Rename the Go module path from code.gitea.io/gitea to
git.mokoconsulting.tech/MokoConsulting/MokoGitea across the entire
codebase.
Scope:
- go.mod module declaration
- 2,235 Go source files (import paths)
- Dockerfile WORKDIR and COPY paths
- Swagger API templates
- golangci.yml linter config
External dependencies (code.gitea.io/gitea-vet, code.gitea.io/sdk/gitea,
gitea.com/gitea/act, etc.) are intentionally NOT renamed — they are
separate upstream modules.
Closes#132
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Minimal dep additions using targeted go get, NOT go mod tidy.
Only adds modernc.org/sqlite v1.20.4 and github.com/getkin/kin-openapi
v0.138.0 with their transitive deps. No existing deps modified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The full go mod tidy upgraded gocron, renderhelper, and other deps
to incompatible versions. Revert to the original go.mod and add
ONLY modernc.org/sqlite v1.20.4 via targeted go get.
Verified: go build -tags 'bindata timetzdata' ./... compiles clean.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Run go mod tidy on server (golang:1.26-alpine) to properly resolve
all transitive deps for modernc.org/sqlite and other indirect
requirements. This ensures go generate and go build work without
needing go mod tidy in the Dockerfile.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The gitea.com/gitea/runner module path doesn't match its actual module
declaration (gitea.com/gitea/act_runner) and has version compatibility
issues. Switch imports to github.com/nektos/act which is already
replaced by gitea.com/gitea/act v0.261.10 in go.mod — same packages,
proven compatible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The module at gitea.com/gitea/runner declares itself as
gitea.com/gitea/act_runner. Add replace to map the import path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add missing dependencies directly to go.mod instead of relying on
go mod tidy (which pulls incompatible transitive dep upgrades):
- gitea.com/gitea/runner v0.4.1 (for act/workflowpattern imports)
- modernc.org/sqlite v1.20.4 (implicit import from models/auth)
Remove go mod tidy from Dockerfile to prevent version drift.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backport of go-git upgrade to v5.18.0 for the v1.26 release branch.
Fixes GHSA-3xc5-wrhm-f963 (credential exposure on HTTP redirects).
---
This PR was written with the help of Claude Opus 4.6
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Update all non-locked Go dependencies and pin incompatible ones.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Hey, I bumped Go to 1.26.1 and fixed a couple of things I ran into while
poking around.
### Changes
- Bump go.mod from 1.26.0 to 1.26.1 (security patch)
- Bump golangci-lint from v2.10.1 to v2.11.2
- Run make tidy, fmt, lint-go
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
After many years, "activitypub" is still "in progress" and no real
progress for end users. So it is not mature.
Temporarily mark the endpoints as "501 not implemented",
and wait until the whole design is stable and usable.
The jobparser sub package in act is only used by Gitea. Move it to Gitea
to make it more easier to maintain.
---------
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
1. handle non-release git verions (not semver)
2. fix rubygems version "0" handling (only ">=" can be omitted)
3. lazy compile the regexp to improve performance
4. make test data maintainable, use origin source code instead of compressed binary
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
## Breaking Changes
None expected. This is a minor toolchain patch update.
Most potential deadlock problems should have been fixed, and new code is
unlikely to cause new problems with the new design.
Also raise the minimum Git version required to 2.6.0 (released in 2015)
From [docs](https://go.dev/doc/toolchain#config):
> The go line declares the minimum required Go version for using the
module or workspace. For compatibility reasons, if the go line is
omitted from a go.mod file, the module is considered to have an implicit
go 1.16 line, and if the go line is omitted from a go.work file, the
workspace is considered to have an implicit go 1.18 line.
> The toolchain line declares a suggested toolchain to use with the
module or workspace. As described in “[Go toolchain
selection](https://go.dev/doc/toolchain#select)” below, the go command
may run this specific toolchain when operating in that module or
workspace if the default toolchain’s version is less than the suggested
toolchain’s version. If the toolchain line is omitted, the module or
workspace is considered to have an implicit toolchain goV line, where V
is the Go version from the go line.
This is better than setting `go` to the latest version which may break
builds when that go version is unavailable, for example with
`GOTOOLCHAIN=local` in the official go docker images.
Fix#35649
* Use upstream `git-lfs-transfer`
* The Close should be called when error occurs (bug fix)
* The connection pool should be shared (bug fix)
* Add more tests to cover "LFS over SSH download"
Jonathan Miller