MokoConsulting/MokoGitea-Fork
1
0
Fork 0
Code Issues 141 Pull Requests Releases 96 Wiki Activity

fix: cherry-pick upstream v1.26.2 security and actions fixes #704

Merged
jmiller merged 8 commits from fix/v1262-security-cherrypicks into main 2026-06-27 05:31:09 +00:00
Conversation 0 Commits 8 Files Changed 15
+374 -73

8 Commits

Author SHA1 Message Date
jmiller a48f44c901 fix(ci): allow fix/* and patch/* branches to target main
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 2s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 9s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 54s
Details
PR RC Release / Build RC Release (pull_request) Failing after 56s
Details
Universal: PR Check / Secret Scan (pull_request) Successful in 57s
Details
Universal: Build & Release / Promote to RC (pull_request) Has been skipped
Details
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Details
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Details
Universal: Build & Release / Build & Release Pipeline (pull_request) Failing after 50s
Details
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Failing after 3m33s
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
Details 
Branch policy check was rejecting fix/* → main PRs, but our actual
policy allows fix/patch branches to target main directly for hotfixes
that don't need the dev → rc → main cycle.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
 2026-06-27 00:19:57 -05:00
jmiller 882eb2cce7 docs: add cherry-pick entries to changelog
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 48s
Details
Universal: PR Check / Branch Policy (pull_request) Failing after 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 2s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 10s
Details
Universal: Build & Release / Promote to RC (pull_request) Failing after 17s
Details
Universal: Build & Release / Build & Release Pipeline (pull_request) Has been skipped
Details
Universal: PR Check / Secret Scan (pull_request) Successful in 52s
Details
PR RC Release / Build RC Release (pull_request) Failing after 49s
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
Details 
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
 2026-06-26 21:41:36 -05:00
Giteabot f962ae575a fix(actions): exclude workflow_call from workflow trigger detection (#37894) (#37899)
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 38s
Details 
Backport #37894 by @Zettat123

Gitea now only allows `workflow_dispatch.inputs`. If a workflow contains
`workflow_call.inputs`, the workflow cannot be triggered, even though
the `on:` section contains other trigger events.


https://github.com/go-gitea/gitea/blob/428ee9fcce7928bf5405900345d43e9ba1b01564/modules/actions/jobparser/model.go#L402-L405

For example, this workflow cannot be triggered due to
`workflow_call.inputs`:
```yaml
on:
  push:
  pull_request:
  workflow_call:
    inputs:
      name:
        type: string
```

---

This PR is extracted from #37478 for backport

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
 2026-06-26 21:40:32 -05:00
Giteabot 58074ac860 fix(actions): keep action run title clickable when commit subject is a URL (#37867) (#37898) 
Backport #37867 by @bircni

- When a commit subject is a bare URL, `linkProcessor` wrapped it in its
own `<a>` to that URL. Because HTML cannot nest anchors, the wrapping
default link (the action run / commit link) was lost and the action
title became unclickable — clicking it sent the user to the URL from the
commit message instead of the action log.
- Drop `linkProcessor` from `PostProcessCommitMessageSubject` so the
whole subject stays wrapped in the default link. URLs in subjects now
render as text inside that link; URLs in commit bodies are unaffected.

Fixes #37865

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
 2026-06-26 21:40:23 -05:00
Giteabot 9db67cd554 fix(actions): reject workflow_dispatch for workflows without that trigger (#37660) (#37895) 
Backport #37660 by @jorgeortiz85

## Summary

Fixes #37528

This PR makes the workflow dispatch API reject workflows that do not
declare `workflow_dispatch`. Previously, `POST
/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches` could
create an `ActionRun` for a workflow that only declared another event
such as `push`.

The service now validates that the target workflow has a
`workflow_dispatch` trigger before inserting the run. The API maps that
validation failure to `422 Unprocessable Entity`, matching existing
validation failures in this handler.

The regression test creates a push-only workflow, dispatches it through
the public API, asserts the `workflow_dispatch` validation message, and
verifies that no run was inserted.

## Testing

- `go test ./services/actions`
- `TAGS="sqlite sqlite_unlock_notify" make
test-integration#TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger`
- `TAGS="sqlite sqlite_unlock_notify" make
test-integration#TestWorkflowDispatchPublicApi`

## Disclosure

Developed with assistance from OpenAI Codex.

Co-authored-by: Jorge Ortiz <jorge.ortiz@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
 2026-06-26 21:40:12 -05:00
Giteabot a063c3b2e4 fix(actions): ack re-sent UpdateLog finalize idempotently (#37885) (#37892) 
Backport #37885 by @silverwind

Fixes https://github.com/go-gitea/gitea/issues/37871, full backwards and
forwards compatible with runners.

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
 2026-06-26 21:40:01 -05:00
Giteabot ac48c1d958 fix: "run as root" check (#37622) (#37625) 
Backport #37622

Remove the hacky and fragile `sed os.Getuid()` patch.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2026-06-26 21:37:42 -05:00
Nicolas ad06fa7bec fix(pull): handle empty pull request files view to allow reviews (#37783) (#37785) 
Backport #37783

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2026-06-26 21:36:28 -05:00