fix(actions): retry workflow insertion on database deadlock

When multiple workflows are triggered by a single event (e.g. a
pull_request with several matching workflow files), each InsertRun
transaction acquires an X-lock on the repository row via
UpdateRepoRunsNumbers and an index lock on action_run. Two concurrent
transactions can deadlock when each holds one lock and waits for the
other. InnoDB kills the lighter transaction, but handleWorkflows only
logged the error and silently dropped the workflow run — making it
appear as though pull_request events were never fired.

This was the root cause of API-created PRs appearing to not trigger
Actions workflows: the notification pipeline was correct, but the DB
insert was lost to an unretried deadlock.

The fix wraps PrepareRunAndInsert in a retry loop (up to 3 attempts
with exponential backoff) that detects deadlock errors across MySQL,
PostgreSQL, and SQLite. On deadlock, the rolled-back run fields are
reset before the next attempt.

Also adds db.IsErrDeadlock() for cross-engine deadlock detection and
unit tests for the same.

Closes #220

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

models/db/error.go

@@ -5,6 +5,7 @@ package db
 
 import (
 	"fmt"
+	"strings"
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/util"
 )
@@ -72,3 +73,27 @@ func (err ErrNotExist) Error() string {
 func (err ErrNotExist) Unwrap() error {
 	return util.ErrNotExist
 }
+
+// IsErrDeadlock checks whether err is a database deadlock.
+// MySQL returns error 1213 (ER_LOCK_DEADLOCK / SQLSTATE 40001).
+// PostgreSQL returns SQLSTATE 40P01 with "deadlock detected".
+// SQLite returns SQLITE_BUSY (error 5) with "database is locked".
+func IsErrDeadlock(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	// MySQL / MariaDB: "Error 1213 (40001): Deadlock found when trying to get lock"
+	if strings.Contains(msg, "Error 1213") || strings.Contains(msg, "40001") {
+		return true
+	}
+	// PostgreSQL: "deadlock detected"
+	if strings.Contains(msg, "deadlock detected") {
+		return true
+	}
+	// SQLite: "database is locked"
+	if strings.Contains(msg, "database is locked") {
+		return true
+	}
+	return false
+}

models/db/error_test.go

@@ -0,0 +1,31 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package db
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsErrDeadlock(t *testing.T) {
+	tests := []struct {
+		name string
+		err  error
+		want bool
+	}{
+		{name: "nil", err: nil, want: false},
+		{name: "unrelated", err: errors.New("connection refused"), want: false},
+		{name: "mysql 1213", err: errors.New("Error 1213 (40001): Deadlock found when trying to get lock; try restarting transaction"), want: true},
+		{name: "mysql sqlstate", err: errors.New("SQLSTATE 40001: serialization failure"), want: true},
+		{name: "postgres", err: errors.New("pq: deadlock detected"), want: true},
+		{name: "sqlite", err: errors.New("database is locked"), want: true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, IsErrDeadlock(tt.err))
+		})
+	}
+}

models/migrations/migrations.go

@@ -410,6 +410,7 @@ func prepareMigrationTasks() []*migration {
 
 		newMigration(331, "Add ActionRunAttempt model and related action fields", v1_27.AddActionRunAttemptModel),
 		newMigration(332, "Add org-level branch protection rulesets", v1_27.AddOrgProtectedBranchTable),
+		newMigration(333, "Add require_2fa to user table for org enforcement", v1_27.AddRequire2FAToUser),
 	}
 	return preparedMigrations
 }

models/migrations/v1_27/v333.go

@@ -0,0 +1,16 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddRequire2FAToUser(x *xorm.Engine) error {
+	type User struct {
+		Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+	}
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(User))
+	return err
+}

models/user/user.go

@@ -117,6 +117,9 @@ type User struct {
 	// Maximum repository creation limit, -1 means use global default
 	MaxRepoCreation int `xorm:"NOT NULL DEFAULT -1"`
 
+	// Require2FA when true (and user is an org), all org members must have 2FA enabled
+	Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+
 	// IsActive true: primary email is activated, user can access Web UI and Git SSH.
 	// false: an inactive user can only log in Web UI for account operations (ex: activate the account by email), no other access.
 	IsActive bool `xorm:"INDEX"`

modules/highlight/highlight_test.go

@@ -63,7 +63,7 @@ func TestFile(t *testing.T) {
 		{
 			name:      "tags.py",
 			code:      "<>",
-			want:      lines(`<span class="o">&lt;</span><span class="o">&gt;</span>`),
+			want:      lines(`<span class="o">&lt;&gt;</span>`),
 			lexerName: "Python",
 		},
 		{
@@ -102,7 +102,7 @@ c=2
 <span class="n">def</span><span class="p">:</span>\n
     <span class="n">a</span><span class="o">=</span><span class="mi">1</span>\n
 \n
-<span class="n">b</span><span class="o">=</span><span class="sa"></span><span class="s1">&#39;</span><span class="s1">&#39;</span>\n
+<span class="n">b</span><span class="o">=</span><span class="s1">&#39;&#39;</span>\n
     \n
 <span class="n">c</span><span class="o">=</span><span class="mi">2</span>`,
 			),
@@ -114,6 +114,18 @@ c=2
 			want:      []template.HTML{"<span class=\"c1\">--\n</span>", `<span class="k">SELECT</span>`},
 			lexerName: "SQL",
 		},
+		{
+			name: "test.http",
+			code: `HTTP/1.0 400 Bad request
+Content-Type: text/html
+
+<html></html>`,
+			want: lines(`<span class="kr">HTTP</span><span class="o">/</span><span class="m">1.0</span> <span class="m">400</span> <span class="ne">Bad request</span>\n
+<span class="n">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>\n
+\n
+<span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>`),
+			lexerName: "HTTP",
+		},
 	}
 
 	for _, tt := range tests {

modules/highlight/lexerdetect.go

@@ -288,24 +288,24 @@ func detectChromaLexerWithAnalyze(fileName, lang string, code []byte) chroma.Lex
 
 	// if lang is provided, and it matches a lexer, use it directly
 	if byLang {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// if a lexer is detected and there is no conflict for the file extension, use it directly
 	fileExt := path.Ext(fileName)
 	_, hasConflicts := chromaLexers().conflictingExtLangMap[fileExt]
 	if !hasConflicts && lexer != lexers.Fallback {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// try to detect language by content, for best guessing for the language
 	// when using "code" to detect, analyze.GetCodeLanguage is slow, it iterates many rules to detect language from content
 	analyzedLanguage := analyze.GetCodeLanguage(fileName, code)
-	lexer = DetectChromaLexerByFileName(fileName, analyzedLanguage)
+	lexer, _ = detectChromaLexerByFileName(fileName, analyzedLanguage)
 	if lexer == lexers.Fallback {
 		if analyzedLanguage != enry.OtherLanguage {
 			log.Warn("No chroma lexer found for enry detected language: %s (file: %s), need to fix the language mapping between enry and chroma.", analyzedLanguage, fileName)
 		}
 	}
-	return lexer
+	return chroma.Coalesce(lexer)
 }

modules/setting/setting.go

@@ -39,6 +39,13 @@ var (
 		Channel:  "stable",
 	}
 
+	// LoginNotification configuration for sign-in alerts
+	LoginNotification = struct {
+		Enabled bool
+	}{
+		Enabled: true,
+	}
+
 	// IsInTesting indicates whether the testing is running (unit test or integration test). It can be used for:
 	// * Skip nonsense error logs during testing caused by unreliable code (TODO: this is only a temporary solution, we should make the test code more reliable)
 	// * Panic in dev or testing mode to make the problem more obvious and easier to debug
@@ -171,6 +178,7 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 	loadOtherFrom(cfg)
 	loadUpdateCheckerFrom(cfg)
 	loadNtfyFrom(cfg)
+	loadLoginNotificationFrom(cfg)
 	return nil
 }
 
@@ -181,6 +189,11 @@ func loadUpdateCheckerFrom(cfg ConfigProvider) {
 	UpdateChecker.Channel = sec.Key("CHANNEL").MustString(UpdateChecker.Channel)
 }
 
+func loadLoginNotificationFrom(cfg ConfigProvider) {
+	sec := cfg.Section("login_notification")
+	LoginNotification.Enabled = sec.Key("ENABLED").MustBool(true)
+}
+
 func loadRunModeFrom(rootCfg ConfigProvider) {
 	rootSec := rootCfg.Section("")
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())

routers/web/auth/auth.go

@@ -440,6 +440,9 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool) {
 		ctx.ServerError("UpdateUser", err)
 		return
 	}
+
+	// Send login notification (email + ntfy)
+	go mailer.SendLoginNotification(u, ctx.RemoteAddr(), ctx.Req.UserAgent())
 }
 
 // extractUserNameFromOAuth2 tries to extract a normalized username from the given OAuth2 user.

routers/web/org/require2fa.go

@@ -0,0 +1,37 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	auth_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/auth"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+// Check2FARequirement checks if the current org requires 2FA and if the user has it enabled.
+// If the user doesn't have 2FA and the org requires it, redirect to 2FA setup page.
+func Check2FARequirement(ctx *context.Context) {
+	if ctx.Org == nil || ctx.Org.Organization == nil || ctx.Doer == nil {
+		return
+	}
+
+	if !ctx.Org.Organization.Require2FA {
+		return
+	}
+
+	// Check if user has 2FA enabled
+	has, err := auth_model.HasTwoFactorOrWebAuthn(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.ServerError("HasTwoFactorOrWebAuthn", err)
+		return
+	}
+
+	if has {
+		return
+	}
+
+	// User doesn't have 2FA — show warning and redirect to settings
+	ctx.Flash.Warning("This organization requires two-factor authentication. Please enable 2FA to continue.")
+	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+}

routers/web/org/setting.go

@@ -80,12 +80,14 @@ func SettingsPost(ctx *context.Context) {
 		return
 	}
 
+	require2FA := ctx.FormBool("require_2fa")
 	opts := &user_service.UpdateOptions{
 		FullName:                  optional.FromPtr(form.FullName),
 		Description:               optional.FromPtr(form.Description),
 		Website:                   optional.FromPtr(form.Website),
 		Location:                  optional.FromPtr(form.Location),
 		RepoAdminChangeTeamAccess: optional.FromPtr(form.RepoAdminChangeTeamAccess),
+		Require2FA:                optional.Some(require2FA),
 	}
 	if ctx.Doer.IsAdmin {
 		opts.MaxRepoCreation = optional.FromPtr(form.MaxRepoCreation)

routers/web/web.go

@@ -960,7 +960,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 			m.Get("/milestones/{team}", reqMilestonesDashboardPageEnabled, user.Milestones)
 			m.Post("/members/action/{action}", org.MembersAction)
 			m.Get("/teams", org.Teams)
-		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}))
+		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}), org.Check2FARequirement)
 
 		m.Group("/{org}", func() {
 			m.Get("/teams/{team}", org.TeamMembers)

services/actions/notifier_helper.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"slices"
 	"strings"
+	"time"
 
 	actions_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/actions"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
@@ -344,7 +345,7 @@ func handleWorkflows(
 
 		run.NeedApproval = need
 
-		if err := PrepareRunAndInsert(ctx, dwf.Content, run, nil); err != nil {
+		if err := prepareRunAndInsertWithRetry(ctx, dwf.Content, run); err != nil {
 			log.Error("PrepareRunAndInsert: %v", err)
 			continue
 		}
@@ -352,6 +353,54 @@ func handleWorkflows(
 	return nil
 }
 
+// prepareRunAndInsertWithRetry wraps PrepareRunAndInsert with retries on
+// database deadlocks.  When multiple workflow runs are inserted for the same
+// event (e.g. several workflows triggered by a single pull_request), each
+// InsertRun transaction acquires an X-lock on the repository row (via
+// UpdateRepoRunsNumbers) and an index lock on action_run.  Two concurrent
+// transactions can deadlock when each holds one lock and waits for the other.
+// InnoDB resolves this by killing the lighter transaction, but handleWorkflows
+// only logged the error and moved on — silently dropping the workflow run.
+// Retrying the insert is safe because the rolled-back transaction left no
+// partial state.
+func prepareRunAndInsertWithRetry(ctx context.Context, content []byte, run *actions_model.ActionRun) error {
+	const maxRetries = 3
+	backoff := 50 * time.Millisecond
+
+	// Save original values that InsertRun mutates inside its transaction.
+	// On deadlock rollback these become stale and must be reset before retry.
+	origTitle := run.Title
+
+	var err error
+	for attempt := range maxRetries {
+		if err = PrepareRunAndInsert(ctx, content, run, nil); err == nil {
+			return nil
+		}
+		if !db.IsErrDeadlock(err) {
+			return err
+		}
+		log.Warn("PrepareRunAndInsert deadlock (attempt %d/%d) for workflow %s in repo %d, retrying: %v",
+			attempt+1, maxRetries, run.WorkflowID, run.RepoID, err)
+
+		// Reset fields that InsertRun sets inside the (now rolled-back) transaction
+		// so the next attempt starts clean.
+		run.ID = 0
+		run.Index = 0
+		run.Status = actions_model.StatusWaiting
+		run.Title = origTitle
+		run.ConcurrencyGroup = ""
+		run.ConcurrencyCancel = false
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-time.After(backoff):
+		}
+		backoff *= 2
+	}
+	return fmt.Errorf("deadlock persisted after %d retries: %w", maxRetries, err)
+}
+
 func newNotifyInputFromIssue(issue *issues_model.Issue, event webhook_module.HookEventType) *notifyInput {
 	return newNotifyInput(issue.Repo, issue.Poster, event)
 }

services/mailer/mail_login.go

@@ -0,0 +1,84 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package mailer
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	sender_service "git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/mailer/sender"
+)
+
+// SendLoginNotification sends email and ntfy notifications when a user signs in.
+func SendLoginNotification(u *user_model.User, ip, userAgent string) {
+	if !setting.LoginNotification.Enabled {
+		return
+	}
+
+	timestamp := time.Now().UTC().Format("2006-01-02 15:04:05 UTC")
+	subject := fmt.Sprintf("[%s] New sign-in: %s", setting.AppName, u.Name)
+
+	body := fmt.Sprintf(`New sign-in detected
+
+Account:    %s (%s)
+IP Address: %s
+Browser:    %s
+Time:       %s
+Instance:   %s
+
+If this wasn't you, change your password immediately and review your active sessions.
+
+— %s`, u.Name, u.Email, ip, userAgent, timestamp, setting.AppURL, setting.AppName)
+
+	// Email notification
+	if setting.MailService != nil && u.Email != "" {
+		msg := sender_service.NewMessage(u.EmailTo(), subject, body)
+		msg.Info = fmt.Sprintf("Login notification for %s", u.Name)
+		SendAsync(msg)
+		log.Debug("Login notification email sent to %s", u.Email)
+	}
+
+	// ntfy push notification
+	if setting.Ntfy.Enabled && setting.Ntfy.ServerURL != "" {
+		go sendLoginNtfy(subject, u.Name, ip, timestamp)
+	}
+}
+
+func sendLoginNtfy(title, username, ip, timestamp string) {
+	body := fmt.Sprintf("User: %s\nIP: %s\nTime: %s", username, ip, timestamp)
+	url := fmt.Sprintf("%s/%s", setting.Ntfy.ServerURL, setting.Ntfy.DefaultTopic)
+
+	req, err := http.NewRequest("POST", url, bytes.NewBufferString(body))
+	if err != nil {
+		log.Error("ntfy login: create request: %v", err)
+		return
+	}
+
+	req.Header.Set("Title", title)
+	req.Header.Set("Priority", "default")
+	req.Header.Set("Tags", "key,login")
+	req.Header.Set("Click", setting.AppURL+"-/admin")
+	if setting.Ntfy.Token != "" {
+		req.Header.Set("Authorization", "Bearer "+setting.Ntfy.Token)
+	}
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Error("ntfy login: send: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+	io.Copy(io.Discard, resp.Body)
+
+	if resp.StatusCode >= 300 {
+		log.Error("ntfy login: status %d", resp.StatusCode)
+	}
+}

services/user/update.go

@@ -56,6 +56,7 @@ type UpdateOptions struct {
 	EmailNotificationsPreference optional.Option[string]
 	SetLastLogin                 bool
 	RepoAdminChangeTeamAccess    optional.Option[bool]
+	Require2FA                   optional.Option[bool]
 }
 
 func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) error {
@@ -169,6 +170,11 @@ func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) er
 
 		cols = append(cols, "repo_admin_change_team_access")
 	}
+	if opts.Require2FA.Has() {
+		u.Require2FA = opts.Require2FA.Value()
+
+		cols = append(cols, "require_2fa")
+	}
 
 	if opts.EmailNotificationsPreference.Has() {
 		u.EmailNotificationsPreference = opts.EmailNotificationsPreference.Value()

services/wiki/wiki_path.go

@@ -6,6 +6,7 @@ package wiki
 import (
 	"net/url"
 	"path"
+	"regexp"
 	"strings"
 
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -148,10 +149,26 @@ func WebPathFromRequest(s string) WebPath {
 	return WebPath(s)
 }
 
+var multiHyphenRe = regexp.MustCompile(`-{2,}`)
+var nonSlugRe = regexp.MustCompile(`[^a-zA-Z0-9+.\-]`)
+
+// sanitizeWikiTitle converts a user-provided title into a clean, URL-friendly slug.
+// Spaces and special characters become hyphens, consecutive hyphens collapse to one.
+// Preserves: letters, digits, hyphens, plus signs (+), and dots (.)
+func sanitizeWikiTitle(title string) string {
+	title = strings.TrimSpace(title)
+	title = strings.ReplaceAll(title, " ", "-")
+	title = nonSlugRe.ReplaceAllString(title, "-")
+	title = multiHyphenRe.ReplaceAllString(title, "-")
+	title = strings.NewReplacer("-+-", "-", "+-", "-", "-+", "-").Replace(title) // clean stray plus signs
+	title = strings.Trim(title, "-+.")
+	return title
+}
+
 func UserTitleToWebPath(base, title string) WebPath {
 	// TODO: no support for subdirectory, because the old wiki code's behavior is always using %2F, instead of subdirectory.
 	// So we do not add the support for writing slashes in title at the moment.
-	title = strings.TrimSpace(title)
+	title = sanitizeWikiTitle(title)
 	title = util.PathJoinRelX(base, escapeSegToWeb(title, false))
 	if title == "" || title == "." {
 		title = "unnamed"

templates/base/footer_content.tmpl

@@ -36,6 +36,7 @@
 		</div>
 		<a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
 		{{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+		<a href="{{HelpURL}}" target="_blank">{{ctx.Locale.Tr "help"}}</a>
 		{{template "custom/extra_links_footer" .}}
 	</div>
 </footer>

templates/base/head_navbar.tmpl

@@ -35,9 +35,7 @@
 
 		{{template "custom/extra_links" .}}
 
-		{{if not .IsSigned}}
-			<a class="item" target="_blank" href="{{HelpURL}}">{{ctx.Locale.Tr "help"}}</a>
-		{{end}}
+		<a class="item" target="_blank" href="{{HelpURL}}">{{ctx.Locale.Tr "help"}}</a>
 	</div>
 
 	<!-- the full dropdown menus -->

templates/org/settings/options.tmpl

@@ -48,6 +48,16 @@
 			</div>
 			{{end}}
 
+			<div class="divider"></div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input type="checkbox" name="require_2fa" {{if .Org.Require2FA}}checked{{end}}>
+					<label>{{svg "octicon-shield-lock" 16}} Require two-factor authentication for all members</label>
+				</div>
+				<p class="help">When enabled, organization members without 2FA configured will be prompted to set it up before accessing organization resources.</p>
+			</div>
+
 			<div class="field">
 				<button class="ui primary button">{{ctx.Locale.Tr "org.settings.update_settings"}}</button>
 			</div>

templates/user/auth/signin_inner.tmpl

@@ -1,4 +1,7 @@
 <div class="ui container fluid">
+	<div class="tw-text-center tw-mb-4">
+		<img src="{{AssetUrlPrefix}}/img/login-logo.png" style="max-width: 220px; max-height: 80px; object-fit: contain;" onerror="this.style.display='none'">
+	</div>
 	{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}}
 	{{template "base/alert" .}}
 	{{end}}