Files
jmiller 6a3db171c1
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 25s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m2s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 4s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
feat(org): org-level email domain policy for members (#727)
Restricts which email domains an organization's members may have. When a policy
is configured, a user can only be added to the org (via any team) if their
primary email matches one of the allowed domain globs.

Enforced at the single membership choke point services/org.AddTeamMember, which
every add path (API, web, group-sync) funnels through — so one check covers them
all. On violation it returns a typed ErrEmailDomainNotAllowed; the API team-add
handler maps it to 422.

- models/git/org_email_domain.go: OrgEmailDomainPolicy model + EmailAllowed
  (domain glob match) + OrgEmailDomainAllowed + typed error + CRUD. Migration 366.
- API: GET/PATCH/DELETE /orgs/{org}/email_domain_policy.
- Enforcement in services/org/team.go; 422 mapping in routers/api/v1/org/team.go.

An empty policy imposes no restriction. This is the one bounded piece of the
"access/security" tier; org 2FA-required and IP allowlists were deliberately NOT
built here — they are cross-cutting enforcement (auth gating / request
middleware) that needs a compiler + tests, not a blind stacked PR.

Stacked on #731/#730/#729/#728 for migration ordering (this = 366). Swagger
omitted.

Note: no Go toolchain available locally, so not compiled/gofmt'd/tested here.
Hand-verified: gofmt (tabs, no blank-in-block), imports (git_model added to the
api team handler, gci order), typed-error detection, migration contiguous (366).

Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
2026-07-04 23:23:11 -05:00

11 KiB

Changelog

[Unreleased]

Added

  • Org branch protection: repositories now show the inherited organization rules read-only in their Branch Protection settings, with an expandable detail (direct push, force-push, branch deletion, merge restrictions, required approvals, status checks, protected files, and whitelisted teams) — like GitHub surfaces org rulesets in a repo (#727)
  • Org branch protection: org-level rules can now also protect against branch deletion (enable_delete + delete allowlist teams), mirroring the per-repo delete allowlist (#727)
  • Org-level tag protection: protect tag patterns org-wide (e.g. v*) with a team allowlist, layered on top of each repo's own protected tags — a tag is controllable only if allowed at both levels (fail-closed). API at /orgs/{org}/tag_protections; enforced at the git push/delete hook and the release create/delete paths; shown read-only in the repo Tag settings (#727)
  • Org-level push policy: one policy per org, enforced in the pre-receive hook across all its repositories — branch/tag name conventions (glob), a mandatory secret-scanning block-on-push that repos cannot disable, a max pushed-file size, and blocked file-path patterns. API at /orgs/{org}/push_policy. Naming is fail-closed; the content checks (blocked paths, max size) fail open on error so a policy bug can never block every push (#727)
  • Org-level repository defaults: an org can force new/transferred repositories private and set default pull-request settings (allowed merge styles, default merge style, auto-delete branch after merge), applied via a notifier when a repo is created in or transferred into the org (best-effort — never blocks repo creation). API at /orgs/{org}/repo_defaults (#727)
  • Org-level email domain policy: restrict which email domains an organization's members may have — a user can only be added to the org (via any team) if their primary email matches one of the allowed domain globs. Enforced at the single membership-add choke point (AddTeamMember); API at /orgs/{org}/email_domain_policy (#727)
  • Code security scanner: pattern-based detection of SQL injection, XSS, command injection, path traversal, insecure deserialization, hardcoded credentials, and weak cryptography across Go/PHP/Python/JS/TS (#552)
  • Cascade merge: auto-create PRs to downstream branches after merge with configurable rules per repo (#460)
  • Issue status presets: 4 built-in templates (default, software-development, support-tickets, bug-tracking) with API + web UI (#507)
  • Cross-org status migration: copy status definitions from one org to another via API (#507)
  • Auto-create default teams on org creation: Developers (write), Reviewers (read), CI/CD (actions+packages) (#513)
  • Branch protection delete allowlist: configurable per-user/team/deploy-key allowlist for deleting protected branches (#696)
  • Workflow subdirectory discovery: workflows in subdirectories of .mokogitea/workflows/ are now auto-discovered (#693)
  • API token scope read:licensing / write:licensing for licensing endpoints (#697)
  • Edit API token scopes: PATCH /users/{username}/tokens/{id} API endpoint + web UI edit button (#697)
  • Wiki full-text search: case-insensitive search across all wiki page titles and content (#550)
  • Wiki search API: GET /wiki/search?q=term with paginated JSON results (#550)
  • Metadata deploy fields: deploy_host, deploy_port, deploy_user, deploy_path, docker_image, docker_registry, container_name, health_url (#692)
  • Security scanning API: REST endpoints for alerts, config, and on-demand scans (GET/PATCH /security/alerts, /security/config, POST /security/scan) (#692)
  • Pre-receive hook secret blocking: push rejection when block_on_push enabled and secrets detected in commits (#692)
  • Metadata API partial updates: PUT /metadata now merges only sent fields instead of replacing all
  • Wiki revision diff: line-by-line diff view per commit in wiki page history (#667)
  • Wiki categories: YAML frontmatter categories: with category index page (#668)
  • Wiki template transclusion: {{template:Name|key=val}} with _Template/ folder (#671)
  • Wiki enhanced ToC: collapsible, inline via frontmatter, sticky sidebar (#673)
  • Wiki folder ACL: _access.yml per-folder write protection (#674)
  • Wiki print view and ZIP export of all wiki pages (#675)
  • Wiki features documentation page in org wiki (standards/Wiki-Features)
  • DLID licensing system: license, entitlement, activation, product_tier, audit_log tables (v359 migration)
  • License CRUD with CRC32-checksummed DLID generation and format validation
  • Entitlement model with tier-based rebuild and custom entitlement preservation
  • Domain activation tracking with limit enforcement and auto-activate on first use
  • 13 seeded product tiers from base to enterprise
  • DLID-gated update XML endpoint: GET /api/v1/licensing/updates/{product}.xml
  • Profile repo fallback chain: .mokogitea > .profile > .github
  • Metadata/manifest GET endpoint publicly accessible without auth (#676)
  • Org wiki: folder-based collapsible tree sidebar, _Sidebar.md overrides (#680)
  • Wiki backlinks: "What links here" page showing all pages referencing current page (#669)
  • Wiki wikilinks: Page Name and Page syntax with red links for missing pages (#666)
  • Required baseline issue statuses: Open and Closed are indestructible (is_required flag) (#681)
  • Issue status API response includes is_required field
  • Wiki recent changes page: cross-page edit activity with pagination (#670)
  • Wiki page rename with automatic redirects via YAML frontmatter (#672)

Security

  • Cherry-pick upstream v1.26.3: LFS reject unknown SSH sub-verbs to prevent auth bypass (#38015)
  • Cherry-pick upstream v1.26.3: bound CODEOWNERS regex match time — ReDoS prevention (#38025)
  • Cherry-pick upstream v1.26.3: require merged PR to bypass fork PR approval gate (#38041)
  • Cherry-pick upstream v1.26.3: LFS require Code-unit access for cross-repo object reuse (#38050)
  • Cherry-pick upstream v1.26.3: hostmatcher block reserved IP ranges — SSRF prevention (#38059)
  • Cherry-pick upstream v1.26.3: bound debian ParseControlFile — DoS prevention (#38055)
  • Cherry-pick upstream v1.26.3: feed token scope, migration SSRF, notification redaction (#38147)
  • Cherry-pick upstream v1.26.3: OIDC ignore stale external login links to organizations (#38141)
  • Cherry-pick upstream v1.26.3: 2FA timing, branch delete auth, org labels visibility, merge upstream auth (#38151)
  • Cherry-pick upstream v1.26.3: allow git clone of private repos with anonymous code access (#38146)
  • Cherry-pick upstream v1.26.3: hostmatcher patch incorrect private IP list (#38173)
  • Cherry-pick upstream v1.26.4: do not auto-reactivate disabled users on OAuth2 callback (#38183)
  • Cherry-pick upstream v1.26.4: walk git log context error handling — regression fix (#38185)

Fixed

  • Org-level branch protection now layers with per-repo rules instead of being ignored whenever a repo rule exists. When both an org rule and a repo rule match a branch, the effective rule is the most-restrictive (fail-closed) combination — the org rule is a mandatory floor a repo cannot weaken: allow flags AND'd, gate/require/block flags OR'd, required approvals max'd, status checks and protected-file patterns unioned, whitelists intersected. Previously a repo rule shadowed the org rule entirely at the enforcement choke point (GetFirstMatchProtectedBranchRule), letting a repo opt out of org protection (#727)
  • Org Teams page: list now renders — the handler wrote ctx.Data["OrgListTeams"] but the template reads .Teams, so the page showed header/nav but no teams (#720)
  • Issue type: now editable after creation for users with issue write permission — the sidebar gated editing on a FieldEditFlags data key that was never populated (always read-only); now uses HasIssuesOrPullsWritePermission like the priority field (#721)
  • Admin config form: radio inputs (e.g. instance landing page Mode) no longer throw "Unsupported config form value mapping", which had aborted all JS init on the admin settings page
  • PR check branch policy: allow fix/*main and patch/*main to match documented policy (was rejecting fix/patch PRs to main)
  • PR check platform detection: guard for missing .mokogitea/manifest.xml so the Validate PR job no longer aborts under set -e (manifest replaced by metadata API)
  • Remove dangling mcp-mokogitea-api submodule gitlink (no .gitmodules entry) that broke submodule update --init at checkout, failing all PR build/release jobs; ignore the local clone path
  • PR RC Release workflow: no-op cleanly when updates.xml is absent (generic repos) instead of aborting the "Determine RC version" step under set -e
  • PR check: platform detection now queries metadata API instead of removed manifest.xml
  • Cherry-pick upstream v1.26.2: handle empty pull request files view to allow reviews (#37783)
  • Cherry-pick upstream v1.26.2: fix "run as root" check with snap container detection (#37622)
  • Cherry-pick upstream: ack re-sent UpdateLog finalize idempotently (#37885)
  • Cherry-pick upstream: reject workflow_dispatch for workflows without that trigger (#37660)
  • Cherry-pick upstream: keep action run title clickable when commit subject is a URL (#37867)
  • Cherry-pick upstream: exclude workflow_call from workflow trigger detection (#37894)
  • API token edit: reject empty scope update requests with 400 instead of silently succeeding
  • Workflow token auth: pr-check.yml pre-release dispatch was silently failing due to env var / curl reference mismatch
  • Workflow tokens: standardize all GA_TOKEN/GITEA_TOKEN/GITEA_URL env vars to MOKOGITEA_TOKEN/MOKOGITEA_URL across all workflow files in 5 template repos + MokoCLI (65+ files)
  • CI issue reporter: rename GITEA_TOKEN/GITEA_URL to MOKOGITEA_TOKEN/MOKOGITEA_URL in automation/ci-issue-reporter.sh
  • Workflow sync trigger: add workflow_dispatch event, fix if-condition to allow manual dispatch, add PHP install step for non-PHP runners
  • Deploy workflow: merge dev health check into deploy job to avoid runner status reporting failures on inter-job handoff
  • Licensing API: handle DB write errors in UpdateLicense, UpdateTier, DeleteTier instead of silently discarding
  • Wiki API: fix findEntryForFile URL-decode fallback for non-ASCII page names
  • Metadata settings template 500 error: removed reference to deleted Version field
  • Wiki recent changes: use commit.MessageTitle() instead of commit.Message()
  • Wiki backlinks: proper URL encoding for subdirectory pages
  • Wiki wikilinks: page existence lookup normalizes spaces and hyphens
  • Issue statuses template: garbled em-dash character replaced

Changed

  • Custom workflows moved to .mokogitea/workflows/custom/: deploy-mokogitea, deploy-dev, cascade-dev, pr-rc-release, test-mokogitea, upstream-bug-sync
  • Issue status seed defaults: Open, In Progress, Waiting, In Review, Closed, Won't Fix
  • Pre-release workflow: auto-bump skipped for non-Joomla repos (platform check)
  • CI issue reporter: moved to MokoCLI (cli/ci_issue_reporter.sh), pr-check and repo-health now use ci-issue-reporter.yml reusable workflow

Removed

  • Workflows: gitleaks.yml, npm-publish.yml, notify.yml, workflow-sync-trigger.yml, composer-publish.yml, deploy-manual.yml, security-audit.yml (not applicable to Go repo)
  • automation/ci-issue-reporter.sh: moved to MokoCLI as centralized CLI tool

[06.19.00] --- 2026-06-20

[06.19.00] --- 2026-06-20

[06.19.00] --- 2026-06-20

[06.19.00] --- 2026-06-19