fix: cherry-pick upstream v1.26.2 security and actions fixes #704

Merged
jmiller merged 8 commits from fix/v1262-security-cherrypicks into main 2026-06-27 05:31:09 +00:00
Owner

Summary

Cherry-picks 6 upstream fixes from release/v1.26 into MokoGitea:

  • fix(pull): handle empty pull request files view to allow reviews (#37783)
  • fix: "run as root" check refactored with snap container detection (#37622)
  • fix(actions): ack re-sent UpdateLog finalize idempotently (#37885)
  • fix(actions): reject workflow_dispatch for workflows without that trigger (#37660)
  • fix(actions): keep action run title clickable when commit subject is a URL (#37867)
  • fix(actions): exclude workflow_call from workflow trigger detection (#37894)

Details

All namespace imports translated (code.gitea.io/gitea → code.mokoconsulting.tech/MokoConsulting/MokoGitea). External module imports (code.gitea.io/actions-proto-go) left unchanged.

The snap/snapcraft.yaml sed hack that replaced os.Getuid() with 1 is removed — snap containers are now detected natively by mustNotRunAsRoot().

Completes #225 (all 27 v1.26.2 items now cherry-picked).
Closes #379, #380, #381, #382 (upstream actions fixes).

Test plan

  • go build succeeds
  • Integration tests pass: actions_log_finalize_test.go, actions_trigger_test.go, pull_status_test.go
  • Unit tests pass: jobparser/model_test.go, util_render_test.go
  • Empty PR files view shows "Diff Content Not Available" instead of 400 error
  • Dispatching a workflow without workflow_dispatch trigger returns 422
jmiller added 7 commits 2026-06-27 04:15:38 +00:00
Backport #37783

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #37622

Remove the hacky and fragile `sed os.Getuid()` patch.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #37885 by @silverwind

Fixes https://github.com/go-gitea/gitea/issues/37871, full backwards and
forwards compatible with runners.

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #37660 by @jorgeortiz85

## Summary

Fixes #37528

This PR makes the workflow dispatch API reject workflows that do not
declare `workflow_dispatch`. Previously, `POST
/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches` could
create an `ActionRun` for a workflow that only declared another event
such as `push`.

The service now validates that the target workflow has a
`workflow_dispatch` trigger before inserting the run. The API maps that
validation failure to `422 Unprocessable Entity`, matching existing
validation failures in this handler.

The regression test creates a push-only workflow, dispatches it through
the public API, asserts the `workflow_dispatch` validation message, and
verifies that no run was inserted.

## Testing

- `go test ./services/actions`
- `TAGS="sqlite sqlite_unlock_notify" make test-integration#TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger`
- `TAGS="sqlite sqlite_unlock_notify" make test-integration#TestWorkflowDispatchPublicApi`

## Disclosure

Developed with assistance from OpenAI Codex.

Co-authored-by: Jorge Ortiz <jorge.ortiz@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Backport #37867 by @bircni

- When a commit subject is a bare URL, `linkProcessor` wrapped it in its
own `<a>` to that URL. Because HTML cannot nest anchors, the wrapping
default link (the action run / commit link) was lost and the action
title became unclickable — clicking it sent the user to the URL from the
commit message instead of the action log.
- Drop `linkProcessor` from `PostProcessCommitMessageSubject` so the
whole subject stays wrapped in the default link. URLs in subjects now
render as text inside that link; URLs in commit bodies are unaffected.

Fixes #37865

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
fix(actions): exclude workflow_call from workflow trigger detection (#37894) (#37899)
f962ae575a
Backport #37894 by @Zettat123

Gitea now only allows `workflow_dispatch.inputs`. If a workflow contains
`workflow_call.inputs`, the workflow cannot be triggered, even though
the `on:` section contains other trigger events.


https://github.com/go-gitea/gitea/blob/428ee9fcce7928bf5405900345d43e9ba1b01564/modules/actions/jobparser/model.go#L402-L405

For example, this workflow cannot be triggered due to
`workflow_call.inputs`:
```yaml
on:
  push:
  pull_request:
  workflow_call:
    inputs:
      name:
        type: string
```

---

This PR is extracted from #37478 for backport

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
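The trigger rule that the two backports above (#37660 and #37894) describe, as an added Go example; this is not Gitea's or MokoGitea's code, and the function names Triggers and CanDispatch are hypothetical. It assumes the workflow's `on:` key has already been decoded by a YAML library such as gopkg.in/yaml.v3 into Go's generic types (string, []any, map[string]any), handles the three YAML shapes of `on:`, skips `workflow_call` so a reusable-workflow entry point never blocks the other events, allows `inputs` only under `workflow_dispatch`, and refuses a dispatch for a workflow that does not declare that trigger (the condition an API handler would map to 422). The sample inputs are constructed here and mirror the push/pull_request/workflow_call workflow quoted in the #37894 message.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNoDispatchTrigger is returned when a dispatch is requested for a workflow
// whose on: section does not declare workflow_dispatch. A dispatch API handler
// would map it to 422 Unprocessable Entity before inserting any run.
var ErrNoDispatchTrigger = errors.New("workflow does not declare a workflow_dispatch trigger")

// Triggers returns the sorted events that can start a run, given the decoded
// value of a workflow's on: key. It accepts the scalar, sequence and mapping
// forms, ignores workflow_call (it marks a reusable workflow's entry point, not
// an event that starts this run) and allows inputs: only under workflow_dispatch.
func Triggers(on any) ([]string, error) {
	events := map[string]struct{}{}
	switch v := on.(type) {
	case nil:
		return nil, errors.New("workflow has no on: section")
	case string: // on: push
		events[v] = struct{}{}
	case []any: // on: [push, pull_request]
		for _, item := range v {
			name, ok := item.(string)
			if !ok {
				return nil, fmt.Errorf("on: list contains non-string item %v", item)
			}
			events[name] = struct{}{}
		}
	case map[string]any: // on:\n  push:\n  workflow_dispatch: {inputs: ...}
		for name, cfg := range v {
			if name == "workflow_call" {
				continue // excluded from trigger detection
			}
			if m, ok := cfg.(map[string]any); ok {
				if _, hasInputs := m["inputs"]; hasInputs && name != "workflow_dispatch" {
					return nil, fmt.Errorf("event %q must not declare inputs", name)
				}
			}
			events[name] = struct{}{}
		}
	default:
		return nil, fmt.Errorf("unsupported on: value of type %T", on)
	}
	out := make([]string, 0, len(events))
	for e := range events {
		out = append(out, e)
	}
	sort.Strings(out)
	return out, nil
}

// CanDispatch is the precondition a workflow_dispatch API must check before
// creating a run: the target workflow has to declare workflow_dispatch itself.
func CanDispatch(on any) error {
	evs, err := Triggers(on)
	if err != nil {
		return err
	}
	for _, e := range evs {
		if e == "workflow_dispatch" {
			return nil
		}
	}
	return ErrNoDispatchTrigger
}

// Constructed sample inputs, shaped as gopkg.in/yaml.v3 decodes the on: key
// into an interface{} target (null values become nil).
var (
	pushOnly       any = "push"
	callWithInputs any = map[string]any{
		"push":         nil,
		"pull_request": nil,
		"workflow_call": map[string]any{
			"inputs": map[string]any{"name": map[string]any{"type": "string"}},
		},
	}
	dispatchable any = map[string]any{
		"workflow_dispatch": map[string]any{
			"inputs": map[string]any{"env": map[string]any{"type": "choice"}},
		},
	}
)

func main() {
	for _, c := range []struct {
		name string
		on   any
	}{{"push-only", pushOnly}, {"call-with-inputs", callWithInputs}, {"dispatchable", dispatchable}} {
		evs, err := Triggers(c.on)
		fmt.Printf("%s: triggers=%v err=%v dispatch=%v\n", c.name, evs, err, CanDispatch(c.on))
	}
}
```

The push-only and workflow_call examples both yield a usable trigger list but fail CanDispatch, which is the behaviour the two fixes combine to: the reusable-workflow inputs no longer poison trigger detection, and a dispatch request still cannot create a run for a workflow that never opted into it.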
docs: add cherry-pick entries to changelog
882eb2cce7
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
jmiller added 1 commit 2026-06-27 05:20:10 +00:00
fix(ci): allow fix/* and patch/* branches to target main
a48f44c901
Branch policy check was rejecting fix/* → main PRs, but our actual
policy allows fix/patch branches to target main directly for hotfixes
that don't need the dev → rc → main cycle.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
jmiller merged commit 322bd982bd into main 2026-06-27 05:31:09 +00:00
jmiller deleted branch fix/v1262-security-cherrypicks 2026-06-27 05:31:10 +00:00