feat(ci): add upstream bug sync workflow

Adds a scheduled workflow that runs daily at 08:00 UTC to automatically
detect new bug fixes merged into upstream Gitea's release/v1.26 branch
and create corresponding issues in the MokoGitea tracker.

The workflow:
- Queries GitHub Search API for recently merged fix/security PRs
- Cross-references against existing MokoGitea issues to avoid duplicates
- Creates labeled issues (type: bug, upstream, priority, security)
- Supports manual dispatch with configurable lookback period

Requires secrets: GH_TOKEN (GitHub), GITEA_TOKEN (MokoGitea)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy-mokogitea.yml

@@ -1,102 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-# BRIEF: Build and deploy MokoGitea via SSH to production server
-
-name: Deploy MokoGitea
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version tag (e.g. v05.00.00)'
-        required: true
-        default: 'latest'
-
-concurrency:
-  group: deploy-mokogitea
-  cancel-in-progress: false
-
-env:
-  REGISTRY: git.mokoconsulting.tech
-  IMAGE: mokoconsulting/mokogitea
-  DEPLOY_HOST: git.mokoconsulting.tech
-  DEPLOY_PORT: 2918
-  DEPLOY_USER: mokoconsulting
-  COMPOSE_DIR: /opt/gitea
-  SOURCE_DIR: /opt/gitea/source
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Determine version tag
-        id: version
-        run: |
-          echo "tag=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
-
-      - name: Deploy via SSH
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
-          VERSION_TAG: ${{ steps.version.outputs.tag }}
-        run: |
-          mkdir -p ~/.ssh
-          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
-          chmod 600 ~/.ssh/deploy_key
-
-          SSH_CMD="ssh -i ~/.ssh/deploy_key -p ${{ env.DEPLOY_PORT }} -o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${{ env.DEPLOY_USER }}@${{ env.DEPLOY_HOST }}"
-
-          $SSH_CMD "echo 'SSH connected'"
-
-          # Clone or update source
-          $SSH_CMD "
-            set -e
-            if [ ! -d ${{ env.SOURCE_DIR }}/.git ]; then
-              git clone https://git.mokoconsulting.tech/MokoConsulting/MokoGitea.git ${{ env.SOURCE_DIR }}
-            fi
-            cd ${{ env.SOURCE_DIR }}
-            git fetch origin main
-            git reset --hard origin/main
-          "
-
-          # Build Docker image on server (standard root layout, -p 1 for 12GB server)
-          $SSH_CMD "
-            set -e
-            cd ${{ env.SOURCE_DIR }}
-            docker build \
-              --build-arg GOFLAGS='-p 1' \
-              --tag ${{ env.REGISTRY }}/${{ env.IMAGE }}:${VERSION_TAG} \
-              --tag ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest \
-              -f Dockerfile .
-          "
-
-          # Update compose and restart
-          $SSH_CMD "
-            set -e
-            cd ${{ env.COMPOSE_DIR }}
-            sed -i 's|${{ env.IMAGE }}:[^ ]*|${{ env.IMAGE }}:${VERSION_TAG}|' docker-compose.yml
-            docker compose up -d gitea
-          "
-
-          # Health check
-          $SSH_CMD "
-            for i in 1 2 3 4 5 6 7 8; do
-              sleep 15
-              if docker inspect --format='{{.State.Health.Status}}' gitea 2>/dev/null | grep -q healthy; then
-                echo 'Gitea is healthy!'
-                exit 0
-              fi
-              echo \"Waiting... (attempt \$i/8)\"
-            done
-            echo 'Health check failed'
-            docker logs gitea --tail 20
-            exit 1
-          "
-
-      - name: Verify
-        run: |
-          sleep 5
-          curl -sf https://git.mokoconsulting.tech/api/healthz && echo " — API healthy"
-
-      - name: Notify on failure
-        if: failure()
-        run: echo "::error::Deploy failed for ${{ steps.version.outputs.tag }}"

.mokogitea/ISSUE_TEMPLATE/adr.md

@@ -0,0 +1,110 @@
+---
+name: Architecture Decision Record (ADR)
+about: Propose or document an architectural decision
+title: '[ADR] '
+labels: 'architecture, decision'
+assignees: ''
+
+---
+
+
+## ADR Number
+ADR-XXXX
+
+## Status
+- [ ] Proposed
+- [ ] Accepted
+- [ ] Deprecated
+- [ ] Superseded by ADR-XXXX
+
+## Context
+Describe the issue or problem that motivates this decision.
+
+## Decision
+State the architecture decision and provide rationale.
+
+## Consequences
+### Positive
+- List positive consequences
+
+### Negative
+- List negative consequences or trade-offs
+
+### Neutral
+- List neutral aspects
+
+## Alternatives Considered
+### Alternative 1
+- Description
+- Pros
+- Cons
+- Why not chosen
+
+### Alternative 2
+- Description
+- Pros
+- Cons
+- Why not chosen
+
+## Implementation Plan
+1. Step 1
+2. Step 2
+3. Step 3
+
+## Stakeholders
+- **Decision Makers**: @user1, @user2
+- **Consulted**: @user3, @user4
+- **Informed**: team-name
+
+## Technical Details
+### Architecture Diagram
+```
+[Add diagram or link]
+```
+
+### Dependencies
+- Dependency 1
+- Dependency 2
+
+### Impact Analysis
+- **Performance**: [Impact description]
+- **Security**: [Impact description]
+- **Scalability**: [Impact description]
+- **Maintainability**: [Impact description]
+
+## Testing Strategy
+- [ ] Unit tests
+- [ ] Integration tests
+- [ ] Performance tests
+- [ ] Security tests
+
+## Documentation
+- [ ] Architecture documentation updated
+- [ ] API documentation updated
+- [ ] Developer guide updated
+- [ ] Runbook created
+
+## Migration Path
+Describe how to migrate from current state to new architecture.
+
+## Rollback Plan
+Describe how to rollback if issues occur.
+
+## Timeline
+- **Proposal Date**:
+- **Decision Date**:
+- **Implementation Start**:
+- **Expected Completion**:
+
+## References
+- Related ADRs:
+- External resources:
+- RFCs:
+
+## Review Checklist
+- [ ] Aligns with enterprise architecture principles
+- [ ] Security implications reviewed
+- [ ] Performance implications reviewed
+- [ ] Cost implications reviewed
+- [ ] Compliance requirements met
+- [ ] Team consensus achieved

.mokogitea/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,48 @@
+---
+name: Bug Report
+about: Report a bug or issue with the project
+title: '[BUG] '
+labels: 'bug'
+assignees: ''
+
+---
+
+
+## Bug Description
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
+
+## Expected Behavior
+A clear and concise description of what you expected to happen.
+
+## Actual Behavior
+A clear and concise description of what actually happened.
+
+## Screenshots
+If applicable, add screenshots to help explain your problem.
+
+## Environment
+- **Project**: [e.g., MokoDoliTools, moko-cassiopeia]
+- **Version**: [e.g., 1.2.3]
+- **Platform**: [e.g., Dolibarr 18.0, Joomla 5.0]
+- **PHP Version**: [e.g., 8.1]
+- **Database**: [e.g., MySQL 8.0, PostgreSQL 14]
+- **Browser** (if applicable): [e.g., Chrome 120, Firefox 121]
+- **OS**: [e.g., Ubuntu 22.04, Windows 11]
+
+## Additional Context
+Add any other context about the problem here.
+
+## Possible Solution
+If you have suggestions on how to fix the issue, please describe them here.
+
+## Checklist
+- [ ] I have searched for similar issues before creating this one
+- [ ] I have provided all the requested information
+- [ ] I have tested this on the latest stable version
+- [ ] I have checked the documentation and couldn't find a solution

.mokogitea/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,18 @@
+---
+blank_issues_enabled: true
+contact_links:
+  - name: 💼 Enterprise Support
+    url: https://mokoconsulting.tech/enterprise
+    about: Enterprise-level support and consultation services
+  - name: 💬 Ask a Question
+    url: https://mokoconsulting.tech/
+    about: Get help or ask questions through our website
+  - name: 📚 MokoStandards Documentation
+    url: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+    about: View our coding standards and best practices
+  - name: 🔒 Report a Security Vulnerability
+    url: https://git.mokoconsulting.tech/mokoconsulting-tech/.github-private/security/advisories/new
+    about: Report security vulnerabilities privately (for critical issues)
+  - name: 💡 Community Discussions
+    url: https://github.com/orgs/mokoconsulting-tech/discussions
+    about: Join community discussions and Q&A

.mokogitea/ISSUE_TEMPLATE/documentation.md

@@ -0,0 +1,52 @@
+---
+name: Documentation Issue
+about: Report an issue with documentation
+title: '[DOCS] '
+labels: 'documentation'
+assignees: ''
+
+---
+
+
+## Documentation Issue
+
+**Location**: 
+<!-- Specify the file, page, or section with the issue -->
+
+## Issue Type
+<!-- Mark the relevant option with an "x" -->
+- [ ] Typo or grammar error
+- [ ] Outdated information
+- [ ] Missing documentation
+- [ ] Unclear explanation
+- [ ] Broken links
+- [ ] Missing examples
+- [ ] Other (specify below)
+
+## Description
+<!-- Clearly describe the documentation issue -->
+
+## Current Content
+<!-- Quote or describe the current documentation (if applicable) -->
+```
+Current text here
+```
+
+## Suggested Improvement
+<!-- Provide your suggestion for how to improve the documentation -->
+```
+Suggested text here
+```
+
+## Additional Context
+<!-- Add any other context, screenshots, or references -->
+
+## Standards Alignment
+- [ ] Follows MokoStandards documentation guidelines
+- [ ] Uses en_US/en_GB localization
+- [ ] Includes proper SPDX headers where applicable
+
+## Checklist
+- [ ] I have searched for similar documentation issues
+- [ ] I have provided a clear description
+- [ ] I have suggested an improvement (if applicable)

.mokogitea/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,51 @@
+---
+name: Feature Request
+about: Suggest a new feature or enhancement
+title: '[FEATURE] '
+labels: 'enhancement'
+assignees: ''
+
+---
+
+
+## Feature Description
+A clear and concise description of the feature you'd like to see.
+
+## Problem or Use Case
+Describe the problem this feature would solve or the use case it addresses.
+Ex. I'm always frustrated when [...]
+
+## Proposed Solution
+A clear and concise description of what you want to happen.
+
+## Alternative Solutions
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Benefits
+Describe how this feature would benefit users:
+- Who would use this feature?
+- What problems does it solve?
+- What value does it add?
+
+## Implementation Details (Optional)
+If you have ideas about how this could be implemented, share them here:
+- Technical approach
+- Files/components that might need changes
+- Any concerns or challenges you foresee
+
+## Additional Context
+Add any other context, mockups, or screenshots about the feature request here.
+
+## Relevant Standards
+Does this relate to any standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+- [ ] Accessibility (WCAG 2.1 AA)
+- [ ] Localization (en_US/en_GB)
+- [ ] Security best practices
+- [ ] Code quality standards
+- [ ] Other: [specify]
+
+## Checklist
+- [ ] I have searched for similar feature requests before creating this one
+- [ ] I have clearly described the use case and benefits
+- [ ] I have considered alternative solutions
+- [ ] This feature aligns with the project's goals and scope

.mokogitea/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,82 @@
+---
+name: Question
+about: Ask a question about usage, features, or best practices
+title: '[QUESTION] '
+labels: ['question']
+assignees: ['jmiller']
+---
+
+
+## Question
+
+**Your question:**
+
+
+## Context
+
+**What are you trying to accomplish?**
+
+
+**What have you already tried?**
+
+
+**Category**:
+- [ ] Script usage
+- [ ] Configuration
+- [ ] Workflow setup
+- [ ] Documentation interpretation
+- [ ] Best practices
+- [ ] Integration
+- [ ] Other: __________
+
+## Environment (if relevant)
+
+**Your setup**:
+- Operating System:
+- Version:
+
+## What You've Researched
+
+**Documentation reviewed**:
+- [ ] README.md
+- [ ] Project documentation
+- [ ] Other (specify): __________
+
+**Similar issues/questions found**:
+- #
+- #
+
+## Expected Outcome
+
+**What result are you hoping for?**
+
+
+## Code/Configuration Samples
+
+**Relevant code or configuration** (if applicable):
+
+```bash
+# Your code here
+```
+
+## Additional Context
+
+**Any other relevant information:**
+
+
+**Screenshots** (if helpful):
+
+
+## Urgency
+
+- [ ] Urgent (blocking work)
+- [ ] Normal (can work on other things meanwhile)
+- [ ] Low priority (just curious)
+
+## Checklist
+
+- [ ] I have searched existing issues and discussions
+- [ ] I have reviewed relevant documentation
+- [ ] I have provided sufficient context
+- [ ] I have included code/configuration samples if relevant
+- [ ] This is a genuine question (not a bug report or feature request)

.mokogitea/ISSUE_TEMPLATE/rfc.md

@@ -0,0 +1,126 @@
+---
+name: Request for Comments (RFC)
+about: Propose a significant change for community discussion
+title: '[RFC] '
+labels: 'rfc, discussion'
+assignees: ''
+
+---
+
+
+## RFC Summary
+One-paragraph summary of the proposal.
+
+## Motivation
+Why are we doing this? What use cases does it support? What is the expected outcome?
+
+## Detailed Design
+### Overview
+Provide a detailed explanation of the proposed change.
+
+### API Changes (if applicable)
+```php
+// Before
+function oldApi($param1) { }
+
+// After
+function newApi($param1, $param2) { }
+```
+
+### User Experience Changes
+Describe how users will interact with this change.
+
+### Implementation Approach
+High-level implementation strategy.
+
+## Drawbacks
+Why should we *not* do this?
+
+## Alternatives
+What other designs have been considered? What is the impact of not doing this?
+
+### Alternative 1
+- Description
+- Trade-offs
+
+### Alternative 2
+- Description
+- Trade-offs
+
+## Adoption Strategy
+How will existing users adopt this? Is this a breaking change?
+
+### Migration Guide
+```bash
+# Steps to migrate
+```
+
+### Deprecation Timeline
+- **Announcement**:
+- **Deprecation**:
+- **Removal**:
+
+## Unresolved Questions
+- Question 1
+- Question 2
+
+## Future Possibilities
+What future work does this enable?
+
+## Impact Assessment
+### Performance
+Expected performance impact.
+
+### Security
+Security considerations and implications.
+
+### Compatibility
+- **Backward Compatible**: [Yes / No]
+- **Breaking Changes**: [List]
+
+### Maintenance
+Long-term maintenance considerations.
+
+## Community Input
+### Stakeholders
+- [ ] Core team
+- [ ] Module developers
+- [ ] End users
+- [ ] Enterprise customers
+
+### Feedback Period
+**Duration**: [e.g., 2 weeks]
+**Deadline**: [date]
+
+## Implementation Timeline
+### Phase 1: Design
+- [ ] RFC discussion
+- [ ] Design finalization
+- [ ] Approval
+
+### Phase 2: Implementation
+- [ ] Core implementation
+- [ ] Tests
+- [ ] Documentation
+
+### Phase 3: Release
+- [ ] Beta release
+- [ ] Feedback collection
+- [ ] Stable release
+
+## Success Metrics
+How will we measure success?
+- Metric 1
+- Metric 2
+
+## References
+- Related RFCs:
+- External documentation:
+- Prior art:
+
+## Open Questions for Community
+1. Question 1?
+2. Question 2?
+
+---
+**Note**: This RFC is open for community discussion. Please provide feedback in the comments below.

.mokogitea/ISSUE_TEMPLATE/security.md

@@ -0,0 +1,51 @@
+---
+name: Security Vulnerability Report
+about: Report a security vulnerability (use only for non-critical issues)
+title: '[SECURITY] '
+labels: 'security'
+assignees: ''
+
+---
+
+
+## ⚠️ IMPORTANT: Private Disclosure Required
+
+**For critical security vulnerabilities, DO NOT use this template.**
+Follow the process in [SECURITY.md](../SECURITY.md) for responsible disclosure.
+
+Use this template only for:
+- Security improvements
+- Non-critical security suggestions
+- Security documentation updates
+
+---
+
+## Security Issue
+
+**Severity**: 
+<!-- Low, Medium, or informational only -->
+
+## Description
+<!-- Describe the security concern or improvement suggestion -->
+
+## Affected Components
+<!-- List the affected files, features, or components -->
+
+## Suggested Mitigation
+<!-- Describe how this could be addressed -->
+
+## Standards Reference
+Does this relate to security standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+- [ ] SPDX license identifiers
+- [ ] Secret management
+- [ ] Dependency security
+- [ ] Access control
+- [ ] Other: [specify]
+
+## Additional Context
+<!-- Add any other context about the security concern -->
+
+## Checklist
+- [ ] This is NOT a critical vulnerability requiring private disclosure
+- [ ] I have reviewed the SECURITY.md policy
+- [ ] I have provided sufficient detail for evaluation

.mokogitea/ISSUE_TEMPLATE/test-mokogitea.md

@@ -0,0 +1,9 @@
+---
+name: ".mokogitea Test Template"
+about: "Verify .mokogitea issue templates work"
+labels: ["test"]
+---
+
+This template was loaded from `.mokogitea/ISSUE_TEMPLATE/`.
+
+If you can see this, the `.mokogitea` dot-folder feature is working.

.mokogitea/ISSUE_TEMPLATE/version.md

@@ -0,0 +1,24 @@
+---
+name: Version Bump
+about: Request or track a version change
+title: '[VERSION] '
+labels: 'version, type: version'
+assignees: 'jmiller'
+---
+
+## Version Change
+
+**Current version**: <!-- e.g., 01.02.03 -->
+**Requested version**: <!-- e.g., 01.03.00 -->
+**Change type**: <!-- patch / minor / major -->
+
+## Reason
+
+<!-- Why is this version bump needed? -->
+
+## Checklist
+
+- [ ] README.md `VERSION:` field updated
+- [ ] CHANGELOG.md entry added
+- [ ] Module descriptor version updated (Dolibarr: `$this->version`, Joomla: `<version>`)
+- [ ] All file headers will be auto-propagated by `sync-version-on-merge` workflow

.mokogitea/workflows/deploy-mokogitea.yml

@@ -0,0 +1,134 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# BRIEF: Build MokoGitea Docker image, push to registry, and deploy
+
+name: Deploy MokoGitea
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version tag (e.g. v1.26.1-moko.2)'
+        required: true
+        default: 'latest'
+      environment:
+        description: 'Target environment'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - production
+
+concurrency:
+  group: deploy-mokogitea
+  cancel-in-progress: false
+
+env:
+  REGISTRY: git.mokoconsulting.tech
+  IMAGE: mokoconsulting/mokogitea
+  DEPLOY_HOST: git.mokoconsulting.tech
+  DEPLOY_PORT: 2918
+  DEPLOY_USER: mokoconsulting
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine settings
+        id: config
+        run: |
+          VERSION="${{ github.event.inputs.version }}"
+          ENV="${{ github.event.inputs.environment }}"
+
+          if [ "$ENV" = "production" ]; then
+            echo "compose_dir=/opt/gitea" >> $GITHUB_OUTPUT
+            echo "container=mokogitea" >> $GITHUB_OUTPUT
+            echo "source_dir=/opt/gitea/source" >> $GITHUB_OUTPUT
+            echo "branch=main" >> $GITHUB_OUTPUT
+            echo "tag=${VERSION}" >> $GITHUB_OUTPUT
+          else
+            echo "compose_dir=/opt/gitea-dev" >> $GITHUB_OUTPUT
+            echo "container=mokogitea-dev" >> $GITHUB_OUTPUT
+            echo "source_dir=/opt/gitea-dev/source" >> $GITHUB_OUTPUT
+            echo "branch=dev" >> $GITHUB_OUTPUT
+            echo "tag=${VERSION}-dev" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build, push, and deploy via SSH
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          TAG: ${{ steps.config.outputs.tag }}
+          BRANCH: ${{ steps.config.outputs.branch }}
+          SOURCE_DIR: ${{ steps.config.outputs.source_dir }}
+          COMPOSE_DIR: ${{ steps.config.outputs.compose_dir }}
+          CONTAINER: ${{ steps.config.outputs.container }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+          SSH_CMD="ssh -i ~/.ssh/deploy_key -p ${{ env.DEPLOY_PORT }} -o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${{ env.DEPLOY_USER }}@${{ env.DEPLOY_HOST }}"
+
+          $SSH_CMD "echo 'SSH connected'"
+
+          # Pull latest source
+          $SSH_CMD "
+            set -e
+            if [ ! -d ${SOURCE_DIR}/.git ]; then
+              git clone -b ${BRANCH} https://git.mokoconsulting.tech/MokoConsulting/MokoGitea.git ${SOURCE_DIR}
+            fi
+            cd ${SOURCE_DIR}
+            git fetch origin ${BRANCH}
+            git reset --hard origin/${BRANCH}
+          "
+
+          # Build Docker image
+          $SSH_CMD "
+            set -e
+            cd ${SOURCE_DIR}
+            docker build --no-cache --build-arg GOFLAGS='-p 1' \
+              --tag ${{ env.REGISTRY }}/${{ env.IMAGE }}:${TAG} \
+              --tag ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest \
+              -f Dockerfile .
+          "
+
+          # Push to container registry
+          $SSH_CMD "
+            set -e
+            docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${TAG}
+            docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
+          "
+
+          # Update compose and restart
+          $SSH_CMD "
+            set -e
+            cd ${COMPOSE_DIR}
+            sed -i 's|${{ env.IMAGE }}:[^ ]*|${{ env.IMAGE }}:${TAG}|' docker-compose.yml
+            docker compose up -d ${CONTAINER}
+          "
+
+          # Health check
+          $SSH_CMD "
+            for i in 1 2 3 4 5 6 7 8; do
+              sleep 15
+              if docker inspect --format='{{.State.Health.Status}}' ${CONTAINER} 2>/dev/null | grep -q healthy; then
+                echo 'Container healthy!'
+                docker inspect --format='Image: {{.Config.Image}}' ${CONTAINER}
+                exit 0
+              fi
+              echo \"Waiting... (attempt \$i/8)\"
+            done
+            echo 'Health check failed'
+            docker logs ${CONTAINER} --tail 20
+            exit 1
+          "
+
+      - name: Verify
+        run: |
+          sleep 5
+          curl -sf https://${{ env.DEPLOY_HOST }}/api/healthz && echo " — API healthy"
+
+      - name: Notify on failure
+        if: failure()
+        run: echo "::error::Deploy failed for ${{ steps.config.outputs.tag }}"

.mokogitea/workflows/test-mokogitea.yml

@@ -0,0 +1,12 @@
+# Test workflow to verify .mokogitea/ directory is discovered
+name: Test .mokogitea workflows
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify .mokogitea
+        run: echo "This workflow ran from .mokogitea/workflows/ — feature works!"

.mokogitea/workflows/upstream-bug-sync.yml

@@ -0,0 +1,167 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# BRIEF: Sync upstream Gitea bug fixes into MokoGitea issue tracker
+
+name: Upstream Bug Sync
+
+on:
+  schedule:
+    - cron: '0 8 * * *'  # daily at 08:00 UTC
+  workflow_dispatch:
+    inputs:
+      days_back:
+        description: 'How many days back to scan (default: 7)'
+        required: false
+        default: '7'
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Sync upstream bugs
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          MOKOGITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          MOKOGITEA_URL: https://git.mokoconsulting.tech
+          MOKOGITEA_REPO: MokoConsulting/MokoGitea
+          UPSTREAM_BRANCH: release/v1.26
+          DAYS_BACK: ${{ github.event.inputs.days_back || '7' }}
+        run: |
+          python3 << 'PYEOF'
+          import json, os, re, sys, urllib.parse, urllib.request
+          from datetime import datetime, timedelta, timezone
+
+          GH_TOKEN = os.environ["GH_TOKEN"]
+          MOKO_TOKEN = os.environ["MOKOGITEA_TOKEN"]
+          MOKO_URL = os.environ["MOKOGITEA_URL"]
+          MOKO_REPO = os.environ["MOKOGITEA_REPO"]
+          BRANCH = os.environ["UPSTREAM_BRANCH"]
+          DAYS = int(os.environ.get("DAYS_BACK", "7"))
+
+          # Label IDs in MokoGitea
+          LABELS = {
+              "type_bug": 5757, "upstream": 5758, "security": 5032,
+              "critical": 5018, "high": 5019, "medium": 5020, "low": 5021,
+          }
+
+          def gh_get(url):
+              req = urllib.request.Request(url, headers={
+                  "Authorization": f"token {GH_TOKEN}",
+                  "Accept": "application/vnd.github.v3+json",
+              })
+              with urllib.request.urlopen(req) as r:
+                  return json.loads(r.read())
+
+          def moko_get(path):
+              req = urllib.request.Request(f"{MOKO_URL}/api/v1/{path}", headers={
+                  "Authorization": f"token {MOKO_TOKEN}",
+              })
+              with urllib.request.urlopen(req) as r:
+                  return json.loads(r.read())
+
+          def moko_post(path, data):
+              payload = json.dumps(data).encode()
+              req = urllib.request.Request(f"{MOKO_URL}/api/v1/{path}",
+                  data=payload, method="POST", headers={
+                      "Authorization": f"token {MOKO_TOKEN}",
+                      "Content-Type": "application/json",
+                  })
+              with urllib.request.urlopen(req) as r:
+                  return json.loads(r.read())
+
+          # ── Step 1: Find recently merged upstream PRs ──
+          since = (datetime.now(timezone.utc) - timedelta(days=DAYS)).strftime("%Y-%m-%dT%H:%M:%SZ")
+          query = f"repo:go-gitea/gitea is:pr is:merged base:{BRANCH} merged:>={since}"
+          encoded = urllib.parse.quote(query)
+          print(f"Scanning: {query}")
+
+          result = gh_get(f"https://api.github.com/search/issues?q={encoded}&per_page=100&sort=updated&order=desc")
+          total = result["total_count"]
+          print(f"Found {total} merged PRs in the last {DAYS} days")
+
+          if total == 0:
+              print("Nothing to sync.")
+              sys.exit(0)
+
+          # ── Step 2: Filter for bug/security fixes ──
+          bugs = []
+          for pr in result["items"]:
+              title = pr["title"]
+              label_names = [l["name"].lower() for l in pr.get("labels", [])]
+              is_fix = title.lower().startswith("fix")
+              is_security = any("security" in l for l in label_names) or "[security]" in title.lower()
+              is_bug = any("bug" in l for l in label_names)
+
+              if not (is_fix or is_security or is_bug):
+                  continue
+
+              refs = re.findall(r"#(\d+)", title)
+              severity = "critical" if is_security and "[security]" in title.lower() else \
+                         "high" if is_security else "medium"
+
+              bugs.append({
+                  "number": pr["number"], "title": title, "url": pr["html_url"],
+                  "severity": severity, "is_security": is_security, "refs": refs,
+                  "merged": pr.get("pull_request", {}).get("merged_at", "")[:10],
+              })
+
+          print(f"Filtered to {len(bugs)} bug/security fixes")
+          if not bugs:
+              sys.exit(0)
+
+          # ── Step 3: Collect already-tracked PR numbers ──
+          tracked = set()
+          for state in ["open", "closed"]:
+              try:
+                  issues = moko_get(f"repos/{MOKO_REPO}/issues?state={state}&type=issues&limit=50&labels=upstream")
+                  for iss in issues:
+                      text = (iss.get("body") or "") + " " + (iss.get("title") or "")
+                      tracked.update(re.findall(r"(?:#|/pull/)(\d{4,})", text))
+              except Exception:
+                  pass
+
+          print(f"Already tracked: {len(tracked)} upstream PRs")
+
+          # ── Step 4: Create issues for new bugs ──
+          created = skipped = errors = 0
+          for bug in bugs:
+              if any(r in tracked for r in bug["refs"]):
+                  print(f"  SKIP #{bug['number']}: {bug['title'][:55]} (tracked)")
+                  skipped += 1
+                  continue
+
+              labels = [LABELS["type_bug"], LABELS["upstream"], LABELS[bug["severity"]]]
+              if bug["is_security"]:
+                  labels.append(LABELS["security"])
+
+              body = (
+                  f"## Summary\n\n"
+                  f"Upstream bug fix merged into `{BRANCH}`.\n\n"
+                  f"## Upstream Reference\n\n"
+                  f"- PR: {bug['url']}\n"
+                  f"- Merged: {bug['merged']}\n"
+                  f"- Branch: {BRANCH}\n\n"
+                  f"## Severity: {bug['severity'].title()}"
+                  f"{'  (security)' if bug['is_security'] else ''}\n\n"
+                  f"## Action\n\n"
+                  f"Cherry-pick from upstream `{BRANCH}` branch.\n\n"
+                  f"---\n"
+                  f"*Auto-created by upstream-bug-sync workflow*\n"
+                  f"*Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*"
+              )
+
+              try:
+                  iss = moko_post(f"repos/{MOKO_REPO}/issues", {
+                      "title": bug["title"], "body": body, "labels": labels,
+                  })
+                  print(f"  CREATED #{iss['number']}: {bug['title'][:55]}")
+                  created += 1
+              except Exception as e:
+                  print(f"  ERROR #{bug['number']}: {e}")
+                  errors += 1
+
+          print(f"\n=== Done: {created} created, {skipped} skipped, {errors} errors ===")
+          PYEOF

CHANGELOG.md

@@ -4,6 +4,22 @@ This changelog goes through the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).
 
+## [MokoGitea Unreleased]
+
+* FEATURES
+  * feat(api): Bulk issue operations — add/remove/replace labels, close/reopen, set milestone, and set assignees across multiple issues in a single request (#21)
+    * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/labels`
+    * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/state`
+    * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/milestone`
+    * `POST /api/v1/repos/{owner}/{repo}/issues/bulk/assignees`
+    * Partial-failure support: returns per-issue success/failure map
+* INFRASTRUCTURE
+  * Grafana: Standardized kiosk header across all 14 playlist dashboards — each now shows dashboard name, kiosk link, terminal/exit/switch instructions
+* PROCESS
+  * Reopened 9 closed issues lacking documented testing proof (#3, #5, #38, #41, #70, #74, #75, #76, #78)
+  * Created `pending: testing` label for features awaiting verification
+  * Established policy: issues must not be closed without documented testing proof
+
 ## [1.26.1](https://github.com/go-gitea/gitea/releases/tag/v1.26.1) - 2026-04-21
 
 * BUGFIXES

docs/community-governance.md

@@ -1,198 +0,0 @@
-# Community governance and review process
-
-This document describes maintainer expectations, project governance, and the detailed pull request review workflow (labels, merge queue, commit message format for mergers). For what contributors should do when opening and updating a PR, see [CONTRIBUTING.md](../CONTRIBUTING.md).
-
-## Code review
-
-### Milestone
-
-A PR should only be assigned to a milestone if it will likely be merged into the given version. \
-PRs without a milestone may not be merged.
-
-### Labels
-
-Almost all labels used inside Gitea can be classified as one of the following:
-
-- `modifies/…`: Determines which parts of the codebase are affected. These labels will be set through the CI.
-- `topic/…`:  Determines the conceptual component of Gitea that is affected, i.e. issues, projects, or authentication. At best, PRs should only target one component but there might be overlap. Must be set manually.
-- `type/…`: Determines the type of an issue or PR (feature, refactoring, docs, bug, …). If GitHub supported scoped labels, these labels would be exclusive, so you should set **exactly** one, not more or less (every PR should fall into one of the provided categories, and only one).
-- `issue/…` / `lgtm/…`: Labels that are specific to issues or PRs respectively and that are only necessary in a given context, i.e. `issue/not-a-bug` or `lgtm/need 2`
-
-Every PR should be labeled correctly with every label that applies.
-
-There are also some labels that will be managed automatically.\
-In particular, these are
-
-- the amount of pending required approvals
-- has all `backport`s or needs a manual backport
-
-### Reviewing PRs
-
-Maintainers are encouraged to review pull requests in areas where they have expertise or particular interest.
-
-#### For reviewers
-
-- **Verification**: Verify that the PR accurately reflects the changes, and verify that the tests and documentation are complete and aligned with the implementation.
-- **Actionable feedback**: Say what should change and why, and distinguish required changes from optional suggestions.
-- **Feedback**: Focus feedback on the issue itself and avoid comments about the contributor's abilities.
-- **Request changes**: If you request changes (i.e., block a PR), give a clear rationale and, whenever possible, a concrete path to resolution.
-- **Approval**: Only approve a PR when you are fully satisfied with its current state - "rubber-stamp" approvals need to be highlighted as such.
-
-### Getting PRs merged
-
-Changes to Gitea must be reviewed before they are accepted, including changes from owners and maintainers. The exception is critical bugs that prevent Gitea from compiling or starting.
-
-We require two maintainer approvals for every PR. When that is satisfied, your PR gets the `lgtm/done` label. After that, you mainly fix merge conflicts and respond to or implement maintainer requests; maintainers drive getting the PR merged.
-
-If a PR has `lgtm/done`, no open discussions, and no merge conflicts, any maintainer may add `reviewed/wait-merge`. That puts the PR in the merge queue. PRs are merged from the queue in the order of this list:
-
-<https://github.com/go-gitea/gitea/pulls?q=is%3Apr+label%3Areviewed%2Fwait-merge+sort%3Acreated-asc+is%3Aopen>
-
-Gitea uses its own tool, <https://github.com/GiteaBot/gitea-backporter>, to automate parts of the review process. The backporter:
-
-- Creates a backport PR when needed after the initial PR merges.
-- Removes the PR from the merge queue after it merges.
-- Keeps the oldest branch in the merge queue up to date with merges.
-
-### Final call
-
-If a PR has been ignored for more than 7 days with no comments or reviews, and the author or any maintainer believes it will not survive a long wait (such as a refactoring PR), they can send "final call" to the TOC by mentioning them in a comment.
-
-After another 7 days, if there is still zero approval, this is considered a polite refusal, and the PR will be closed to avoid wasting further time. Therefore, the "final call" has a cost, and should be used cautiously.
-
-However, if there are no objections from maintainers, the PR can be merged with only one approval from the TOC (not the author).
-
-### Commit messages
-
-Mergers are required to rewrite the PR title and the first comment (the summary) when necessary so the squash commit message is clear.
-
-The final commit message should not hedge: replace phrases like `hopefully, <x> won't happen anymore` with definite wording.
-
-#### PR Co-authors
-
-A person counts as a PR co-author once they (co-)authored a commit that is not simply a `Merge base branch into branch` commit. Mergers must remove such false-positive co-authors when writing the squash message. Every true co-author must remain in the commit message.
-
-#### PRs targeting `main`
-
-The commit message of PRs targeting `main` is always
-
-```bash
-$PR_TITLE ($PR_INDEX)
-
-$REWRITTEN_PR_SUMMARY
-```
-
-#### Backport PRs
-
-The commit message of backport PRs is always
-
-```bash
-$PR_TITLE ($INITIAL_PR_INDEX) ($BACKPORT_PR_INDEX)
-
-$REWRITTEN_PR_SUMMARY
-```
-
-## Maintainers
-
-We list [maintainers](../MAINTAINERS) so every PR gets proper review.
-
-#### Review expectations
-
-Every PR **must** be reviewed by at least two maintainers (or owners) before merge. **Exception:** after one week, refactoring PRs and documentation-only PRs need only one maintainer approval.
-
-Maintainers are expected to spend time on code reviews.
-
-#### Becoming a maintainer
-
-A maintainer should already be a Gitea contributor with at least four merged PRs. To apply, use the [Discord](https://discord.gg/Gitea) `#develop` channel. Maintainer teams may also invite contributors.
-
-#### Stepping down, advisors, and inactivity
-
-If you cannot keep reviewing, apply to leave the maintainers team. You can join the [advisors team](https://github.com/orgs/go-gitea/teams/advisors); advisors who want to review again are welcome back as maintainers.
-
-If a maintainer is inactive for more than three months and has not left the team, owners may move them to the advisors team.
-
-#### Account security
-
-For security, maintainers should enable 2FA and sign commits with GPG when possible:
-
-- [Two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)
-- [Signing commits with GPG](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
-
-Any account with write access (including bots and TOC members) **must** use [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication).
-
-## Technical Oversight Committee (TOC)
-
-At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions are elected as it has been over the past years, and the other three consist of appointed members from the Gitea company.
-https://blog.gitea.com/quarterly-23q1/
-
-### TOC election process
-
-Any maintainer is eligible to be part of the community TOC if they are not associated with the Gitea company.
-A maintainer can either nominate themselves, or can be nominated by other maintainers to be a candidate for the TOC election.
-If you are nominated by someone else, you must first accept your nomination before the vote starts to be a candidate.
-
-The TOC is elected for one year, the TOC election happens yearly.
-After the announcement of the results of the TOC election, elected members have two weeks time to confirm or refuse the seat.
-If an elected member does not answer within this timeframe, they are automatically assumed to refuse the seat.
-Refusals result in the person with the next highest vote getting the same choice.
-As long as seats are empty in the TOC, members of the previous TOC can fill them until an elected member accepts the seat.
-
-If an elected member that accepts the seat does not have 2FA configured yet, they will be temporarily counted as `answer pending` until they manage to configure 2FA, thus leaving their seat empty for this duration.
-
-### Current TOC members
-
-- 2024-01-01 ~ 2024-12-31
-  - Company
-    - [Jason Song](https://gitea.com/wolfogre) <i@wolfogre.com>
-    - [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.com>
-  - Community
-    - [6543](https://gitea.com/6543) <6543@obermui.de>
-    - [delvh](https://gitea.com/delvh) <dev.lh@web.de>
-    - [John Olheiser](https://gitea.com/jolheiser) <john.olheiser@gmail.com>
-
-### Previous TOC/owners members
-
-Here's the history of the owners and the time they served:
-
-- [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [Kim Carlbäcker](https://github.com/bkcsoft) - 2016, 2017
-- [Thomas Boerger](https://gitea.com/tboerger) - 2016, 2017
-- [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) - [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801)
-- [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
-- [6543](https://gitea.com/6543) - 2023
-- [John Olheiser](https://gitea.com/jolheiser) - 2023
-- [Jason Song](https://gitea.com/wolfogre) - 2023
-
-## Governance Compensation
-
-Each member of the community elected TOC will be granted $500 each month as compensation for their work.
-
-Furthermore, any community release manager for a specific release or LTS will be compensated $500 for the delivery of said release.
-
-These funds will come from community sources like the OpenCollective rather than directly from the company.
-Only non-company members are eligible for this compensation, and if a member of the community TOC takes the responsibility of release manager, they would only be compensated for their TOC duties.
-Gitea Ltd employees are not eligible to receive any funds from the OpenCollective unless it is reimbursement for a purchase made for the Gitea project itself.
-
-## TOC & Working groups
-
-With Gitea covering many projects outside of the main repository, several groups will be created to help focus on specific areas instead of requiring maintainers to be a jack-of-all-trades. Maintainers are of course more than welcome to be part of multiple groups should they wish to contribute in multiple places.
-
-The currently proposed groups are:
-
-- **Core Group**: maintain the primary Gitea repository
-- **Integration Group**: maintain the Gitea ecosystem's related tools, including go-sdk/tea/changelog/bots etc.
-- **Documentation Group**: maintain related documents and repositories
-- **Translation Group**: coordinate with translators and maintain translations
-- **Security Group**: managed by TOC directly, members are decided by TOC, maintains security patches/responsible for security items
-
-## Roadmap
-
-Each year a roadmap will be discussed with the entire Gitea maintainers team, and feedback will be solicited from various stakeholders.
-TOC members need to review the roadmap every year and work together on the direction of the project.
-
-When a vote is required for a proposal or other change, the vote of community elected TOC members count slightly more than the vote of company elected TOC members. With this approach, we both avoid ties and ensure that changes align with the mission statement and community opinion.
-
-You can visit our roadmap on the wiki.

docs/guideline-backend.md

@@ -1,58 +0,0 @@
-# Backend development
-
-This document covers backend-specific contribution expectations. For general contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
-
-For coding style and architecture, see also the [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend) on the documentation site.
-
-## Dependencies
-
-Go dependencies are managed using [Go Modules](https://go.dev/cmd/go/#hdr-Module_maintenance). \
-You can find more details in the [go mod documentation](https://go.dev/ref/mod) and the [Go Modules Wiki](https://github.com/golang/go/wiki/Modules).
-
-Pull requests should only modify `go.mod` and `go.sum` where it is related to your change, be it a bugfix or a new feature. \
-Apart from that, these files should only be modified by Pull Requests whose only purpose is to update dependencies.
-
-The `go.mod`, `go.sum` update needs to be justified as part of the PR description,
-and must be verified by the reviewers and/or merger to always reference
-an existing upstream commit.
-
-## API v1
-
-The API is documented by [swagger](https://gitea.com/api/swagger) and is based on [the GitHub API](https://docs.github.com/en/rest).
-
-### GitHub API compatibility
-
-Gitea's API should use the same endpoints and fields as the GitHub API as far as possible, unless there are good reasons to deviate. \
-If Gitea provides functionality that GitHub does not, a new endpoint can be created. \
-If information is provided by Gitea that is not provided by the GitHub API, a new field can be used that doesn't collide with any GitHub fields. \
-Updating an existing API should not remove existing fields unless there is a really good reason to do so. \
-The same applies to status responses. If you notice a problem, feel free to leave a comment in the code for future refactoring to API v2 (which is currently not planned).
-
-### Adding/Maintaining API routes
-
-All expected results (errors, success, fail messages) must be documented ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)). \
-All JSON input types must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91)) \
-and referenced in [routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go). \
-They can then be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318). \
-All JSON responses must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68)) \
-and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16)) \
-They can be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279).
-
-### When to use what HTTP method
-
-In general, HTTP methods are chosen as follows:
-
-- **GET** endpoints return the requested object(s) and status **OK (200)**
-- **DELETE** endpoints return the status **No Content (204)** and no content either
-- **POST** endpoints are used to **create** new objects (e.g. a User) and return the status **Created (201)** and the created object
-- **PUT** endpoints are used to **add/assign** existing Objects (e.g. a user to a team) and return the status **No Content (204)** and no content either
-- **PATCH** endpoints are used to **edit/change** an existing object and return the changed object and the status **OK (200)**
-
-### Requirements for API routes
-
-All parameters of endpoints changing/editing an object must be optional (except the ones to identify the object, which are required).
-
-Endpoints returning lists must
-
-- support pagination (`page` & `limit` options in query)
-- set `X-Total-Count` header via **SetTotalCountHeader** ([example](https://github.com/go-gitea/gitea/blob/7aae98cc5d4113f1e9918b7ee7dd09f67c189e3e/routers/api/v1/repo/issue.go#L444))

docs/guideline-frontend.md

@@ -1,17 +0,0 @@
-# Frontend development
-
-This document covers frontend-specific contribution expectations. For general contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
-
-## Dependencies
-
-For the frontend, we use [npm](https://www.npmjs.com/).
-
-The same restrictions apply for frontend dependencies as for [backend dependencies](guideline-backend.md#dependencies), with the exceptions that the files for it are `package.json` and `package-lock.json`, and that new versions must always reference an existing version.
-
-## Design guideline
-
-Depending on your change, please read the
-
-- [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend)
-- [frontend development guideline](https://docs.gitea.com/contributing/guidelines-frontend)
-- [refactoring guideline](https://docs.gitea.com/contributing/guidelines-refactoring)

docs/release-management.md

@@ -1,115 +0,0 @@
-# Release management
-
-This document describes the release cycle, backports, versioning, and the release manager checklist. For everyday contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
-
-## Backports and Frontports
-
-### What is backported?
-
-We backport PRs given the following circumstances:
-
-1. Feature freeze is active, but `<version>-rc0` has not been released yet. Here, we backport as much as possible. <!-- TODO: Is that our definition with the new backport bot? -->
-2. `rc0` has been released. Here, we only backport bug- and security-fixes, and small enhancements. Large PRs such as refactors are not backported anymore. <!-- TODO: Is that our definition with the new backport bot? -->
-3. We never backport new features.
-4. We never backport breaking changes except when
-    1. The breaking change has no effect on the vast majority of users
-    2. The component triggering the breaking change is marked as experimental
-
-### How to backport?
-
-In the past, it was necessary to manually backport your PRs. \
-Now, that's not a requirement anymore as our [backport bot](https://github.com/GiteaBot) tries to create backports automatically once the PR is merged when the PR
-
-- does not have the label `backport/manual`
-- has the label `backport/<version>`
-
-The `backport/manual` label signifies either that you want to backport the change yourself, or that there were conflicts when backporting, thus you **must** do it yourself.
-
-### Format of backport PRs
-
-The title of backport PRs should be
-
-```
-<original PR title> (#<original pr number>)
-```
-
-The first two lines of the summary of the backporting PR should be
-
-```
-Backport #<original pr number>
-
-```
-
-with the rest of the summary and labels matching the original PR.
-
-### Frontports
-
-Frontports behave exactly as described above for backports.
-
-## Release Cycle
-
-We use a release schedule so work, stabilization, and releases stay predictable.
-
-### Cadence
-
-- Aim for a major release about every three or four months.
-- Roughly two or three months of general development, then about one month of testing and polish called the **release freeze**.
-- *Starting with v1.26 the release cycle will be more predictable and follow a more regular schedule.*
-
-### Release schedule
-
-We will try to publish a new major version every three months:
-
-- v1.26.0 in April 2026
-- v1.27.0 in June 2026
-- v1.28.0 in September 2026
-- v1.29.0 in December 2026
-
-#### How is the release handled?
-- The release manager will tag the release candidate (e.g. `v1.26.0-rc0`) and publish it for testing in the **first week of the release month**.
-- If there are no major issues, the release manager will check with the other maintainers and then tag the final release (e.g. `v1.26.0`) in the **one or two weeks following the release candidate**.
-
-### Feature freeze
-
-- Merge feature PRs before the freeze when you can.
-- Feature PRs still open at the freeze move to the next milestone. Watch Discord for the freeze announcement.
-- During the freeze, a **release branch** takes fixes backported from `main`. Release candidates ship for testing; the final release for that line is maintained from that branch.
-
-### Patch releases
-
-During a cycle we may ship patch releases for an older line. For example, if the latest release is v1.2, we can still publish v1.1.1 after v1.1.0.
-
-### End of life (EOL)
-
-We support per standard the last major release. For example, if the latest release is v1.26, we support v1.26 and v1.25, but not v1.24 anymore. We will only publish security fixes for the last major release, so if you are using an older release, please upgrade to a supported release as soon as possible.
-Also we always try to support the latest on main branch, so if you are using the latest on main, you should be fine.
-
-## Versions
-
-Gitea has the `main` branch as a tip branch and has version branches
-such as `release/v1.19`. `release/v1.19` is a release branch and we will
-tag `v1.19.0` for binary download. If `v1.19.0` has bugs, we will accept
-pull requests on the `release/v1.19` branch and publish a `v1.19.1` tag,
-after bringing the bug fix also to the main branch.
-
-Since the `main` branch is a tip version, if you wish to use Gitea
-in production, please download the latest release tag version. All the
-branches will be protected via GitHub, all the PRs to every branch must
-be reviewed by two maintainers and must pass the automatic tests.
-
-## Releasing Gitea
-
-- Let MAJOR, MINOR and PATCH be Major, Minor and Patch version numbers, PATCH should be rc1, rc2, 0, 1, ...... MAJOR.MINOR will be kept the same as milestones on github or gitea in future.
-- Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody is against it in about several hours.
-- If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
-  - Create `-dev` tag as `git tag -s -F release.notes vMAJOR.MINOR.0-dev` and push the tag as `git push origin vMAJOR.MINOR.0-dev`.
-  - When CI has finished building tag then you have to create a new branch named `release/vMAJOR.MINOR`
-- If it is bugfix version create PR for changelog on branch `release/vMAJOR.MINOR` and wait till it is reviewed and merged.
-- Add a tag as `git tag -s -F release.notes vMAJOR.MINOR.PATCH`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`.
-- And then push the tag as `git push origin vMAJOR.MINOR.$`. CI will automatically create a release and upload all the compiled binary. (But currently it doesn't add the release notes automatically. Maybe we should fix that.)
-- If needed send a frontport PR for the changelog to branch `main` and update the version in `docs/config.yaml` to refer to the new version.
-- Send PR to [blog repository](https://gitea.com/gitea/blog) announcing the release.
-- Verify all release assets were correctly published through CI on dl.gitea.com and GitHub releases. Once ACKed:
-  - bump the version of https://dl.gitea.com/gitea/version.json
-  - merge the blog post PR
-  - announce the release in discord `#announcements`

models/activities/statistic.go

@@ -6,6 +6,7 @@ package activities
 import (
 	"context"
 
+	actions_model "code.gitea.io/gitea/models/actions"
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
@@ -18,6 +19,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 )
@@ -37,6 +39,11 @@ type Statistic struct {
 		Branches, Tags, CommitStatus int64
 		IssueByLabel      []IssueByLabelCount
 		IssueByRepository []IssueByRepositoryCount
+
+		// MokoGitea extended metrics
+		ActiveUsers30d     int64
+		ActionsQueueLength int64
+		ActionsRunningJobs int64
 	}
 }
 
@@ -131,5 +138,19 @@ func GetStatistic(ctx context.Context) (stats Statistic) {
 	stats.Counter.Attachment, _ = e.Count(new(repo_model.Attachment))
 	stats.Counter.Project, _ = e.Count(new(project_model.Project))
 	stats.Counter.ProjectColumn, _ = e.Count(new(project_model.Column))
+
+	// MokoGitea extended metrics
+	// Active users in last 30 days (users who performed any action)
+	stats.Counter.ActiveUsers30d, _ = e.Where("last_login_unix > ?",
+		timeutil.TimeStampNow()-30*24*60*60).Count(new(user_model.User))
+
+	// Actions queue and running jobs (if actions enabled)
+	if setting.Actions.Enabled {
+		stats.Counter.ActionsQueueLength, _ = e.Where("status = ?", 1). // StatusWaiting
+										Count(new(actions_model.ActionRunJob))
+		stats.Counter.ActionsRunningJobs, _ = e.Where("status = ?", 2). // StatusRunning
+										Count(new(actions_model.ActionRunJob))
+	}
+
 	return stats
 }

models/asymkey/ssh_key_principals.go

@@ -40,7 +40,7 @@ func CheckPrincipalKeyString(ctx context.Context, user *user_model.User, content
 				if !email.IsActivated {
 					continue
 				}
-				if content == email.Email {
+				if strings.EqualFold(content, email.LowerEmail) {
 					return content, nil
 				}
 			}

modules/badge/presets.go

@@ -0,0 +1,123 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package badge
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/models/db"
+	git_model "code.gitea.io/gitea/models/git"
+	repo_model "code.gitea.io/gitea/models/repo"
+)
+
+// Preset colors for repo badges
+const (
+	ColorGreen  = "#4c1"
+	ColorYellow = "#dfb317"
+	ColorRed    = "#e05d44"
+	ColorGrey   = "#9f9f9f"
+	ColorBlue   = "#007ec6"
+)
+
+// GenerateRepoBadge creates a badge for the given repo and badge type.
+func GenerateRepoBadge(ctx context.Context, repo *repo_model.Repository, badgeType string) Badge {
+	switch strings.ToLower(badgeType) {
+	case "version":
+		return versionBadge(ctx, repo)
+	case "build":
+		return buildBadge(ctx, repo)
+	case "license":
+		return licenseBadge(ctx, repo)
+	case "health":
+		return healthBadge(ctx, repo)
+	default:
+		return GenerateBadge("badge", "unknown", ColorGrey)
+	}
+}
+
+func versionBadge(ctx context.Context, repo *repo_model.Repository) Badge {
+	release, err := repo_model.GetLatestReleaseByRepoID(ctx, repo.ID)
+	if err != nil || release == nil {
+		return GenerateBadge("version", "none", ColorGrey)
+	}
+	return GenerateBadge("version", release.TagName, ColorBlue)
+}
+
+func buildBadge(ctx context.Context, repo *repo_model.Repository) Badge {
+	status, err := git_model.GetLatestCommitStatus(ctx, repo.ID, repo.DefaultBranch, db.ListOptions{PageSize: 1})
+	if err != nil || len(status) == 0 {
+		return GenerateBadge("build", "unknown", ColorGrey)
+	}
+
+	switch status[0].State.String() {
+	case "success":
+		return GenerateBadge("build", "passing", ColorGreen)
+	case "failure", "error":
+		return GenerateBadge("build", "failing", ColorRed)
+	case "pending":
+		return GenerateBadge("build", "pending", ColorYellow)
+	default:
+		return GenerateBadge("build", status[0].State.String(), ColorGrey)
+	}
+}
+
+func licenseBadge(ctx context.Context, repo *repo_model.Repository) Badge {
+	licenses, err := repo_model.GetRepoLicenses(ctx, repo)
+	if err != nil || len(licenses) == 0 {
+		return GenerateBadge("license", "none", ColorGrey)
+	}
+	return GenerateBadge("license", licenses.StringList()[0], ColorBlue)
+}
+
+func healthBadge(ctx context.Context, repo *repo_model.Repository) Badge {
+	score := 0
+	licenses, _ := repo_model.GetRepoLicenses(ctx, repo)
+	if len(licenses) > 0 {
+		score++
+	}
+	if repo.Description != "" {
+		score++
+	}
+	if len(repo.Topics) > 0 {
+		score++
+	}
+
+	switch {
+	case score >= 3:
+		return GenerateBadge("health", "healthy", ColorGreen)
+	case score >= 2:
+		return GenerateBadge("health", "fair", ColorYellow)
+	default:
+		return GenerateBadge("health", "needs work", ColorRed)
+	}
+}
+
+// FormatRepoBadgeSVG returns the badge as SVG HTML for the given repo badge type.
+func FormatRepoBadgeSVG(ctx context.Context, repo *repo_model.Repository, badgeType, style string) (string, error) {
+	b := GenerateRepoBadge(ctx, repo, badgeType)
+	switch style {
+	case "flat-square":
+		return b.RenderFlatSquare(), nil
+	default:
+		return b.RenderFlat(), nil
+	}
+}
+
+// RenderFlat returns the badge as flat-style SVG.
+func (b Badge) RenderFlat() string {
+	return fmt.Sprintf(`<svg xmlns="http://www.w3.org/2000/svg" width="%d" height="20">
+<rect width="%d" height="20" fill="#555"/><rect x="%d" width="%d" height="20" fill="%s"/>
+<g fill="#fff" text-anchor="middle" font-family="Verdana,sans-serif" font-size="11">
+<text x="%d" y="14">%s</text><text x="%d" y="14">%s</text>
+</g></svg>`,
+		b.Label.Width()+b.Message.Width(), b.Label.Width(), b.Label.Width(), b.Message.Width(), b.Color,
+		b.Label.X(), b.Label.Text(), b.Message.X(), b.Message.Text())
+}
+
+// RenderFlatSquare returns the badge as flat-square-style SVG.
+func (b Badge) RenderFlatSquare() string {
+	return b.RenderFlat() // same for now
+}

modules/metrics/collector.go

@@ -46,6 +46,11 @@ type Collector struct {
 	Users              *prometheus.Desc
 	Watches            *prometheus.Desc
 	Webhooks           *prometheus.Desc
+
+	// MokoGitea extended metrics
+	ActiveUsers30d     *prometheus.Desc
+	ActionsQueueLength *prometheus.Desc
+	ActionsRunningJobs *prometheus.Desc
 }
 
 // NewCollector returns a new Collector with all prometheus.Desc initialized
@@ -196,6 +201,21 @@ func NewCollector() Collector {
 			"Number of Webhooks",
 			nil, nil,
 		),
+		ActiveUsers30d: prometheus.NewDesc(
+			namespace+"active_users_30d",
+			"Number of active users in the last 30 days",
+			nil, nil,
+		),
+		ActionsQueueLength: prometheus.NewDesc(
+			namespace+"actions_queue_length",
+			"Number of actions jobs waiting to run",
+			nil, nil,
+		),
+		ActionsRunningJobs: prometheus.NewDesc(
+			namespace+"actions_running_jobs",
+			"Number of actions jobs currently running",
+			nil, nil,
+		),
 	}
 }
 
@@ -229,6 +249,9 @@ func (c Collector) Describe(ch chan<- *prometheus.Desc) {
 	ch <- c.Users
 	ch <- c.Watches
 	ch <- c.Webhooks
+	ch <- c.ActiveUsers30d
+	ch <- c.ActionsQueueLength
+	ch <- c.ActionsRunningJobs
 }
 
 // Collect returns the metrics with values
@@ -392,4 +415,21 @@ func (c Collector) Collect(ch chan<- prometheus.Metric) {
 		prometheus.GaugeValue,
 		float64(stats.Counter.Webhook),
 	)
+
+	// MokoGitea extended metrics
+	ch <- prometheus.MustNewConstMetric(
+		c.ActiveUsers30d,
+		prometheus.GaugeValue,
+		float64(stats.Counter.ActiveUsers30d),
+	)
+	ch <- prometheus.MustNewConstMetric(
+		c.ActionsQueueLength,
+		prometheus.GaugeValue,
+		float64(stats.Counter.ActionsQueueLength),
+	)
+	ch <- prometheus.MustNewConstMetric(
+		c.ActionsRunningJobs,
+		prometheus.GaugeValue,
+		float64(stats.Counter.ActionsRunningJobs),
+	)
 }

modules/setting/incoming_email.go

@@ -12,10 +12,11 @@ import (
 	"code.gitea.io/gitea/modules/log"
 )
 
+const IncomingEmailTokenPlaceholder = "%{token}"
+
 var IncomingEmail = struct {
 	Enabled              bool
 	ReplyToAddress       string
-	TokenPlaceholder     string `ini:"-"`
 	Host                 string
 	Port                 int
 	UseTLS               bool `ini:"USE_TLS"`
@@ -28,7 +29,6 @@ var IncomingEmail = struct {
 }{
 	Mailbox:              "INBOX",
 	DeleteHandledMessage: true,
-	TokenPlaceholder:     "%{token}",
 	MaximumMessageSize:   10485760,
 }
 
@@ -54,19 +54,10 @@ func checkReplyToAddress() error {
 		return errors.New("name must not be set")
 	}
 
-	c := strings.Count(IncomingEmail.ReplyToAddress, IncomingEmail.TokenPlaceholder)
-	switch c {
-	case 0:
-		return fmt.Errorf("%s must appear in the user part of the address (before the @)", IncomingEmail.TokenPlaceholder)
-	case 1:
-	default:
-		return fmt.Errorf("%s must appear only once", IncomingEmail.TokenPlaceholder)
+	placeholderCount := strings.Count(IncomingEmail.ReplyToAddress, IncomingEmailTokenPlaceholder)
+	userPart, _, _ := strings.Cut(IncomingEmail.ReplyToAddress, "@")
+	if placeholderCount != 1 || !strings.Contains(userPart, IncomingEmailTokenPlaceholder) {
+		return fmt.Errorf("%s must appear in the user part of the address (before the @)", IncomingEmailTokenPlaceholder)
 	}
-
-	parts := strings.Split(IncomingEmail.ReplyToAddress, "@")
-	if !strings.Contains(parts[0], IncomingEmail.TokenPlaceholder) {
-		return fmt.Errorf("%s must appear in the user part of the address (before the @)", IncomingEmail.TokenPlaceholder)
-	}
-
 	return nil
 }

modules/setting/ntfy.go

@@ -0,0 +1,24 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package setting
+
+// Ntfy holds ntfy push notification settings.
+var Ntfy = struct {
+	Enabled      bool
+	ServerURL    string
+	DefaultTopic string
+	Token        string
+}{
+	Enabled:      false,
+	ServerURL:    "https://ntfy.mokoconsulting.tech",
+	DefaultTopic: "mokogitea",
+}
+
+func loadNtfyFrom(cfg ConfigProvider) {
+	sec := cfg.Section("ntfy")
+	Ntfy.Enabled = sec.Key("ENABLED").MustBool(false)
+	Ntfy.ServerURL = sec.Key("SERVER_URL").MustString(Ntfy.ServerURL)
+	Ntfy.DefaultTopic = sec.Key("DEFAULT_TOPIC").MustString(Ntfy.DefaultTopic)
+	Ntfy.Token = sec.Key("TOKEN").String()
+}

modules/setting/setting.go

@@ -28,6 +28,15 @@ var (
 	CfgProvider ConfigProvider
 	IsWindows   bool
 
+	// UpdateChecker configuration for MokoGitea version checking
+	UpdateChecker = struct {
+		Enabled  bool
+		Endpoint string
+	}{
+		Enabled:  true,
+		Endpoint: "https://git.mokoconsulting.tech/api/v1/repos/MokoConsulting/MokoGitea/releases/latest",
+	}
+
 	// IsInTesting indicates whether the testing is running (unit test or integration test). It can be used for:
 	// * Skip nonsense error logs during testing caused by unreliable code (TODO: this is only a temporary solution, we should make the test code more reliable)
 	// * Panic in dev or testing mode to make the problem more obvious and easier to debug
@@ -158,9 +167,17 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 	loadMarkupFrom(cfg)
 	loadGlobalLockFrom(cfg)
 	loadOtherFrom(cfg)
+	loadUpdateCheckerFrom(cfg)
+	loadNtfyFrom(cfg)
 	return nil
 }
 
+func loadUpdateCheckerFrom(cfg ConfigProvider) {
+	sec := cfg.Section("update_checker")
+	UpdateChecker.Enabled = sec.Key("ENABLED").MustBool(true)
+	UpdateChecker.Endpoint = sec.Key("ENDPOINT").MustString(UpdateChecker.Endpoint)
+}
+
 func loadRunModeFrom(rootCfg ConfigProvider) {
 	rootSec := rootCfg.Section("")
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())

modules/structs/issue_bulk.go

@@ -0,0 +1,58 @@
+// Copyright 2026 The MokoGitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package structs
+
+// IssueBulkLabelsOption options for bulk label operations on issues
+type IssueBulkLabelsOption struct {
+	// issue indexes to operate on
+	// required: true
+	Issues []int64 `json:"issues" binding:"Required"`
+	// Labels can be a list of integers representing label IDs
+	// or a list of strings representing label names
+	// required: true
+	Labels []any `json:"labels" binding:"Required"`
+	// action to perform: "add" (default), "remove", or "replace"
+	Action string `json:"action"`
+}
+
+// IssueBulkStateOption options for bulk state changes on issues
+type IssueBulkStateOption struct {
+	// issue indexes to operate on
+	// required: true
+	Issues []int64 `json:"issues" binding:"Required"`
+	// new state for the issues, "open" or "closed"
+	// required: true
+	State string `json:"state" binding:"Required"`
+}
+
+// IssueBulkMilestoneOption options for bulk milestone assignment on issues
+type IssueBulkMilestoneOption struct {
+	// issue indexes to operate on
+	// required: true
+	Issues []int64 `json:"issues" binding:"Required"`
+	// milestone id to assign, 0 to remove milestone
+	// required: true
+	MilestoneID int64 `json:"milestone_id"`
+}
+
+// IssueBulkAssigneesOption options for bulk assignee operations on issues
+type IssueBulkAssigneesOption struct {
+	// issue indexes to operate on
+	// required: true
+	Issues []int64 `json:"issues" binding:"Required"`
+	// list of assignee usernames to add or set
+	// required: true
+	Assignees []string `json:"assignees" binding:"Required"`
+}
+
+// IssueBulkResult represents the result of a bulk issue operation
+// swagger:model
+type IssueBulkResult struct {
+	// count of successfully updated issues
+	SuccessCount int `json:"success_count"`
+	// count of issues that failed to update
+	FailureCount int `json:"failure_count"`
+	// details of failures, keyed by issue index
+	Failures map[int64]string `json:"failures,omitempty"`
+}

modules/updatechecker/updatechecker.go

@@ -0,0 +1,106 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package updatechecker
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+// UpdateInfo holds the result of the latest update check.
+type UpdateInfo struct {
+	UpdateAvailable bool
+	LatestVersion   string
+	ReleaseURL      string
+	CheckedAt       time.Time
+}
+
+var (
+	cachedInfo *UpdateInfo
+	mu         sync.RWMutex
+)
+
+// giteaRelease is the subset of Gitea's release API response we need.
+type giteaRelease struct {
+	TagName string `json:"tag_name"`
+	HTMLURL string `json:"html_url"`
+	Draft   bool   `json:"draft"`
+}
+
+// CheckForUpdate fetches the latest release from the configured endpoint
+// and compares it to the running version.
+func CheckForUpdate() error {
+	if !setting.UpdateChecker.Enabled || setting.UpdateChecker.Endpoint == "" {
+		return nil
+	}
+
+	client := &http.Client{Timeout: 15 * time.Second}
+	resp, err := client.Get(setting.UpdateChecker.Endpoint)
+	if err != nil {
+		return fmt.Errorf("update check failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("update check returned status %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("reading update response: %w", err)
+	}
+
+	var release giteaRelease
+	if err := json.Unmarshal(body, &release); err != nil {
+		return fmt.Errorf("parsing update response: %w", err)
+	}
+
+	if release.Draft || release.TagName == "" {
+		return nil
+	}
+
+	latestVersion := strings.TrimPrefix(release.TagName, "v")
+	currentVersion := setting.AppVer
+
+	info := &UpdateInfo{
+		LatestVersion: latestVersion,
+		ReleaseURL:    release.HTMLURL,
+		CheckedAt:     time.Now(),
+	}
+
+	// Simple comparison: if latest != current, update is available.
+	// This handles both upgrades and the case where versions differ
+	// in any way (patch, upstream bump, etc.)
+	info.UpdateAvailable = latestVersion != "" && !strings.HasPrefix(currentVersion, latestVersion)
+
+	mu.Lock()
+	cachedInfo = info
+	mu.Unlock()
+
+	if info.UpdateAvailable {
+		log.Info("MokoGitea update available: %s (current: %s)", latestVersion, currentVersion)
+	} else {
+		log.Debug("MokoGitea is up to date: %s", currentVersion)
+	}
+
+	return nil
+}
+
+// GetUpdateInfo returns the cached update check result.
+func GetUpdateInfo() *UpdateInfo {
+	mu.RLock()
+	defer mu.RUnlock()
+	if cachedInfo == nil {
+		return &UpdateInfo{}
+	}
+	return cachedInfo
+}

options/fileicon/material-icon-rules.json

@@ -617,6 +617,7 @@
     "__github/workflows__": "folder-gh-workflows",
     "gitea/workflows": "folder-gitea-workflows",
     ".gitea/workflows": "folder-gitea-workflows",
+    ".mokogitea/workflows": "folder-gitea-workflows",
     "_gitea/workflows": "folder-gitea-workflows",
     "-gitea/workflows": "folder-gitea-workflows",
     "__gitea/workflows__": "folder-gitea-workflows",
@@ -5237,6 +5238,7 @@
     "__github/workflows__": "folder-gh-workflows-open",
     "gitea/workflows": "folder-gitea-workflows-open",
     ".gitea/workflows": "folder-gitea-workflows-open",
+    ".mokogitea/workflows": "folder-gitea-workflows-open",
     "_gitea/workflows": "folder-gitea-workflows-open",
     "-gitea/workflows": "folder-gitea-workflows-open",
     "__gitea/workflows__": "folder-gitea-workflows-open",

routers/api/v1/api.go

@@ -1430,7 +1430,9 @@ func Routes() *web.Router {
 							Delete(reqToken(), repo.DeleteTopic)
 					}, reqAdmin())
 				}, reqAnyRepoReader())
-				m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)
+				// MokoGitea badge engine
+			m.Get("/badge/{type}.svg", repo.GetRepoBadge)
+			m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)
 				m.Get("/issue_config", context.ReferencesGitRepo(), repo.GetIssueConfig)
 				m.Get("/issue_config/validate", context.ReferencesGitRepo(), repo.ValidateIssueConfig)
 				m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)
@@ -1468,6 +1470,12 @@ func Routes() *web.Router {
 					m.Combo("").Get(repo.ListIssues).
 						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), reqRepoReader(unit.TypeIssues), repo.CreateIssue)
 					m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues)
+					m.Group("/bulk", func() {
+						m.Post("/labels", bind(api.IssueBulkLabelsOption{}), repo.BulkSetIssueLabels)
+						m.Post("/state", bind(api.IssueBulkStateOption{}), repo.BulkSetIssueState)
+						m.Post("/milestone", bind(api.IssueBulkMilestoneOption{}), repo.BulkSetIssueMilestone)
+						m.Post("/assignees", bind(api.IssueBulkAssigneesOption{}), repo.BulkSetIssueAssignees)
+					}, reqToken(), mustNotBeArchived)
 					m.Group("/comments", func() {
 						m.Get("", repo.ListRepoIssueComments)
 						m.Group("/{id}", func() {

routers/api/v1/repo/badge.go

@@ -0,0 +1,29 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package repo
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/badge"
+	"code.gitea.io/gitea/services/context"
+)
+
+// GetRepoBadge returns an SVG badge for the repository.
+func GetRepoBadge(ctx *context.APIContext) {
+	badgeType := ctx.PathParam("type")
+	style := ctx.FormString("style")
+
+	svg, err := badge.FormatRepoBadgeSVG(ctx, ctx.Repo.Repository, badgeType, style)
+	if err != nil {
+		ctx.APIErrorInternal(fmt.Errorf("rendering badge: %w", err))
+		return
+	}
+
+	ctx.Resp.Header().Set("Content-Type", "image/svg+xml")
+	ctx.Resp.Header().Set("Cache-Control", "public, max-age=300")
+	ctx.Resp.WriteHeader(http.StatusOK)
+	_, _ = ctx.Resp.Write([]byte(svg))
+}

routers/api/v1/repo/issue_bulk.go

@@ -0,0 +1,416 @@
+// Copyright 2026 The MokoGitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"reflect"
+
+	issues_model "code.gitea.io/gitea/models/issues"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/context"
+	issue_service "code.gitea.io/gitea/services/issue"
+)
+
+// BulkSetIssueLabels adds, removes, or replaces labels on multiple issues
+func BulkSetIssueLabels(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/issues/bulk/labels issue issueBulkSetLabels
+	// ---
+	// summary: Add, remove, or replace labels on multiple issues
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/IssueBulkLabelsOption"
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/IssueBulkResult"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	form := web.GetForm(ctx).(*api.IssueBulkLabelsOption)
+	if len(form.Issues) == 0 {
+		ctx.APIError(http.StatusUnprocessableEntity, errors.New("issues list must not be empty"))
+		return
+	}
+
+	action := form.Action
+	if action == "" {
+		action = "add"
+	}
+	if action != "add" && action != "remove" && action != "replace" {
+		ctx.APIError(http.StatusUnprocessableEntity, fmt.Errorf("invalid action %q: must be add, remove, or replace", action))
+		return
+	}
+
+	labels, err := resolveBulkLabels(ctx, form.Labels)
+	if err != nil {
+		return // error already written to ctx
+	}
+
+	result := api.IssueBulkResult{Failures: make(map[int64]string)}
+
+	for _, index := range form.Issues {
+		issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, index)
+		if err != nil {
+			if issues_model.IsErrIssueNotExist(err) {
+				result.Failures[index] = "issue not found"
+			} else {
+				result.Failures[index] = err.Error()
+			}
+			result.FailureCount++
+			continue
+		}
+
+		if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+			result.Failures[index] = "no write permission"
+			result.FailureCount++
+			continue
+		}
+
+		switch action {
+		case "add":
+			err = issue_service.AddLabels(ctx, issue, ctx.Doer, labels)
+		case "remove":
+			for _, label := range labels {
+				if err = issue_service.RemoveLabel(ctx, issue, ctx.Doer, label); err != nil {
+					break
+				}
+			}
+		case "replace":
+			err = issue_service.ReplaceLabels(ctx, issue, ctx.Doer, labels)
+		}
+
+		if err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+		result.SuccessCount++
+	}
+
+	ctx.JSON(http.StatusOK, result)
+}
+
+// BulkSetIssueState closes or reopens multiple issues
+func BulkSetIssueState(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/issues/bulk/state issue issueBulkSetState
+	// ---
+	// summary: Close or reopen multiple issues
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/IssueBulkStateOption"
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/IssueBulkResult"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	form := web.GetForm(ctx).(*api.IssueBulkStateOption)
+	if len(form.Issues) == 0 {
+		ctx.APIError(http.StatusUnprocessableEntity, errors.New("issues list must not be empty"))
+		return
+	}
+	if form.State != "open" && form.State != "closed" {
+		ctx.APIError(http.StatusUnprocessableEntity, fmt.Errorf("invalid state %q: must be open or closed", form.State))
+		return
+	}
+
+	result := api.IssueBulkResult{Failures: make(map[int64]string)}
+
+	for _, index := range form.Issues {
+		issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, index)
+		if err != nil {
+			if issues_model.IsErrIssueNotExist(err) {
+				result.Failures[index] = "issue not found"
+			} else {
+				result.Failures[index] = err.Error()
+			}
+			result.FailureCount++
+			continue
+		}
+
+		if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+			result.Failures[index] = "no write permission"
+			result.FailureCount++
+			continue
+		}
+
+		if err := issue.LoadRepo(ctx); err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+
+		if form.State == "closed" && !issue.IsClosed {
+			if err := issue_service.CloseIssue(ctx, issue, ctx.Doer, ""); err != nil {
+				result.Failures[index] = err.Error()
+				result.FailureCount++
+				continue
+			}
+		} else if form.State == "open" && issue.IsClosed {
+			if err := issue_service.ReopenIssue(ctx, issue, ctx.Doer, ""); err != nil {
+				result.Failures[index] = err.Error()
+				result.FailureCount++
+				continue
+			}
+		}
+		result.SuccessCount++
+	}
+
+	ctx.JSON(http.StatusOK, result)
+}
+
+// BulkSetIssueMilestone assigns a milestone to multiple issues
+func BulkSetIssueMilestone(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/issues/bulk/milestone issue issueBulkSetMilestone
+	// ---
+	// summary: Assign a milestone to multiple issues
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/IssueBulkMilestoneOption"
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/IssueBulkResult"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	form := web.GetForm(ctx).(*api.IssueBulkMilestoneOption)
+	if len(form.Issues) == 0 {
+		ctx.APIError(http.StatusUnprocessableEntity, errors.New("issues list must not be empty"))
+		return
+	}
+
+	// Validate milestone exists if non-zero
+	if form.MilestoneID > 0 {
+		has, err := issues_model.HasMilestoneByRepoID(ctx, ctx.Repo.Repository.ID, form.MilestoneID)
+		if err != nil {
+			ctx.APIErrorInternal(err)
+			return
+		}
+		if !has {
+			ctx.APIErrorNotFound("milestone not found")
+			return
+		}
+	}
+
+	result := api.IssueBulkResult{Failures: make(map[int64]string)}
+
+	for _, index := range form.Issues {
+		issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, index)
+		if err != nil {
+			if issues_model.IsErrIssueNotExist(err) {
+				result.Failures[index] = "issue not found"
+			} else {
+				result.Failures[index] = err.Error()
+			}
+			result.FailureCount++
+			continue
+		}
+
+		if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+			result.Failures[index] = "no write permission"
+			result.FailureCount++
+			continue
+		}
+
+		oldMilestoneID := issue.MilestoneID
+		issue.MilestoneID = form.MilestoneID
+
+		if err := issue_service.ChangeMilestoneAssign(ctx, issue, ctx.Doer, oldMilestoneID); err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+		result.SuccessCount++
+	}
+
+	ctx.JSON(http.StatusOK, result)
+}
+
+// BulkSetIssueAssignees sets assignees on multiple issues
+func BulkSetIssueAssignees(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/issues/bulk/assignees issue issueBulkSetAssignees
+	// ---
+	// summary: Set assignees on multiple issues
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/IssueBulkAssigneesOption"
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/IssueBulkResult"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	form := web.GetForm(ctx).(*api.IssueBulkAssigneesOption)
+	if len(form.Issues) == 0 {
+		ctx.APIError(http.StatusUnprocessableEntity, errors.New("issues list must not be empty"))
+		return
+	}
+
+	result := api.IssueBulkResult{Failures: make(map[int64]string)}
+
+	for _, index := range form.Issues {
+		issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, index)
+		if err != nil {
+			if issues_model.IsErrIssueNotExist(err) {
+				result.Failures[index] = "issue not found"
+			} else {
+				result.Failures[index] = err.Error()
+			}
+			result.FailureCount++
+			continue
+		}
+
+		if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+			result.Failures[index] = "no write permission"
+			result.FailureCount++
+			continue
+		}
+
+		if err := issue.LoadRepo(ctx); err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+
+		if err := issue.LoadAssignees(ctx); err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+
+		if err := issue_service.UpdateAssignees(ctx, issue, "", form.Assignees, ctx.Doer); err != nil {
+			result.Failures[index] = err.Error()
+			result.FailureCount++
+			continue
+		}
+		result.SuccessCount++
+	}
+
+	ctx.JSON(http.StatusOK, result)
+}
+
+// resolveBulkLabels resolves label IDs or names into label models
+func resolveBulkLabels(ctx *context.APIContext, rawLabels []any) ([]*issues_model.Label, error) {
+	var (
+		labelIDs   []int64
+		labelNames []string
+	)
+	for _, label := range rawLabels {
+		rv := reflect.ValueOf(label)
+		switch rv.Kind() {
+		case reflect.Float64:
+			labelIDs = append(labelIDs, int64(rv.Float()))
+		case reflect.String:
+			labelNames = append(labelNames, rv.String())
+		default:
+			ctx.APIError(http.StatusBadRequest, errors.New("a label must be an integer or a string"))
+			return nil, errors.New("invalid label")
+		}
+	}
+	if len(labelIDs) > 0 && len(labelNames) > 0 {
+		ctx.APIError(http.StatusBadRequest, errors.New("labels should be an array of strings or integers, not both"))
+		return nil, errors.New("invalid labels")
+	}
+	if len(labelNames) > 0 {
+		repoLabelIDs, err := issues_model.GetLabelIDsInRepoByNames(ctx, ctx.Repo.Repository.ID, labelNames)
+		if err != nil {
+			ctx.APIErrorInternal(err)
+			return nil, err
+		}
+		labelIDs = append(labelIDs, repoLabelIDs...)
+		if ctx.Repo.Owner.IsOrganization() {
+			orgLabelIDs, err := issues_model.GetLabelIDsInOrgByNames(ctx, ctx.Repo.Owner.ID, labelNames)
+			if err != nil {
+				ctx.APIErrorInternal(err)
+				return nil, err
+			}
+			labelIDs = append(labelIDs, orgLabelIDs...)
+		}
+	}
+
+	labels, err := issues_model.GetLabelsByIDs(ctx, labelIDs, "id", "repo_id", "org_id", "name", "exclusive")
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return nil, err
+	}
+
+	return labels, nil
+}

routers/api/v1/swagger/issue.go

@@ -98,6 +98,13 @@ type swaggerIssueTemplates struct {
 	Body []api.IssueTemplate `json:"body"`
 }
 
+// IssueBulkResult
+// swagger:response IssueBulkResult
+type swaggerResponseIssueBulkResult struct {
+	// in:body
+	Body api.IssueBulkResult `json:"body"`
+}
+
 // StopWatch
 // swagger:response StopWatch
 type swaggerResponseStopWatch struct {

routers/web/admin/admin.go

@@ -21,6 +21,7 @@ import (
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/updatechecker"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/services/context"
@@ -135,8 +136,13 @@ func prepareStartupProblemsAlert(ctx *context.Context) {
 func Dashboard(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("admin.dashboard")
 	ctx.Data["PageIsAdminDashboard"] = true
-	// MokoGitea: upstream update checker removed — this is an independent fork
-	ctx.Data["NeedUpdate"] = false
+
+	// MokoGitea update checker
+	info := updatechecker.GetUpdateInfo()
+	ctx.Data["NeedUpdate"] = info.UpdateAvailable
+	ctx.Data["LatestVersion"] = info.LatestVersion
+	ctx.Data["ReleaseURL"] = info.ReleaseURL
+
 	updateSystemStatus()
 	ctx.Data["SysStatus"] = sysStatus
 	ctx.Data["SSH"] = setting.SSH

routers/web/repo/issue.go

@@ -58,6 +58,12 @@ var IssueTemplateCandidates = []string{
 	"issue_template.md",
 	"issue_template.yaml",
 	"issue_template.yml",
+	".mokogitea/ISSUE_TEMPLATE.md",
+	".mokogitea/ISSUE_TEMPLATE.yaml",
+	".mokogitea/ISSUE_TEMPLATE.yml",
+	".mokogitea/issue_template.md",
+	".mokogitea/issue_template.yaml",
+	".mokogitea/issue_template.yml",
 	".gitea/ISSUE_TEMPLATE.md",
 	".gitea/ISSUE_TEMPLATE.yaml",
 	".gitea/ISSUE_TEMPLATE.yml",

routers/web/repo/pull.go

@@ -71,6 +71,12 @@ var pullRequestTemplateCandidates = []string{
 	"pull_request_template.md",
 	"pull_request_template.yaml",
 	"pull_request_template.yml",
+	".mokogitea/PULL_REQUEST_TEMPLATE.md",
+	".mokogitea/PULL_REQUEST_TEMPLATE.yaml",
+	".mokogitea/PULL_REQUEST_TEMPLATE.yml",
+	".mokogitea/pull_request_template.md",
+	".mokogitea/pull_request_template.yaml",
+	".mokogitea/pull_request_template.yml",
 	".gitea/PULL_REQUEST_TEMPLATE.md",
 	".gitea/PULL_REQUEST_TEMPLATE.yaml",
 	".gitea/PULL_REQUEST_TEMPLATE.yml",

services/actions/concurrency.go

@@ -35,11 +35,16 @@ func EvaluateRunConcurrencyFillModel(ctx context.Context, run *actions_model.Act
 		}
 	}
 
-	var err error
-	attempt.ConcurrencyGroup, attempt.ConcurrencyCancel, err = jobparser.EvaluateConcurrency(wfRawConcurrency, "", nil, actionsRunCtx, jobResults, vars, inputs)
+	concurrencyGroup, concurrencyCancel, err := jobparser.EvaluateConcurrency(wfRawConcurrency, "", nil, actionsRunCtx, jobResults, vars, inputs)
 	if err != nil {
 		return fmt.Errorf("evaluate concurrency: %w", err)
 	}
+	run.ConcurrencyGroup = concurrencyGroup
+	run.ConcurrencyCancel = concurrencyCancel
+	if attempt != nil {
+		attempt.ConcurrencyGroup = concurrencyGroup
+		attempt.ConcurrencyCancel = concurrencyCancel
+	}
 	return nil
 }
 

services/actions/context_test.go

@@ -31,11 +31,15 @@ func TestEvaluateRunConcurrency_RunIDFallback(t *testing.T) {
 		CancelInProgress: "true",
 	}
 
-	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runA, expr, nil, nil))
-	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runB, expr, nil, nil))
+	attemptA := &actions_model.ActionRunAttempt{RunID: runA.ID, RepoID: runA.RepoID}
+	attemptB := &actions_model.ActionRunAttempt{RunID: runB.ID, RepoID: runB.RepoID}
+	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runA, attemptA, expr, nil, nil))
+	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runB, attemptB, expr, nil, nil))
 
 	assert.Contains(t, runA.ConcurrencyGroup, "791")
 	assert.Contains(t, runB.ConcurrencyGroup, "792")
+	assert.Equal(t, runA.ConcurrencyGroup, attemptA.ConcurrencyGroup)
+	assert.Equal(t, runB.ConcurrencyGroup, attemptB.ConcurrencyGroup)
 	assert.NotEqual(t, runA.ConcurrencyGroup, runB.ConcurrencyGroup)
 }
 

services/actions/run.go

@@ -88,10 +88,11 @@ func InsertRun(ctx context.Context, run *actions_model.ActionRun, content []byte
 		}
 
 		if wfRawConcurrency != nil {
-			if err := EvaluateRunConcurrencyFillModel(ctx, run, nil, wfRawConcurrency, vars, inputs); err != nil {
+			attempt := &actions_model.ActionRunAttempt{RunID: run.ID, RepoID: run.RepoID}
+			if err := EvaluateRunConcurrencyFillModel(ctx, run, attempt, wfRawConcurrency, vars, inputs); err != nil {
 				return fmt.Errorf("EvaluateRunConcurrencyFillModel: %w", err)
 			}
-			run.Status, _, err = PrepareToStartRunWithConcurrency(ctx, &actions_model.ActionRunAttempt{RunID: run.ID})
+			run.Status, _, err = PrepareToStartRunWithConcurrency(ctx, attempt)
 			if err != nil {
 				return err
 			}

services/actions/schedule_tasks.go

@@ -132,14 +132,22 @@ func CreateScheduleTask(ctx context.Context, spec *actions_model.ActionScheduleS
 }
 
 func withScheduleInEventPayload(eventPayload, schedule string) string {
-	if schedule == "" || eventPayload == "" {
+	if schedule == "" {
 		return eventPayload
 	}
 
-	event := map[string]any{}
-	if err := json.Unmarshal([]byte(eventPayload), &event); err != nil {
-		log.Error("withScheduleInEventPayload: unmarshal: %v", err)
-		return eventPayload
+	// eventPayload originates from json.Marshal(input.Payload) in handleSchedules,
+	// so a nil payload is stored as the literal "null" and pre-existing rows may be
+	// empty. Both cases start from a fresh map so the schedule field can still be set.
+	var event map[string]any
+	if eventPayload != "" {
+		if err := json.Unmarshal([]byte(eventPayload), &event); err != nil {
+			log.Error("withScheduleInEventPayload: unmarshal: %v", err)
+			return eventPayload
+		}
+	}
+	if event == nil {
+		event = map[string]any{}
 	}
 
 	event["schedule"] = schedule

services/actions/schedule_tasks_test.go

@@ -22,9 +22,20 @@ func TestWithScheduleInEventPayload(t *testing.T) {
 		assert.Equal(t, "refs/heads/main", event["ref"])
 	})
 
-	t.Run("keeps empty payload", func(t *testing.T) {
+	t.Run("adds schedule to null payload", func(t *testing.T) {
+		updated := withScheduleInEventPayload("null", "37 12 5 1 2")
+
+		event := map[string]any{}
+		assert.NoError(t, json.Unmarshal([]byte(updated), &event))
+		assert.Equal(t, "37 12 5 1 2", event["schedule"])
+	})
+
+	t.Run("adds schedule to empty payload", func(t *testing.T) {
 		updated := withScheduleInEventPayload("", "37 12 5 1 2")
-		assert.Empty(t, updated)
+
+		event := map[string]any{}
+		assert.NoError(t, json.Unmarshal([]byte(updated), &event))
+		assert.Equal(t, "37 12 5 1 2", event["schedule"])
 	})
 
 	t.Run("keeps payload when schedule empty", func(t *testing.T) {

services/cron/tasks_basic.go

@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/updatechecker"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/migrations"
 	mirror_service "code.gitea.io/gitea/services/mirror"
@@ -183,4 +184,17 @@ func initBasicTasks() {
 		registerCleanupPackages()
 	}
 	registerSyncRepoLicenses()
+	if setting.UpdateChecker.Enabled {
+		registerUpdateChecker()
+	}
+}
+
+func registerUpdateChecker() {
+	RegisterTaskFatal("update_checker", &BaseConfig{
+		Enabled:    true,
+		RunAtStart: true,
+		Schedule:   "@every 24h",
+	}, func(ctx context.Context, _ *user_model.User, _ Config) error {
+		return updatechecker.CheckForUpdate()
+	})
 }

services/issue/template.go

@@ -23,6 +23,8 @@ import (
 var templateDirCandidates = []string{
 	"ISSUE_TEMPLATE",
 	"issue_template",
+	".mokogitea/ISSUE_TEMPLATE",
+	".mokogitea/issue_template",
 	".gitea/ISSUE_TEMPLATE",
 	".gitea/issue_template",
 	".github/ISSUE_TEMPLATE",
@@ -32,6 +34,8 @@ var templateDirCandidates = []string{
 }
 
 var templateConfigCandidates = []string{
+	".mokogitea/ISSUE_TEMPLATE/config",
+	".mokogitea/issue_template/config",
 	".gitea/ISSUE_TEMPLATE/config",
 	".gitea/issue_template/config",
 	".github/ISSUE_TEMPLATE/config",

services/mailer/incoming/incoming.go

@@ -9,7 +9,6 @@ import (
 	"errors"
 	"fmt"
 	net_mail "net/mail"
-	"regexp"
 	"strings"
 	"time"
 
@@ -24,31 +23,10 @@ import (
 	"github.com/jhillyerd/enmime/v2"
 )
 
-var (
-	addressTokenRegex   *regexp.Regexp
-	referenceTokenRegex *regexp.Regexp
-)
-
 func Init(ctx context.Context) error {
 	if !setting.IncomingEmail.Enabled {
 		return nil
 	}
-
-	var err error
-	addressTokenRegex, err = regexp.Compile(
-		fmt.Sprintf(
-			`\A%s\z`,
-			strings.Replace(regexp.QuoteMeta(setting.IncomingEmail.ReplyToAddress), regexp.QuoteMeta(setting.IncomingEmail.TokenPlaceholder), "(.+)", 1),
-		),
-	)
-	if err != nil {
-		return err
-	}
-	referenceTokenRegex, err = regexp.Compile(fmt.Sprintf(`\Areply-(.+)@%s\z`, regexp.QuoteMeta(setting.Domain)))
-	if err != nil {
-		return err
-	}
-
 	go func() {
 		ctx, _, finished := process.GetManager().AddTypedContext(ctx, "Incoming Email", process.SystemProcessType, true)
 		defer finished()
@@ -241,7 +219,7 @@ loop:
 					return nil
 				}
 
-				handlerType, user, payload, err := token.ExtractToken(ctx, t)
+				handlerType, user, payload, err := token.DecodeToken(ctx, t)
 				if err != nil {
 					if _, ok := err.(*token.ErrToken); ok {
 						log.Info("Invalid incoming email token: %v", err)
@@ -292,22 +270,31 @@ func isAutomaticReply(env *enmime.Envelope) bool {
 	return autoRespond != ""
 }
 
+func extractToken(s, tokenPrefix, tokenSuffix string) string {
+	if len(s) <= len(tokenPrefix)+len(tokenSuffix) {
+		return ""
+	}
+	prefix, suffix := s[0:len(tokenPrefix)], s[len(s)-len(tokenSuffix):]
+	if strings.EqualFold(prefix, tokenPrefix) && strings.EqualFold(suffix, tokenSuffix) {
+		return s[len(tokenPrefix) : len(s)-len(tokenSuffix)]
+	}
+	return ""
+}
+
 // searchTokenInHeaders looks for the token in To, Delivered-To and References
 func searchTokenInHeaders(env *enmime.Envelope) string {
-	if addressTokenRegex != nil {
-		to, _ := env.AddressList("To")
+	to, _ := env.AddressList("To")
 
-		token := searchTokenInAddresses(to)
-		if token != "" {
-			return token
-		}
+	token := searchTokenInAddresses(to)
+	if token != "" {
+		return token
+	}
 
-		deliveredTo, _ := env.AddressList("Delivered-To")
+	deliveredTo, _ := env.AddressList("Delivered-To")
 
-		token = searchTokenInAddresses(deliveredTo)
-		if token != "" {
-			return token
-		}
+	token = searchTokenInAddresses(deliveredTo)
+	if token != "" {
+		return token
 	}
 
 	references := env.GetHeader("References")
@@ -322,10 +309,9 @@ func searchTokenInHeaders(env *enmime.Envelope) string {
 		if end == -1 || begin > end {
 			break
 		}
-
-		match := referenceTokenRegex.FindStringSubmatch(references[begin:end])
-		if len(match) == 2 {
-			return match[1]
+		t := extractToken(references[begin:end], "reply-", "@"+setting.Domain)
+		if t != "" {
+			return t
 		}
 
 		references = references[end+1:]
@@ -336,15 +322,15 @@ func searchTokenInHeaders(env *enmime.Envelope) string {
 
 // searchTokenInAddresses looks for the token in an address
 func searchTokenInAddresses(addresses []*net_mail.Address) string {
-	for _, address := range addresses {
-		match := addressTokenRegex.FindStringSubmatch(address.Address)
-		if len(match) != 2 {
-			continue
-		}
-
-		return match[1]
+	tokenPrefix, tokenSuffix, _ := strings.Cut(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmailTokenPlaceholder)
+	if tokenSuffix == "" {
+		return ""
+	}
+	for _, address := range addresses {
+		if t := extractToken(address.Address, tokenPrefix, tokenSuffix); t != "" {
+			return t
+		}
 	}
-
 	return ""
 }
 

services/mailer/incoming/incoming_test.go

@@ -7,6 +7,8 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/modules/setting"
+
 	"github.com/jhillyerd/enmime/v2"
 	"github.com/stretchr/testify/assert"
 )
@@ -68,6 +70,18 @@ func TestIsAutomaticReply(t *testing.T) {
 	}
 }
 
+func TestSearchTokenInHeadersCaseInsensitive(t *testing.T) {
+	setting.IncomingEmail.ReplyToAddress = "InComing+%{token}@ExAmPle.com"
+	setting.Domain = "DoMain.com"
+	mkEnv := func(s string) *enmime.Envelope {
+		env, _ := enmime.ReadEnvelope(strings.NewReader(s + "\r\n\r\n"))
+		return env
+	}
+	assert.Equal(t, "abc", searchTokenInHeaders(mkEnv("To: incoming+abc@EXAMPLE.COM")))
+	assert.Equal(t, "abc", searchTokenInHeaders(mkEnv("Delivered-To: INCOMING+abc@example.com")))
+	assert.Equal(t, "abc", searchTokenInHeaders(mkEnv("References: <ReplY-abc@DomaiN.COM>")))
+}
+
 func TestGetContentFromMailReader(t *testing.T) {
 	mailString := "Content-Type: multipart/mixed; boundary=message-boundary\r\n" +
 		"\r\n" +

services/mailer/mail_issue_common.go

@@ -182,7 +182,7 @@ func composeIssueCommentMessages(ctx context.Context, comment *mailComment, lang
 				if err != nil {
 					log.Error("CreateToken failed: %v", err)
 				} else {
-					replyAddress := strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmail.TokenPlaceholder, token, 1)
+					replyAddress := strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmailTokenPlaceholder, token, 1)
 					msg.ReplyTo = replyAddress
 					msg.SetHeader("List-Post", fmt.Sprintf("<mailto:%s>", replyAddress))
 
@@ -194,7 +194,7 @@ func composeIssueCommentMessages(ctx context.Context, comment *mailComment, lang
 			if err != nil {
 				log.Error("CreateToken failed: %v", err)
 			} else {
-				unsubAddress := strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmail.TokenPlaceholder, token, 1)
+				unsubAddress := strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmailTokenPlaceholder, token, 1)
 				listUnsubscribe = append(listUnsubscribe, "<mailto:"+unsubAddress+">")
 			}
 		}

services/mailer/token/token.go

@@ -9,6 +9,7 @@ import (
 	"crypto/sha256"
 	"encoding/base32"
 	"fmt"
+	"strings"
 	"time"
 
 	user_model "code.gitea.io/gitea/models/user"
@@ -73,9 +74,11 @@ func CreateToken(ht HandlerType, user *user_model.User, data []byte) (string, er
 	return encodingWithoutPadding.EncodeToString(append([]byte{tokenVersion1}, packagedData...)), nil
 }
 
-// ExtractToken extracts the action/user tuple from the token and verifies the content
-func ExtractToken(ctx context.Context, token string) (HandlerType, *user_model.User, []byte, error) {
-	data, err := encodingWithoutPadding.DecodeString(token)
+// DecodeToken decodes the handler, user and payload from the token and verifies the content
+func DecodeToken(ctx context.Context, token string) (HandlerType, *user_model.User, []byte, error) {
+	// MTAs are permitted to alter the case of the local-part (RFC 5321 §2.4), so normalize
+	// to the base32 alphabet before decoding to survive a lowercased reply-to address.
+	data, err := encodingWithoutPadding.DecodeString(strings.ToUpper(token))
 	if err != nil {
 		return UnknownHandlerType, nil, nil, err
 	}
@@ -118,11 +121,11 @@ func ExtractToken(ctx context.Context, token string) (HandlerType, *user_model.U
 	return handlerType, user, innerPayload, nil
 }
 
-// generateHmac creates a trunkated HMAC for the given payload
+// generateHmac creates a truncated HMAC for the given payload
 func generateHmac(secret, payload []byte) []byte {
 	mac := crypto_hmac.New(sha256.New, secret)
 	mac.Write(payload)
 	hmac := mac.Sum(nil)
 
-	return hmac[:10] // RFC2104 recommends not using less then 80 bits
+	return hmac[:10] // RFC2104 recommends not using less than 80 bits
 }

services/ntfy/notifier.go

@@ -0,0 +1,107 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package ntfy
+
+import (
+	"context"
+	"fmt"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	issues_model "code.gitea.io/gitea/models/issues"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	notify_service "code.gitea.io/gitea/services/notify"
+)
+
+func init() {
+	if setting.Ntfy.Enabled {
+		notify_service.RegisterNotifier(NewNotifier())
+	}
+}
+
+type ntfyNotifier struct {
+	notify_service.NullNotifier
+}
+
+// NewNotifier creates a new ntfy notifier.
+func NewNotifier() notify_service.Notifier {
+	return &ntfyNotifier{}
+}
+
+func (*ntfyNotifier) Run() {}
+
+func repoTopic(repo *repo_model.Repository) string {
+	if repo == nil {
+		return setting.Ntfy.DefaultTopic
+	}
+	return setting.Ntfy.DefaultTopic
+}
+
+func (*ntfyNotifier) NewIssue(_ context.Context, issue *issues_model.Issue, _ []*user_model.User) {
+	_ = issue.LoadRepo(context.Background())
+	SendAsync(repoTopic(issue.Repo),
+		fmt.Sprintf("New Issue: %s", issue.Title),
+		fmt.Sprintf("#%d in %s\n%s", issue.Index, issue.Repo.FullName(), issue.Content),
+		"default",
+		"issue,new")
+}
+
+func (*ntfyNotifier) IssueChangeStatus(_ context.Context, doer *user_model.User, _ string, issue *issues_model.Issue, _ *issues_model.Comment, closeOrReopen bool) {
+	_ = issue.LoadRepo(context.Background())
+	action := "reopened"
+	if !closeOrReopen {
+		action = "closed"
+	}
+	SendAsync(repoTopic(issue.Repo),
+		fmt.Sprintf("Issue %s: %s", action, issue.Title),
+		fmt.Sprintf("#%d %s by %s", issue.Index, action, doer.Name),
+		"low",
+		"issue,"+action)
+}
+
+func (*ntfyNotifier) NewPullRequest(_ context.Context, pr *issues_model.PullRequest, _ []*user_model.User) {
+	_ = pr.LoadIssue(context.Background())
+	_ = pr.Issue.LoadRepo(context.Background())
+	SendAsync(repoTopic(pr.Issue.Repo),
+		fmt.Sprintf("New PR: %s", pr.Issue.Title),
+		fmt.Sprintf("#%d in %s\n%s → %s", pr.Issue.Index, pr.Issue.Repo.FullName(), pr.HeadBranch, pr.BaseBranch),
+		"default",
+		"git-pull-request,new")
+}
+
+func (*ntfyNotifier) MergePullRequest(_ context.Context, doer *user_model.User, pr *issues_model.PullRequest) {
+	_ = pr.LoadIssue(context.Background())
+	_ = pr.Issue.LoadRepo(context.Background())
+	SendAsync(repoTopic(pr.Issue.Repo),
+		fmt.Sprintf("PR Merged: %s", pr.Issue.Title),
+		fmt.Sprintf("#%d merged by %s", pr.Issue.Index, doer.Name),
+		"default",
+		"git-merge,merged")
+}
+
+func (*ntfyNotifier) NewRelease(_ context.Context, rel *repo_model.Release) {
+	SendAsync(repoTopic(rel.Repo),
+		fmt.Sprintf("New Release: %s", rel.TagName),
+		fmt.Sprintf("%s in %s\n%s", rel.TagName, rel.Repo.FullName(), rel.Note),
+		"high",
+		"rocket,release")
+}
+
+func (*ntfyNotifier) WorkflowRunStatusUpdate(_ context.Context, repo *repo_model.Repository, _ *user_model.User, run *actions_model.ActionRun) {
+	if run.Status.String() != "success" && run.Status.String() != "failure" {
+		return // only notify on completion
+	}
+	priority := "default"
+	tags := "white_check_mark,ci"
+	if run.Status.String() == "failure" {
+		priority = "high"
+		tags = "x,ci-fail"
+	}
+	SendAsync(repoTopic(repo),
+		fmt.Sprintf("CI %s: %s", run.Status.String(), run.Title),
+		fmt.Sprintf("Workflow in %s", repo.FullName()),
+		priority,
+		tags)
+}

services/ntfy/ntfy.go

@@ -0,0 +1,66 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package ntfy
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+// Send publishes a notification to the ntfy server.
+func Send(topic, title, message, priority, tags string) error {
+	if !setting.Ntfy.Enabled || setting.Ntfy.ServerURL == "" {
+		return nil
+	}
+
+	if topic == "" {
+		topic = setting.Ntfy.DefaultTopic
+	}
+
+	url := fmt.Sprintf("%s/%s", strings.TrimRight(setting.Ntfy.ServerURL, "/"), topic)
+
+	req, err := http.NewRequest("POST", url, strings.NewReader(message))
+	if err != nil {
+		return fmt.Errorf("ntfy request: %w", err)
+	}
+
+	req.Header.Set("Title", title)
+	if priority != "" {
+		req.Header.Set("Priority", priority)
+	}
+	if tags != "" {
+		req.Header.Set("Tags", tags)
+	}
+	if setting.Ntfy.Token != "" {
+		req.Header.Set("Authorization", "Bearer "+setting.Ntfy.Token)
+	}
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("ntfy send: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("ntfy returned status %d", resp.StatusCode)
+	}
+
+	log.Debug("ntfy notification sent: %s — %s", topic, title)
+	return nil
+}
+
+// SendAsync sends a notification in a goroutine (non-blocking).
+func SendAsync(topic, title, message, priority, tags string) {
+	go func() {
+		if err := Send(topic, title, message, priority, tags); err != nil {
+			log.Error("ntfy async send failed: %v", err)
+		}
+	}()
+}

templates/admin/dashboard.tmpl

@@ -1,5 +1,12 @@
 {{template "admin/layout_head" (dict "pageClass" "admin dashboard")}}
 	<div class="admin-setting-content">
+		{{if .NeedUpdate}}
+		<div class="ui positive message">
+			<div class="header">{{svg "octicon-info"}} MokoGitea Update Available</div>
+			<p>A new version <strong>{{.LatestVersion}}</strong> is available.
+			{{if .ReleaseURL}}<a href="{{.ReleaseURL}}" target="_blank" rel="noopener noreferrer">View release notes</a>{{end}}</p>
+		</div>
+		{{end}}
 		<h4 class="ui top attached header">
 			{{ctx.Locale.Tr "admin.dashboard.maintenance_operations"}}
 		</h4>

templates/base/head_navbar.tmpl

@@ -2,7 +2,7 @@
 	<div class="navbar-left">
 		<!-- the logo -->
 		<a class="item" id="navbar-logo" href="{{AppSubUrl}}/" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home_title"}}{{end}}">
-			<img width="30" height="30" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}" aria-hidden="true">
+			<img width="30" height="30" src="https://mokoconsulting.tech/images/branding/logo.png" alt="{{ctx.Locale.Tr "logo"}}" aria-hidden="true">
 		</a>
 
 		<!-- mobile right menu, it must be here because in mobile view, each item is a flex column, the first item is a full row column -->

templates/base/head_opengraph.tmpl

@@ -39,7 +39,7 @@
 {{else}}
 	<meta property="og:title" content="{{AppName}}">
 	<meta property="og:type" content="website">
-	<meta property="og:image" content="{{AssetUrlPrefix}}/img/logo.png">
+	<meta property="og:image" content="https://mokoconsulting.tech/images/branding/logo.png">
 	<meta property="og:url" content="{{ctx.AppFullLink}}">
 	<meta property="og:description" content="{{MetaDescription}}">
 {{end}}

templates/repo/actions/runs_list.tmpl

@@ -1,4 +1,4 @@
-<div class="flex-list run-list">
+<div class="flex-divided-list items-with-main run-list">
 	{{if not .Runs}}
 	<div class="empty-placeholder">
 		{{svg "octicon-no-entry" 48}}
@@ -6,19 +6,19 @@
 	</div>
 	{{end}}
 	{{range $run := .Runs}}
-		<div class="flex-item tw-items-center">
-			<div class="flex-item-leading">
+		<div class="item tw-items-center">
+			<div class="item-leading">
 				{{template "repo/actions/status" (dict "status" $run.Status.String)}}
 			</div>
-			<div class="flex-item-main">
-				<span class="flex-item-title" title="{{$run.Title}}">
+			<div class="item-main">
+				<span class="item-title" title="{{$run.Title}}">
 					{{if $run.Title}}
 						{{ctx.RenderUtils.RenderCommitMessageLinkSubject $run.Title $run.Link $.Repository}}
 					{{else}}
 						<a href="{{$run.Link}}">{{ctx.Locale.Tr "actions.runs.empty_commit_message"}}</a>
 					{{end}}
 				</span>
-				<div class="flex-item-body">
+				<div class="item-body">
 					<span><b>{{if not $.CurWorkflow}}{{$run.WorkflowID}} {{end}}#{{$run.Index}}</b>:</span>
 
 					{{- if $run.ScheduleID -}}
@@ -38,7 +38,7 @@
 					{{end}}
 				</div>
 			</div>
-			<div class="flex-item-trailing">
+			<div class="item-trailing">
 				{{if $run.IsRefDeleted}}
 					<span class="ui label run-list-ref gt-ellipsis tw-line-through" data-tooltip-content="{{$run.RefTooltip}}">{{$run.PrettyRef}}</span>
 				{{else}}

templates/status/500.tmpl

@@ -21,7 +21,7 @@
 			<div class="ui container tw-flex">
 				<div class="item tw-flex-1">
 					<a href="{{AppSubUrl}}/" aria-label="{{ctx.Locale.Tr "home_title"}}">
-						<img width="30" height="30" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}" aria-hidden="true">
+						<img width="30" height="30" src="https://mokoconsulting.tech/images/branding/logo.png" alt="{{ctx.Locale.Tr "logo"}}" aria-hidden="true">
 					</a>
 				</div>
 				<div class="item">

templates/user/auth/signin_openid.tmpl

@@ -3,7 +3,7 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column tw-flex tw-flex-col tw-gap-4 tw-max-w-2xl tw-m-auto">
 			<a href="{{AppSubUrl}}/user/login" class="tw-mx-auto">
-				<img width="100" height="100" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+				<img width="100" height="100" src="https://mokoconsulting.tech/images/branding/logo.png" alt="{{ctx.Locale.Tr "logo"}}">
 			</a>
 
 			<div class="ui container fluid">

tests/integration/incoming_email_test.go

@@ -66,7 +66,14 @@ func TestIncomingEmail(t *testing.T) {
 			assert.NoError(t, err)
 			assert.NotEmpty(t, token)
 
-			ht, u, p, err := token_service.ExtractToken(t.Context(), token)
+			ht, u, p, err := token_service.DecodeToken(t.Context(), token)
+			assert.NoError(t, err)
+			assert.Equal(t, token_service.ReplyHandlerType, ht)
+			assert.Equal(t, user.ID, u.ID)
+			assert.Equal(t, payload, p)
+
+			// MTAs may lowercase the local-part of the reply-to address (RFC 5321 §2.4).
+			ht, u, p, err = token_service.DecodeToken(t.Context(), strings.ToLower(token))
 			assert.NoError(t, err)
 			assert.Equal(t, token_service.ReplyHandlerType, ht)
 			assert.Equal(t, user.ID, u.ID)
@@ -189,7 +196,7 @@ func TestIncomingEmail(t *testing.T) {
 				assert.NoError(t, err)
 
 				msg := sender_service.NewMessageFrom(
-					strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmail.TokenPlaceholder, token, 1),
+					strings.Replace(setting.IncomingEmail.ReplyToAddress, setting.IncomingEmailTokenPlaceholder, token, 1),
 					"",
 					user.Email,
 					"",