release: cascade merge, status presets, default teams, secret scanning #714

Merged

jmiller merged 17 commits from dev into main 2026-06-28 09:41:36 +00:00

Conversation 0 Commits 17 Files Changed 20

+1144 -3

jmiller commented 2026-06-28 09:33:47 +00:00

Owner

Copy Link

Copy Source

Summary

• Cascade merge: auto-create PRs to downstream branches after merge with configurable rules per repo (#460)
• Issue status presets: 4 built-in templates (default, software-development, support-tickets, bug-tracking) with API + web UI (#507)
• Cross-org status migration: copy status definitions from one org to another via API (#507)
• Default org teams: auto-create Developers (write), Reviewers (read), CI/CD (actions+packages) on org creation (#513)
• Secret scanning: pre-receive hook blocking + REST API for alerts, config, and on-demand scans (#692)
• IDOR fix: CopyStatusesFromOrg now checks source org visibility + membership

Issues closed

Closes #460, closes #507, closes #513, closes #692

Test plan

• Create cascade rule via API, verify auto-PR on merge
• Apply status preset to org, verify statuses created
• Copy statuses between orgs, verify IDOR protection for private orgs
• Create new org, verify default teams provisioned
• Push commit with secret pattern, verify pre-receive rejection
• Query security alerts API, verify responses

https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

## Summary - **Cascade merge**: auto-create PRs to downstream branches after merge with configurable rules per repo (#460) - **Issue status presets**: 4 built-in templates (default, software-development, support-tickets, bug-tracking) with API + web UI (#507) - **Cross-org status migration**: copy status definitions from one org to another via API (#507) - **Default org teams**: auto-create Developers (write), Reviewers (read), CI/CD (actions+packages) on org creation (#513) - **Secret scanning**: pre-receive hook blocking + REST API for alerts, config, and on-demand scans (#692) - **IDOR fix**: CopyStatusesFromOrg now checks source org visibility + membership ## Issues closed Closes #460, closes #507, closes #513, closes #692 ## Test plan - [ ] Create cascade rule via API, verify auto-PR on merge - [ ] Apply status preset to org, verify statuses created - [ ] Copy statuses between orgs, verify IDOR protection for private orgs - [ ] Create new org, verify default teams provisioned - [ ] Push commit with secret pattern, verify pre-receive rejection - [ ] Query security alerts API, verify responses https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 16 commits 2026-06-28 09:33:50 +00:00

feat: add issue status presets and cross-org migration (#507) ... df9305758f

4 built-in presets: default, software-development, support-tickets,
bug-tracking. API endpoints to list presets, apply to org, and copy
statuses between orgs. Web UI dropdown on org settings page.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat: cascade merge — auto-create PRs to downstream branches after merge (#460) ... f627219ca8

Adds configurable cascade rules per repo. When a PR merges into a
source branch, the system auto-creates PRs to each configured target
branch. Skips if a matching PR already exists.

- Model: CascadeMergeRule (repo_id, source, target, enabled, auto_merge)
- Migration v362 creates cascade_merge_rule table
- Notifier hooks into MergePullRequest/AutoMergePullRequest events
- API: CRUD at /repos/{owner}/{repo}/cascade_rules (admin only)

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat(orgs): auto-create default teams on org creation (#513) ... e99658ddc0

New organizations now get three default teams in addition to Owners:
- Developers (write: code, issues, PRs, wiki, projects; read: releases)
- Reviewers (read: code, issues, PRs, releases, wiki)
- CI/CD (write: actions, packages, releases; read: code)

Teams are defined in DefaultOrgTeams and created inside the same
transaction as the org, so creation is atomic.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

fix: prevent IDOR in CopyStatusesFromOrg endpoint ... f53bc895ba

Add source org visibility + membership check before copying statuses.
Non-public source orgs now require the doer to be a member or site admin,
preventing unauthorized enumeration of private org statuses.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

fix: remove leaked security scanning routes from cascade-merge branch ... 805c566615

The security route group belongs to feature/secret-scanning (#692) and
was accidentally committed here during parallel agent work.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat: security scanning API endpoints + pre-receive hook blocking (#692) ... 7b334f94c0

Add REST API for security alerts (list, get, update status, trigger scan)
and scanner config (get, update). Wire block_on_push into the pre-receive
hook so pushes containing detected secrets are rejected with details.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat: register security scanning API routes in router ... 84df5d7932

Adds /repos/{owner}/{repo}/security/* route group for security
alert management, scanning, and configuration endpoints.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

fix: log error when pre-receive secret scan cannot read commit ... 9a4aa0fafb

Previously, GetCommit failures were silently swallowed, allowing
pushes to proceed without scanning. Now logs the error so admins
can diagnose issues while still allowing the push.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

fix: distinguish unknown preset from DB errors in ApplyIssueStatusPreset ... cf25eef480

db.ErrNotExist returns 404, other errors return 500 instead of
masking all errors as 404.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat(orgs): auto-create default teams on org creation (#513) b9c04e51b4

feat: security scanning API + pre-receive hook blocking (#692) 2857a1f6a1

merge: incorporate dev changes into feature/status-presets ... 57894e25fd

Resolve CHANGELOG.md conflict — keep both status presets and
default teams entries.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

merge: incorporate dev changes into feature/cascade-merge ... 5a25068d81

Resolve CHANGELOG.md and api.go conflicts — keep both cascade_rules
and security route groups.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat: issue status presets and cross-org migration (#507) c618ec9f87

merge: incorporate latest dev (post status-presets merge) into cascade-merge ... 98301bc92b

Resolve CHANGELOG conflict, restore issue_metadata.go from dev.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

feat: cascade merge — auto-create PRs to downstream branches after merge (#460) 7913a05285

jmiller referenced this issue from a commit 2026-06-28 09:36:17 +00:00

merge: incorporate main into dev for release PR #714

jmiller added 1 commit 2026-06-28 09:36:17 +00:00

merge: incorporate main into dev for release PR #714 ... 23bb025700

Resolve CHANGELOG conflict — deduplicate feature entries.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller merged commit fefdf1a1ec into main 2026-06-28 09:41:36 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

feature: wiki

Wiki system enhancements

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

No labels

Priority -

Type -

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#714