-        - name: indent-error-flow
-        - name: modifies-value-receiver
-        - name: package-comments
-        - name: range
-        - name: receiver-naming
-        - name: redefines-builtin-id
-        - name: string-of-int
-        - name: superfluous-else
-        - name: time-naming
-        - name: unconditional-recursion
-        - name: unexported-return
-        - name: unreachable-code
-        - name: var-declaration
-        - name: var-naming
-          arguments:
-            - [] # AllowList - do not remove as args for the rule are positional and won't work without lists first
-            - [] # DenyList
-            - - skip-package-name-checks: true # supress errors from underscore in migration packages
-    staticcheck:
-      checks:
-        - all
-        - -ST1003
-        - -ST1005
-        - -QF1001
-        - -QF1006
-        - -QF1008
-    testifylint:
-      disable:
-        - go-require
-        - require-error
-    usetesting:
-      os-temp-dir: true
-    perfsprint:
-      concat-loop: false
-    govet:
-      enable:
-        - nilness
-        - unusedwrite
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    rules:
-      - linters:
-          - dupl
-          - errcheck
-          - gocyclo
-          - gosec
-          - staticcheck
-          - unparam
-        path: _test\.go
-      - linters:
-          - dupl
-          - errcheck
-          - gocyclo
-          - gosec
-        path: models/migrations/v
-      - linters:
-          - forbidigo
-        path: cmd
-      - linters:
-          - depguard
-          - gofumpt
-        path: sdk/
-      - linters:
-          - dupl
-        text: (?i)webhook
-      - linters:
-          - gocritic
-        text: (?i)`ID' should not be capitalized
-      - linters:
-          - deadcode
-          - unused
-        text: (?i)swagger
-      - linters:
-          - staticcheck
-        text: (?i)argument x is overwritten before first use
-      - linters:
-          - gocritic
-        text: '(?i)commentFormatting: put a space between `//` and comment text'
-      - linters:
-          - gocritic
-        text: '(?i)exitAfterDefer:'
-    paths:
-      - node_modules
-      - .venv
-      - public
-      - web_src
-      - third_party$
-      - builtin$
-      - examples$
-issues:
-  max-issues-per-linter: 0
-  max-same-issues: 0
-formatters:
-  enable:
-    - gofmt
-    - gofumpt
-  settings:
-    gofumpt:
-      extra-rules: true
-  exclusions:
-    generated: lax
-    paths:
-      - node_modules
-      - .venv
-      - public
-      - web_src
-      - third_party$
-      - builtin$
-      - examples$
-
-run:
-  timeout: 30m

.ignore

@@ -1,8 +0,0 @@
-*.min.css
-*.min.js
-/assets/*.json
-/options/gitignore
-/options/license
-/public/assets
-/vendor
-node_modules

.lgtm

@@ -0,0 +1,3 @@
+pattern = "(?)LGTM"
+self_approval_off = true
+ignore_maintainers_file = true

.mailmap

@@ -1,2 +0,0 @@
-Unknwon <u@gogs.io> <joe2010xtmf@163.com>
-Unknwon <u@gogs.io> 无闻 <u@gogs.io>

.markdownlint.yaml

@@ -1,15 +0,0 @@
-commands-show-output: false
-fenced-code-language: false
-first-line-h1: false
-heading-increment: false
-line-length: {code_blocks: false, tables: false, stern: true, line_length: -1}
-no-alt-text: false
-no-bare-urls: false
-no-emphasis-as-heading: false
-no-empty-links: false
-no-hard-tabs: {code_blocks: false}
-no-inline-html: false
-no-space-in-code: false
-no-space-in-emphasis: false
-no-trailing-spaces: {br_spaces: 0}
-single-h1: false

.notes/note-1768881142114-zwzrej9gc.json

@@ -1,7 +0,0 @@
-{
-  "id": "note-1768881142114-zwzrej9gc",
-  "title": "Release Notes for Gallery",
-  "content": "  New Feature: Repository Home Page Tabs\n\n  The repository home page now features a tabbed interface replacing the single README display. When content is available, users will see tabs for:\n\n  - Readme - Displays the README file (default tab, existing behavior)\n  - License - Displays the LICENSE file content\n  - Gallery - Displays project screenshots from the .gallery folder\n\n  Tabs only appear when the corresponding content exists in the repository.\n\n  ---\n  New Feature: Repository Gallery\n\n  Developers can now showcase screenshots and images of their applications directly on the repository home page.\n\n  Gallery Tab Features:\n  - Responsive image grid layout\n  - Lightbox viewer for full-size images with keyboard navigation (\u2190 \u2192)\n  - Custom captions for each image\n  - Lazy loading for better performance\n\n  Gallery Settings Page (Repository \u003E Settings \u003E Gallery):\n  - Upload images (PNG, JPG, JPEG, GIF, WebP, SVG, BMP, ICO)\n  - 5MB maximum file size per image\n  - Add/edit captions for each image\n  - Delete images with confirmation\n\n  Storage:\n  - Images are stored in the .gallery folder at the repository root\n  - Captions are stored in .gallery/gallery.json\n  - All changes are committed to the repository automatically\n\n  ---\n  Localization\n\n  Full translations added for gallery-related strings in 20\u002B languages:\n  - English, German, French, Spanish, Italian, Dutch, Polish\n  - Portuguese (Brazil \u0026 Portugal)\n  - Russian, Ukrainian, Turkish, Czech, Greek, Hungarian\n  - Finnish, Swedish\n  - Japanese, Korean, Chinese (Simplified \u0026 Traditional)\n",
-  "createdAt": 1768881142111,
-  "updatedAt": 1768883658811
-}

.notes/note-1769113439411-asd5qtp9l.json

@@ -1,8 +0,0 @@
-{
-  "id": "note-1769113439411-asd5qtp9l",
-  "title": "AutoRelease",
-  "content": "  New Endpoint: /{owner}/{repo}/releases/latest.json\n\n  Simple URL - no /api/v1 prefix needed!\n\n  Channel Support\n\n  | Channel            | Description                         |\n  |--------------------|-------------------------------------|\n  | stable (default)   | Latest non-prerelease release       |\n  | prerelease or beta | Latest prerelease only              |\n  | any or all         | Latest release regardless of status |\n\n  Authentication\n\n  - Public repos: No authentication required\n  - Private repos: Vault token via Authorization: Bearer gvt_xxx\n\n  Rate Limiting\n\n  Endpoint includes X-RateLimit-Exempt: update-check header for app update checks.\n\n  Usage Examples\n\n  # Get latest stable release\n  curl https://gitcaddy.com/myorg/myapp/releases/latest.json\n\n  # Get latest beta/prerelease\n  curl https://gitcaddy.com/myorg/myapp/releases/latest.json?channel=beta\n\n  # Get absolute latest (stable or prerelease)\n  curl https://gitcaddy.com/myorg/myapp/releases/latest.json?channel=any\n\n  # Private repo with vault token\n  curl -H \"Authorization: Bearer gvt_xxx\" \\\n    https://gitcaddy.com/myorg/private-app/releases/latest.json\n\n  Response Format\n\n  {\n    \"repo_url\": \"https://gitcaddy.com/myorg/myapp\",\n    \"repo_name\": \"myapp\",\n    \"repo_full_name\": \"myorg/myapp\",\n    \"repo_display_name\": \"My Application\",\n    \"repo_description\": \"A great app for doing things\",\n    \"tag_name\": \"v1.2.3\",\n    \"name\": \"Version 1.2.3\",\n    \"body\": \"Release notes here...\",\n    \"draft\": false,\n    \"prerelease\": false,\n    \"channel\": \"stable\",\n    \"created_at\": \"2026-01-20T10:30:00Z\",\n    \"published_at\": \"2026-01-20T10:30:00Z\",\n    \"html_url\": \"https://gitcaddy.com/myorg/myapp/releases/tag/v1.2.3\",\n    \"tarball_url\": \"https://gitcaddy.com/myorg/myapp/archive/v1.2.3.tar.gz\",\n    \"zipball_url\": \"https://gitcaddy.com/myorg/myapp/archive/v1.2.3.zip\",\n    \"assets\": [\n      {\n        \"name\": \"myapp-windows.exe\",\n        \"size\": 15728640,\n        \"download_count\": 1234,\n        \"browser_download_url\": \"https://gitcaddy.com/myorg/myapp/releases/download/v1.2.3/myapp-windows.exe\"\n      }\n    ]\n  }\n\n  UI Integration\n\n  A JSON button appears on the Releases page (header and per-release) linking to this endpoint.",
-  "createdAt": 1769113439408,
-  "updatedAt": 1769113860499,
-  "tags": []
-}

.notes/note-1769285434594-8owbl45ah.json

@@ -1,8 +0,0 @@
-{
-  "id": "note-1769285434594-8owbl45ah",
-  "title": "Packages MCP",
-  "content": "  New MCP Tool: list_packages\n\n  GitCaddy Server (routers/api/v2/mcp.go)\n\n  Tool Definition:\n  {\n      Name:        \"list_packages\",\n      Description: \"List packages for an owner or globally. Shows package name, type, version info, and visibility.\",\n      InputSchema: {\n          \"owner\": \"Package owner (user or organization). If omitted, lists global packages.\",\n          \"type\": \"Filter by package type (e.g., nuget, npm, container, generic)\",\n          \"limit\": \"Maximum number of packages to return (default 50)\"\n      }\n  }\n\n  Tool Implementation: toolListPackages() function that:\n  - If owner is omitted, lists global packages only (packages with IsGlobal=true)\n  - If owner is specified, lists that user/org's packages\n  - Can filter by package type (nuget, npm, container, etc.)\n  - Returns package info including:\n    - Name, type, latest version\n    - Download count\n    - Visibility (private/public, global)\n    - Owner info\n\n  Example Response:\n  {\n    \"packages\": [\n      {\n        \"id\": 123,\n        \"name\": \"MyLibrary\",\n        \"type\": \"nuget\",\n        \"type_name\": \"NuGet\",\n        \"latest_version\": \"1.2.3\",\n        \"is_private\": false,\n        \"is_global\": true,\n        \"download_count\": 456,\n        \"owner\": \"_\",\n        \"owner_type\": \"global\",\n        \"created_at\": \"2026-01-24T...\"\n      }\n    ],\n    \"count\": 1,\n    \"scope\": \"global\"\n  }",
-  "createdAt": 1769285434592,
-  "updatedAt": 1769285438575,
-  "tags": []
-}

.notes/note-1769359412583-8i40cz2kh.json

@@ -1,8 +0,0 @@
-{
-  "id": "note-1769359412583-8i40cz2kh",
-  "title": "Vault Fix",
-  "content": "We must increment to use the new vault \n\n\t// GitCaddy Vault plugin (compiled-in)\n\tgit.marketally.com/gitcaddy/gitcaddy-vault v1.0.51   <--\n\n\n\n**Related Projects:**\n\n| Project | Description |\n|---------|-------------|\n| [gitcaddy/act_runner](https://git.marketally.com/gitcaddy/act_runner) | Runner with automatic capability detection |\n| [gitcaddy/actions-proto-go](https://git.marketally.com/gitcaddy/actions-proto-go) | Protocol buffer definitions for Actions |\n",
-  "createdAt": 1769359412581,
-  "updatedAt": 1769568634391,
-  "tags": []
-}

.notes/note-1770858253427-5d5d6gaia.json

@@ -1,8 +0,0 @@
-{
-  "id": "note-1770858253427-5d5d6gaia",
-  "title": "Issues/Releases",
-  "content": "  Access matrix after changes\n  ┌────────────────────────┬────────────┬────────────┬────────────┬─────────────┐\n  │        Endpoint        │   Public   │  Limited   │  Private   │ Private Org │\n  ├────────────────────────┼────────────┼────────────┼────────────┼─────────────┤\n  │ POST submit.json       │ anonymous  │ anonymous  │ anonymous  │ anonymous   │\n  ├────────────────────────┼────────────┼────────────┼────────────┼─────────────┤\n  │ GET status.json        │ anonymous* │ anonymous* │ anonymous* │ anonymous*  │\n  ├────────────────────────┼────────────┼────────────┼────────────┼─────────────┤\n  │ GET external/{id}.json │ anonymous  │ anonymous  │ anonymous  │ anonymous   │\n  ├────────────────────────┼────────────┼────────────┼────────────┼─────────────┤\n  │ GET latest.json        │ anonymous  │ anonymous  │ anonymous  │ anonymous   │\n  └────────────────────────┴────────────┴────────────┴────────────┴─────────────┘\n  * Only returns issues where external_source = \"gitcaddy-desktop\"",
-  "createdAt": 1770858253425,
-  "updatedAt": 1770858258193,
-  "tags": []
-}

.npmrc

@@ -1,7 +0,0 @@
-audit=false
-fund=false
-update-notifier=false
-save-exact=true
-auto-install-peers=true
-dedupe-peer-dependents=false
-enable-pre-post-scripts=true

.revive.toml

@@ -0,0 +1,25 @@
+ignoreGeneratedHeader = false
+severity = "warning"
+confidence = 0.8
+errorCode = 1
+warningCode = 1
+
+[rule.blank-imports]
+[rule.context-as-argument]
+[rule.context-keys-type]
+[rule.dot-imports]
+[rule.error-return]
+[rule.error-strings]
+[rule.error-naming]
+[rule.exported]
+[rule.if-return]
+[rule.increment-decrement]
+[rule.var-naming]
+[rule.var-declaration]
+[rule.package-comments]
+[rule.range]
+[rule.receiver-naming]
+[rule.time-naming]
+[rule.unexported-return]
+[rule.indent-error-flow]
+[rule.errorf]

.spectral.yaml

@@ -1,12 +0,0 @@
-extends: [[spectral:oas, all]]
-
-rules:
-  info-contact: off
-  oas2-api-host: off
-  oas2-parameter-description: off
-  oas2-schema: off
-  oas2-valid-schema-example: off
-  openapi-tags: off
-  operation-description: off
-  operation-singular-tag: off
-  operation-tag-defined: off

.yamllint.yaml

@@ -1,44 +0,0 @@
-extends: default
-
-rules:
-  braces:
-    min-spaces-inside: 0
-    max-spaces-inside: 1
-    min-spaces-inside-empty: 0
-    max-spaces-inside-empty: 0
-
-  brackets:
-    min-spaces-inside: 0
-    max-spaces-inside: 1
-    min-spaces-inside-empty: 0
-    max-spaces-inside-empty: 0
-
-  comments:
-    require-starting-space: true
-    ignore-shebangs: true
-    min-spaces-from-content: 1
-
-  comments-indentation:
-    level: error
-
-  document-start:
-    level: error
-    present: false
-
-  document-end:
-    present: false
-
-  empty-lines:
-    max: 1
-
-  indentation:
-    spaces: 2
-
-  line-length: disable
-
-  truthy:
-    allowed-values: ["true", "false", "on", "off"]
-
-ignore: |
-  .venv
-  node_modules

BSDmakefile

@@ -1,7 +1,6 @@
 # GNU makefile proxy script for BSD make
-#
 # Written and maintained by Mahmoud Al-Qudsi <mqudsi@neosmart.net>
-# Copyright NeoSmart Technologies <https://neosmart.net/> 2014-2019
+# Copyright NeoSmart Technologies <https://neosmart.net/> 2014-2018
 # Obtain updates from <https://github.com/neosmart/gmake-proxy>
 #
 # Redistribution and use in source and binary forms, with or without
@@ -27,32 +26,26 @@
 
 JARG =
 GMAKE = "gmake"
-# When gmake is called from another make instance, -w is automatically added
-# which causes extraneous messages about directory changes to be emitted.
-# Running with --no-print-directory silences these messages.
+#When gmake is called from another make instance, -w is automatically added
+#which causes extraneous messages about directory changes to be emitted.
+#--no-print-directory silences these messages.
 GARGS = "--no-print-directory"
 
 .if "$(.MAKE.JOBS)" != ""
-    JARG = -j$(.MAKE.JOBS)
+JARG = -j$(.MAKE.JOBS)
 .endif
 
-# bmake prefers out-of-source builds and tries to cd into ./obj (among others)
-# where possible. GNU Make doesn't, so override that value.
+#by default bmake will cd into ./obj first
 .OBJDIR: ./
 
-# The GNU convention is to use the lowercased `prefix` variable/macro to
-# specify the installation directory. Humor them.
-GPREFIX =
-.if defined(PREFIX) && ! defined(prefix)
-    GPREFIX = 'prefix = "$(PREFIX)"'
-.endif
-
-.BEGIN: .SILENT
-	which $(GMAKE) || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)
-
 .PHONY: FRC
 $(.TARGETS): FRC
-	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
+	$(GMAKE) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
 
 .DONE .DEFAULT: .SILENT
-	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
+	$(GMAKE) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
+
+.ERROR: .SILENT
+	if ! which $(GMAKE) > /dev/null; then \
+		echo "GNU Make is required!"; \
+	fi

CODE_OF_CONDUCT.md

@@ -1,96 +0,0 @@
-# Gitea Community Code of Conduct
-
-## About
-
-Online communities include people from many different backgrounds. The Gitea contributors are committed to providing a friendly, safe and welcoming environment for all, regardless of gender identity and expression, sexual orientation, disabilities, neurodiversity, physical appearance, body size, ethnicity, nationality, race, age, religion, or similar personal characteristics.
-
-The first goal of the Code of Conduct is to specify a baseline standard of behavior so that people with different social values and communication styles can talk about Gitea effectively, productively, and respectfully.
-
-The second goal is to provide a mechanism for resolving conflicts in the community when they arise.
-
-The third goal of the Code of Conduct is to make our community welcoming to people from different backgrounds. Diversity is critical to the project; for Gitea to be successful, it needs contributors and users from all backgrounds.
-
-We believe that healthy debate and disagreement are essential to a healthy project and community. However, it is never ok to be disrespectful. We value diverse opinions, but we value respectful behavior more.
-
-## Community values
-
-These are the values to which people in the Gitea community should aspire.
-
-- **Be friendly and welcoming.**
-- **Be patient.**
-  - Remember that people have varying communication styles and that not everyone is using their native language. (Meaning and tone can be lost in translation.)
-- **Be thoughtful.**
-  - Productive communication requires effort. Think about how your words will be interpreted.
-  - Remember that sometimes it is best to refrain entirely from commenting.
-- **Be respectful.**
-  - In particular, respect differences of opinion.
-- **Be charitable.**
-  - Interpret the arguments of others in good faith, do not seek to disagree.
-  - When we do disagree, try to understand why.
-- **Be constructive.**
-  - Avoid derailing: stay on topic; if you want to talk about something else, start a new conversation.
-  - Avoid unconstructive criticism: don't merely decry the current state of affairs; offer—or at least solicit—suggestions as to how things may be improved.
-  - Avoid snarking (pithy, unproductive, sniping comments).
-  - Avoid discussing potentially offensive or sensitive issues; this all too often leads to unnecessary conflict.
-  - Avoid microaggressions (brief and commonplace verbal, behavioral and environmental indignities that communicate hostile, derogatory or negative slights and insults to a person or group).
-- **Be responsible.**
-  - What you say and do matters. Take responsibility for your words and actions, including their consequences, whether intended or otherwise.
-
-People are complicated. You should expect to be misunderstood and to misunderstand others; when this inevitably occurs, resist the urge to be defensive or assign blame. Try not to take offense where no offense was intended. Give people the benefit of the doubt. Even if the intent was to provoke, do not rise to it. It is the responsibility of all parties to de-escalate conflict when it arises.
-
-## Code of Conduct
-
-### Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
-
-### Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-- Using welcoming and inclusive language
-- Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
-- Focusing on what is best for the community
-- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-- The use of sexualized language or imagery and unwelcome sexual attention or advances
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others’ private information, such as a physical or electronic address, without explicit permission
-- Other conduct which could reasonably be considered inappropriate in a professional setting
-
-### Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or reject: comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, as well as to ban (temporarily or permanently) any contributor for behaviors that they deem inappropriate, threatening, offensive, or harmful.
-
-### Scope
-
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
-
-This Code of Conduct also applies outside the project spaces when the Project Stewards have a reasonable belief that an individual’s behavior may have a negative impact on the project or its community.
-
-### Conflict Resolution
-
-We do not believe that all conflict is bad; healthy debate and disagreement often yield positive results. However, it is never okay to be disrespectful or to engage in behavior that violates the project’s code of conduct.
-
-If you see someone violating the code of conduct, you are encouraged to address the behavior directly with those involved. Many issues can be resolved quickly and easily, and this gives people more control over the outcome of their dispute. If you are unable to resolve the matter for any reason, or if the behavior is threatening or harassing, report it. We are dedicated to providing an environment where participants feel welcome and safe.
-
-Reports should be directed to the Gitea Project Stewards at conduct@gitea.com. It is the Project Stewards’ duty to receive and address reported violations of the code of conduct. They will then work with a committee consisting of representatives from the technical-oversight-committee.
-
-We will investigate every complaint, but you may not receive a direct response. We will use our discretion in determining when and how to follow up on reported incidents, which may range from not taking action to permanent expulsion from the project and project-sponsored spaces. Under normal circumstances, we will notify the accused of the report and provide them an opportunity to discuss it before any action is taken. If there is a consensus between maintainers that such an endeavor would be useless (i.e. in case of an obvious spammer), we reserve the right to take action without notifying the accused first. The identity of the reporter will be omitted from the details of the report supplied to the accused. In potentially harmful situations, such as ongoing harassment or threats to anyone’s safety, we may take action without notice.
-
-### Attribution
-
-This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
-
-## Summary
-
-- Treat everyone with respect and kindness.
-- Be thoughtful in how you communicate.
-- Don’t be destructive or inflammatory.
-- If you encounter an issue, please mail conduct@gitea.com.

CONTRIBUTING.md

@@ -1,474 +1,195 @@
 # Contribution Guidelines
 
-<details><summary>Table of Contents</summary>
+## Table of Contents
 
 - [Contribution Guidelines](#contribution-guidelines)
   - [Introduction](#introduction)
-  - [Issues](#issues)
-    - [How to report issues](#how-to-report-issues)
-    - [Types of issues](#types-of-issues)
-    - [Discuss your design before the implementation](#discuss-your-design-before-the-implementation)
-    - [Issue locking](#issue-locking)
-  - [Building Gitea](#building-gitea)
-  - [Dependencies](#dependencies)
-    - [Backend](#backend)
-    - [Frontend](#frontend)
-  - [Design guideline](#design-guideline)
-  - [Styleguide](#styleguide)
-  - [Copyright](#copyright)
-  - [Testing](#testing)
+  - [Bug reports](#bug-reports)
+  - [Discuss your design](#discuss-your-design)
+  - [Testing redux](#testing-redux)
+  - [Vendoring](#vendoring)
   - [Translation](#translation)
   - [Code review](#code-review)
-    - [Pull request format](#pull-request-format)
-    - [PR title and summary](#pr-title-and-summary)
-    - [Milestone](#milestone)
-    - [Labels](#labels)
-    - [Breaking PRs](#breaking-prs)
-      - [What is a breaking PR?](#what-is-a-breaking-pr)
-      - [How to handle breaking PRs?](#how-to-handle-breaking-prs)
-    - [Maintaining open PRs](#maintaining-open-prs)
-    - [Getting PRs merged](#getting-prs-merged)
-    - [Final call](#final-call)
-    - [Commit messages](#commit-messages)
-      - [PR Co-authors](#pr-co-authors)
-      - [PRs targeting `main`](#prs-targeting-main)
-      - [Backport PRs](#backport-prs)
-  - [Documentation](#documentation)
-  - [API v1](#api-v1)
-    - [GitHub API compatibility](#github-api-compatibility)
-    - [Adding/Maintaining API routes](#addingmaintaining-api-routes)
-    - [When to use what HTTP method](#when-to-use-what-http-method)
-    - [Requirements for API routes](#requirements-for-api-routes)
-  - [Backports and Frontports](#backports-and-frontports)
-    - [What is backported?](#what-is-backported)
-    - [How to backport?](#how-to-backport)
-    - [Format of backport PRs](#format-of-backport-prs)
-    - [Frontports](#frontports)
-  - [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco)
+  - [Styleguide](#styleguide)
+  - [Sign-off your work](#sign-off-your-work)
   - [Release Cycle](#release-cycle)
   - [Maintainers](#maintainers)
-  - [Technical Oversight Committee (TOC)](#technical-oversight-committee-toc)
-    - [TOC election process](#toc-election-process)
-    - [Current TOC members](#current-toc-members)
-    - [Previous TOC/owners members](#previous-tocowners-members)
-  - [Governance Compensation](#governance-compensation)
-  - [TOC \& Working groups](#toc--working-groups)
-  - [Roadmap](#roadmap)
+  - [Owners](#owners)
   - [Versions](#versions)
   - [Releasing Gitea](#releasing-gitea)
-
-</details>
+  - [Copyright](#copyright)
 
 ## Introduction
 
-This document explains how to contribute changes to the Gitea project. \
-It assumes you have followed the [installation instructions](https://docs.gitea.com/category/installation). \
-Sensitive security-related issues should be reported to [security@gitea.io](mailto:security@gitea.io).
+This document explains how to contribute changes to the Gitea project.
+It assumes you have followed the
+[installation instructions](https://docs.gitea.io/en-us/).
+Sensitive security-related issues should be reported to
+[security@gitea.io](mailto:security@gitea.io).
 
-For configuring IDEs for Gitea development, see the [contributed IDE configurations](contrib/ide/).
+For configuring IDE or code editor to develop Gitea see [IDE and code editor configuration](contrib/ide/)
 
-## Issues
+## Bug reports
 
-### How to report issues
+Please search the issues on the issue tracker with a variety of keywords
+to ensure your bug is not already reported.
 
-Please search the issues on the issue tracker with a variety of related keywords to ensure that your issue has not already been reported.
+If unique, [open an issue](https://github.com/go-gitea/gitea/issues/new)
+and answer the questions so we can understand and reproduce the
+problematic behavior.
 
-If your issue has not been reported yet, [open an issue](https://github.com/go-gitea/gitea/issues/new)
-and answer the questions so we can understand and reproduce the problematic behavior. \
-Please write clear and concise instructions so that we can reproduce the behavior — even if it seems obvious. \
-The more detailed and specific you are, the faster we can fix the issue. \
-It is really helpful if you can reproduce your problem on a site running on the latest commits, i.e. <https://demo.gitea.com>, as perhaps your problem has already been fixed on a current version. \
-Please follow the guidelines described in [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html) for your report.
+To show us that the issue you are having is in Gitea itself, please
+write clear, concise instructions so we can reproduce the behavior—
+even if it seems obvious. The more detailed and specific you are,
+the faster we can fix the issue. Check out [How to Report Bugs
+Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html).
 
-Please be kind, remember that Gitea comes at no cost to you, and you're getting free help.
+Please be kind, remember that Gitea comes at no cost to you, and you're
+getting free help.
 
-### Types of issues
+## Discuss your design
 
-Typically, issues fall in one of the following categories:
+The project welcomes submissions. If you want to change or add something,
+please let everyone know what you're working on—[file an issue](https://github.com/go-gitea/gitea/issues/new)!
+Significant changes must go through the change proposal process
+before they can be accepted. To create a proposal, file an issue with
+your proposed changes documented, and make sure to note in the title
+of the issue that it is a proposal.
 
-- `bug`: Something in the frontend or backend behaves unexpectedly
-- `security issue`: bug that has serious implications such as leaking another users data. Please do not file such issues on the public tracker and send a mail to security@gitea.io instead
-- `feature`: Completely new functionality. You should describe this feature in enough detail that anyone who reads the issue can understand how it is supposed to be implemented
-- `enhancement`: An existing feature should get an upgrade
-- `refactoring`: Parts of the code base don't conform with other parts and should be changed to improve Gitea's maintainability
+This process gives everyone a chance to validate the design, helps
+prevent duplication of effort, and ensures that the idea fits inside
+the goals for the project and tools. It also checks that the design is
+sound before code is written; the code review tool is not the place for
+high-level discussions.
 
-### Discuss your design before the implementation
+## Testing redux
 
-We welcome submissions. \
-If you want to change or add something, please let everyone know what you're working on — [file an issue](https://github.com/go-gitea/gitea/issues/new) or comment on an existing one before starting your work!
+Before submitting a pull request, run all the tests for the whole tree
+to make sure your changes don't cause regression elsewhere.  
 
-Significant changes such as new features must go through the change proposal process before they can be accepted. \
-This is mainly to save yourself the trouble of implementing it, only to find out that your proposed implementation has some potential problems. \
-Furthermore, this process gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits inside
-the goals for the project and tools.
+Here's how to run the test suite: 
 
-Pull requests should not be the place for architecture discussions.
+- Install the correct version of the drone-cli package.  As of this
+  writing, the correct drone-cli version is
+  [0.8.6](https://0-8-0.docs.drone.io/cli-installation/).
+- Ensure you have enough free disk space.  You will need at least
+  15-20 Gb of free disk space to hold all of the containers drone
+  creates (a default AWS or GCE disk size won't work -- see
+  [#6243](https://github.com/go-gitea/gitea/issues/6243)).  
+- Change into the base directory of your copy of the gitea repository,
+  and run `drone exec --local --build-event pull_request`.
 
-### Issue locking
+The drone version, command line, and disk requirements do change over
+time (see [#4053](https://github.com/go-gitea/gitea/issues/4053) and
+[#6243](https://github.com/go-gitea/gitea/issues/6243)); if you
+discover any issues, please feel free to send us a pull request to
+update these instructions.
 
-Commenting on closed or merged issues/PRs is strongly discouraged.
-Such comments will likely be overlooked as some maintainers may not view notifications on closed issues, thinking that the item is resolved.
-As such, commenting on closed/merged issues/PRs may be disabled prior to the scheduled auto-locking if a discussion starts or if unrelated comments are posted.
-If further discussion is needed, we encourage you to open a new issue instead and we recommend linking to the issue/PR in question for context.
+## Vendoring
 
-## Building Gitea
+We keep a cached copy of dependencies within the `vendor/` directory,
+managing updates via [dep](https://github.com/golang/dep).
 
-See the [development setup instructions](https://docs.gitea.com/development/hacking-on-gitea).
+Pull requests should only include `vendor/` updates if they are part of
+the same change, be it a bugfix or a feature addition.
 
-## Dependencies
-
-### Backend
-
-Go dependencies are managed using [Go Modules](https://go.dev/cmd/go/#hdr-Module_maintenance). \
-You can find more details in the [go mod documentation](https://go.dev/ref/mod) and the [Go Modules Wiki](https://github.com/golang/go/wiki/Modules).
-
-Pull requests should only modify `go.mod` and `go.sum` where it is related to your change, be it a bugfix or a new feature. \
-Apart from that, these files should only be modified by Pull Requests whose only purpose is to update dependencies.
-
-The `go.mod`, `go.sum` update needs to be justified as part of the PR description,
+The `vendor/` update needs to be justified as part of the PR description,
 and must be verified by the reviewers and/or merger to always reference
 an existing upstream commit.
 
-### Frontend
-
-For the frontend, we use [npm](https://www.npmjs.com/).
-
-The same restrictions apply for frontend dependencies as for backend dependencies, with the exceptions that the files for it are `package.json` and `package-lock.json`, and that new versions must always reference an existing version.
-
-## Design guideline
-
-Depending on your change, please read the
-
-- [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend)
-- [frontend development guideline](https://docs.gitea.com/contributing/guidelines-frontend)
-- [refactoring guideline](https://docs.gitea.com/contributing/guidelines-refactoring)
-
-## Styleguide
-
-You should always run `make fmt` before committing to conform to Gitea's styleguide.
-
-## Copyright
-
-New code files that you contribute should use the standard copyright header:
-
-```
-// Copyright <current year> The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-```
-
-Afterwards, copyright should only be modified when the copyright author changes.
-
-## Testing
-
-Before submitting a pull request, run all tests to make sure your changes don't cause a regression elsewhere.
-
-Here's how to run the test suite:
-
-- code lint
-
-|                       |                                                                              |
-| :-------------------- | :--------------------------------------------------------------------------- |
-|``make lint``          | lint everything (not needed if you only change the front- **or** backend)    |
-|``make lint-frontend`` | lint frontend files                                                          |
-|``make lint-backend``  | lint backend files                                                           |
-
-- run tests (we suggest running them on Linux)
-
-|  Command                                    | Action                                                   |                                             |
-| :------------------------------------------ | :------------------------------------------------------- | ------------------------------------------- |
-|``make test[\#SpecificTestName]``            |  run unit test(s)                                        |                                             |
-|``make test-sqlite[\#SpecificTestName]``     |  run [integration](tests/integration) test(s) for SQLite | [More details](tests/integration/README.md) |
-|``make test-e2e-sqlite[\#SpecificTestName]`` |  run [end-to-end](tests/e2e) test(s) for SQLite          | [More details](tests/e2e/README.md)         |
+You can find more information on how to get started with it on the [dep project website](https://golang.github.io/dep/docs/introduction.html).
 
 ## Translation
 
-All translation work happens on [Crowdin](https://translate.gitea.com).
-The only translation that is maintained in this repository is [the English translation](https://github.com/go-gitea/gitea/blob/main/options/locale/locale_en-US.ini).
-It is synced regularly with Crowdin. \
-Other locales on main branch **should not** be updated manually as they will be overwritten with each sync. \
-Once a language has reached a **satisfactory percentage** of translated keys (~25%), it will be synced back into this repo and included in the next released version.
+We do all translation work inside [Crowdin](https://crowdin.com/project/gitea).
+The only translation that is maintained in this git repository is
+[`en_US.ini`](https://github.com/go-gitea/gitea/blob/master/options/locale/locale_en-US.ini)
+and is synced regularly to Crowdin. Once a translation has reached
+A SATISFACTORY PERCENTAGE it will be synced back into this repo and
+included in the next released version.
 
-The tool `go run build/backport-locale.go` can be used to backport locales from the main branch to release branches that were missed.
+## Building Gitea
+
+Generally, the go build tools are installed as-needed in the `Makefile`.
+An exception are the tools to build the CSS and images.
+
+- To build CSS: Install [Node.js](https://nodejs.org/en/download/package-manager) at version 8.0 or above
+  with `npm` and then run `npm install` and `make generate-stylesheets`.
+- To build Images: ImageMagick, inkscape and zopflipng binaries must be
+  available in your `PATH` to run `make generate-images`.
 
 ## Code review
 
-### Pull request format
+Changes to Gitea must be reviewed before they are accepted—no matter who
+makes the change, even if they are an owner or a maintainer. We use GitHub's
+pull request workflow to do that. And, we also use [LGTM](http://lgtm.co)
+to ensure every PR is reviewed by at least 2 maintainers.
 
-Please try to make your pull request easy to review for us. \
-For that, please read the [*Best Practices for Faster Reviews*](https://github.com/kubernetes/community/blob/261cb0fd089b64002c91e8eddceebf032462ccd6/contributors/guide/pull-requests.md#best-practices-for-faster-reviews) guide. \
-It has lots of useful tips for any project you may want to contribute to. \
+Please try to make your pull request easy to review for us. And, please read
+the *[How to get faster PR reviews](https://github.com/kubernetes/community/blob/261cb0fd089b64002c91e8eddceebf032462ccd6/contributors/guide/pull-requests.md#best-practices-for-faster-reviews)* guide;
+it has lots of useful tips for any project you may want to contribute.
 Some of the key points:
 
-- Make small pull requests. \
-  The smaller, the faster to review and the more likely it will be merged soon.
-- Don't make changes unrelated to your PR. \
-  Maybe there are typos on some comments, maybe refactoring would be welcome on a function... \
-  but if that is not related to your PR, please make *another* PR for that.
-- Split big pull requests into multiple small ones. \
-  An incremental change will be faster to review than a huge PR.
-- Allow edits by maintainers. This way, the maintainers will take care of merging the PR later on instead of you.
+* Make small pull requests. The smaller, the faster to review and the
+  more likely it will be merged soon.
+* Don't make changes unrelated to your PR. Maybe there are typos on
+  some comments, maybe refactoring would be welcome on a function... but
+  if that is not related to your PR, please make *another* PR for that.
+* Split big pull requests into multiple small ones. An incremental change
+  will be faster to review than a huge PR.
 
-### PR title and summary
+## Styleguide
 
-In the PR title, describe the problem you are fixing, not how you are fixing it. \
-Use the first comment as a summary of your PR. \
-In the PR summary, you can describe exactly how you are fixing this problem.
+For imports you should use the following format (_without_ the comments)
+```go
+import (
+  // stdlib
+  "encoding/json"
+  "fmt"
 
-Keep this summary up-to-date as the PR evolves. \
-If your PR changes the UI, you must add **after** screenshots in the PR summary. \
-If you are not implementing a new feature, you should also post **before** screenshots for comparison.
+  // local packages
+  "code.gitea.io/gitea/models"
+  "code.gitea.io/sdk/gitea"
 
-If you are implementing a new feature, your PR will only be merged if your screenshots are up to date.\
-Furthermore, feature PRs will only be merged if their summary contains a clear usage description (understandable for users) and testing description (understandable for reviewers).
-You should strive to combine both into a single description.
-
-Another requirement for merging PRs is that the PR is labeled correctly.\
-However, this is not your job as a contributor, but the job of the person merging your PR.\
-If you think that your PR was labeled incorrectly, or notice that it was merged without labels, please let us know.
-
-If your PR closes some issues, you must note that in a way that both GitHub and Gitea understand, i.e. by appending a paragraph like
-
-```text
-Fixes/Closes/Resolves #<ISSUE_NR_X>.
-Fixes/Closes/Resolves #<ISSUE_NR_Y>.
+  // external packages
+  "github.com/foo/bar"
+  "gopkg.io/baz.v1"
+)
 ```
 
-to your summary. \
-Each issue that will be closed must stand on a separate line.
+## Sign-off your work
 
-### Milestone
-
-A PR should only be assigned to a milestone if it will likely be merged into the given version. \
-As a rule of thumb, assume that a PR will stay open for an additional month for every 100 added lines. \
-PRs without a milestone may not be merged.
-
-### Labels
-
-Almost all labels used inside Gitea can be classified as one of the following:
-
-- `modifies/…`: Determines which parts of the codebase are affected. These labels will be set through the CI.
-- `topic/…`:  Determines the conceptual component of Gitea that is affected, i.e. issues, projects, or authentication. At best, PRs should only target one component but there might be overlap. Must be set manually.
-- `type/…`: Determines the type of an issue or PR (feature, refactoring, docs, bug, …). If GitHub supported scoped labels, these labels would be exclusive, so you should set **exactly** one, not more or less (every PR should fall into one of the provided categories, and only one).
-- `issue/…` / `pr/…`: Labels that are specific to issues or PRs respectively and that are only necessary in a given context, i.e. `issue/not-a-bug` or `pr/need-2-approvals`
-
-Every PR should be labeled correctly with every label that applies.
-
-There are also some labels that will be managed automatically.\
-In particular, these are
-
-- the amount of pending required approvals
-- has all `backport`s or needs a manual backport
-
-### Breaking PRs
-
-#### What is a breaking PR?
-
-A PR is breaking if it meets one of the following criteria:
-
-- It changes API output in an incompatible way for existing users
-- It removes a setting that an admin could previously set (i.e. via `app.ini`)
-- An admin must do something manually to restore the old behavior
-
-In particular, this means that adding new settings is not breaking.\
-Changing the default value of a setting or replacing the setting with another one is breaking, however.
-
-#### How to handle breaking PRs?
-
-If your PR has a breaking change, you must add two things to the summary of your PR:
-
-1. A reasoning why this breaking change is necessary
-2. A `BREAKING` section explaining in simple terms (understandable for a typical user) how this PR affects users and how to mitigate these changes. This section can look for example like
-
-```md
-## :warning: BREAKING :warning:
-```
-
-Breaking PRs will not be merged as long as not both of these requirements are met.
-
-### Maintaining open PRs
-
-The moment you create a non-draft PR or the moment you convert a draft PR to a non-draft PR is the moment code review starts for it. \
-Once that happens, do not rebase or squash your branch anymore as it makes it difficult to review the new changes. \
-Merge the base branch into your branch only when you really need to, i.e. because of conflicting changes in the mean time. \
-This reduces unnecessary CI runs. \
-Don't worry about merge commits messing up your commit history as every PR will be squash merged. \
-This means that all changes are joined into a single new commit whose message is as described below.
-
-### Getting PRs merged
-
-Changes to Gitea must be reviewed before they are accepted — no matter who
-makes the change, even if they are an owner or a maintainer. \
-The only exception are critical bugs that prevent Gitea from being compiled or started. \
-Specifically, we require two approvals from maintainers for every PR. \
-Once this criteria has been met, your PR receives the `lgtm/done` label. \
-From this point on, your only responsibility is to fix merge conflicts or respond to/implement requests by maintainers. \
-It is the responsibility of the maintainers from this point to get your PR merged.
-
-If a PR has the `lgtm/done` label and there are no open discussions or merge conflicts anymore, any maintainer can add the `reviewed/wait-merge` label. \
-This label means that the PR is part of the merge queue and will be merged as soon as possible. \
-The merge queue will be cleared in the order of the list below:
-
-<https://github.com/go-gitea/gitea/pulls?q=is%3Apr+label%3Areviewed%2Fwait-merge+sort%3Acreated-asc+is%3Aopen>
-
-Gitea uses it's own tool, the <https://github.com/GiteaBot/gitea-backporter> to automate parts of the review process. \
-This tool does the things listed below automatically:
-
-- create a backport PR if needed once the initial PR was merged
-- remove the PR from the merge queue after the PR merged
-- keep the oldest branch in the merge queue up to date with merges
-
-### Final call
-
-If a PR has been ignored for more than 7 days with no comments or reviews, and the author or any maintainer believes it will not survive a long wait (such as a refactoring PR), they can send "final call" to the TOC by mentioning them in a comment.
-
-After another 7 days, if there is still zero approval, this is considered a polite refusal, and the PR will be closed to avoid wasting further time. Therefore, the "final call" has a cost, and should be used cautiously.
-
-However, if there are no objections from maintainers, the PR can be merged with only one approval from the TOC (not the author).
-
-### Commit messages
-
-Mergers are able and required to rewrite the PR title and summary (the first comment of a PR) so that it can produce an easily understandable commit message if necessary. \
-The final commit message should no longer contain any uncertainty such as `hopefully, <x> won't happen anymore`. Replace uncertainty with certainty.
-
-#### PR Co-authors
-
-A person counts as a PR co-author the moment they (co-)authored a commit that is not simply a `Merge base branch into branch` commit. \
-Mergers are required to remove such "false-positive" co-authors when writing the commit message. \
-The true co-authors must remain in the commit message.
-
-#### PRs targeting `main`
-
-The commit message of PRs targeting `main` is always
-
-```bash
-$PR_TITLE ($PR_INDEX)
-
-$REWRITTEN_PR_SUMMARY
-```
-
-#### Backport PRs
-
-The commit message of backport PRs is always
-
-```bash
-$PR_TITLE ($INITIAL_PR_INDEX) ($BACKPORT_PR_INDEX)
-
-$REWRITTEN_PR_SUMMARY
-```
-
-## Documentation
-
-If you add a new feature or change an existing aspect of Gitea, the documentation for that feature must be created or updated in another PR at [https://gitea.com/gitea/docs](https://gitea.com/gitea/docs).
-**The docs directory on main repository will be removed at some time. We will have a yaml file to store configuration file's meta data. After that completed, configuration documentation should be in the main repository.**
-
-## API v1
-
-The API is documented by [swagger](https://gitea.com/api/swagger) and is based on [the GitHub API](https://docs.github.com/en/rest).
-
-### GitHub API compatibility
-
-Gitea's API should use the same endpoints and fields as the GitHub API as far as possible, unless there are good reasons to deviate. \
-If Gitea provides functionality that GitHub does not, a new endpoint can be created. \
-If information is provided by Gitea that is not provided by the GitHub API, a new field can be used that doesn't collide with any GitHub fields. \
-Updating an existing API should not remove existing fields unless there is a really good reason to do so. \
-The same applies to status responses. If you notice a problem, feel free to leave a comment in the code for future refactoring to API v2 (which is currently not planned).
-
-### Adding/Maintaining API routes
-
-All expected results (errors, success, fail messages) must be documented ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)). \
-All JSON input types must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91)) \
-and referenced in [routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go). \
-They can then be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318). \
-All JSON responses must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68)) \
-and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16)) \
-They can be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279).
-
-### When to use what HTTP method
-
-In general, HTTP methods are chosen as follows:
-
-- **GET** endpoints return the requested object(s) and status **OK (200)**
-- **DELETE** endpoints return the status **No Content (204)** and no content either
-- **POST** endpoints are used to **create** new objects (e.g. a User) and return the status **Created (201)** and the created object
-- **PUT** endpoints are used to **add/assign** existing Objects (e.g. a user to a team) and return the status **No Content (204)** and no content either
-- **PATCH** endpoints are used to **edit/change** an existing object and return the changed object and the status **OK (200)**
-
-### Requirements for API routes
-
-All parameters of endpoints changing/editing an object must be optional (except the ones to identify the object, which are required).
-
-Endpoints returning lists must
-
-- support pagination (`page` & `limit` options in query)
-- set `X-Total-Count` header via **SetTotalCountHeader** ([example](https://github.com/go-gitea/gitea/blob/7aae98cc5d4113f1e9918b7ee7dd09f67c189e3e/routers/api/v1/repo/issue.go#L444))
-
-## Backports and Frontports
-
-### What is backported?
-
-We backport PRs given the following circumstances:
-
-1. Feature freeze is active, but `<version>-rc0` has not been released yet. Here, we backport as much as possible. <!-- TODO: Is that our definition with the new backport bot? -->
-2. `rc0` has been released. Here, we only backport bug- and security-fixes, and small enhancements. Large PRs such as refactors are not backported anymore. <!-- TODO: Is that our definition with the new backport bot? -->
-3. We never backport new features.
-4. We never backport breaking changes except when
-    1. The breaking change has no effect on the vast majority of users
-    2. The component triggering the breaking change is marked as experimental
-
-### How to backport?
-
-In the past, it was necessary to manually backport your PRs. \
-Now, that's not a requirement anymore as our [backport bot](https://github.com/GiteaBot) tries to create backports automatically once the PR is merged when the PR
-
-- does not have the label `backport/manual`
-- has the label `backport/<version>`
-
-The `backport/manual` label signifies either that you want to backport the change yourself, or that there were conflicts when backporting, thus you **must** do it yourself.
-
-### Format of backport PRs
-
-The title of backport PRs should be
-
-```
-<original PR title> (#<original pr number>)
-```
-
-The first two lines of the summary of the backporting PR should be
-
-```
-Backport #<original pr number>
-
-```
-
-with the rest of the summary and labels matching the original PR.
-
-### Frontports
-
-Frontports behave exactly as described above for backports.
-
-## Developer Certificate of Origin (DCO)
-
-We consider the act of contributing to the code by submitting a Pull Request as the "Sign off" or agreement to the certifications and terms of the [DCO](DCO) and [MIT license](LICENSE). \
-No further action is required. \
-You can also decide to sign off your commits by adding the following line at the end of your commit messages:
+The sign-off is a simple line at the end of the explanation for the
+patch. Your signature certifies that you wrote the patch or otherwise
+have the right to pass it on as an open-source patch. The rules are
+pretty simple: If you can certify [DCO](DCO), then you just add a line
+to every git commit message:
 
 ```
 Signed-off-by: Joe Smith <joe.smith@email.com>
 ```
 
-If you set the `user.name` and `user.email` Git config options, you can add the line to the end of your commits automatically with `git commit -s`.
-
-We assume in good faith that the information you provide is legally binding.
+Please use your real name; we really dislike pseudonyms or anonymous
+contributions. We are in the open-source world without secrets. If you
+set your `user.name` and `user.email` git configs, you can sign-off your
+commit automatically with `git commit -s`.
 
 ## Release Cycle
 
-We adopted a release schedule to streamline the process of working on, finishing, and issuing releases. \
-The overall goal is to make a major release every three or four months, which breaks down into two or three months of general development followed by one month of testing and polishing known as the release freeze. \
-All the feature pull requests should be
-merged before feature freeze. All feature pull requests haven't been merged before this feature freeze will be moved to next milestone, please notice our feature freeze announcement on discord. And, during the frozen period, a corresponding
-release branch is open for fixes backported from main branch. Release candidates
-are made during this period for user testing to
-obtain a final version that is maintained in this branch.
+We adopted a release schedule to streamline the process of working
+on, finishing, and issuing releases. The overall goal is to make a
+minor release every two months, which breaks down into one month of
+general development followed by one month of testing and polishing
+known as the release freeze. All the feature pull requests should be
+merged in the first month of one release period. And, during the frozen
+period, a corresponding release branch is open for fixes backported from
+master. Release candidates are made during this period for user testing to
+obtain a final version that is maintained in this branch. A release is
+maintained by issuing patch releases to only correct critical problems
+such as crashes or security issues.
+
+Major release cycles are bimonthly. They always begin on the 25th and end on
+the 24th (i.e., the 25th of December to February 24th).
 
 During a development cycle, we may also publish any necessary minor releases
 for the previous version. For example, if the latest, published release is
@@ -477,12 +198,13 @@ still possible.
 
 ## Maintainers
 
-To make sure every PR is checked, we have [maintainers](MAINTAINERS). \
-Every PR **must** be reviewed by at least two maintainers (or owners) before it can get merged. \
-For refactoring PRs after a week and documentation only PRs, the approval of only one maintainer is enough. \
-A maintainer should be a contributor of Gitea and contributed at least
+To make sure every PR is checked, we have [team
+maintainers](MAINTAINERS). Every PR **MUST** be reviewed by at least
+two maintainers (or owners) before it can get merged. A maintainer
+should be a contributor of Gitea (or Gogs) and contributed at least
 4 accepted PRs. A contributor should apply as a maintainer in the
-[Discord](https://discord.gg/Gitea) `#develop` channel. The team maintainers may invite the contributor. A maintainer
+[Discord](https://discord.gg/NsatcWJ) #develop channel. The owners
+or the team maintainers may invite the contributor. A maintainer
 should spend some time on code reviews. If a maintainer has no
 time to do that, they should apply to leave the maintainers team
 and we will give them the honor of being a member of the [advisors
@@ -492,115 +214,88 @@ to the maintainers team. If a maintainer is inactive for more than 3
 months and forgets to leave the maintainers team, the owners may move
 him or her from the maintainers team to the advisors team.
 For security reasons, Maintainers should use 2FA for their accounts and
-if possible provide GPG signed commits.
+if possible provide gpg signed commits. 
 https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
 https://help.github.com/articles/signing-commits-with-gpg/
 
-Furthermore, any account with write access (like bots and TOC members) **must** use 2FA.
+## Owners
+
+Since Gitea is a pure community organization without any company support,
+to keep the development healthy we will elect three owners every year. All
+contributors may vote to elect up to three candidates, one of which will
+be the main owner, and the other two the assistant owners. When the new
+owners have been elected, the old owners will give up ownership to the
+newly elected owners. If an owner is unable to do so, the other owners
+will assist in ceding ownership to the newly elected owners.
+For security reasons, Owners or any account with write access (like a bot)
+must use 2FA.
 https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
 
-## Technical Oversight Committee (TOC)
+After the election, the new owners should proactively agree
+with our [CONTRIBUTING](CONTRIBUTING.md) requirements in the
+[Discord](https://discord.gg/NsatcWJ) #general channel. Below are the
+words to speak:
 
-At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions are elected as it has been over the past years, and the other three consist of appointed members from the Gitea company.
-https://blog.gitea.com/quarterly-23q1/
+```
+I'm honored to having been elected an owner of Gitea, I agree with
+[CONTRIBUTING](CONTRIBUTING.md). I will spend part of my time on Gitea
+and lead the development of Gitea.
+```
 
-### TOC election process
+To honor the past owners, here's the history of the owners and the time
+they served:
 
-Any maintainer is eligible to be part of the community TOC if they are not associated with the Gitea company.
-A maintainer can either nominate themselves, or can be nominated by other maintainers to be a candidate for the TOC election.
-If you are nominated by someone else, you must first accept your nomination before the vote starts to be a candidate.
+* 2016-11-04 ~ 2017-12-31
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Thomas Boerger](https://github.com/tboerger) <thomas@webhippie.de>
+  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
 
-The TOC is elected for one year, the TOC election happens yearly.
-After the announcement of the results of the TOC election, elected members have two weeks time to confirm or refuse the seat.
-If an elected member does not answer within this timeframe, they are automatically assumed to refuse the seat.
-Refusals result in the person with the next highest vote getting the same choice.
-As long as seats are empty in the TOC, members of the previous TOC can fill them until an elected member accepts the seat.
+* 2018-01-01 ~ 2018-12-31
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
+  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
 
-If an elected member that accepts the seat does not have 2FA configured yet, they will be temporarily counted as `answer pending` until they manage to configure 2FA, thus leaving their seat empty for this duration.
-
-### Current TOC members
-
-- 2024-01-01 ~ 2024-12-31
-  - Company
-    - [Jason Song](https://gitea.com/wolfogre) <i@wolfogre.com>
-    - [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.com>
-  - Community
-    - [6543](https://gitea.com/6543) <6543@obermui.de>
-    - [delvh](https://gitea.com/delvh) <dev.lh@web.de>
-    - [John Olheiser](https://gitea.com/jolheiser) <john.olheiser@gmail.com>
-
-### Previous TOC/owners members
-
-Here's the history of the owners and the time they served:
-
-- [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [Kim Carlbäcker](https://github.com/bkcsoft) - 2016, 2017
-- [Thomas Boerger](https://gitea.com/tboerger) - 2016, 2017
-- [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) - [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801)
-- [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [6543](https://gitea.com/6543) - 2023
-- [John Olheiser](https://gitea.com/jolheiser) - 2023
-- [Jason Song](https://gitea.com/wolfogre) - 2023
-
-## Governance Compensation
-
-Each member of the community elected TOC will be granted $500 each month as compensation for their work.
-
-Furthermore, any community release manager for a specific release or LTS will be compensated $500 for the delivery of said release.
-
-These funds will come from community sources like the OpenCollective rather than directly from the company.
-Only non-company members are eligible for this compensation, and if a member of the community TOC takes the responsibility of release manager, they would only be compensated for their TOC duties.
-Gitea Ltd employees are not eligible to receive any funds from the OpenCollective unless it is reimbursement for a purchase made for the Gitea project itself.
-
-## TOC & Working groups
-
-With Gitea covering many projects outside of the main repository, several groups will be created to help focus on specific areas instead of requiring maintainers to be a jack-of-all-trades. Maintainers are of course more than welcome to be part of multiple groups should they wish to contribute in multiple places.
-
-The currently proposed groups are:
-
-- **Core Group**: maintain the primary Gitea repository
-- **Integration Group**: maintain the Gitea ecosystem's related tools, including go-sdk/tea/changelog/bots etc.
-- **Documentation Group**: maintain related documents and repositories
-- **Translation Group**: coordinate with translators and maintain translations
-- **Security Group**: managed by TOC directly, members are decided by TOC, maintains security patches/responsible for security items
-
-## Roadmap
-
-Each year a roadmap will be discussed with the entire Gitea maintainers team, and feedback will be solicited from various stakeholders.
-TOC members need to review the roadmap every year and work together on the direction of the project.
-
-When a vote is required for a proposal or other change, the vote of community elected TOC members count slightly more than the vote of company elected TOC members. With this approach, we both avoid ties and ensure that changes align with the mission statement and community opinion.
-
-You can visit our roadmap on the wiki.
+* 2019-01-01 ~ 2019-12-31
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
+  * [Matti Ranta](https://github.com/techknowlogick) <matti@mdranta.net>
 
 ## Versions
 
-Gitea has the `main` branch as a tip branch and has version branches
-such as `release/v1.19`. `release/v1.19` is a release branch and we will
-tag `v1.19.0` for binary download. If `v1.19.0` has bugs, we will accept
-pull requests on the `release/v1.19` branch and publish a `v1.19.1` tag,
-after bringing the bug fix also to the main branch.
+Gitea has the `master` branch as a tip branch and has version branches
+such as `release/v0.9`. `release/v0.9` is a release branch and we will
+tag `v0.9.0` for binary download. If `v0.9.0` has bugs, we will accept
+pull requests on the `release/v0.9` branch and publish a `v0.9.1` tag,
+after bringing the bug fix also to the master branch.
 
-Since the `main` branch is a tip version, if you wish to use Gitea
+Since the `master` branch is a tip version, if you wish to use Gitea
 in production, please download the latest release tag version. All the
 branches will be protected via GitHub, all the PRs to every branch must
 be reviewed by two maintainers and must pass the automatic tests.
 
 ## Releasing Gitea
 
-- Let $vmaj, $vmin and $vpat be Major, Minor and Patch version numbers, $vpat should be rc1, rc2, 0, 1, ...... $vmaj.$vmin will be kept the same as milestones on github or gitea in future.
-- Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody is against it in about several hours.
-- If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
-  - Create `-dev` tag as `git tag -s -F release.notes v$vmaj.$vmin.0-dev` and push the tag as `git push origin v$vmaj.$vmin.0-dev`.
-  - When CI has finished building tag then you have to create a new branch named `release/v$vmaj.$vmin`
-- If it is bugfix version create PR for changelog on branch `release/v$vmaj.$vmin` and wait till it is reviewed and merged.
-- Add a tag as `git tag -s -F release.notes v$vmaj.$vmin.$`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`.
-- And then push the tag as `git push origin v$vmaj.$vmin.$`. Drone CI will automatically create a release and upload all the compiled binary. (But currently it doesn't add the release notes automatically. Maybe we should fix that.)
-- If needed send a frontport PR for the changelog to branch `main` and update the version in `docs/config.yaml` to refer to the new version.
-- Send PR to [blog repository](https://gitea.com/gitea/blog) announcing the release.
-- Verify all release assets were correctly published through CI on dl.gitea.com and GitHub releases. Once ACKed:
-  - bump the version of https://dl.gitea.com/gitea/version.json
-  - merge the blog post PR
-  - announce the release in discord `#announcements`
+* Let $vmaj, $vmin and $vpat be Major, Minor and Patch version numbers, $vpat should be rc1, rc2, 0, 1, ...... $vmaj.$vmin will be kept the same as milestones on github or gitea in future.
+* Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody against in about serval hours.
+* If this is a big version first you have to create PR for changelog on branch `master` with PRs with label `changelog` and after it has been merged do following steps:
+  * Create `-dev` tag as `git tag -s -F release.notes v$vmaj.$vmin.0-dev` and push the tag as `git push origin v$vmaj.$vmin.0-dev`.
+  * When CI has finished building tag then you have to create a new branch named `release/v$vmaj.$vmin`
+* If it is bugfix version create PR for changelog on branch `release/v$vmaj.$vmin` and wait till it is reviewed and merged.
+* Add a tag as `git tag -s -F release.notes v$vmaj.$vmin.$`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`. 
+* And then push the tag as `git push origin v$vmaj.$vmin.$`. Drone CI will automatically created a release and upload all the compiled binary. (But currently it didn't add the release notes automatically. Maybe we should fix that.)
+* If needed send PR for changelog on branch `master`.
+* Send PR to [blog repository](https://github.com/go-gitea/blog) announcing the release.
+
+## Copyright
+
+Code that you contribute should use the standard copyright header:
+
+```
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+```
+
+Files in the repository contain copyright from the year they are added
+to the year they are last changed. If the copyright author is changed,
+just paste the header below the old one.

DCO

@@ -2,6 +2,8 @@ Developer Certificate of Origin
 Version 1.1
 
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
 
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
@@ -31,4 +33,4 @@ By making a contribution to this project, I certify that:
     are public and that a record of the contribution (including all
     personal information I submit with it, including my sign-off) is
     maintained indefinitely and may be redistributed consistent with
-    this project or the open source license(s) involved.
+    this project or the open source license(s) involved.

Dockerfile

@@ -1,45 +1,25 @@
-# syntax=docker/dockerfile:1
-# Build stage
-FROM docker.io/library/golang:1.25-alpine3.22 AS build-env
 
-ARG GOPROXY=direct
+###################################
+#Build stage
+FROM golang:1.12-alpine3.9 AS build-env
 
 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
-ENV TAGS="bindata timetzdata $TAGS"
-ARG CGO_EXTRA_CFLAGS
+ENV TAGS "bindata $TAGS"
 
-# Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    pnpm
+#Build deps
+RUN apk --no-cache add build-base git
 
-WORKDIR ${GOPATH}/src/code.gitcaddy.com/server
-# Use COPY but not "mount" because some directories like "node_modules" contain platform-depended contents and these directories need to be ignored.
-# ".git" directory will be mounted later separately for getting version data.
-# TODO: in the future, maybe we can pre-build the frontend assets on one platform and share them for different platforms, the benefit is that it won't be affected by webpack plugin compatibility problems, then the working directory can be fully mounted and the COPY is not needed.
-COPY --exclude=.git/ . .
+#Setup repo
+COPY . ${GOPATH}/src/code.gitea.io/gitea
+WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 
-# Build gitea, .git mount is required for version data
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target="/root/.cache/go-build" \
-    --mount=type=cache,target=/root/.local/share/pnpm/store \
-    --mount=type=bind,source=".git/",target=".git/" \
-    make
+#Checkout version if set
+RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
+ && make clean generate build
 
-COPY docker/root /tmp/local
-
-# Set permissions for builds that made under windows which strips the executable bit from file
-RUN chmod 755 /tmp/local/usr/bin/entrypoint \
-              /tmp/local/usr/local/bin/* \
-              /tmp/local/etc/s6/gitea/* \
-              /tmp/local/etc/s6/openssh/* \
-              /tmp/local/etc/s6/.s6-svscan/* \
-              /go/src/code.gitcaddy.com/server/gitea
-
-FROM docker.io/library/alpine:3.22 AS gitea
+FROM alpine:3.9
+LABEL maintainer="maintainers@gitea.io"
 
 EXPOSE 22 3000
 
@@ -54,7 +34,7 @@ RUN apk --no-cache add \
     s6 \
     sqlite \
     su-exec \
-    gnupg
+    tzdata
 
 RUN addgroup \
     -S -g 1000 \
@@ -66,15 +46,16 @@ RUN addgroup \
     -u 1000 \
     -G git \
     git && \
-  echo "git:*" | chpasswd -e
+  echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd
 
-COPY --from=build-env /tmp/local /
-COPY --from=build-env /go/src/code.gitcaddy.com/server/gitea /app/gitea/gitea
-
-ENV USER=git
-ENV GITEA_CUSTOM=/data/gitea
+ENV USER git
+ENV GITEA_CUSTOM /data/gitea
 
 VOLUME ["/data"]
 
 ENTRYPOINT ["/usr/bin/entrypoint"]
-CMD ["/usr/bin/s6-svscan", "/etc/s6"]
+CMD ["/bin/s6-svscan", "/etc/s6"]
+
+COPY docker /
+COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
+RUN ln -s /app/gitea/gitea /usr/local/bin/gitea

Dockerfile.rootless

@@ -1,81 +0,0 @@
-# syntax=docker/dockerfile:1
-# Build stage
-FROM docker.io/library/golang:1.25-alpine3.22 AS build-env
-
-ARG GOPROXY=direct
-
-ARG GITEA_VERSION
-ARG TAGS="sqlite sqlite_unlock_notify"
-ENV TAGS="bindata timetzdata $TAGS"
-ARG CGO_EXTRA_CFLAGS
-
-# Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    pnpm
-
-WORKDIR ${GOPATH}/src/code.gitcaddy.com/server
-# See the comments in Dockerfile
-COPY --exclude=.git/ . .
-
-# Build gitea, .git mount is required for version data
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target="/root/.cache/go-build" \
-    --mount=type=cache,target=/root/.local/share/pnpm/store \
-    --mount=type=bind,source=".git/",target=".git/" \
-    make
-
-COPY docker/rootless /tmp/local
-
-# Set permissions for builds that made under windows which strips the executable bit from file
-RUN chmod 755 /tmp/local/usr/local/bin/* \
-              /go/src/code.gitcaddy.com/server/gitea
-
-FROM docker.io/library/alpine:3.22 AS gitea-rootless
-
-EXPOSE 2222 3000
-
-RUN apk --no-cache add \
-    bash \
-    ca-certificates \
-    dumb-init \
-    gettext \
-    git \
-    curl \
-    gnupg \
-    openssh-keygen
-
-RUN addgroup \
-    -S -g 1000 \
-    git && \
-  adduser \
-    -S -H -D \
-    -h /var/lib/gitea/git \
-    -s /bin/bash \
-    -u 1000 \
-    -G git \
-    git
-
-RUN mkdir -p /var/lib/gitea /etc/gitea
-RUN chown git:git /var/lib/gitea /etc/gitea
-
-COPY --from=build-env /tmp/local /
-COPY --from=build-env --chown=root:root /go/src/code.gitcaddy.com/server/gitea /app/gitea/gitea
-
-# git:git
-USER 1000:1000
-ENV GITEA_WORK_DIR=/var/lib/gitea
-ENV GITEA_CUSTOM=/var/lib/gitea/custom
-ENV GITEA_TEMP=/tmp/gitea
-ENV TMPDIR=/tmp/gitea
-
-# TODO add to docs the ability to define the ini to load (useful to test and revert a config)
-ENV GITEA_APP_INI=/etc/gitea/app.ini
-ENV HOME="/var/lib/gitea/git"
-VOLUME ["/var/lib/gitea", "/etc/gitea"]
-WORKDIR /var/lib/gitea
-
-ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
-CMD []

Gopkg.toml

@@ -0,0 +1,119 @@
+
+ignored = ["google.golang.org/appengine*"]
+
+[prune]
+  go-tests = true
+  unused-packages = true
+  non-go = true
+
+[[constraint]]
+  branch = "master"
+  name = "code.gitea.io/git"
+
+[[constraint]]
+  branch = "master"
+  name = "code.gitea.io/sdk"
+
+[[constraint]]
+  revision = "05d86ea8f6e30456949f612cf68cf4a27ce8c9c5"
+  name = "github.com/blevesearch/bleve"
+
+[[constraint]]
+  revision = "12dd70caea0268ac0d6c2707d0611ef601e7c64e"
+  name = "golang.org/x/crypto"
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/sys"
+
+[[constraint]]
+  revision = "2bf8f2a19ec09c670e931282edfe6567f6be21c9"
+  name = "golang.org/x/text"
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/net"
+
+[[override]]
+  name = "github.com/go-xorm/xorm"
+  revision = "a6300f2a45e05a8f75f00a1d6188049fe7851915"
+
+[[override]]
+  name = "github.com/go-xorm/builder"
+  version = "0.3.3"
+
+[[override]]
+  name = "github.com/go-sql-driver/mysql"
+  revision = "c45f530f8e7fe40f4687eaa50d0c8c5f1b66f9e0"
+
+[[override]]
+  name = "github.com/mattn/go-sqlite3"
+  revision = "c7c4067b79cc51e6dfdcef5c702e74b1e0fa7c75"
+
+[[override]]
+  name = "github.com/gorilla/mux"
+  revision = "757bef944d0f21880861c2dd9c871ca543023cba"
+
+[[constraint]]
+  name = "github.com/gorilla/context"
+  version = "1.1.1"
+
+[[constraint]]
+  name = "github.com/lafriks/xormstore"
+  version = "1.0.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/lunny/dingtalk_webhook"
+
+[[constraint]]
+  name = "github.com/markbates/goth"
+  version = "1.47.2"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mcuadros/go-version"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/russross/blackfriday"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/tstranex/u2f"
+
+[[constraint]]
+  name = "gopkg.in/editorconfig/editorconfig-core-go.v1"
+  version = "1.2.0"
+
+[[constraint]]
+  branch = "v2"
+  name = "gopkg.in/gomail.v2"
+
+[[constraint]]
+  name = "gopkg.in/ini.v1"
+  version = "1.31.1"
+
+[[constraint]]
+  name = "gopkg.in/ldap.v3"
+  version = "3.0.1"
+
+[[constraint]]
+  name = "gopkg.in/macaron.v1"
+  version = "1.2.4"
+
+[[constraint]]
+  name = "gopkg.in/testfixtures.v2"
+  version = "2.0.0"
+
+[[override]]
+  branch = "master"
+  name = "golang.org/x/oauth2"
+
+[[constraint]]
+  name = "github.com/prometheus/client_golang"
+  version = "0.9.0"
+
+[[constraint]]
+  name = "github.com/mvdan/xurls"
+  version = "2.0.0"

LICENSE.md

@@ -1,18 +0,0 @@
-MIT License
-
-Copyright (c) 2026 GitCaddy
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 
-associated documentation files (the "Software"), to deal in the Software without restriction, including 
-without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
-copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the 
-following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial 
-portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 
-LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO 
-EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 
-USE OR OTHER DEALINGS IN THE SOFTWARE.

MAINTAINERS

@@ -1,10 +1,13 @@
 Alexey Makhov <amakhov@avito.ru> (@makhov)
+Andrey Nering <andrey.nering@gmail.com> (@andreynering)
 Bo-Yi Wu <appleboy.tw@gmail.com> (@appleboy)
 Ethan Koenig <ethantkoenig@gmail.com> (@ethantkoenig)
 Kees de Vries <bouwko@gmail.com> (@Bwko)
 Kim Carlbäcker <kim.carlbacker@gmail.com> (@bkcsoft)
 LefsFlare <nobody@nobody.tld> (@LefsFlarey)
 Lunny Xiao <xiaolunwen@gmail.com> (@lunny)
+Matthias Loibl <mail@matthiasloibl.com> (@metalmatze)
+Morgan Bazalgette <the@howl.moe> (@thehowl)
 Rachid Zarouali <nobody@nobody.tld> (@xinity)
 Rémy Boulanouar <admin@dblk.org> (@DblK)
 Sandro Santilli <strk@kbt.io> (@strk)
@@ -16,7 +19,7 @@ Lauris Bukšis-Haberkorns <lauris@nix.lv> (@lafriks)
 Jonas Östanbäck <jonas.ostanback@gmail.com> (@cez81)
 David Schneiderbauer <dschneiderbauer@gmail.com> (@daviian)
 Peter Žeby <morlinest@gmail.com> (@morlinest)
-Matti Ranta <techknowlogick@gitea.io> (@techknowlogick)
+Matti Ranta <matti@mdranta.net> (@techknowlogick)
 Jonas Franz <info@jonasfranz.software> (@jonasfranz)
 Alexey Terentyev <axifnx@gmail.com> (@axifive)
 Lanre Adelowo <yo@lanre.wtf> (@adelowo)
@@ -25,42 +28,3 @@ He-Long Zhang <outman99@hotmail.com> (@BetaCat0)
 Andrew Thornton <art27@cantab.net> (@zeripath)
 John Olheiser <john.olheiser@gmail.com> (@jolheiser)
 Richard Mahn <rich.mahn@unfoldingword.org> (@richmahn)
-Mrsdizzie <info@mrsdizzie.com> (@mrsdizzie)
-silverwind <me@silverwind.io> (@silverwind)
-Gary Kim <gary@garykim.dev> (@gary-kim)
-Guillermo Prandi <gitea.maint@mailfilter.com.ar> (@guillep2k)
-Mura Li <typeless@ctli.io> (@typeless)
-6543 <6543@obermui.de> (@6543)
-David Svantesson <davidsvantesson@gmail.com> (@davidsvantesson)
-a1012112796 <1012112796@qq.com> (@a1012112796)
-Karl Heinz Marbaise <kama@soebes.de> (@khmarbaise)
-Norwin Roosen <git@nroo.de> (@noerw)
-Kyle Dumont <kdumontnu@gmail.com> (@kdumontnu)
-Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
-Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
-Leon Hofmeister <dev.lh@web.de> (@delvh)
-Wim <wim@42.be> (@42wim)
-Jason Song <i@wolfogre.com> (@wolfogre)
-Yarden Shoham <git@yardenshoham.com> (@yardenshoham)
-Yu Tian <zettat123@gmail.com> (@Zettat123)
-Dong Ge <gedong_1994@163.com> (@sillyguodong)
-Xinyi Gong <hestergong@gmail.com> (@HesterG)
-wxiaoguang <wxiaoguang@gmail.com> (@wxiaoguang)
-Gary Moon <gary@garymoon.net> (@garymoon)
-Philip Peterson <philip.c.peterson@gmail.com> (@philip-peterson)
-Denys Konovalov <kontakt@denyskon.de> (@denyskon)
-Punit Inani <punitinani1@gmail.com> (@puni9869)
-CaiCandong  <1290147055@qq.com> (@caicandong)
-Rui Chen  <rui@chenrui.dev> (@chenrui333)
-Nanguan Lin <nanguanlin6@gmail.com> (@lng2020)
-kerwin612 <kerwin612@qq.com> (@kerwin612)
-Gary Wang <git@blumia.net> (@BLumia)
-Tim-Niclas Oelschläger <zokki.softwareschmiede@gmail.com> (@zokkis)
-Yu Liu <1240335630@qq.com> (@HEREYUA)
-Kemal Zebari <kemalzebra@gmail.com> (@kemzeb)
-Rowan Bohde <rowan.bohde@gmail.com> (@bohde)
-hiifong <i@hiif.ong> (@hiifong)
-metiftikci <metiftikci@hotmail.com> (@metiftikci)
-Christopher Homberger <christopher.homberger@web.de> (@ChristopherHX)
-Tobias Balle-Petersen <tobiasbp@gmail.com> (@tobiasbp)
-TheFox <thefox0x7@gmail.com> (@TheFox0x7)

PLUGINS.md

@@ -1,577 +0,0 @@
-# GitCaddy Plugin Development Guide
-
-This guide explains how to build external plugins for GitCaddy. Plugins are standalone services that communicate with the server over gRPC (HTTP/2) using a well-defined protocol.
-
-## Table of Contents
-
-- [Overview](#overview)
-- [Protocol](#protocol)
-  - [Service Definition](#service-definition)
-  - [Lifecycle](#lifecycle)
-  - [Messages](#messages)
-- [Plugin Manifest](#plugin-manifest)
-  - [Routes](#routes)
-  - [Events](#events)
-  - [Permissions](#permissions)
-- [Health Monitoring](#health-monitoring)
-- [Protocol Versioning](#protocol-versioning)
-- [Configuration](#configuration)
-  - [External Mode](#external-mode)
-  - [Managed Mode](#managed-mode)
-  - [Configuration Reference](#configuration-reference)
-- [Transport](#transport)
-- [Example: Go Plugin](#example-go-plugin)
-- [Example: C# Plugin](#example-c-plugin)
-- [Example: Python Plugin](#example-python-plugin)
-- [Debugging](#debugging)
-
-## Overview
-
-A GitCaddy plugin is any process that implements the `PluginService` gRPC interface. The server connects to the plugin on startup, calls `Initialize` to get its manifest, and then:
-
-- **Health checks** the plugin periodically (default: every 30 seconds)
-- **Dispatches events** the plugin has subscribed to (e.g., `license:updated`)
-- **Proxies HTTP requests** to routes the plugin has declared
-- **Shuts down** the plugin gracefully when the server stops
-
-Plugins can run in two modes:
-- **External mode** - The plugin runs independently (Docker, systemd, etc.). The server connects to it.
-- **Managed mode** - The server launches the plugin binary and manages its process lifecycle.
-
-## Protocol
-
-The protocol is defined in [`modules/plugins/pluginv1/plugin.proto`](modules/plugins/pluginv1/plugin.proto).
-
-### Service Definition
-
-```protobuf
-service PluginService {
-    rpc Initialize(InitializeRequest) returns (InitializeResponse);
-    rpc Shutdown(ShutdownRequest) returns (ShutdownResponse);
-    rpc HealthCheck(HealthCheckRequest) returns (HealthCheckResponse);
-    rpc GetManifest(GetManifestRequest) returns (PluginManifest);
-    rpc OnEvent(PluginEvent) returns (EventResponse);
-    rpc HandleHTTP(HTTPRequest) returns (HTTPResponse);
-}
-```
-
-All 6 RPCs are unary (request-response). The server is the client; the plugin is the server.
-
-### Lifecycle
-
-```
-Server starts
-    │
-    ▼
-Initialize(server_version, config)
-    │  Plugin returns: success + PluginManifest
-    │
-    ▼
-Plugin is ONLINE
-    │
-    ├──► HealthCheck() every 30s
-    │      Plugin returns: healthy, status, details
-    │
-    ├──► OnEvent(event_type, payload, repo_id, org_id)
-    │      Dispatched for subscribed events (fire-and-forget with 30s timeout)
-    │
-    ├──► HandleHTTP(method, path, headers, body)
-    │      Proxied when an incoming request matches a declared route
-    │
-    ▼
-Server shutting down
-    │
-    ▼
-Shutdown(reason)
-    │  Plugin returns: success
-    │
-    ▼
-Plugin process is sent SIGINT (managed mode only)
-```
-
-### Messages
-
-#### InitializeRequest
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `server_version` | string | The GitCaddy server version (e.g., `"3.0.0"`) |
-| `config` | map<string, string> | Server-provided configuration key-value pairs |
-| `protocol_version` | int32 | Plugin protocol version the server supports (current: `1`). `0` means pre-versioning. |
-
-#### InitializeResponse
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `success` | bool | Whether initialization succeeded |
-| `error` | string | Error message if `success` is false |
-| `manifest` | PluginManifest | The plugin's capability manifest |
-| `protocol_version` | int32 | Plugin protocol version the plugin supports (current: `1`). `0` means pre-versioning, treated as `1`. |
-
-#### HealthCheckRequest
-
-Empty message. No fields.
-
-#### HealthCheckResponse
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `healthy` | bool | Whether the plugin considers itself healthy |
-| `status` | string | Human-readable status (e.g., `"operational"`, `"degraded"`) |
-| `details` | map<string, string> | Arbitrary key-value details (version, uptime, etc.) |
-
-#### PluginEvent
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `event_type` | string | The event name (e.g., `"license:updated"`, `"repo:push"`) |
-| `payload` | google.protobuf.Struct | Event-specific data as a JSON-like structure |
-| `timestamp` | google.protobuf.Timestamp | When the event occurred |
-| `repo_id` | int64 | Repository ID (0 if not repo-specific) |
-| `org_id` | int64 | Organization ID (0 if not org-specific) |
-
-#### EventResponse
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `handled` | bool | Whether the plugin handled the event |
-| `error` | string | Error message if handling failed |
-
-#### HTTPRequest / HTTPResponse
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `method` | string | HTTP method (`GET`, `POST`, etc.) |
-| `path` | string | Request path (e.g., `/api/v1/health`) |
-| `headers` | map<string, string> | HTTP headers |
-| `body` | bytes | Request/response body |
-| `query_params` | map<string, string> | Query parameters (request only) |
-| `status_code` | int32 | HTTP status code (response only) |
-
-## Plugin Manifest
-
-The manifest declares what your plugin does. It is returned during `Initialize` and can be re-fetched via `GetManifest`.
-
-```protobuf
-message PluginManifest {
-    string name = 1;
-    string version = 2;
-    string description = 3;
-    repeated string subscribed_events = 4;
-    repeated PluginRoute routes = 5;
-    repeated string required_permissions = 6;
-    string license_tier = 7;
-}
-```
-
-| Field | Description | Example |
-|-------|-------------|---------|
-| `name` | Display name | `"My Analytics Plugin"` |
-| `version` | Semver version | `"1.2.0"` |
-| `description` | What the plugin does | `"Tracks repository analytics"` |
-| `subscribed_events` | Events to receive | `["repo:push", "issue:created"]` |
-| `routes` | HTTP routes the plugin handles | See below |
-| `required_permissions` | Permissions the plugin needs | `["repo:read", "issue:write"]` |
-| `license_tier` | Minimum license tier required | `"standard"`, `"professional"`, `"enterprise"` |
-
-### Routes
-
-Routes declare which HTTP paths your plugin handles. When the server receives a request matching a plugin's route, it proxies the request via `HandleHTTP`.
-
-```protobuf
-message PluginRoute {
-    string method = 1;   // "GET", "POST", etc.
-    string path = 2;     // "/api/v1/my-plugin/endpoint"
-    string description = 3;
-}
-```
-
-Route matching uses prefix matching: a declared path of `/api/v1/analytics` will match `/api/v1/analytics/events`.
-
-### Events
-
-Subscribe to server events by listing them in `subscribed_events`. Use `"*"` to subscribe to all events.
-
-Available events include:
-- `license:updated` - License key changed
-- `repo:push` - Code pushed to a repository
-- `repo:created` - New repository created
-- `issue:created` - New issue opened
-- `issue:comment` - Comment added to an issue
-- `pull_request:opened` - New pull request opened
-- `pull_request:merged` - Pull request merged
-
-Events are dispatched asynchronously (fire-and-forget) with a 30-second timeout per plugin.
-
-### Permissions
-
-The `required_permissions` field declares what server resources your plugin needs access to. The server logs these at startup for admin review.
-
-## Health Monitoring
-
-The server health-checks every registered plugin at a configurable interval (default: 30 seconds).
-
-**Behavior:**
-
-| Consecutive Failures | Action |
-|---------------------|--------|
-| 1-2 | Warning logged, plugin stays online |
-| 3+ | Plugin marked **offline**, error logged |
-| 3+ (managed mode) | Automatic restart attempted |
-
-When a previously offline plugin responds to a health check, it is marked **online** and an info log is emitted.
-
-If `HealthCheckResponse.healthy` is `false` (the RPC succeeds but the plugin reports unhealthy), the plugin is marked as **error** status. This allows plugins to report degraded operation (e.g., missing API key, expired license) without being treated as crashed.
-
-**Health check timeout** is configured per-plugin via `HEALTH_TIMEOUT` (default: 5 seconds).
-
-## Protocol Versioning
-
-The plugin protocol uses explicit version negotiation to ensure forward compatibility. Both the server and plugin exchange their supported protocol version during `Initialize`:
-
-1. The server sends `protocol_version = 1` in `InitializeRequest`
-2. The plugin returns `protocol_version = 1` in `InitializeResponse`
-3. The server stores the plugin's version and checks it before calling any RPCs added in later versions
-
-**What this means for plugin developers:**
-
-- **You don't need to recompile** when the server adds new fields to existing messages. Protobuf handles this automatically — unknown fields are ignored, missing fields use zero-value defaults.
-- **You don't need to recompile** when the server adds new event types. Your plugin only receives events it subscribed to.
-- **You only need to update** if you want to use features from a newer protocol version (e.g., new RPCs added in protocol v2).
-
-**Version history:**
-
-| Version | RPCs | Notes |
-|---------|------|-------|
-| 1 | Initialize, Shutdown, HealthCheck, GetManifest, OnEvent, HandleHTTP | Initial release |
-
-**Pre-versioning plugins** (those that don't set `protocol_version` in their response) return `0`, which the server treats as version `1`. This means all existing plugins are compatible without changes.
-
-## Configuration
-
-Plugins are configured in the server's `app.ini`.
-
-### External Mode
-
-The plugin runs independently. The server connects to its gRPC endpoint.
-
-```ini
-[plugins]
-ENABLED = true
-HEALTH_CHECK_INTERVAL = 30s
-
-[plugins.my-plugin]
-ENABLED = true
-ADDRESS = localhost:9090
-HEALTH_TIMEOUT = 5s
-SUBSCRIBED_EVENTS = repo:push, issue:created
-```
-
-### Managed Mode
-
-The server launches the plugin binary and manages its lifecycle. If the plugin crashes, the server restarts it automatically.
-
-```ini
-[plugins.my-plugin]
-ENABLED = true
-BINARY = /opt/plugins/my-plugin
-ARGS = --port 9090 --log-level info
-ADDRESS = localhost:9090
-HEALTH_TIMEOUT = 5s
-```
-
-When `BINARY` is set, the server:
-1. Starts the process with the specified arguments
-2. Waits 2 seconds for the process to initialize
-3. Calls `Initialize` via gRPC
-4. Sends `SIGINT` on server shutdown
-5. Auto-restarts the process if health checks fail 3 consecutive times
-
-### Configuration Reference
-
-#### `[plugins]` Section
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| `ENABLED` | bool | `true` | Master switch for the plugin framework |
-| `PATH` | string | `data/plugins` | Directory for plugin data |
-| `HEALTH_CHECK_INTERVAL` | duration | `30s` | How often to health-check plugins |
-
-#### `[plugins.<name>]` Section
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| `ENABLED` | bool | `true` | Whether this plugin is active |
-| `ADDRESS` | string | (required) | gRPC endpoint (e.g., `localhost:9090`) |
-| `BINARY` | string | (optional) | Path to plugin binary (enables managed mode) |
-| `ARGS` | string | (optional) | Arguments for the binary |
-| `HEALTH_TIMEOUT` | duration | `5s` | Timeout for health check RPCs |
-| `SUBSCRIBED_EVENTS` | string | (optional) | Comma-separated event names |
-
-A plugin must have either `BINARY` or `ADDRESS` (or both for managed mode). Entries with neither are skipped with a warning.
-
-## Transport
-
-Plugins communicate over **cleartext HTTP/2 (h2c)** by default. The server uses the gRPC wire protocol via [Connect RPC](https://connectrpc.com/).
-
-**Requirements for your plugin's gRPC server:**
-- Listen on a TCP port
-- Support HTTP/2 (standard for any gRPC server)
-- No TLS required for local communication (h2c)
-
-The server constructs its gRPC client with `connect.WithGRPC()`, which uses the standard gRPC binary protocol. This means your plugin can use **any** gRPC server implementation:
-
-| Language | gRPC Library |
-|----------|-------------|
-| Go | `google.golang.org/grpc` or `connectrpc.com/connect` |
-| C# | `Grpc.AspNetCore` |
-| Python | `grpcio` |
-| Java | `io.grpc` |
-| Rust | `tonic` |
-| Node.js | `@grpc/grpc-js` |
-
-## Example: Go Plugin
-
-```go
-package main
-
-import (
-    "context"
-    "log"
-    "net/http"
-
-    "connectrpc.com/connect"
-    pluginv1 "code.gitcaddy.com/server/v3/modules/plugins/pluginv1"
-    "code.gitcaddy.com/server/v3/modules/plugins/pluginv1/pluginv1connect"
-    "golang.org/x/net/http2"
-    "golang.org/x/net/http2/h2c"
-)
-
-type myPlugin struct {
-    pluginv1connect.UnimplementedPluginServiceHandler
-}
-
-func (p *myPlugin) Initialize(
-    ctx context.Context,
-    req *connect.Request[pluginv1.InitializeRequest],
-) (*connect.Response[pluginv1.InitializeResponse], error) {
-    log.Printf("Initialized by server %s (protocol v%d)", req.Msg.ServerVersion, req.Msg.ProtocolVersion)
-    return connect.NewResponse(&pluginv1.InitializeResponse{
-        Success:         true,
-        ProtocolVersion: 1,
-        Manifest: &pluginv1.PluginManifest{
-            Name:             "My Plugin",
-            Version:          "1.0.0",
-            Description:      "Does something useful",
-            SubscribedEvents: []string{"repo:push"},
-            Routes: []*pluginv1.PluginRoute{
-                {Method: "GET", Path: "/api/v1/my-plugin/status", Description: "Plugin status"},
-            },
-        },
-    }), nil
-}
-
-func (p *myPlugin) HealthCheck(
-    ctx context.Context,
-    req *connect.Request[pluginv1.HealthCheckRequest],
-) (*connect.Response[pluginv1.HealthCheckResponse], error) {
-    return connect.NewResponse(&pluginv1.HealthCheckResponse{
-        Healthy: true,
-        Status:  "operational",
-        Details: map[string]string{"version": "1.0.0"},
-    }), nil
-}
-
-func (p *myPlugin) Shutdown(
-    ctx context.Context,
-    req *connect.Request[pluginv1.ShutdownRequest],
-) (*connect.Response[pluginv1.ShutdownResponse], error) {
-    log.Printf("Shutdown requested: %s", req.Msg.Reason)
-    return connect.NewResponse(&pluginv1.ShutdownResponse{Success: true}), nil
-}
-
-func (p *myPlugin) OnEvent(
-    ctx context.Context,
-    req *connect.Request[pluginv1.PluginEvent],
-) (*connect.Response[pluginv1.EventResponse], error) {
-    log.Printf("Event: %s for repo %d", req.Msg.EventType, req.Msg.RepoId)
-    return connect.NewResponse(&pluginv1.EventResponse{Handled: true}), nil
-}
-
-func main() {
-    mux := http.NewServeMux()
-    path, handler := pluginv1connect.NewPluginServiceHandler(&myPlugin{})
-    mux.Handle(path, handler)
-
-    server := &http.Server{
-        Addr:    ":9090",
-        Handler: h2c.NewHandler(mux, &http2.Server{}),
-    }
-    log.Println("Plugin listening on :9090")
-    log.Fatal(server.ListenAndServe())
-}
-```
-
-**app.ini:**
-```ini
-[plugins.my-plugin]
-ENABLED = true
-ADDRESS = localhost:9090
-SUBSCRIBED_EVENTS = repo:push
-```
-
-## Example: C# Plugin
-
-```csharp
-using Grpc.Core;
-// Assumes plugin.proto is included in the .csproj with GrpcServices="Server"
-
-public class MyPlugin : PluginService.PluginServiceBase
-{
-    public override Task<InitializeResponse> Initialize(
-        InitializeRequest request, ServerCallContext context)
-    {
-        var manifest = new PluginManifest
-        {
-            Name = "My C# Plugin",
-            Version = "1.0.0",
-            Description = "A C# plugin for GitCaddy"
-        };
-        manifest.SubscribedEvents.Add("issue:created");
-
-        return Task.FromResult(new InitializeResponse
-        {
-            Success = true,
-            ProtocolVersion = 1,
-            Manifest = manifest
-        });
-    }
-
-    public override Task<HealthCheckResponse> HealthCheck(
-        HealthCheckRequest request, ServerCallContext context)
-    {
-        return Task.FromResult(new HealthCheckResponse
-        {
-            Healthy = true,
-            Status = "operational"
-        });
-    }
-
-    public override Task<ShutdownResponse> Shutdown(
-        ShutdownRequest request, ServerCallContext context)
-    {
-        return Task.FromResult(new ShutdownResponse { Success = true });
-    }
-
-    public override Task<EventResponse> OnEvent(
-        PluginEvent request, ServerCallContext context)
-    {
-        Console.WriteLine($"Event: {request.EventType} for repo {request.RepoId}");
-        return Task.FromResult(new EventResponse { Handled = true });
-    }
-}
-```
-
-**Program.cs:**
-```csharp
-var builder = WebApplication.CreateBuilder(args);
-builder.Services.AddGrpc();
-builder.WebHost.ConfigureKestrel(options =>
-{
-    options.ListenAnyIP(9090, o =>
-        o.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http2);
-});
-
-var app = builder.Build();
-app.MapGrpcService<MyPlugin>();
-app.Run();
-```
-
-## Example: Python Plugin
-
-```python
-import grpc
-from concurrent import futures
-
-# Generated from plugin.proto using grpcio-tools:
-#   python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. plugin.proto
-import plugin_pb2
-import plugin_pb2_grpc
-
-class MyPlugin(plugin_pb2_grpc.PluginServiceServicer):
-    def Initialize(self, request, context):
-        manifest = plugin_pb2.PluginManifest(
-            name="My Python Plugin",
-            version="1.0.0",
-            description="A Python plugin for GitCaddy",
-            subscribed_events=["repo:push"],
-        )
-        return plugin_pb2.InitializeResponse(success=True, protocol_version=1, manifest=manifest)
-
-    def HealthCheck(self, request, context):
-        return plugin_pb2.HealthCheckResponse(
-            healthy=True,
-            status="operational",
-            details={"version": "1.0.0"},
-        )
-
-    def Shutdown(self, request, context):
-        print(f"Shutdown: {request.reason}")
-        return plugin_pb2.ShutdownResponse(success=True)
-
-    def OnEvent(self, request, context):
-        print(f"Event: {request.event_type} for repo {request.repo_id}")
-        return plugin_pb2.EventResponse(handled=True)
-
-    def HandleHTTP(self, request, context):
-        return plugin_pb2.HTTPResponse(status_code=501)
-
-    def GetManifest(self, request, context):
-        return plugin_pb2.PluginManifest(
-            name="My Python Plugin",
-            version="1.0.0",
-        )
-
-def serve():
-    server = grpc.server(futures.ThreadPoolExecutor(max_workers=4))
-    plugin_pb2_grpc.add_PluginServiceServicer_to_server(MyPlugin(), server)
-    server.add_insecure_port("[::]:9090")
-    server.start()
-    print("Plugin listening on :9090")
-    server.wait_for_termination()
-
-if __name__ == "__main__":
-    serve()
-```
-
-## Debugging
-
-**Server logs** show plugin lifecycle events:
-
-```
-[I] Loaded external plugin config: my-plugin (managed=false)
-[I] External plugin my-plugin is online (managed=false)
-[W] Health check failed for plugin my-plugin: connection refused
-[E] Plugin my-plugin is now offline after 3 consecutive health check failures
-[I] Plugin my-plugin is back online
-[I] Shutting down external plugin: my-plugin
-```
-
-**Tips:**
-
-- Use `HEALTH_TIMEOUT = 10s` during development to avoid false positives
-- Set `HEALTH_CHECK_INTERVAL = 5s` for faster feedback during testing
-- Check that your plugin supports cleartext HTTP/2 (h2c) - this is the most common connection issue
-- Use `grpcurl` to test your plugin's gRPC service independently:
-
-```bash
-# List services
-grpcurl -plaintext localhost:9090 list
-
-# Call HealthCheck
-grpcurl -plaintext localhost:9090 plugin.v1.PluginService/HealthCheck
-
-# Call Initialize
-grpcurl -plaintext -d '{"server_version": "3.0.0"}' \
-    localhost:9090 plugin.v1.PluginService/Initialize
-```

README_ZH.md

@@ -0,0 +1,51 @@
+[English](https://github.com/go-gitea/gitea/blob/master/README.md)
+
+# Gitea - Git with a cup of tea
+
+[![Build Status](https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg)](https://drone.gitea.io/go-gitea/gitea)
+[![Join the chat at https://img.shields.io/discord/322538954119184384.svg](https://img.shields.io/discord/322538954119184384.svg)](https://discord.gg/NsatcWJ)
+[![](https://images.microbadger.com/badges/image/gitea/gitea.svg)](https://microbadger.com/images/gitea/gitea "Get your own image badge on microbadger.com")
+[![Coverage Status](https://coverage.gitea.io/badges/go-gitea/gitea/coverage.svg)](https://coverage.gitea.io/go-gitea/gitea)
+[![Go Report Card](https://goreportcard.com/badge/code.gitea.io/gitea)](https://goreportcard.com/report/code.gitea.io/gitea)
+[![GoDoc](https://godoc.org/code.gitea.io/gitea?status.svg)](https://godoc.org/code.gitea.io/gitea)
+[![GitHub release](https://img.shields.io/github/release/go-gitea/gitea.svg)](https://github.com/go-gitea/gitea/releases/latest)
+[![Become a backer/sponsor of gitea](https://opencollective.com/gitea/tiers/backer/badge.svg?label=backer&color=brightgreen)](https://opencollective.com/gitea)
+
+## 目标
+
+Gitea 的首要目标是创建一个极易安装，运行非常快速，安装和使用体验良好的自建 Git 服务。我们采用 Go 作为后端语言，这使我们只要生成一个可执行程序即可。并且他还支持跨平台，支持 Linux, macOS 和 Windows 以及各种架构，除了 x86，amd64，还包括 ARM 和 PowerPC。
+
+如果您想试用一下，请访问 [在线Demo](https://try.gitea.io/)！
+
+## 提示
+
+1. **开始贡献代码之前请确保你已经看过了 [贡献者向导（英文）](CONTRIBUTING.md)**.
+2. 所有的安全问题，请私下发送邮件给 **security@gitea.io**。谢谢！
+3. 如果你要使用API，请参见 [API 文档](https://godoc.org/code.gitea.io/sdk/gitea).
+
+## 文档
+
+关于如何安装请访问我们的 [文档站](https://docs.gitea.io/zh-cn/)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/NsatcWJ) 和 QQ群 328432459 来和我们交流。
+
+## 贡献流程
+
+Fork -> Patch -> Push -> Pull Request
+
+## 作者
+
+* [Maintainers](https://github.com/orgs/go-gitea/people)
+* [Contributors](https://github.com/go-gitea/gitea/graphs/contributors)
+* [Translators](options/locale/TRANSLATORS)
+
+## 授权许可
+
+本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/master/LICENSE) 文件中。
+
+## 截图
+
+| | | |
+|:---:|:---:|:---:|
+|![Dashboard](https://image.ibb.co/dms6DG/1.png)|![Repository](https://image.ibb.co/m6MSLw/2.png)|![Commits History](https://image.ibb.co/cjrSLw/3.png)|
+|![Branches](https://image.ibb.co/e6vbDG/4.png)|![Issues](https://image.ibb.co/bJTJSb/5.png)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)|
+|![Releases](https://image.ibb.co/cUzgfw/7.png)|![Activity](https://image.ibb.co/eZgGDG/8.png)|![Wiki](https://image.ibb.co/dYV9YG/9.png)|
+|![Diff](https://image.ibb.co/ewA9YG/10.png)|![Organization](https://image.ibb.co/ceOwDG/11.png)|![Profile](https://image.ibb.co/c44Q7b/12.png)|

SECURITY.md

@@ -1,85 +0,0 @@
-# Reporting security issues
-
-The Gitea maintainers take security seriously.
-
-If you discover a security issue, please bring it to their attention right away!
-
-Previous vulnerabilities are listed at https://about.gitea.com/security.
-
-## Reporting a Vulnerability
-
-Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.
-
-## Protecting Security Information
-
-Due to the sensitive nature of security information, you can use the below GPG public key to encrypt your mail body.
-
-The PGP key is valid until July 4, 2026.
-
-```
-Key ID: 6FCD2D5B
-Key Type: RSA
-Expires: 7/4/2026
-Key Size: 4096/4096
-Fingerprint: 3DE0 3D1E 144A 7F06 9359 99DC AAFD 2381 6FCD 2D5B
-```
-
-UserID: Gitea Security <security@gitea.io>
-
-```
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGK1Z/4BEADFMqXA9DeeChmSxUjF0Be5sq99ZUhgrZjcN/wOzz0wuCJZC0l8
-4uC+d6mfv7JpJYlzYzOK97/x5UguKHkYNZ6mm1G9KHaXmoIBDLKDzfPdJopVNv2r
-OajijaE0uMCnMjadlg5pbhMLRQG8a9J32yyaz7ZEAw72Ab31fvvcA53NkuqO4j2w
-k7dtFQzhbNOYV0VffQT90WDZdalYHB1JHyEQ+70U9OjVD5ggNYSzX98Eu3Hjn7V7
-kqFrcAxr5TE1elf0IXJcuBJtFzQSTUGlQldKOHtGTGgGjj9r/FFAE5ioBgVD05bV
-rEEgIMM/GqYaG/nbNpWE6P3mEc2Mnn3pZaRJL0LuF26TLjnqEcMMDp5iIhLdFzXR
-3tMdtKgQFu+Mtzs3ipwWARYgHyU09RJsI2HeBx7RmZO/Xqrec763Z7zdJ7SpCn0Z
-q+pHZl24JYR0Kf3T/ZiOC0cGd2QJqpJtg5J6S/OqfX9NH6MsCczO8pUC1N/aHH2X
-CTme2nF56izORqDWKoiICteL3GpYsCV9nyCidcCmoQsS+DKvE86YhIhVIVWGRY2F
-lzpAjnN9/KLtQroutrm+Ft0mdjDiJUeFVl1cOHDhoyfCsQh62HumoyZoZvqzQd6e
-AbN11nq6aViMe2Q3je1AbiBnRnQSHxt1Tc8X4IshO3MQK1Sk7oPI6LA5oQARAQAB
-tCJHaXRlYSBTZWN1cml0eSA8c2VjdXJpdHlAZ2l0ZWEuaW8+iQJXBBMBCABBAhsD
-BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAFiEEPeA9HhRKfwaTWZncqv0jgW/N
-LVsFAmhoHmkFCQeT6esACgkQqv0jgW/NLVuFLRAAmjBQSKRAgs2bFIEj7HLAbDp4
-f+XkdH+GsT3jRPOZ9QZgmtM+TfoE4yNgIVfOl+s4RdjM/W4QzqZuPQ55hbEHd056
-cJmm7B+6GsHFcdrPmh65sOCEIyh4+t45dUfeWpFsDPqm9j1UHXAJQIpB8vDEVAPH
-t+3wLCk8GMPJs1o5tIyMmaO23ngvkwn8eG7KgY+rp2PzObrb5g7ppci0ILzILkrp
-HVjZsEfUWRgSVF7LuU5ppqDKrlcqwUpQq6n3kGMZcLrCp6ACKP04TBmTfUxNwdL7
-I0N7apI2Pbct9T1Gv/lYAUFWyU2c3gh/EBLbO6BukaLOFRQHrtNfdJV/YnMPlcXr
-LUJjK9K4eAH9DsrZqrisz/LthsC2BaNIN3KRMTk5YTYgmIh8GXzSgihORmtDFELC
-RroID3pTuS0zjXh+wpY9GuPTh7UW23p42Daxca4fAT4k5EclvDRUrL21xMopPMiL
-HuNdELz4FVchRTy05PjzKVyjVInDNojE2KUxnjxZDzYJ6aT/g+coD5yfntYm8BEj
-+ZzL0ndZES54hzKLpv7zwBQwFzam68clZYmDPILOPTflQDfpGEWmJK4undFU5obz
-ZsQRz0R3ulspChATbZxO0d5LX2obLpKO9X3b5VoO1KF+R8Vjw1Y0KxrNZ6rIcfqH
-Z50QVQKSe9dm08K0ON+5Ag0EYrVn/gEQALrFLQjCR3GjuHSindz0rd3Fnx/t7Sen
-T+p07yCSSoSlmnJHCQmwh4vfg1blyz0zZ4vkIhtpHsEgc+ZAG+WQXSsJ2iRz+eSN
-GwoOQl4XC3n+QWkc1ws+btr48+6UqXIQU+F8TPQyx/PIgi2nZXJB7f5+mjCqsk46
-XvH4nTr4kJjuqMSR/++wvre2qNQRa/q/dTsK0OaN/mJsdX6Oi+aGNaQJUhIG7F+E
-ZDMkn/O6xnwWNzy/+bpg43qH/Gk0eakOmz5NmQLRkV58SZLiJvuCUtkttf6CyhnX
-03OcWaajv5W8qA39dBYQgDrrPbBWUnwfO3yMveqhwV4JjDoe8sPAyn1NwzakNYqP
-RzsWyLrLS7R7J9s3FkZXhQw/QQcsaSMcGNQO047dm1P83N8JY5aEpiRo9zSWjoiw
-qoExANj5lUTZPe8M50lI182FrcjAN7dClO3QI6pg7wy0erMxfFly3j8UQ91ysS9T
-s+GsP9I3cmWWQcKYxWHtE8xTXnNCVPFZQj2nwhJzae8ypfOtulBRA3dUKWGKuDH/
-axFENhUsT397aOU3qkP/od4a64JyNIEo4CTTSPVeWd7njsGqli2U3A4xL2CcyYvt
-D/MWcMBGEoLSNTswwKdom4FaJpn5KThnK/T0bQcmJblJhoCtppXisbexZnCpuS0x
-Zdlm2T14KJ3LABEBAAGJAjwEGAEIACYCGwwWIQQ94D0eFEp/BpNZmdyq/SOBb80t
-WwUCaGgeJAUJB5PppgAKCRCq/SOBb80tW/NWEACB6Jrf0gWlk7e+hNCdnbM0ZVWU
-f2sHNFfXxxsdhpcDgKbNHtkZb8nZgv8AX+5fTtUwMVa3vKcdw30xFiIM5N7cCIPV
-vg/5z5BtfEaitnabEUG2iiVDIy8IHXIcK10rX+7BosA3QDl2PsiBHwyi5G13lRk8
-zGTSNDuOalug33h5/lr2dPigamkq74Aoy29q8Rjad6GfWHipL2bFimgtY+Zdi0BH
-NLk4EJXxj1SgVx5dtkQzWJReBA5M+FQ4QYQZBO+f4TDoOLmjui152uhkoLBQbGAa
-WWJFTVxm0bG5MXloEL3gA8DfU7XDwuW/sHJC5pBko8RpQViooOhckMepZV3Y83DK
-bwLYa3JmPgj2rEv4993dvrJbQhpGd082HOxOsllCs8pgNq1SnXpWYfcGTgGKC3ts
-U8YZUUJUQ7mi2L8Tv3ix20c9EiGmA30JAmA8eZTC3cWup91ZkkVBFRml2czTXajd
-RWZ6GbHV5503ueDQcB8yBVgF3CSixs67+dGSbD3p86OqGrjAcJzM5TFbNKcnGLdE
-kGbZpNwAISy750lXzXKmyrh5RTCeTOQerbwCMBvHZO+HAevA/LXDTw2OAiSIQlP5
-sYA4sFYLQ30OAkgJcmdp/pSgVj/erNtSN07ClrOpDb/uFpQymO6K2h0Pst3feNVK
-9M2VbqL9C51z/wyHLg==
-=SfZA
------END PGP PUBLIC KEY BLOCK-----
-
-```
-
-Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it.

assets/favicon.svg

@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<svg version="1.1" id="main_outline" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px"
-	 y="0px" viewBox="0 0 640 640" style="enable-background:new 0 0 640 640;" xml:space="preserve">
-<g>
-	<path id="teabag" style="fill:#FFFFFF" d="M395.9,484.2l-126.9-61c-12.5-6-17.9-21.2-11.8-33.8l61-126.9c6-12.5,21.2-17.9,33.8-11.8
-		c17.2,8.3,27.1,13,27.1,13l-0.1-109.2l16.7-0.1l0.1,117.1c0,0,57.4,24.2,83.1,40.1c3.7,2.3,10.2,6.8,12.9,14.4
-		c2.1,6.1,2,13.1-1,19.3l-61,126.9C423.6,484.9,408.4,490.3,395.9,484.2z"/>
-	<g>
-		<g>
-			<path style="fill:#609926" d="M622.7,149.8c-4.1-4.1-9.6-4-9.6-4s-117.2,6.6-177.9,8c-13.3,0.3-26.5,0.6-39.6,0.7c0,39.1,0,78.2,0,117.2
-				c-5.5-2.6-11.1-5.3-16.6-7.9c0-36.4-0.1-109.2-0.1-109.2c-29,0.4-89.2-2.2-89.2-2.2s-141.4-7.1-156.8-8.5
-				c-9.8-0.6-22.5-2.1-39,1.5c-8.7,1.8-33.5,7.4-53.8,26.9C-4.9,212.4,6.6,276.2,8,285.8c1.7,11.7,6.9,44.2,31.7,72.5
-				c45.8,56.1,144.4,54.8,144.4,54.8s12.1,28.9,30.6,55.5c25,33.1,50.7,58.9,75.7,62c63,0,188.9-0.1,188.9-0.1s12,0.1,28.3-10.3
-				c14-8.5,26.5-23.4,26.5-23.4s12.9-13.8,30.9-45.3c5.5-9.7,10.1-19.1,14.1-28c0,0,55.2-117.1,55.2-231.1
-				C633.2,157.9,624.7,151.8,622.7,149.8z M125.6,353.9c-25.9-8.5-36.9-18.7-36.9-18.7S69.6,321.8,60,295.4
-				c-16.5-44.2-1.4-71.2-1.4-71.2s8.4-22.5,38.5-30c13.8-3.7,31-3.1,31-3.1s7.1,59.4,15.7,94.2c7.2,29.2,24.8,77.7,24.8,77.7
-				S142.5,359.9,125.6,353.9z M425.9,461.5c0,0-6.1,14.5-19.6,15.4c-5.8,0.4-10.3-1.2-10.3-1.2s-0.3-0.1-5.3-2.1l-112.9-55
-				c0,0-10.9-5.7-12.8-15.6c-2.2-8.1,2.7-18.1,2.7-18.1L322,273c0,0,4.8-9.7,12.2-13c0.6-0.3,2.3-1,4.5-1.5c8.1-2.1,18,2.8,18,2.8
-				l110.7,53.7c0,0,12.6,5.7,15.3,16.2c1.9,7.4-0.5,14-1.8,17.2C474.6,363.8,425.9,461.5,425.9,461.5z"/>
-			<path style="fill:#609926" d="M326.8,380.1c-8.2,0.1-15.4,5.8-17.3,13.8c-1.9,8,2,16.3,9.1,20c7.7,4,17.5,1.8,22.7-5.4
-				c5.1-7.1,4.3-16.9-1.8-23.1l24-49.1c1.5,0.1,3.7,0.2,6.2-0.5c4.1-0.9,7.1-3.6,7.1-3.6c4.2,1.8,8.6,3.8,13.2,6.1
-				c4.8,2.4,9.3,4.9,13.4,7.3c0.9,0.5,1.8,1.1,2.8,1.9c1.6,1.3,3.4,3.1,4.7,5.5c1.9,5.5-1.9,14.9-1.9,14.9
-				c-2.3,7.6-18.4,40.6-18.4,40.6c-8.1-0.2-15.3,5-17.7,12.5c-2.6,8.1,1.1,17.3,8.9,21.3c7.8,4,17.4,1.7,22.5-5.3
-				c5-6.8,4.6-16.3-1.1-22.6c1.9-3.7,3.7-7.4,5.6-11.3c5-10.4,13.5-30.4,13.5-30.4c0.9-1.7,5.7-10.3,2.7-21.3
-				c-2.5-11.4-12.6-16.7-12.6-16.7c-12.2-7.9-29.2-15.2-29.2-15.2s0-4.1-1.1-7.1c-1.1-3.1-2.8-5.1-3.9-6.3c4.7-9.7,9.4-19.3,14.1-29
-				c-4.1-2-8.1-4-12.2-6.1c-4.8,9.8-9.7,19.7-14.5,29.5c-6.7-0.1-12.9,3.5-16.1,9.4c-3.4,6.3-2.7,14.1,1.9,19.8
-				C343.2,346.5,335,363.3,326.8,380.1z"/>
-		</g>
-	</g>
-</g>
-</svg>

assets/logo.svg

@@ -1,31 +1,160 @@
-<?xml version="1.0" encoding="utf-8"?>
-<svg version="1.1" id="main_outline" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px"
-	 y="0px" viewBox="0 0 640 640" style="enable-background:new 0 0 640 640;" xml:space="preserve">
-<g>
-	<path id="teabag" style="fill:#FFFFFF" d="M395.9,484.2l-126.9-61c-12.5-6-17.9-21.2-11.8-33.8l61-126.9c6-12.5,21.2-17.9,33.8-11.8
-		c17.2,8.3,27.1,13,27.1,13l-0.1-109.2l16.7-0.1l0.1,117.1c0,0,57.4,24.2,83.1,40.1c3.7,2.3,10.2,6.8,12.9,14.4
-		c2.1,6.1,2,13.1-1,19.3l-61,126.9C423.6,484.9,408.4,490.3,395.9,484.2z"/>
-	<g>
-		<g>
-			<path style="fill:#609926" d="M622.7,149.8c-4.1-4.1-9.6-4-9.6-4s-117.2,6.6-177.9,8c-13.3,0.3-26.5,0.6-39.6,0.7c0,39.1,0,78.2,0,117.2
-				c-5.5-2.6-11.1-5.3-16.6-7.9c0-36.4-0.1-109.2-0.1-109.2c-29,0.4-89.2-2.2-89.2-2.2s-141.4-7.1-156.8-8.5
-				c-9.8-0.6-22.5-2.1-39,1.5c-8.7,1.8-33.5,7.4-53.8,26.9C-4.9,212.4,6.6,276.2,8,285.8c1.7,11.7,6.9,44.2,31.7,72.5
-				c45.8,56.1,144.4,54.8,144.4,54.8s12.1,28.9,30.6,55.5c25,33.1,50.7,58.9,75.7,62c63,0,188.9-0.1,188.9-0.1s12,0.1,28.3-10.3
-				c14-8.5,26.5-23.4,26.5-23.4s12.9-13.8,30.9-45.3c5.5-9.7,10.1-19.1,14.1-28c0,0,55.2-117.1,55.2-231.1
-				C633.2,157.9,624.7,151.8,622.7,149.8z M125.6,353.9c-25.9-8.5-36.9-18.7-36.9-18.7S69.6,321.8,60,295.4
-				c-16.5-44.2-1.4-71.2-1.4-71.2s8.4-22.5,38.5-30c13.8-3.7,31-3.1,31-3.1s7.1,59.4,15.7,94.2c7.2,29.2,24.8,77.7,24.8,77.7
-				S142.5,359.9,125.6,353.9z M425.9,461.5c0,0-6.1,14.5-19.6,15.4c-5.8,0.4-10.3-1.2-10.3-1.2s-0.3-0.1-5.3-2.1l-112.9-55
-				c0,0-10.9-5.7-12.8-15.6c-2.2-8.1,2.7-18.1,2.7-18.1L322,273c0,0,4.8-9.7,12.2-13c0.6-0.3,2.3-1,4.5-1.5c8.1-2.1,18,2.8,18,2.8
-				l110.7,53.7c0,0,12.6,5.7,15.3,16.2c1.9,7.4-0.5,14-1.8,17.2C474.6,363.8,425.9,461.5,425.9,461.5z"/>
-			<path style="fill:#609926" d="M326.8,380.1c-8.2,0.1-15.4,5.8-17.3,13.8c-1.9,8,2,16.3,9.1,20c7.7,4,17.5,1.8,22.7-5.4
-				c5.1-7.1,4.3-16.9-1.8-23.1l24-49.1c1.5,0.1,3.7,0.2,6.2-0.5c4.1-0.9,7.1-3.6,7.1-3.6c4.2,1.8,8.6,3.8,13.2,6.1
-				c4.8,2.4,9.3,4.9,13.4,7.3c0.9,0.5,1.8,1.1,2.8,1.9c1.6,1.3,3.4,3.1,4.7,5.5c1.9,5.5-1.9,14.9-1.9,14.9
-				c-2.3,7.6-18.4,40.6-18.4,40.6c-8.1-0.2-15.3,5-17.7,12.5c-2.6,8.1,1.1,17.3,8.9,21.3c7.8,4,17.4,1.7,22.5-5.3
-				c5-6.8,4.6-16.3-1.1-22.6c1.9-3.7,3.7-7.4,5.6-11.3c5-10.4,13.5-30.4,13.5-30.4c0.9-1.7,5.7-10.3,2.7-21.3
-				c-2.5-11.4-12.6-16.7-12.6-16.7c-12.2-7.9-29.2-15.2-29.2-15.2s0-4.1-1.1-7.1c-1.1-3.1-2.8-5.1-3.9-6.3c4.7-9.7,9.4-19.3,14.1-29
-				c-4.1-2-8.1-4-12.2-6.1c-4.8,9.8-9.7,19.7-14.5,29.5c-6.7-0.1-12.9,3.5-16.1,9.4c-3.4,6.3-2.7,14.1,1.9,19.8
-				C343.2,346.5,335,363.3,326.8,380.1z"/>
-		</g>
-	</g>
-</g>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="512"
+   height="512"
+   viewBox="0 0 135.46667 135.46667"
+   version="1.1"
+   id="svg8"
+   sodipodi:docname="logo.svg"
+   inkscape:version="0.92.1 r15371"
+   inkscape:export-filename=""
+   inkscape:export-xdpi="48.000004"
+   inkscape:export-ydpi="48.000004">
+  <defs
+     id="defs2" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="0.70710678"
+     inkscape:cx="418.13805"
+     inkscape:cy="177.57445"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer2"
+     showgrid="false"
+     units="px"
+     width="256px"
+     showguides="false"
+     inkscape:window-width="1920"
+     inkscape:window-height="1137"
+     inkscape:window-x="1912"
+     inkscape:window-y="-8"
+     inkscape:window-maximized="1"
+     inkscape:pagecheckerboard="false"
+     inkscape:measure-start="283.373,243.952"
+     inkscape:measure-end="290.267,236.527">
+    <sodipodi:guide
+       position="0,0"
+       orientation="0,512"
+       id="guide3699"
+       inkscape:locked="false" />
+    <sodipodi:guide
+       position="135.46667,0"
+       orientation="-512,0"
+       id="guide3701"
+       inkscape:locked="false" />
+    <sodipodi:guide
+       position="135.46667,135.46667"
+       orientation="0,-512"
+       id="guide3703"
+       inkscape:locked="false" />
+    <sodipodi:guide
+       position="0,135.46667"
+       orientation="512,0"
+       id="guide3705"
+       inkscape:locked="false" />
+  </sodipodi:namedview>
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(0,-161.53334)"
+     style="display:inline">
+    <path
+       style="fill:#609926;fill-opacity:1;stroke:#428f29;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:none"
+       d="m 27.709937,195.15095 c -9.546573,-0.0272 -22.3392732,6.79805 -21.6317552,23.90397 1.105534,26.72889 25.4565952,29.20839 35.1916502,29.42301 1.068023,5.01357 12.521798,22.30563 21.001818,23.21667 h 37.15277 c 22.27763,-1.66785 38.9607,-75.75671 26.59321,-76.03825 -46.781583,2.47691 -49.995146,2.13838 -88.599758,0 -2.495053,-0.0266 -5.972321,-0.49474 -9.707935,-0.5054 z m 2.491319,9.45886 c 1.351378,13.69267 3.555849,21.70359 8.018216,33.94345 -11.382872,-1.50473 -21.069822,-5.22443 -22.851515,-19.10984 -0.950962,-7.4112 2.390428,-15.16769 14.833299,-14.83361 z"
+       id="path3722"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="sscccccsccsc" />
+  </g>
+  <g
+     inkscape:groupmode="layer"
+     id="layer2"
+     inkscape:label="Layer 2"
+     style="display:inline">
+    <rect
+       style="display:inline;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.24757317;stroke-opacity:1"
+       id="rect4599"
+       width="34.762054"
+       height="34.762054"
+       x="87.508659"
+       y="18.291576"
+       transform="rotate(25.914715)"
+       ry="5.4825778" />
+    <path
+       style="display:inline;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26644793px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       d="m 79.804947,57.359056 3.241146,1.609954 V 35.255731 h -3.262698 z"
+       id="path4525"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccccc" />
+  </g>
+  <g
+     inkscape:groupmode="layer"
+     id="layer3"
+     inkscape:label="Layer 3"
+     style="display:inline">
+    <g
+       style="display:inline"
+       id="g4539">
+      <circle
+         transform="rotate(-19.796137)"
+         r="3.4745038"
+         cy="90.077766"
+         cx="49.064713"
+         id="path4606"
+         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
+      <circle
+         transform="rotate(-19.796137)"
+         r="3.4745038"
+         cy="102.1049"
+         cx="36.810425"
+         id="path4606-3"
+         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
+      <circle
+         transform="rotate(-19.796137)"
+         r="3.4745038"
+         cy="111.43928"
+         cx="46.484283"
+         id="path4606-1"
+         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
+      <rect
+         transform="rotate(26.024158)"
+         y="18.061695"
+         x="97.333458"
+         height="27.261492"
+         width="2.6726954"
+         id="rect4629-8"
+         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.27444693;stroke-opacity:1" />
+      <path
+         sodipodi:nodetypes="cc"
+         inkscape:connector-curvature="0"
+         id="path4514"
+         d="m 76.558096,68.116343 c 12.97589,6.395378 13.012989,4.101862 4.890858,20.907244"
+         style="fill:none;stroke:#609926;stroke-width:2.68000007;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    </g>
+  </g>
 </svg>

assets/misspellings.csv

@@ -1,21 +0,0 @@
-acounts,accounts
-canidate,candidate
-comfirm,confirm
-converage,coverage
-currrently,currently
-delimeter,delimiter
-differrent,different
-exclusing,excluding
-finshed,finished
-formated,formatted
-inderect,indirect
-insuficient,insufficient
-likly,likely
-mergable,mergeable
-overrided,overridden
-priortized,prioritized
-registeration,registration
-reuqest,request
-reviwer,reviewer
-superceded,superseded
-underlaying,underlying

build/backport-locales.go

@@ -1,115 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build ignore
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-
-	"code.gitcaddy.com/server/v3/modules/container"
-	"code.gitcaddy.com/server/v3/modules/setting"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		println("usage: backport-locales <to-ref>")
-		println("eg: backport-locales release/v1.19")
-		os.Exit(1)
-	}
-
-	mustNoErr := func(err error) {
-		if err != nil {
-			panic(err)
-		}
-	}
-	collectInis := func(ref string) map[string]setting.ConfigProvider {
-		inis := map[string]setting.ConfigProvider{}
-		err := filepath.WalkDir("options/locale", func(path string, d os.DirEntry, err error) error {
-			if err != nil {
-				return err
-			}
-			if d.IsDir() || !strings.HasSuffix(d.Name(), ".ini") {
-				return nil
-			}
-			cfg, err := setting.NewConfigProviderForLocale(path)
-			mustNoErr(err)
-			inis[path] = cfg
-			fmt.Printf("collecting: %s @ %s\n", path, ref)
-			return nil
-		})
-		mustNoErr(err)
-		return inis
-	}
-
-	// collect new locales from current working directory
-	inisNew := collectInis("HEAD")
-
-	// switch to the target ref, and collect the old locales
-	cmd := exec.Command("git", "checkout", os.Args[1])
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	mustNoErr(cmd.Run())
-	inisOld := collectInis(os.Args[1])
-
-	// use old en-US as the base, and copy the new translations to the old locales
-	enUsOld := inisOld["options/locale/locale_en-US.ini"]
-	brokenWarned := make(container.Set[string])
-	for path, iniOld := range inisOld {
-		if iniOld == enUsOld {
-			continue
-		}
-		iniNew := inisNew[path]
-		if iniNew == nil {
-			continue
-		}
-		for _, secEnUS := range enUsOld.Sections() {
-			secOld := iniOld.Section(secEnUS.Name())
-			secNew := iniNew.Section(secEnUS.Name())
-			for _, keyEnUs := range secEnUS.Keys() {
-				if secNew.HasKey(keyEnUs.Name()) {
-					oldStr := secOld.Key(keyEnUs.Name()).String()
-					newStr := secNew.Key(keyEnUs.Name()).String()
-					broken := oldStr != "" && strings.Count(oldStr, "%") != strings.Count(newStr, "%")
-					broken = broken || strings.Contains(oldStr, "\n") || strings.Contains(oldStr, "\n")
-					if broken {
-						brokenWarned.Add(secOld.Name() + "." + keyEnUs.Name())
-						fmt.Println("----")
-						fmt.Printf("WARNING: skip broken locale: %s , [%s] %s\n", path, secEnUS.Name(), keyEnUs.Name())
-						fmt.Printf("\told: %s\n", strings.ReplaceAll(oldStr, "\n", "\\n"))
-						fmt.Printf("\tnew: %s\n", strings.ReplaceAll(newStr, "\n", "\\n"))
-						continue
-					}
-					secOld.Key(keyEnUs.Name()).SetValue(newStr)
-				}
-			}
-		}
-		mustNoErr(iniOld.SaveTo(path))
-	}
-
-	fmt.Println("========")
-
-	for path, iniNew := range inisNew {
-		for _, sec := range iniNew.Sections() {
-			for _, key := range sec.Keys() {
-				str := sec.Key(key.Name()).String()
-				broken := strings.Contains(str, "\n")
-				broken = broken || strings.HasPrefix(str, "`") != strings.HasSuffix(str, "`")
-				broken = broken || strings.HasPrefix(str, "\"`")
-				broken = broken || strings.HasPrefix(str, "`\"")
-				broken = broken || strings.Count(str, `"`)%2 == 1
-				broken = broken || strings.Count(str, "`")%2 == 1
-				if broken && !brokenWarned.Contains(sec.Name()+"."+key.Name()) {
-					fmt.Printf("WARNING: found broken locale: %s , [%s] %s\n", path, sec.Name(), key.Name())
-					fmt.Printf("\tstr: %s\n", strings.ReplaceAll(str, "\n", "\\n"))
-					fmt.Println("----")
-				}
-			}
-		}
-	}
-}

build/generate-bindata.go

@@ -1,27 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build ignore
-
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"code.gitcaddy.com/server/v3/modules/assetfs"
-)
-
-func main() {
-	if len(os.Args) != 3 {
-		fmt.Println("usage: ./generate-bindata {local-directory} {bindata-filename}")
-		os.Exit(1)
-	}
-
-	dir, filename := os.Args[1], os.Args[2]
-	fmt.Printf("generating bindata for %s to %s\n", dir, filename)
-	if err := assetfs.GenerateEmbedBindata(dir, filename); err != nil {
-		fmt.Printf("failed: %s\n", err.Error())
-		os.Exit(1)
-	}
-}

build/generate-emoji.go

@@ -1,219 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright 2015 Kenneth Shaw
-// SPDX-License-Identifier: MIT
-
-//go:build ignore
-
-package main
-
-import (
-	"flag"
-	"fmt"
-	"go/format"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"regexp"
-	"sort"
-	"strconv"
-	"strings"
-	"unicode/utf8"
-
-	"code.gitcaddy.com/server/v3/modules/json"
-)
-
-const (
-	gemojiURL         = "https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json"
-	maxUnicodeVersion = 15
-)
-
-var flagOut = flag.String("o", "modules/emoji/emoji_data.go", "out")
-
-// Gemoji is a set of emoji data.
-type Gemoji []Emoji
-
-// Emoji represents a single emoji and associated data.
-type Emoji struct {
-	Emoji          string   `json:"emoji"`
-	Description    string   `json:"description,omitempty"`
-	Aliases        []string `json:"aliases"`
-	UnicodeVersion string   `json:"unicode_version,omitempty"`
-	SkinTones      bool     `json:"skin_tones,omitempty"`
-}
-
-// Don't include some fields in JSON
-func (e Emoji) MarshalJSON() ([]byte, error) {
-	type emoji Emoji
-	x := emoji(e)
-	x.UnicodeVersion = ""
-	x.Description = ""
-	x.SkinTones = false
-	return json.Marshal(x)
-}
-
-func main() {
-	flag.Parse()
-
-	// generate data
-	buf, err := generate()
-	if err != nil {
-		log.Fatalf("generate err: %v", err)
-	}
-
-	// write
-	err = os.WriteFile(*flagOut, buf, 0o644)
-	if err != nil {
-		log.Fatalf("WriteFile err: %v", err)
-	}
-}
-
-var replacer = strings.NewReplacer(
-	"main.Gemoji", "Gemoji",
-	"main.Emoji", "\n",
-	"}}", "},\n}",
-	", Description:", ", ",
-	", Aliases:", ", ",
-	", UnicodeVersion:", ", ",
-	", SkinTones:", ", ",
-)
-
-var emojiRE = regexp.MustCompile(`\{Emoji:"([^"]*)"`)
-
-func generate() ([]byte, error) {
-	// load gemoji data
-	res, err := http.Get(gemojiURL)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-
-	// read all
-	body, err := io.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	// unmarshal
-	var data Gemoji
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		return nil, err
-	}
-
-	skinTones := make(map[string]string)
-
-	skinTones["\U0001f3fb"] = "Light Skin Tone"
-	skinTones["\U0001f3fc"] = "Medium-Light Skin Tone"
-	skinTones["\U0001f3fd"] = "Medium Skin Tone"
-	skinTones["\U0001f3fe"] = "Medium-Dark Skin Tone"
-	skinTones["\U0001f3ff"] = "Dark Skin Tone"
-
-	var tmp Gemoji
-
-	// filter out emoji that require greater than max unicode version
-	for i := range data {
-		val, _ := strconv.ParseFloat(data[i].UnicodeVersion, 64)
-		if int(val) <= maxUnicodeVersion {
-			tmp = append(tmp, data[i])
-		}
-	}
-	data = tmp
-
-	sort.Slice(data, func(i, j int) bool {
-		return data[i].Aliases[0] < data[j].Aliases[0]
-	})
-
-	aliasMap := make(map[string]int, len(data))
-
-	for i, e := range data {
-		if e.Emoji == "" || len(e.Aliases) == 0 {
-			continue
-		}
-		for _, a := range e.Aliases {
-			if a == "" {
-				continue
-			}
-			aliasMap[a] = i
-		}
-	}
-
-	// gitea customizations
-	i, ok := aliasMap["tada"]
-	if ok {
-		data[i].Aliases = append(data[i].Aliases, "hooray")
-	}
-	i, ok = aliasMap["laughing"]
-	if ok {
-		data[i].Aliases = append(data[i].Aliases, "laugh")
-	}
-
-	// write a JSON file to use with tribute (write before adding skin tones since we can't support them there yet)
-	file, _ := json.Marshal(data)
-	_ = os.WriteFile("assets/emoji.json", file, 0o644)
-
-	// Add skin tones to emoji that support it
-	var (
-		s              []string
-		newEmoji       string
-		newDescription string
-		newData        Emoji
-	)
-
-	for i := range data {
-		if data[i].SkinTones {
-			for k, v := range skinTones {
-				s = strings.Split(data[i].Emoji, "")
-
-				if utf8.RuneCountInString(data[i].Emoji) == 1 {
-					s = append(s, k)
-				} else {
-					// insert into slice after first element because all emoji that support skin tones
-					// have that modifier placed at this spot
-					s = append(s, "")
-					copy(s[2:], s[1:])
-					s[1] = k
-				}
-
-				newEmoji = strings.Join(s, "")
-				newDescription = data[i].Description + ": " + v
-				newAlias := data[i].Aliases[0] + "_" + strings.ReplaceAll(v, " ", "_")
-
-				newData = Emoji{newEmoji, newDescription, []string{newAlias}, "12.0", false}
-				data = append(data, newData)
-			}
-		}
-	}
-
-	sort.Slice(data, func(i, j int) bool {
-		return data[i].Aliases[0] < data[j].Aliases[0]
-	})
-
-	// add header
-	str := replacer.Replace(fmt.Sprintf(hdr, gemojiURL, data))
-
-	// change the format of the unicode string
-	str = emojiRE.ReplaceAllStringFunc(str, func(s string) string {
-		var err error
-		s, err = strconv.Unquote(s[len("{Emoji:"):])
-		if err != nil {
-			panic(err)
-		}
-		return "{" + strconv.QuoteToASCII(s)
-	})
-
-	// format
-	return format.Source([]byte(str))
-}
-
-const hdr = `
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-
-package emoji
-
-// Code generated by build/generate-emoji.go. DO NOT EDIT.
-// Sourced from %s
-var GemojiData = %#v
-`

build/generate-gitignores.go

@@ -1,126 +0,0 @@
-//go:build ignore
-
-package main
-
-import (
-	"archive/tar"
-	"compress/gzip"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-
-	"code.gitcaddy.com/server/v3/modules/util"
-)
-
-func main() {
-	var (
-		prefix         = "gitea-gitignore"
-		url            = "https://api.github.com/repos/github/gitignore/tarball"
-		githubApiToken = ""
-		githubUsername = ""
-		destination    = ""
-	)
-
-	flag.StringVar(&destination, "dest", "options/gitignore/", "destination for the gitignores")
-	flag.StringVar(&githubUsername, "username", "", "github username")
-	flag.StringVar(&githubApiToken, "token", "", "github api token")
-	flag.Parse()
-
-	file, err := os.CreateTemp(os.TempDir(), prefix)
-	if err != nil {
-		log.Fatalf("Failed to create temp file. %s", err)
-	}
-
-	defer util.Remove(file.Name())
-
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		log.Fatalf("Failed to download archive. %s", err)
-	}
-
-	if len(githubApiToken) > 0 && len(githubUsername) > 0 {
-		req.SetBasicAuth(githubUsername, githubApiToken)
-	}
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		log.Fatalf("Failed to download archive. %s", err)
-	}
-	defer resp.Body.Close()
-
-	if _, err := io.Copy(file, resp.Body); err != nil {
-		log.Fatalf("Failed to copy archive to file. %s", err)
-	}
-
-	if _, err := file.Seek(0, 0); err != nil {
-		log.Fatalf("Failed to reset seek on archive. %s", err)
-	}
-
-	gz, err := gzip.NewReader(file)
-	if err != nil {
-		log.Fatalf("Failed to gunzip the archive. %s", err)
-	}
-
-	tr := tar.NewReader(gz)
-
-	filesToCopy := make(map[string]string, 0)
-
-	for {
-		hdr, err := tr.Next()
-
-		if err == io.EOF {
-			break
-		}
-
-		if err != nil {
-			log.Fatalf("Failed to iterate archive. %s", err)
-		}
-
-		if filepath.Ext(hdr.Name) != ".gitignore" {
-			continue
-		}
-
-		if hdr.Typeflag == tar.TypeSymlink {
-			fmt.Printf("Found symlink %s -> %s\n", hdr.Name, hdr.Linkname)
-			filesToCopy[strings.TrimSuffix(filepath.Base(hdr.Name), ".gitignore")] = strings.TrimSuffix(filepath.Base(hdr.Linkname), ".gitignore")
-			continue
-		}
-
-		out, err := os.Create(path.Join(destination, strings.TrimSuffix(filepath.Base(hdr.Name), ".gitignore")))
-		if err != nil {
-			log.Fatalf("Failed to create new file. %s", err)
-		}
-
-		defer out.Close()
-
-		if _, err := io.Copy(out, tr); err != nil {
-			log.Fatalf("Failed to write new file. %s", err)
-		} else {
-			fmt.Printf("Written %s\n", out.Name())
-		}
-	}
-
-	for dst, src := range filesToCopy {
-		// Read all content of src to data
-		src = path.Join(destination, src)
-		data, err := os.ReadFile(src)
-		if err != nil {
-			log.Fatalf("Failed to read src file. %s", err)
-		}
-		// Write data to dst
-		dst = path.Join(destination, dst)
-		err = os.WriteFile(dst, data, 0o644)
-		if err != nil {
-			log.Fatalf("Failed to write new file. %s", err)
-		}
-		fmt.Printf("Written (copy of %s) %s\n", src, dst)
-	}
-
-	fmt.Println("Done")
-}

build/generate-go-licenses.go

@@ -1,118 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build ignore
-
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/fs"
-	"os"
-	"path"
-	"path/filepath"
-	"regexp"
-	"sort"
-	"strings"
-
-	"code.gitcaddy.com/server/v3/modules/container"
-)
-
-// regexp is based on go-license, excluding README and NOTICE
-// https://github.com/google/go-licenses/blob/master/licenses/find.go
-var licenseRe = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING).*$`)
-
-type LicenseEntry struct {
-	Name        string `json:"name"`
-	Path        string `json:"path"`
-	LicenseText string `json:"licenseText"`
-}
-
-func main() {
-	if len(os.Args) != 3 {
-		fmt.Println("usage: go run generate-go-licenses.go <base-dir> <out-json-file>")
-		os.Exit(1)
-	}
-
-	base, out := os.Args[1], os.Args[2]
-
-	// Add ext for excluded files because license_test.go will be included for some reason.
-	// And there are more files that should be excluded, check with:
-	//
-	// go run github.com/google/go-licenses@v1.6.0 save . --force --save_path=.go-licenses 2>/dev/null
-	// find .go-licenses -type f | while read FILE; do echo "${$(basename $FILE)##*.}"; done | sort -u
-	//    AUTHORS
-	//    COPYING
-	//    LICENSE
-	//    Makefile
-	//    NOTICE
-	//    gitignore
-	//    go
-	//    md
-	//    mod
-	//    sum
-	//    toml
-	//    txt
-	//    yml
-	//
-	// It could be removed once we have a better regex.
-	excludedExt := container.SetOf(".gitignore", ".go", ".mod", ".sum", ".toml", ".yml")
-
-	var paths []string
-	err := filepath.WalkDir(base, func(path string, entry fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-		if entry.IsDir() || !licenseRe.MatchString(entry.Name()) || excludedExt.Contains(filepath.Ext(entry.Name())) {
-			return nil
-		}
-		paths = append(paths, path)
-		return nil
-	})
-	if err != nil {
-		panic(err)
-	}
-
-	sort.Strings(paths)
-
-	var entries []LicenseEntry
-	for _, filePath := range paths {
-		licenseText, err := os.ReadFile(filePath)
-		if err != nil {
-			panic(err)
-		}
-
-		pkgPath := filepath.ToSlash(filePath)
-		pkgPath = strings.TrimPrefix(pkgPath, base+"/")
-		pkgName := path.Dir(pkgPath)
-
-		// There might be a bug somewhere in go-licenses that sometimes interprets the
-		// root package as "." and sometimes as "code.gitcaddy.com/server". Workaround by
-		// removing both of them for the sake of stable output.
-		if pkgName == "." || pkgName == "code.gitcaddy.com/server" {
-			continue
-		}
-
-		entries = append(entries, LicenseEntry{
-			Name:        pkgName,
-			Path:        pkgPath,
-			LicenseText: string(licenseText),
-		})
-	}
-
-	jsonBytes, err := json.MarshalIndent(entries, "", "  ")
-	if err != nil {
-		panic(err)
-	}
-
-	// Ensure file has a final newline
-	if jsonBytes[len(jsonBytes)-1] != '\n' {
-		jsonBytes = append(jsonBytes, '\n')
-	}
-
-	err = os.WriteFile(out, jsonBytes, 0o644)
-	if err != nil {
-		panic(err)
-	}
-}

build/test-env-check.sh

@@ -1,24 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ ! -f ./build/test-env-check.sh ]; then
-  echo "${0} can only be executed in gitea source root directory"
-  exit 1
-fi
-
-
-echo "check uid ..."
-
-# the uid of gitea defined in "https://gitea.com/gitea/test-env" is 1000
-gitea_uid=$(id -u gitea)
-if [ "$gitea_uid" != "1000" ]; then
-  echo "The uid of linux user 'gitea' is expected to be 1000, but it is $gitea_uid"
-  exit 1
-fi
-
-cur_uid=$(id -u)
-if [ "$cur_uid" != "0" -a "$cur_uid" != "$gitea_uid" ]; then
-  echo "The uid of current linux user is expected to be 0 or $gitea_uid, but it is $cur_uid"
-  exit 1
-fi

build/test-env-prepare.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ ! -f ./build/test-env-prepare.sh ]; then
-  echo "${0} can only be executed in gitea source root directory"
-  exit 1
-fi
-
-echo "change the owner of files to gitea ..."
-chown -R gitea:gitea .

build/update-locales.sh

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# this script runs in alpine image which only has `sh` shell
-if [ ! -f ./options/locale/locale_en-US.json ]; then
-  echo "please run this script in the root directory of the project"
-  exit 1
-fi
-
-mv ./options/locale/locale_en-US.json ./options/
-
-# Remove translation under 25% of en_us
-baselines=$(cat "./options/locale_en-US.json" | wc -l)
-baselines=$((baselines / 4))
-for filename in ./options/locale/*.json; do
-  lines=$(cat "$filename" | wc -l)
-  if [ "$lines" -lt "$baselines" ]; then
-    echo "Removing $filename: $lines/$baselines"
-    rm "$filename"
-  fi
-done
-
-mv ./options/locale_en-US.json ./options/locale/

cmd/actions.go

@@ -1,53 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"fmt"
-
-	"code.gitcaddy.com/server/v3/modules/private"
-	"code.gitcaddy.com/server/v3/modules/setting"
-
-	"github.com/urfave/cli/v3"
-)
-
-var (
-	// CmdActions represents the available actions sub-commands.
-	CmdActions = &cli.Command{
-		Name:  "actions",
-		Usage: "Manage Gitea Actions",
-		Commands: []*cli.Command{
-			subcmdActionsGenRunnerToken,
-		},
-	}
-
-	subcmdActionsGenRunnerToken = &cli.Command{
-		Name:    "generate-runner-token",
-		Usage:   "Generate a new token for a runner to use to register with the server",
-		Action:  runGenerateActionsRunnerToken,
-		Aliases: []string{"grt"},
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "scope",
-				Aliases: []string{"s"},
-				Value:   "",
-				Usage:   "{owner}[/{repo}] - leave empty for a global runner",
-			},
-		},
-	}
-)
-
-func runGenerateActionsRunnerToken(ctx context.Context, c *cli.Command) error {
-	setting.MustInstalled()
-
-	scope := c.String("scope")
-
-	respText, extra := private.GenerateActionsRunnerToken(ctx, scope)
-	if extra.HasError() {
-		return handleCliResponseExtra(extra)
-	}
-	_, _ = fmt.Printf("%s\n", respText.Text)
-	return nil
-}

cmd/admin.go

@@ -1,167 +1,589 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
 
 package cmd
 
 import (
-	"context"
+	"errors"
 	"fmt"
+	"os"
+	"text/tabwriter"
 
-	"code.gitcaddy.com/server/v3/models/db"
-	repo_model "code.gitcaddy.com/server/v3/models/repo"
-	"code.gitcaddy.com/server/v3/modules/git"
-	"code.gitcaddy.com/server/v3/modules/gitrepo"
-	"code.gitcaddy.com/server/v3/modules/log"
-	repo_module "code.gitcaddy.com/server/v3/modules/repository"
+	"code.gitea.io/git"
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/auth/oauth2"
+	"code.gitea.io/gitea/modules/generate"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 
-	"github.com/urfave/cli/v3"
+	"github.com/urfave/cli"
 )
 
 var (
 	// CmdAdmin represents the available admin sub-command.
-	CmdAdmin = &cli.Command{
+	CmdAdmin = cli.Command{
 		Name:  "admin",
-		Usage: "Perform common administrative operations",
-		Commands: []*cli.Command{
-			subcmdUser,
+		Usage: "Command line interface to perform common administrative operations",
+		Subcommands: []cli.Command{
+			subcmdCreateUser,
+			subcmdChangePassword,
 			subcmdRepoSyncReleases,
 			subcmdRegenerate,
 			subcmdAuth,
-			subcmdSendMail,
 		},
 	}
 
-	subcmdRepoSyncReleases = &cli.Command{
+	subcmdCreateUser = cli.Command{
+		Name:   "create-user",
+		Usage:  "Create a new user in database",
+		Action: runCreateUser,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "name",
+				Usage: "Username",
+			},
+			cli.StringFlag{
+				Name:  "password",
+				Usage: "User password",
+			},
+			cli.StringFlag{
+				Name:  "email",
+				Usage: "User email address",
+			},
+			cli.BoolFlag{
+				Name:  "admin",
+				Usage: "User is an admin",
+			},
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
+			},
+			cli.BoolFlag{
+				Name:  "random-password",
+				Usage: "Generate a random password for the user",
+			},
+			cli.BoolFlag{
+				Name:  "must-change-password",
+				Usage: "Force the user to change his/her password after initial login",
+			},
+			cli.IntFlag{
+				Name:  "random-password-length",
+				Usage: "Length of the random password to be generated",
+				Value: 12,
+			},
+		},
+	}
+
+	subcmdChangePassword = cli.Command{
+		Name:   "change-password",
+		Usage:  "Change a user's password",
+		Action: runChangePassword,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "username,u",
+				Value: "",
+				Usage: "The user to change password for",
+			},
+			cli.StringFlag{
+				Name:  "password,p",
+				Value: "",
+				Usage: "New password to set for user",
+			},
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
+			},
+		},
+	}
+
+	subcmdRepoSyncReleases = cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
 		Action: runRepoSyncReleases,
 	}
 
-	subcmdRegenerate = &cli.Command{
+	subcmdRegenerate = cli.Command{
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
-		Commands: []*cli.Command{
+		Subcommands: []cli.Command{
 			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}
 
-	subcmdAuth = &cli.Command{
+	microcmdRegenHooks = cli.Command{
+		Name:   "hooks",
+		Usage:  "Regenerate git-hooks",
+		Action: runRegenerateHooks,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
+			},
+		},
+	}
+
+	microcmdRegenKeys = cli.Command{
+		Name:   "keys",
+		Usage:  "Regenerate authorized_keys file",
+		Action: runRegenerateKeys,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
+			},
+		},
+	}
+
+	subcmdAuth = cli.Command{
 		Name:  "auth",
 		Usage: "Modify external auth providers",
-		Commands: []*cli.Command{
-			microcmdAuthAddOauth(),
-			microcmdAuthUpdateOauth(),
-			microcmdAuthAddLdapBindDn(),
-			microcmdAuthUpdateLdapBindDn(),
-			microcmdAuthAddLdapSimpleAuth(),
-			microcmdAuthUpdateLdapSimpleAuth(),
-			microcmdAuthAddSMTP(),
-			microcmdAuthUpdateSMTP(),
+		Subcommands: []cli.Command{
+			microcmdAuthAddOauth,
+			microcmdAuthUpdateOauth,
 			microcmdAuthList,
 			microcmdAuthDelete,
 		},
 	}
 
-	subcmdSendMail = &cli.Command{
-		Name:   "sendmail",
-		Usage:  "Send a message to all users",
-		Action: runSendMail,
+	microcmdAuthList = cli.Command{
+		Name:   "list",
+		Usage:  "List auth sources",
+		Action: runListAuth,
 		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "title",
-				Usage:    "a title of a message",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:  "content",
-				Usage: "a content of a message",
-				Value: "",
-			},
-			&cli.BoolFlag{
-				Name:    "force",
-				Aliases: []string{"f"},
-				Usage:   "A flag to bypass a confirmation step",
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
 			},
 		},
 	}
+
+	idFlag = cli.Int64Flag{
+		Name:  "id",
+		Usage: "ID of OAuth authentication source",
+	}
+
+	microcmdAuthDelete = cli.Command{
+		Name:   "delete",
+		Usage:  "Delete specific auth source",
+		Action: runDeleteAuth,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "config, c",
+				Value: "custom/conf/app.ini",
+				Usage: "Custom configuration file path",
+			},
+			idFlag,
+		},
+	}
+
+	oauthCLIFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "config, c",
+			Value: "custom/conf/app.ini",
+			Usage: "Custom configuration file path",
+		},
+		cli.StringFlag{
+			Name:  "name",
+			Value: "",
+			Usage: "Application Name",
+		},
+		cli.StringFlag{
+			Name:  "provider",
+			Value: "",
+			Usage: "OAuth2 Provider",
+		},
+		cli.StringFlag{
+			Name:  "key",
+			Value: "",
+			Usage: "Client ID (Key)",
+		},
+		cli.StringFlag{
+			Name:  "secret",
+			Value: "",
+			Usage: "Client Secret",
+		},
+		cli.StringFlag{
+			Name:  "auto-discover-url",
+			Value: "",
+			Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",
+		},
+		cli.StringFlag{
+			Name:  "use-custom-urls",
+			Value: "false",
+			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
+		},
+		cli.StringFlag{
+			Name:  "custom-auth-url",
+			Value: "",
+			Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-token-url",
+			Value: "",
+			Usage: "Use a custom Token URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-profile-url",
+			Value: "",
+			Usage: "Use a custom Profile URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-email-url",
+			Value: "",
+			Usage: "Use a custom Email URL (option for GitHub)",
+		},
+	}
+
+	microcmdAuthUpdateOauth = cli.Command{
+		Name:   "update-oauth",
+		Usage:  "Update existing Oauth authentication source",
+		Action: runUpdateOauth,
+		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),
+	}
+
+	microcmdAuthAddOauth = cli.Command{
+		Name:   "add-oauth",
+		Usage:  "Add new Oauth authentication source",
+		Action: runAddOauth,
+		Flags:  oauthCLIFlags,
+	}
 )
 
-func idFlag() *cli.Int64Flag {
-	return &cli.Int64Flag{
-		Name:  "id",
-		Usage: "ID of authentication source",
-	}
-}
-
-func runRepoSyncReleases(ctx context.Context, _ *cli.Command) error {
-	if err := initDB(ctx); err != nil {
+func runChangePassword(c *cli.Context) error {
+	if err := argsSet(c, "username", "password"); err != nil {
 		return err
 	}
 
-	if err := git.InitSimple(); err != nil {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	uname := c.String("username")
+	user, err := models.GetUserByName(uname)
+	if err != nil {
+		return err
+	}
+	if user.Salt, err = models.GetUserSalt(); err != nil {
+		return err
+	}
+	user.HashPassword(c.String("password"))
+	if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil {
+		return err
+	}
+
+	fmt.Printf("%s's password has been successfully updated!\n", user.Name)
+	return nil
+}
+
+func runCreateUser(c *cli.Context) error {
+	if err := argsSet(c, "name", "email"); err != nil {
+		return err
+	}
+
+	if c.IsSet("password") && c.IsSet("random-password") {
+		return errors.New("cannot set both -random-password and -password flags")
+	}
+
+	var password string
+
+	if c.IsSet("password") {
+		password = c.String("password")
+	} else if c.IsSet("random-password") {
+		var err error
+		password, err = generate.GetRandomString(c.Int("random-password-length"))
+		if err != nil {
+			return err
+		}
+
+		fmt.Printf("generated random password is '%s'\n", password)
+	} else {
+		return errors.New("must set either password or random-password flag")
+	}
+
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	// always default to true
+	var changePassword = true
+
+	// If this is the first user being created.
+	// Take it as the admin and don't force a password update.
+	if n := models.CountUsers(); n == 0 {
+		changePassword = false
+	}
+
+	if c.IsSet("must-change-password") {
+		changePassword = c.Bool("must-change-password")
+	}
+
+	if err := models.CreateUser(&models.User{
+		Name:               c.String("name"),
+		Email:              c.String("email"),
+		Passwd:             password,
+		IsActive:           true,
+		IsAdmin:            c.Bool("admin"),
+		MustChangePassword: changePassword,
+		Theme:              setting.UI.DefaultTheme,
+	}); err != nil {
+		return fmt.Errorf("CreateUser: %v", err)
+	}
+
+	fmt.Printf("New user '%s' has been successfully created!\n", c.String("name"))
+	return nil
+}
+
+func runRepoSyncReleases(c *cli.Context) error {
+	if err := initDB(); err != nil {
 		return err
 	}
 
 	log.Trace("Synchronizing repository releases (this may take a while)")
 	for page := 1; ; page++ {
-		repos, count, err := repo_model.SearchRepositoryByName(ctx, repo_model.SearchRepoOptions{
-			ListOptions: db.ListOptions{
-				PageSize: repo_model.RepositoryListDefaultPageSize,
-				Page:     page,
-			},
-			Private: true,
+		repos, count, err := models.SearchRepositoryByName(&models.SearchRepoOptions{
+			Page:     page,
+			PageSize: models.RepositoryListDefaultPageSize,
+			Private:  true,
 		})
 		if err != nil {
-			return fmt.Errorf("SearchRepositoryByName: %w", err)
+			return fmt.Errorf("SearchRepositoryByName: %v", err)
 		}
 		if len(repos) == 0 {
 			break
 		}
 		log.Trace("Processing next %d repos of %d", len(repos), count)
 		for _, repo := range repos {
-			log.Trace("Synchronizing repo %s with path %s", repo.FullName(), repo.RelativePath())
-			gitRepo, err := gitrepo.OpenRepository(ctx, repo)
+			log.Trace("Synchronizing repo %s with path %s", repo.FullName(), repo.RepoPath())
+			gitRepo, err := git.OpenRepository(repo.RepoPath())
 			if err != nil {
 				log.Warn("OpenRepository: %v", err)
 				continue
 			}
 
-			oldnum, err := getReleaseCount(ctx, repo.ID)
+			oldnum, err := getReleaseCount(repo.ID)
 			if err != nil {
 				log.Warn(" GetReleaseCountByRepoID: %v", err)
 			}
 			log.Trace(" currentNumReleases is %d, running SyncReleasesWithTags", oldnum)
 
-			if err = repo_module.SyncReleasesWithTags(ctx, repo, gitRepo); err != nil {
+			if err = models.SyncReleasesWithTags(repo, gitRepo); err != nil {
 				log.Warn(" SyncReleasesWithTags: %v", err)
-				gitRepo.Close()
 				continue
 			}
 
-			count, err = getReleaseCount(ctx, repo.ID)
+			count, err = getReleaseCount(repo.ID)
 			if err != nil {
 				log.Warn(" GetReleaseCountByRepoID: %v", err)
-				gitRepo.Close()
 				continue
 			}
 
-			log.Trace("repo %s releases synchronized to tags: from %d to %d",
+			log.Trace(" repo %s releases synchronized to tags: from %d to %d",
 				repo.FullName(), oldnum, count)
-			gitRepo.Close()
 		}
 	}
 
 	return nil
 }
 
-func getReleaseCount(ctx context.Context, id int64) (int64, error) {
-	return db.Count[repo_model.Release](
-		ctx,
-		repo_model.FindReleasesOptions{
-			RepoID:      id,
+func getReleaseCount(id int64) (int64, error) {
+	return models.GetReleaseCountByRepoID(
+		id,
+		models.FindReleasesOptions{
 			IncludeTags: true,
 		},
 	)
 }
+
+func runRegenerateHooks(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+	return models.SyncRepositoryHooks()
+}
+
+func runRegenerateKeys(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+	return models.RewriteAllPublicKeys()
+}
+
+func parseOAuth2Config(c *cli.Context) *models.OAuth2Config {
+	var customURLMapping *oauth2.CustomURLMapping
+	if c.IsSet("use-custom-urls") {
+		customURLMapping = &oauth2.CustomURLMapping{
+			TokenURL:   c.String("custom-token-url"),
+			AuthURL:    c.String("custom-auth-url"),
+			ProfileURL: c.String("custom-profile-url"),
+			EmailURL:   c.String("custom-email-url"),
+		}
+	} else {
+		customURLMapping = nil
+	}
+	return &models.OAuth2Config{
+		Provider:                      c.String("provider"),
+		ClientID:                      c.String("key"),
+		ClientSecret:                  c.String("secret"),
+		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
+		CustomURLMapping:              customURLMapping,
+	}
+}
+
+func runAddOauth(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	return models.CreateLoginSource(&models.LoginSource{
+		Type:      models.LoginOAuth2,
+		Name:      c.String("name"),
+		IsActived: true,
+		Cfg:       parseOAuth2Config(c),
+	})
+}
+
+func runUpdateOauth(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if !c.IsSet("id") {
+		return fmt.Errorf("--id flag is missing")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	source, err := models.GetLoginSourceByID(c.Int64("id"))
+	if err != nil {
+		return err
+	}
+
+	oAuth2Config := source.OAuth2()
+
+	if c.IsSet("name") {
+		source.Name = c.String("name")
+	}
+
+	if c.IsSet("provider") {
+		oAuth2Config.Provider = c.String("provider")
+	}
+
+	if c.IsSet("key") {
+		oAuth2Config.ClientID = c.String("key")
+	}
+
+	if c.IsSet("secret") {
+		oAuth2Config.ClientSecret = c.String("secret")
+	}
+
+	if c.IsSet("auto-discover-url") {
+		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
+	}
+
+	// update custom URL mapping
+	var customURLMapping *oauth2.CustomURLMapping
+
+	if oAuth2Config.CustomURLMapping != nil {
+		customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL
+		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
+		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
+		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
+	}
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
+		customURLMapping.TokenURL = c.String("custom-token-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {
+		customURLMapping.AuthURL = c.String("custom-auth-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {
+		customURLMapping.ProfileURL = c.String("custom-profile-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {
+		customURLMapping.EmailURL = c.String("custom-email-url")
+	}
+
+	oAuth2Config.CustomURLMapping = customURLMapping
+	source.Cfg = oAuth2Config
+
+	return models.UpdateSource(source)
+}
+
+func runListAuth(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	loginSources, err := models.LoginSources()
+
+	if err != nil {
+		return err
+	}
+
+	// loop through each source and print
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', tabwriter.AlignRight)
+	fmt.Fprintf(w, "ID\tName\tType\tEnabled")
+	for _, source := range loginSources {
+		fmt.Fprintf(w, "%d\t%s\t%s\t%t", source.ID, source.Name, models.LoginNames[source.Type], source.IsActived)
+	}
+	w.Flush()
+
+	return nil
+}
+
+func runDeleteAuth(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if !c.IsSet("id") {
+		return fmt.Errorf("--id flag is missing")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	source, err := models.GetLoginSourceByID(c.Int64("id"))
+	if err != nil {
+		return err
+	}
+
+	return models.DeleteSource(source)
+}

cmd/admin_auth.go

@@ -1,106 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"text/tabwriter"
-
-	auth_model "code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/models/db"
-	auth_service "code.gitcaddy.com/server/v3/services/auth"
-
-	"github.com/urfave/cli/v3"
-)
-
-var (
-	microcmdAuthDelete = &cli.Command{
-		Name:   "delete",
-		Usage:  "Delete specific auth source",
-		Flags:  []cli.Flag{idFlag()},
-		Action: runDeleteAuth,
-	}
-	microcmdAuthList = &cli.Command{
-		Name:   "list",
-		Usage:  "List auth sources",
-		Action: runListAuth,
-		Flags: []cli.Flag{
-			&cli.IntFlag{
-				Name:  "min-width",
-				Usage: "Minimal cell width including any padding for the formatted table",
-				Value: 0,
-			},
-			&cli.IntFlag{
-				Name:  "tab-width",
-				Usage: "width of tab characters in formatted table (equivalent number of spaces)",
-				Value: 8,
-			},
-			&cli.IntFlag{
-				Name:  "padding",
-				Usage: "padding added to a cell before computing its width",
-				Value: 1,
-			},
-			&cli.StringFlag{
-				Name:  "pad-char",
-				Usage: `ASCII char used for padding if padchar == '\\t', the Writer will assume that the width of a '\\t' in the formatted output is tabwidth, and cells are left-aligned independent of align_left (for correct-looking results, tabwidth must correspond to the tab width in the viewer displaying the result)`,
-				Value: "\t",
-			},
-			&cli.BoolFlag{
-				Name:  "vertical-bars",
-				Usage: "Set to true to print vertical bars between columns",
-			},
-		},
-	}
-)
-
-func runListAuth(ctx context.Context, c *cli.Command) error {
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	authSources, err := db.Find[auth_model.Source](ctx, auth_model.FindSourcesOptions{})
-	if err != nil {
-		return err
-	}
-
-	flags := tabwriter.AlignRight
-	if c.Bool("vertical-bars") {
-		flags |= tabwriter.Debug
-	}
-
-	padChar := byte('\t')
-	if len(c.String("pad-char")) > 0 {
-		padChar = c.String("pad-char")[0]
-	}
-
-	// loop through each source and print
-	w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags)
-	fmt.Fprintf(w, "ID\tName\tType\tEnabled\n")
-	for _, source := range authSources {
-		fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive)
-	}
-	w.Flush()
-
-	return nil
-}
-
-func runDeleteAuth(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("id") {
-		return errors.New("--id flag is missing")
-	}
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	return auth_service.DeleteSource(ctx, source)
-}

cmd/admin_auth_ldap.go

@@ -1,462 +0,0 @@
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/modules/util"
-	"code.gitcaddy.com/server/v3/services/auth/source/ldap"
-
-	"github.com/urfave/cli/v3"
-)
-
-type (
-	authService struct {
-		initDB            func(ctx context.Context) error
-		createAuthSource  func(context.Context, *auth.Source) error
-		updateAuthSource  func(context.Context, *auth.Source) error
-		getAuthSourceByID func(ctx context.Context, id int64) (*auth.Source, error)
-	}
-)
-
-func commonLdapCLIFlags() []cli.Flag {
-	return []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Usage: "Authentication name.",
-		},
-		&cli.BoolFlag{
-			Name:  "not-active",
-			Usage: "Deactivate the authentication source.",
-		},
-		&cli.BoolFlag{
-			Name:  "active",
-			Usage: "Activate the authentication source.",
-		},
-		&cli.StringFlag{
-			Name:  "security-protocol",
-			Usage: "Security protocol name.",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-tls-verify",
-			Usage: "Disable TLS verification.",
-		},
-		&cli.StringFlag{
-			Name:  "host",
-			Usage: "The address where the LDAP server can be reached.",
-		},
-		&cli.IntFlag{
-			Name:  "port",
-			Usage: "The port to use when connecting to the LDAP server.",
-		},
-		&cli.StringFlag{
-			Name:  "user-search-base",
-			Usage: "The LDAP base at which user accounts will be searched for.",
-		},
-		&cli.StringFlag{
-			Name:  "user-filter",
-			Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",
-		},
-		&cli.StringFlag{
-			Name:  "admin-filter",
-			Usage: "An LDAP filter specifying if a user should be given administrator privileges.",
-		},
-		&cli.StringFlag{
-			Name:  "restricted-filter",
-			Usage: "An LDAP filter specifying if a user should be given restricted status.",
-		},
-		&cli.BoolFlag{
-			Name:  "allow-deactivate-all",
-			Usage: "Allow empty search results to deactivate all users.",
-		},
-		&cli.StringFlag{
-			Name:  "username-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user name.",
-		},
-		&cli.StringFlag{
-			Name:  "firstname-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user’s first name.",
-		},
-		&cli.StringFlag{
-			Name:  "surname-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user’s surname.",
-		},
-		&cli.StringFlag{
-			Name:  "email-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user’s email address.",
-		},
-		&cli.StringFlag{
-			Name:  "public-ssh-key-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
-		},
-		&cli.BoolFlag{
-			Name:  "ssh-keys-are-verified",
-			Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Set to true to skip local 2fa for users authenticated by this source",
-		},
-		&cli.StringFlag{
-			Name:  "avatar-attribute",
-			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
-		},
-	}
-}
-
-func ldapBindDnCLIFlags() []cli.Flag {
-	return append(commonLdapCLIFlags(),
-		&cli.StringFlag{
-			Name:  "bind-dn",
-			Usage: "The DN to bind to the LDAP server with when searching for the user.",
-		},
-		&cli.StringFlag{
-			Name:  "bind-password",
-			Usage: "The password for the Bind DN, if any.",
-		},
-		&cli.BoolFlag{
-			Name:  "attributes-in-bind",
-			Usage: "Fetch attributes in bind DN context.",
-		},
-		&cli.BoolFlag{
-			Name:  "synchronize-users",
-			Usage: "Enable user synchronization.",
-		},
-		&cli.BoolFlag{
-			Name:  "disable-synchronize-users",
-			Usage: "Disable user synchronization.",
-		},
-		&cli.UintFlag{
-			Name:  "page-size",
-			Usage: "Search page size.",
-		},
-		&cli.BoolFlag{
-			Name:  "enable-groups",
-			Usage: "Enable LDAP groups",
-		},
-		&cli.StringFlag{
-			Name:  "group-search-base-dn",
-			Usage: "The LDAP base DN at which group accounts will be searched for",
-		},
-		&cli.StringFlag{
-			Name:  "group-member-attribute",
-			Usage: "Group attribute containing list of users",
-		},
-		&cli.StringFlag{
-			Name:  "group-user-attribute",
-			Usage: "User attribute listed in group",
-		},
-		&cli.StringFlag{
-			Name:  "group-filter",
-			Usage: "Verify group membership in LDAP",
-		},
-		&cli.StringFlag{
-			Name:  "group-team-map",
-			Usage: "Map LDAP groups to Organization teams",
-		},
-		&cli.BoolFlag{
-			Name:  "group-team-map-removal",
-			Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
-		})
-}
-
-func ldapSimpleAuthCLIFlags() []cli.Flag {
-	return append(commonLdapCLIFlags(),
-		&cli.StringFlag{
-			Name:  "user-dn",
-			Usage: "The user's DN.",
-		})
-}
-
-func microcmdAuthAddLdapBindDn() *cli.Command {
-	return &cli.Command{
-		Name:  "add-ldap",
-		Usage: "Add new LDAP (via Bind DN) authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().addLdapBindDn(ctx, cmd)
-		},
-		Flags: ldapBindDnCLIFlags(),
-	}
-}
-
-func microcmdAuthUpdateLdapBindDn() *cli.Command {
-	return &cli.Command{
-		Name:  "update-ldap",
-		Usage: "Update existing LDAP (via Bind DN) authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().updateLdapBindDn(ctx, cmd)
-		},
-		Flags: append([]cli.Flag{idFlag()}, ldapBindDnCLIFlags()...),
-	}
-}
-
-func microcmdAuthAddLdapSimpleAuth() *cli.Command {
-	return &cli.Command{
-		Name:  "add-ldap-simple",
-		Usage: "Add new LDAP (simple auth) authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().addLdapSimpleAuth(ctx, cmd)
-		},
-		Flags: ldapSimpleAuthCLIFlags(),
-	}
-}
-
-func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
-	return &cli.Command{
-		Name:  "update-ldap-simple",
-		Usage: "Update existing LDAP (simple auth) authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().updateLdapSimpleAuth(ctx, cmd)
-		},
-		Flags: append([]cli.Flag{idFlag()}, ldapSimpleAuthCLIFlags()...),
-	}
-}
-
-// newAuthService creates a service with default functions.
-func newAuthService() *authService {
-	return &authService{
-		initDB:            initDB,
-		createAuthSource:  auth.CreateSource,
-		updateAuthSource:  auth.UpdateSource,
-		getAuthSourceByID: auth.GetSourceByID,
-	}
-}
-
-// parseAuthSourceLdap assigns values on authSource according to command line flags.
-func parseAuthSourceLdap(c *cli.Command, authSource *auth.Source) {
-	if c.IsSet("name") {
-		authSource.Name = c.String("name")
-	}
-	if c.IsSet("not-active") {
-		authSource.IsActive = !c.Bool("not-active")
-	}
-	if c.IsSet("active") {
-		authSource.IsActive = c.Bool("active")
-	}
-	if c.IsSet("synchronize-users") {
-		authSource.IsSyncEnabled = c.Bool("synchronize-users")
-	}
-	if c.IsSet("disable-synchronize-users") {
-		authSource.IsSyncEnabled = !c.Bool("disable-synchronize-users")
-	}
-	authSource.TwoFactorPolicy = util.Iif(c.Bool("skip-local-2fa"), "skip", "")
-}
-
-// parseLdapConfig assigns values on config according to command line flags.
-func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
-	if c.IsSet("name") {
-		config.Name = c.String("name")
-	}
-	if c.IsSet("host") {
-		config.Host = c.String("host")
-	}
-	if c.IsSet("port") {
-		config.Port = c.Int("port")
-	}
-	if c.IsSet("security-protocol") {
-		p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))
-		if !ok {
-			return fmt.Errorf("unknown security protocol name: %s", c.String("security-protocol"))
-		}
-		config.SecurityProtocol = p
-	}
-	if c.IsSet("skip-tls-verify") {
-		config.SkipVerify = c.Bool("skip-tls-verify")
-	}
-	if c.IsSet("bind-dn") {
-		config.BindDN = c.String("bind-dn")
-	}
-	if c.IsSet("user-dn") {
-		config.UserDN = c.String("user-dn")
-	}
-	if c.IsSet("bind-password") {
-		config.BindPassword = c.String("bind-password")
-	}
-	if c.IsSet("user-search-base") {
-		config.UserBase = c.String("user-search-base")
-	}
-	if c.IsSet("username-attribute") {
-		config.AttributeUsername = c.String("username-attribute")
-	}
-	if c.IsSet("firstname-attribute") {
-		config.AttributeName = c.String("firstname-attribute")
-	}
-	if c.IsSet("surname-attribute") {
-		config.AttributeSurname = c.String("surname-attribute")
-	}
-	if c.IsSet("email-attribute") {
-		config.AttributeMail = c.String("email-attribute")
-	}
-	if c.IsSet("attributes-in-bind") {
-		config.AttributesInBind = c.Bool("attributes-in-bind")
-	}
-	if c.IsSet("public-ssh-key-attribute") {
-		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
-	}
-	if c.IsSet("ssh-keys-are-verified") {
-		config.SSHKeysAreVerified = c.Bool("ssh-keys-are-verified")
-	}
-	if c.IsSet("avatar-attribute") {
-		config.AttributeAvatar = c.String("avatar-attribute")
-	}
-	if c.IsSet("page-size") {
-		config.SearchPageSize = uint32(c.Uint("page-size"))
-	}
-	if c.IsSet("user-filter") {
-		config.Filter = c.String("user-filter")
-	}
-	if c.IsSet("admin-filter") {
-		config.AdminFilter = c.String("admin-filter")
-	}
-	if c.IsSet("restricted-filter") {
-		config.RestrictedFilter = c.String("restricted-filter")
-	}
-	if c.IsSet("allow-deactivate-all") {
-		config.AllowDeactivateAll = c.Bool("allow-deactivate-all")
-	}
-	if c.IsSet("enable-groups") {
-		config.GroupsEnabled = c.Bool("enable-groups")
-	}
-	if c.IsSet("group-search-base-dn") {
-		config.GroupDN = c.String("group-search-base-dn")
-	}
-	if c.IsSet("group-member-attribute") {
-		config.GroupMemberUID = c.String("group-member-attribute")
-	}
-	if c.IsSet("group-user-attribute") {
-		config.UserUID = c.String("group-user-attribute")
-	}
-	if c.IsSet("group-filter") {
-		config.GroupFilter = c.String("group-filter")
-	}
-	if c.IsSet("group-team-map") {
-		config.GroupTeamMap = c.String("group-team-map")
-	}
-	if c.IsSet("group-team-map-removal") {
-		config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
-	}
-	return nil
-}
-
-// findLdapSecurityProtocolByName finds security protocol by its name ignoring case.
-// It returns the value of the security protocol and if it was found.
-func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {
-	for i, n := range ldap.SecurityProtocolNames {
-		if strings.EqualFold(name, n) {
-			return i, true
-		}
-	}
-	return 0, false
-}
-
-// getAuthSource gets the login source by its id defined in the command line flags.
-// It returns an error if the id is not set, does not match any source or if the source is not of expected type.
-func (a *authService) getAuthSource(ctx context.Context, c *cli.Command, authType auth.Type) (*auth.Source, error) {
-	if err := argsSet(c, "id"); err != nil {
-		return nil, err
-	}
-	authSource, err := a.getAuthSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return nil, err
-	}
-
-	if authSource.Type != authType {
-		return nil, fmt.Errorf("invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String())
-	}
-
-	return authSource, nil
-}
-
-// addLdapBindDn adds a new LDAP via Bind DN authentication source.
-func (a *authService) addLdapBindDn(ctx context.Context, c *cli.Command) error {
-	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
-		return err
-	}
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	authSource := &auth.Source{
-		Type:     auth.LDAP,
-		IsActive: true, // active by default
-		Cfg: &ldap.Source{
-			Enabled: true, // always true
-		},
-	}
-
-	parseAuthSourceLdap(c, authSource)
-	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
-		return err
-	}
-
-	return a.createAuthSource(ctx, authSource)
-}
-
-// updateLdapBindDn updates a new LDAP via Bind DN authentication source.
-func (a *authService) updateLdapBindDn(ctx context.Context, c *cli.Command) error {
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	authSource, err := a.getAuthSource(ctx, c, auth.LDAP)
-	if err != nil {
-		return err
-	}
-
-	parseAuthSourceLdap(c, authSource)
-	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
-		return err
-	}
-
-	return a.updateAuthSource(ctx, authSource)
-}
-
-// addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
-func (a *authService) addLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
-	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
-		return err
-	}
-
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	authSource := &auth.Source{
-		Type:     auth.DLDAP,
-		IsActive: true, // active by default
-		Cfg: &ldap.Source{
-			Enabled: true, // always true
-		},
-	}
-
-	parseAuthSourceLdap(c, authSource)
-	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
-		return err
-	}
-
-	return a.createAuthSource(ctx, authSource)
-}
-
-// updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
-func (a *authService) updateLdapSimpleAuth(ctx context.Context, c *cli.Command) error {
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	authSource, err := a.getAuthSource(ctx, c, auth.DLDAP)
-	if err != nil {
-		return err
-	}
-
-	parseAuthSourceLdap(c, authSource)
-	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
-		return err
-	}
-
-	return a.updateAuthSource(ctx, authSource)
-}

cmd/admin_auth_oauth.go

@@ -1,322 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-
-	auth_model "code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/modules/util"
-	"code.gitcaddy.com/server/v3/services/auth/source/oauth2"
-
-	"github.com/urfave/cli/v3"
-)
-
-func oauthCLIFlags() []cli.Flag {
-	return []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Value: "",
-			Usage: "Application Name",
-		},
-		&cli.StringFlag{
-			Name:  "provider",
-			Value: "",
-			Usage: "OAuth2 Provider",
-		},
-		&cli.StringFlag{
-			Name:  "key",
-			Value: "",
-			Usage: "Client ID (Key)",
-		},
-		&cli.StringFlag{
-			Name:  "secret",
-			Value: "",
-			Usage: "Client Secret",
-		},
-		&cli.StringFlag{
-			Name:  "auto-discover-url",
-			Value: "",
-			Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",
-		},
-		&cli.StringFlag{
-			Name:  "use-custom-urls",
-			Value: "false",
-			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
-		},
-		&cli.StringFlag{
-			Name:  "custom-tenant-id",
-			Value: "",
-			Usage: "Use custom Tenant ID for OAuth endpoints",
-		},
-		&cli.StringFlag{
-			Name:  "custom-auth-url",
-			Value: "",
-			Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-token-url",
-			Value: "",
-			Usage: "Use a custom Token URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-profile-url",
-			Value: "",
-			Usage: "Use a custom Profile URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-email-url",
-			Value: "",
-			Usage: "Use a custom Email URL (option for GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "icon-url",
-			Value: "",
-			Usage: "Custom icon URL for OAuth2 login source",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Set to true to skip local 2fa for users authenticated by this source",
-		},
-		&cli.StringSliceFlag{
-			Name:  "scopes",
-			Value: nil,
-			Usage: "Scopes to request when to authenticate against this OAuth2 source",
-		},
-		&cli.StringFlag{
-			Name:  "ssh-public-key-claim-name",
-			Usage: "Claim name that provides SSH public keys",
-		},
-		&cli.StringFlag{
-			Name:  "full-name-claim-name",
-			Usage: "Claim name that provides user's full name",
-		},
-		&cli.StringFlag{
-			Name:  "required-claim-name",
-			Value: "",
-			Usage: "Claim name that has to be set to allow users to login with this source",
-		},
-		&cli.StringFlag{
-			Name:  "required-claim-value",
-			Value: "",
-			Usage: "Claim value that has to be set to allow users to login with this source",
-		},
-		&cli.StringFlag{
-			Name:  "group-claim-name",
-			Value: "",
-			Usage: "Claim name providing group names for this source",
-		},
-		&cli.StringFlag{
-			Name:  "admin-group",
-			Value: "",
-			Usage: "Group Claim value for administrator users",
-		},
-		&cli.StringFlag{
-			Name:  "restricted-group",
-			Value: "",
-			Usage: "Group Claim value for restricted users",
-		},
-		&cli.StringFlag{
-			Name:  "group-team-map",
-			Value: "",
-			Usage: "JSON mapping between groups and org teams",
-		},
-		&cli.BoolFlag{
-			Name:  "group-team-map-removal",
-			Usage: "Activate automatic team membership removal depending on groups",
-		},
-	}
-}
-
-func microcmdAuthAddOauth() *cli.Command {
-	return &cli.Command{
-		Name:  "add-oauth",
-		Usage: "Add new Oauth authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().runAddOauth(ctx, cmd)
-		},
-		Flags: oauthCLIFlags(),
-	}
-}
-
-func microcmdAuthUpdateOauth() *cli.Command {
-	return &cli.Command{
-		Name:  "update-oauth",
-		Usage: "Update existing Oauth authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().runUpdateOauth(ctx, cmd)
-		},
-		Flags: append(oauthCLIFlags()[:1], append([]cli.Flag{&cli.Int64Flag{
-			Name:  "id",
-			Usage: "ID of authentication source",
-		}}, oauthCLIFlags()[1:]...)...),
-	}
-}
-
-func parseOAuth2Config(c *cli.Command) *oauth2.Source {
-	var customURLMapping *oauth2.CustomURLMapping
-	if c.IsSet("use-custom-urls") {
-		customURLMapping = &oauth2.CustomURLMapping{
-			TokenURL:   c.String("custom-token-url"),
-			AuthURL:    c.String("custom-auth-url"),
-			ProfileURL: c.String("custom-profile-url"),
-			EmailURL:   c.String("custom-email-url"),
-			Tenant:     c.String("custom-tenant-id"),
-		}
-	} else {
-		customURLMapping = nil
-	}
-	return &oauth2.Source{
-		Provider:                      c.String("provider"),
-		ClientID:                      c.String("key"),
-		ClientSecret:                  c.String("secret"),
-		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
-		CustomURLMapping:              customURLMapping,
-		IconURL:                       c.String("icon-url"),
-		Scopes:                        c.StringSlice("scopes"),
-		RequiredClaimName:             c.String("required-claim-name"),
-		RequiredClaimValue:            c.String("required-claim-value"),
-		GroupClaimName:                c.String("group-claim-name"),
-		AdminGroup:                    c.String("admin-group"),
-		RestrictedGroup:               c.String("restricted-group"),
-		GroupTeamMap:                  c.String("group-team-map"),
-		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
-		SSHPublicKeyClaimName:         c.String("ssh-public-key-claim-name"),
-		FullNameClaimName:             c.String("full-name-claim-name"),
-	}
-}
-
-func (a *authService) runAddOauth(ctx context.Context, c *cli.Command) error {
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	config := parseOAuth2Config(c)
-	if config.Provider == "openidConnect" {
-		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
-		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
-			return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)
-		}
-	}
-
-	return a.createAuthSource(ctx, &auth_model.Source{
-		Type:            auth_model.OAuth2,
-		Name:            c.String("name"),
-		IsActive:        true,
-		Cfg:             config,
-		TwoFactorPolicy: util.Iif(c.Bool("skip-local-2fa"), "skip", ""),
-	})
-}
-
-func (a *authService) runUpdateOauth(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("id") {
-		return errors.New("--id flag is missing")
-	}
-
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	oAuth2Config := source.Cfg.(*oauth2.Source)
-
-	if c.IsSet("name") {
-		source.Name = c.String("name")
-	}
-
-	if c.IsSet("provider") {
-		oAuth2Config.Provider = c.String("provider")
-	}
-
-	if c.IsSet("key") {
-		oAuth2Config.ClientID = c.String("key")
-	}
-
-	if c.IsSet("secret") {
-		oAuth2Config.ClientSecret = c.String("secret")
-	}
-
-	if c.IsSet("auto-discover-url") {
-		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
-	}
-
-	if c.IsSet("icon-url") {
-		oAuth2Config.IconURL = c.String("icon-url")
-	}
-
-	if c.IsSet("scopes") {
-		oAuth2Config.Scopes = c.StringSlice("scopes")
-	}
-
-	if c.IsSet("required-claim-name") {
-		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
-	}
-	if c.IsSet("required-claim-value") {
-		oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
-	}
-
-	if c.IsSet("group-claim-name") {
-		oAuth2Config.GroupClaimName = c.String("group-claim-name")
-	}
-	if c.IsSet("admin-group") {
-		oAuth2Config.AdminGroup = c.String("admin-group")
-	}
-	if c.IsSet("restricted-group") {
-		oAuth2Config.RestrictedGroup = c.String("restricted-group")
-	}
-	if c.IsSet("group-team-map") {
-		oAuth2Config.GroupTeamMap = c.String("group-team-map")
-	}
-	if c.IsSet("group-team-map-removal") {
-		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
-	}
-	if c.IsSet("ssh-public-key-claim-name") {
-		oAuth2Config.SSHPublicKeyClaimName = c.String("ssh-public-key-claim-name")
-	}
-	if c.IsSet("full-name-claim-name") {
-		oAuth2Config.FullNameClaimName = c.String("full-name-claim-name")
-	}
-
-	// update custom URL mapping
-	customURLMapping := &oauth2.CustomURLMapping{}
-
-	if oAuth2Config.CustomURLMapping != nil {
-		customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL
-		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
-		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
-		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
-		customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant
-	}
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
-		customURLMapping.TokenURL = c.String("custom-token-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {
-		customURLMapping.AuthURL = c.String("custom-auth-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {
-		customURLMapping.ProfileURL = c.String("custom-profile-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {
-		customURLMapping.EmailURL = c.String("custom-email-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {
-		customURLMapping.Tenant = c.String("custom-tenant-id")
-	}
-
-	oAuth2Config.CustomURLMapping = customURLMapping
-	source.Cfg = oAuth2Config
-	source.TwoFactorPolicy = util.Iif(c.Bool("skip-local-2fa"), "skip", "")
-	return a.updateAuthSource(ctx, source)
-}

cmd/admin_auth_oauth_test.go

@@ -1,343 +0,0 @@
-// Copyright 2025 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	auth_model "code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/services/auth/source/oauth2"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v3"
-)
-
-func TestAddOauth(t *testing.T) {
-	testCases := []struct {
-		name   string
-		args   []string
-		source *auth_model.Source
-		errMsg string
-	}{
-		{
-			name: "valid config",
-			args: []string{
-				"--name", "test",
-				"--provider", "github",
-				"--key", "some_key",
-				"--secret", "some_secret",
-			},
-			source: &auth_model.Source{
-				Type:     auth_model.OAuth2,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Scopes:       []string{},
-					Provider:     "github",
-					ClientID:     "some_key",
-					ClientSecret: "some_secret",
-				},
-				TwoFactorPolicy: "",
-			},
-		},
-		{
-			name: "valid config with openid connect",
-			args: []string{
-				"--name", "test",
-				"--provider", "openidConnect",
-				"--key", "some_key",
-				"--secret", "some_secret",
-				"--auto-discover-url", "https://example.com",
-			},
-			source: &auth_model.Source{
-				Type:     auth_model.OAuth2,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Scopes:                        []string{},
-					Provider:                      "openidConnect",
-					ClientID:                      "some_key",
-					ClientSecret:                  "some_secret",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com",
-				},
-				TwoFactorPolicy: "",
-			},
-		},
-		{
-			name: "valid config with options",
-			args: []string{
-				"--name", "test",
-				"--provider", "gitlab",
-				"--key", "some_key",
-				"--secret", "some_secret",
-				"--use-custom-urls", "true",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--custom-tenant-id", "some_tenant",
-				"--icon-url", "https://example.com/icon",
-				"--scopes", "scope1,scope2",
-				"--skip-local-2fa", "true",
-				"--required-claim-name", "claim_name",
-				"--required-claim-value", "claim_value",
-				"--group-claim-name", "group_name",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"group1": [1,2]}`,
-				"--group-team-map-removal=true",
-				"--ssh-public-key-claim-name", "attr_ssh_pub_key",
-				"--full-name-claim-name", "attr_full_name",
-			},
-			source: &auth_model.Source{
-				Type:     auth_model.OAuth2,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:     "gitlab",
-					ClientID:     "some_key",
-					ClientSecret: "some_secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						TokenURL:   "https://example.com/token",
-						AuthURL:    "https://example.com/auth",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "some_tenant",
-					},
-					IconURL:               "https://example.com/icon",
-					Scopes:                []string{"scope1", "scope2"},
-					RequiredClaimName:     "claim_name",
-					RequiredClaimValue:    "claim_value",
-					GroupClaimName:        "group_name",
-					AdminGroup:            "admin",
-					RestrictedGroup:       "restricted",
-					GroupTeamMap:          `{"group1": [1,2]}`,
-					GroupTeamMapRemoval:   true,
-					SSHPublicKeyClaimName: "attr_ssh_pub_key",
-					FullNameClaimName:     "attr_full_name",
-				},
-				TwoFactorPolicy: "skip",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var createdSource *auth_model.Source
-			a := &authService{
-				initDB: func(ctx context.Context) error {
-					return nil
-				},
-				createAuthSource: func(ctx context.Context, source *auth_model.Source) error {
-					createdSource = source
-					return nil
-				},
-			}
-
-			app := &cli.Command{
-				Flags:  microcmdAuthAddOauth().Flags,
-				Action: a.runAddOauth,
-			}
-
-			args := []string{"oauth-test"}
-			args = append(args, tc.args...)
-
-			err := app.Run(t.Context(), args)
-
-			if tc.errMsg != "" {
-				assert.EqualError(t, err, tc.errMsg)
-			} else {
-				assert.NoError(t, err)
-				assert.Equal(t, tc.source, createdSource)
-			}
-		})
-	}
-}
-
-func TestUpdateOauth(t *testing.T) {
-	testCases := []struct {
-		name               string
-		args               []string
-		id                 int64
-		existingAuthSource *auth_model.Source
-		authSource         *auth_model.Source
-		errMsg             string
-	}{
-		{
-			name: "missing id",
-			args: []string{
-				"--name", "test",
-			},
-			errMsg: "--id flag is missing",
-		},
-		{
-			name: "valid config",
-			id:   1,
-			existingAuthSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.OAuth2,
-				Name:     "old name",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:     "github",
-					ClientID:     "old_key",
-					ClientSecret: "old_secret",
-				},
-				TwoFactorPolicy: "",
-			},
-			args: []string{
-				"--id", "1",
-				"--name", "test",
-				"--provider", "gitlab",
-				"--key", "new_key",
-				"--secret", "new_secret",
-			},
-			authSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.OAuth2,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:         "gitlab",
-					ClientID:         "new_key",
-					ClientSecret:     "new_secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-				TwoFactorPolicy: "",
-			},
-		},
-		{
-			name: "valid config with options",
-			id:   1,
-			existingAuthSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.OAuth2,
-				Name:     "old name",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:     "gitlab",
-					ClientID:     "old_key",
-					ClientSecret: "old_secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						TokenURL:   "https://old.example.com/token",
-						AuthURL:    "https://old.example.com/auth",
-						ProfileURL: "https://old.example.com/profile",
-						EmailURL:   "https://old.example.com/email",
-						Tenant:     "old_tenant",
-					},
-					IconURL:               "https://old.example.com/icon",
-					Scopes:                []string{"old_scope1", "old_scope2"},
-					RequiredClaimName:     "old_claim_name",
-					RequiredClaimValue:    "old_claim_value",
-					GroupClaimName:        "old_group_name",
-					AdminGroup:            "old_admin",
-					RestrictedGroup:       "old_restricted",
-					GroupTeamMap:          `{"old_group1": [1,2]}`,
-					GroupTeamMapRemoval:   true,
-					SSHPublicKeyClaimName: "old_ssh_pub_key",
-					FullNameClaimName:     "old_full_name",
-				},
-				TwoFactorPolicy: "",
-			},
-			args: []string{
-				"--id", "1",
-				"--name", "test",
-				"--provider", "github",
-				"--key", "new_key",
-				"--secret", "new_secret",
-				"--use-custom-urls", "true",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--custom-tenant-id", "new_tenant",
-				"--icon-url", "https://example.com/icon",
-				"--scopes", "scope1,scope2",
-				"--skip-local-2fa=true",
-				"--required-claim-name", "claim_name",
-				"--required-claim-value", "claim_value",
-				"--group-claim-name", "group_name",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"group1": [1,2]}`,
-				"--group-team-map-removal=false",
-				"--ssh-public-key-claim-name", "new_ssh_pub_key",
-				"--full-name-claim-name", "new_full_name",
-			},
-			authSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.OAuth2,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:     "github",
-					ClientID:     "new_key",
-					ClientSecret: "new_secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						TokenURL:   "https://example.com/token",
-						AuthURL:    "https://example.com/auth",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "new_tenant",
-					},
-					IconURL:               "https://example.com/icon",
-					Scopes:                []string{"scope1", "scope2"},
-					RequiredClaimName:     "claim_name",
-					RequiredClaimValue:    "claim_value",
-					GroupClaimName:        "group_name",
-					AdminGroup:            "admin",
-					RestrictedGroup:       "restricted",
-					GroupTeamMap:          `{"group1": [1,2]}`,
-					GroupTeamMapRemoval:   false,
-					SSHPublicKeyClaimName: "new_ssh_pub_key",
-					FullNameClaimName:     "new_full_name",
-				},
-				TwoFactorPolicy: "skip",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			a := &authService{
-				initDB: func(ctx context.Context) error {
-					return nil
-				},
-				getAuthSourceByID: func(ctx context.Context, id int64) (*auth_model.Source, error) {
-					return &auth_model.Source{
-						ID:       1,
-						Type:     auth_model.OAuth2,
-						Name:     "test",
-						IsActive: true,
-						Cfg: &oauth2.Source{
-							CustomURLMapping: &oauth2.CustomURLMapping{},
-						},
-						TwoFactorPolicy: "skip",
-					}, nil
-				},
-				updateAuthSource: func(ctx context.Context, source *auth_model.Source) error {
-					assert.Equal(t, tc.authSource, source)
-					return nil
-				},
-			}
-
-			app := &cli.Command{
-				Flags:  microcmdAuthUpdateOauth().Flags,
-				Action: a.runUpdateOauth,
-			}
-
-			args := []string{"oauth-test"}
-			args = append(args, tc.args...)
-
-			err := app.Run(t.Context(), args)
-
-			if tc.errMsg != "" {
-				assert.EqualError(t, err, tc.errMsg)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}

cmd/admin_auth_smtp.go

@@ -1,200 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"errors"
-	"strings"
-
-	auth_model "code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/modules/util"
-	"code.gitcaddy.com/server/v3/services/auth/source/smtp"
-
-	"github.com/urfave/cli/v3"
-)
-
-func smtpCLIFlags() []cli.Flag {
-	return []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Value: "",
-			Usage: "Application Name",
-		},
-		&cli.StringFlag{
-			Name:  "auth-type",
-			Value: "PLAIN",
-			Usage: "SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5) default PLAIN",
-		},
-		&cli.StringFlag{
-			Name:  "host",
-			Value: "",
-			Usage: "SMTP Host",
-		},
-		&cli.IntFlag{
-			Name:  "port",
-			Usage: "SMTP Port",
-		},
-		&cli.BoolFlag{
-			Name:  "force-smtps",
-			Usage: "SMTPS is always used on port 465. Set this to force SMTPS on other ports.",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-verify",
-			Usage: "Skip TLS verify.",
-		},
-		&cli.StringFlag{
-			Name:  "helo-hostname",
-			Value: "",
-			Usage: "Hostname sent with HELO. Leave blank to send current hostname",
-		},
-		&cli.BoolFlag{
-			Name:  "disable-helo",
-			Usage: "Disable SMTP helo.",
-		},
-		&cli.StringFlag{
-			Name:  "allowed-domains",
-			Value: "",
-			Usage: "Leave empty to allow all domains. Separate multiple domains with a comma (',')",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Skip 2FA to log on.",
-		},
-		&cli.BoolFlag{
-			Name:  "active",
-			Usage: "This Authentication Source is Activated.",
-			Value: true,
-		},
-	}
-}
-
-func microcmdAuthUpdateSMTP() *cli.Command {
-	return &cli.Command{
-		Name:  "update-smtp",
-		Usage: "Update existing SMTP authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().runUpdateSMTP(ctx, cmd)
-		},
-		Flags: append(smtpCLIFlags()[:1], append([]cli.Flag{&cli.Int64Flag{
-			Name:  "id",
-			Usage: "ID of authentication source",
-		}}, smtpCLIFlags()[1:]...)...),
-	}
-}
-
-func microcmdAuthAddSMTP() *cli.Command {
-	return &cli.Command{
-		Name:  "add-smtp",
-		Usage: "Add new SMTP authentication source",
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			return newAuthService().runAddSMTP(ctx, cmd)
-		},
-		Flags: smtpCLIFlags(),
-	}
-}
-
-func parseSMTPConfig(c *cli.Command, conf *smtp.Source) error {
-	if c.IsSet("auth-type") {
-		conf.Auth = c.String("auth-type")
-		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
-		if !util.SliceContainsString(validAuthTypes, strings.ToUpper(c.String("auth-type"))) {
-			return errors.New("Auth must be one of PLAIN/LOGIN/CRAM-MD5")
-		}
-		conf.Auth = c.String("auth-type")
-	}
-	if c.IsSet("host") {
-		conf.Host = c.String("host")
-	}
-	if c.IsSet("port") {
-		conf.Port = c.Int("port")
-	}
-	if c.IsSet("allowed-domains") {
-		conf.AllowedDomains = c.String("allowed-domains")
-	}
-	if c.IsSet("force-smtps") {
-		conf.ForceSMTPS = c.Bool("force-smtps")
-	}
-	if c.IsSet("skip-verify") {
-		conf.SkipVerify = c.Bool("skip-verify")
-	}
-	if c.IsSet("helo-hostname") {
-		conf.HeloHostname = c.String("helo-hostname")
-	}
-	if c.IsSet("disable-helo") {
-		conf.DisableHelo = c.Bool("disable-helo")
-	}
-	return nil
-}
-
-func (a *authService) runAddSMTP(ctx context.Context, c *cli.Command) error {
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	if !c.IsSet("name") || len(c.String("name")) == 0 {
-		return errors.New("name must be set")
-	}
-	if !c.IsSet("host") || len(c.String("host")) == 0 {
-		return errors.New("host must be set")
-	}
-	if !c.IsSet("port") {
-		return errors.New("port must be set")
-	}
-	active := true
-	if c.IsSet("active") {
-		active = c.Bool("active")
-	}
-
-	var smtpConfig smtp.Source
-	if err := parseSMTPConfig(c, &smtpConfig); err != nil {
-		return err
-	}
-
-	// If not set default to PLAIN
-	if len(smtpConfig.Auth) == 0 {
-		smtpConfig.Auth = "PLAIN"
-	}
-
-	return a.createAuthSource(ctx, &auth_model.Source{
-		Type:            auth_model.SMTP,
-		Name:            c.String("name"),
-		IsActive:        active,
-		Cfg:             &smtpConfig,
-		TwoFactorPolicy: util.Iif(c.Bool("skip-local-2fa"), "skip", ""),
-	})
-}
-
-func (a *authService) runUpdateSMTP(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("id") {
-		return errors.New("--id flag is missing")
-	}
-
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	smtpConfig := source.Cfg.(*smtp.Source)
-
-	if err := parseSMTPConfig(c, smtpConfig); err != nil {
-		return err
-	}
-
-	if c.IsSet("name") {
-		source.Name = c.String("name")
-	}
-
-	if c.IsSet("active") {
-		source.IsActive = c.Bool("active")
-	}
-
-	source.Cfg = smtpConfig
-	source.TwoFactorPolicy = util.Iif(c.Bool("skip-local-2fa"), "skip", "")
-	return a.updateAuthSource(ctx, source)
-}

cmd/admin_auth_smtp_test.go

@@ -1,271 +0,0 @@
-// Copyright 2025 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	auth_model "code.gitcaddy.com/server/v3/models/auth"
-	"code.gitcaddy.com/server/v3/services/auth/source/smtp"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v3"
-)
-
-func TestAddSMTP(t *testing.T) {
-	testCases := []struct {
-		name   string
-		args   []string
-		source *auth_model.Source
-		errMsg string
-	}{
-		{
-			name: "missing name",
-			args: []string{
-				"--host", "localhost",
-				"--port", "25",
-			},
-			errMsg: "name must be set",
-		},
-		{
-			name: "missing host",
-			args: []string{
-				"--name", "test",
-				"--port", "25",
-			},
-			errMsg: "host must be set",
-		},
-		{
-			name: "missing port",
-			args: []string{
-				"--name", "test",
-				"--host", "localhost",
-			},
-			errMsg: "port must be set",
-		},
-		{
-			name: "valid config",
-			args: []string{
-				"--name", "test",
-				"--host", "localhost",
-				"--port", "25",
-			},
-			source: &auth_model.Source{
-				Type:     auth_model.SMTP,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &smtp.Source{
-					Auth: "PLAIN",
-					Host: "localhost",
-					Port: 25,
-				},
-				TwoFactorPolicy: "",
-			},
-		},
-		{
-			name: "valid config with options",
-			args: []string{
-				"--name", "test",
-				"--host", "localhost",
-				"--port", "25",
-				"--auth-type", "LOGIN",
-				"--force-smtps",
-				"--skip-verify",
-				"--helo-hostname", "example.com",
-				"--disable-helo=true",
-				"--allowed-domains", "example.com,example.org",
-				"--skip-local-2fa",
-				"--active=false",
-			},
-			source: &auth_model.Source{
-				Type:     auth_model.SMTP,
-				Name:     "test",
-				IsActive: false,
-				Cfg: &smtp.Source{
-					Auth:           "LOGIN",
-					Host:           "localhost",
-					Port:           25,
-					ForceSMTPS:     true,
-					SkipVerify:     true,
-					HeloHostname:   "example.com",
-					DisableHelo:    true,
-					AllowedDomains: "example.com,example.org",
-				},
-				TwoFactorPolicy: "skip",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			a := &authService{
-				initDB: func(ctx context.Context) error {
-					return nil
-				},
-				createAuthSource: func(ctx context.Context, source *auth_model.Source) error {
-					assert.Equal(t, tc.source, source)
-					return nil
-				},
-			}
-
-			cmd := &cli.Command{
-				Flags:  microcmdAuthAddSMTP().Flags,
-				Action: a.runAddSMTP,
-			}
-
-			args := []string{"smtp-test"}
-			args = append(args, tc.args...)
-
-			t.Log(args)
-			err := cmd.Run(t.Context(), args)
-
-			if tc.errMsg != "" {
-				assert.EqualError(t, err, tc.errMsg)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestUpdateSMTP(t *testing.T) {
-	testCases := []struct {
-		name               string
-		args               []string
-		existingAuthSource *auth_model.Source
-		authSource         *auth_model.Source
-		errMsg             string
-	}{
-		{
-			name: "missing id",
-			args: []string{
-				"--name", "test",
-				"--host", "localhost",
-				"--port", "25",
-			},
-			errMsg: "--id flag is missing",
-		},
-		{
-			name: "valid config",
-			existingAuthSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.SMTP,
-				Name:     "old name",
-				IsActive: true,
-				Cfg: &smtp.Source{
-					Auth: "PLAIN",
-					Host: "old host",
-					Port: 26,
-				},
-			},
-			args: []string{
-				"--id", "1",
-				"--name", "test",
-				"--host", "localhost",
-				"--port", "25",
-			},
-			authSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.SMTP,
-				Name:     "test",
-				IsActive: true,
-				Cfg: &smtp.Source{
-					Auth: "PLAIN",
-					Host: "localhost",
-					Port: 25,
-				},
-			},
-		},
-		{
-			name: "valid config with options",
-			existingAuthSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.SMTP,
-				Name:     "old name",
-				IsActive: true,
-				Cfg: &smtp.Source{
-					Auth:           "PLAIN",
-					Host:           "old host",
-					Port:           26,
-					HeloHostname:   "old.example.com",
-					AllowedDomains: "old.example.com",
-				},
-				TwoFactorPolicy: "",
-			},
-			args: []string{
-				"--id", "1",
-				"--name", "test",
-				"--host", "localhost",
-				"--port", "25",
-				"--auth-type", "LOGIN",
-				"--force-smtps",
-				"--skip-verify",
-				"--helo-hostname", "example.com",
-				"--disable-helo",
-				"--allowed-domains", "example.com,example.org",
-				"--skip-local-2fa",
-				"--active=false",
-			},
-			authSource: &auth_model.Source{
-				ID:       1,
-				Type:     auth_model.SMTP,
-				Name:     "test",
-				IsActive: false,
-				Cfg: &smtp.Source{
-					Auth:           "LOGIN",
-					Host:           "localhost",
-					Port:           25,
-					ForceSMTPS:     true,
-					SkipVerify:     true,
-					HeloHostname:   "example.com",
-					DisableHelo:    true,
-					AllowedDomains: "example.com,example.org",
-				},
-				TwoFactorPolicy: "skip",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			a := &authService{
-				initDB: func(ctx context.Context) error {
-					return nil
-				},
-				getAuthSourceByID: func(ctx context.Context, id int64) (*auth_model.Source, error) {
-					return &auth_model.Source{
-						ID:       1,
-						Type:     auth_model.SMTP,
-						Name:     "test",
-						IsActive: true,
-						Cfg: &smtp.Source{
-							Auth: "PLAIN",
-						},
-					}, nil
-				},
-
-				updateAuthSource: func(ctx context.Context, source *auth_model.Source) error {
-					assert.Equal(t, tc.authSource, source)
-					return nil
-				},
-			}
-
-			app := &cli.Command{
-				Flags:  microcmdAuthUpdateSMTP().Flags,
-				Action: a.runUpdateSMTP,
-			}
-			args := []string{"smtp-tests"}
-			args = append(args, tc.args...)
-
-			err := app.Run(t.Context(), args)
-
-			if tc.errMsg != "" {
-				assert.EqualError(t, err, tc.errMsg)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}

cmd/admin_regenerate.go

@@ -1,42 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-
-	"code.gitcaddy.com/server/v3/modules/graceful"
-	asymkey_service "code.gitcaddy.com/server/v3/services/asymkey"
-	repo_service "code.gitcaddy.com/server/v3/services/repository"
-
-	"github.com/urfave/cli/v3"
-)
-
-var (
-	microcmdRegenHooks = &cli.Command{
-		Name:   "hooks",
-		Usage:  "Regenerate git-hooks",
-		Action: runRegenerateHooks,
-	}
-
-	microcmdRegenKeys = &cli.Command{
-		Name:   "keys",
-		Usage:  "Regenerate authorized_keys file",
-		Action: runRegenerateKeys,
-	}
-)
-
-func runRegenerateHooks(ctx context.Context, _ *cli.Command) error {
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
-}
-
-func runRegenerateKeys(ctx context.Context, _ *cli.Command) error {
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	return asymkey_service.RewriteAllPublicKeys(ctx)
-}

cmd/admin_user.go

@@ -1,21 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"github.com/urfave/cli/v3"
-)
-
-var subcmdUser = &cli.Command{
-	Name:  "user",
-	Usage: "Modify users",
-	Commands: []*cli.Command{
-		microcmdUserCreate(),
-		microcmdUserList,
-		microcmdUserChangePassword(),
-		microcmdUserDelete(),
-		microcmdUserGenerateAccessToken,
-		microcmdUserMustChangePassword(),
-	},
-}

cmd/admin_user_change_password.go

@@ -1,78 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	user_model "code.gitcaddy.com/server/v3/models/user"
-	"code.gitcaddy.com/server/v3/modules/auth/password"
-	"code.gitcaddy.com/server/v3/modules/optional"
-	"code.gitcaddy.com/server/v3/modules/setting"
-	user_service "code.gitcaddy.com/server/v3/services/user"
-
-	"github.com/urfave/cli/v3"
-)
-
-func microcmdUserChangePassword() *cli.Command {
-	return &cli.Command{
-		Name:   "change-password",
-		Usage:  "Change a user's password",
-		Action: runChangePassword,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "username",
-				Aliases:  []string{"u"},
-				Usage:    "The user to change password for",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:     "password",
-				Aliases:  []string{"p"},
-				Usage:    "New password to set for user",
-				Required: true,
-			},
-			&cli.BoolFlag{
-				Name:  "must-change-password",
-				Usage: "User must change password (can be disabled by --must-change-password=false)",
-				Value: true,
-			},
-		},
-	}
-}
-
-func runChangePassword(ctx context.Context, c *cli.Command) error {
-	if !setting.IsInTesting {
-		if err := initDB(ctx); err != nil {
-			return err
-		}
-	}
-
-	user, err := user_model.GetUserByName(ctx, c.String("username"))
-	if err != nil {
-		return err
-	}
-
-	opts := &user_service.UpdateAuthOptions{
-		Password:           optional.Some(c.String("password")),
-		MustChangePassword: optional.Some(c.Bool("must-change-password")),
-	}
-	if err := user_service.UpdateAuth(ctx, user, opts); err != nil {
-		switch {
-		case errors.Is(err, password.ErrMinLength):
-			return fmt.Errorf("password is not long enough, needs to be at least %d characters", setting.MinPasswordLength)
-		case errors.Is(err, password.ErrComplexity):
-			return errors.New("password does not meet complexity requirements")
-		case errors.Is(err, password.ErrIsPwned):
-			return errors.New("the password is in a list of stolen passwords previously exposed in public data breaches, please try again with a different password, to see more details: https://haveibeenpwned.com/Passwords")
-		default:
-			return err
-		}
-	}
-
-	fmt.Printf("%s's password has been successfully updated!\n", user.Name)
-	return nil
-}

cmd/admin_user_change_password_test.go

@@ -1,91 +0,0 @@
-// Copyright 2025 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"testing"
-
-	"code.gitcaddy.com/server/v3/models/db"
-	"code.gitcaddy.com/server/v3/models/unittest"
-	user_model "code.gitcaddy.com/server/v3/models/user"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestChangePasswordCommand(t *testing.T) {
-	ctx := t.Context()
-
-	defer func() {
-		require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
-	}()
-
-	t.Run("change password successfully", func(t *testing.T) {
-		// defer func() {
-		// 	require.NoError(t, db.TruncateBeans(t.Context(), &user_model.User{}))
-		// }()
-		// Prepare test user
-		unittest.AssertNotExistsBean(t, &user_model.User{LowerName: "testuser"})
-		err := microcmdUserCreate().Run(ctx, []string{"create", "--username", "testuser", "--email", "testuser@gitea.local", "--random-password"})
-		require.NoError(t, err)
-
-		// load test user
-		userBase := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
-
-		// Change the password
-		err = microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "newpassword"})
-		require.NoError(t, err)
-
-		// Verify the password has been changed
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
-		assert.NotEqual(t, userBase.Passwd, user.Passwd)
-		assert.NotEqual(t, userBase.Salt, user.Salt)
-
-		// Additional check for must-change-password flag
-		require.NoError(t, microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "anotherpassword", "--must-change-password=false"}))
-		user = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
-		assert.False(t, user.MustChangePassword)
-
-		require.NoError(t, microcmdUserChangePassword().Run(ctx, []string{"change-password", "--username", "testuser", "--password", "yetanotherpassword", "--must-change-password"}))
-		user = unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "testuser"})
-		assert.True(t, user.MustChangePassword)
-	})
-
-	t.Run("failure cases", func(t *testing.T) {
-		testCases := []struct {
-			name        string
-			args        []string
-			expectedErr string
-		}{
-			{
-				name:        "user does not exist",
-				args:        []string{"change-password", "--username", "nonexistentuser", "--password", "newpassword"},
-				expectedErr: "user does not exist",
-			},
-			{
-				name:        "missing username",
-				args:        []string{"change-password", "--password", "newpassword"},
-				expectedErr: `"username" not set`,
-			},
-			{
-				name:        "missing password",
-				args:        []string{"change-password", "--username", "testuser"},
-				expectedErr: `"password" not set`,
-			},
-			{
-				name:        "too short password",
-				args:        []string{"change-password", "--username", "testuser", "--password", "1"},
-				expectedErr: "password is not long enough",
-			},
-		}
-
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				err := microcmdUserChangePassword().Run(ctx, tc.args)
-				require.Error(t, err)
-				require.Contains(t, err.Error(), tc.expectedErr)
-			})
-		}
-	})
-}