Commit graph

20356 commits

Author SHA1 Message Date
Earl Warren
fb311fcf10 Merge pull request 'Update dependency @playwright/test to v1.46.0 (forgejo)' (#4841) from renovate/forgejo-playwright-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4841
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-06 05:32:09 +00:00
Renovate Bot
10647bb50f Update dependency @playwright/test to v1.46.0 2024-08-06 02:05:18 +00:00
Gusted
7fb82afa20 Merge pull request 'Update dependency postcss to v8.4.41 (forgejo)' (#4837) from renovate/forgejo-postcss-packages into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4837
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-06 01:48:44 +00:00
Gusted
14850847ee Merge pull request '[BUG] Allow 4 charachter SHA in /src/commit' (#4828) from gusted/forgejo-short-sha into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4828
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-06 01:06:34 +00:00
Renovate Bot
d122196fac Update dependency postcss to v8.4.41 2024-08-06 00:16:18 +00:00
Gusted
b967fce25d
[BUG] Allow 4 charachter SHA in /src/commit
- Adjust the `RepoRefByType` middleware to allow for commit SHAs that
are as short as 4 characters (the minium that Git requires).
- Integration test added.
- Follow up to 4d76bbeda7
- Resolves #4781
2024-08-06 01:45:41 +02:00
Earl Warren
641b0f74b6 Merge pull request 'Remove dachary from CODEOWNERS' (#4826) from gusted-patch-1 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4826
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 21:08:12 +00:00
Earl Warren
ed3fe01dd3 Merge pull request '[CHORE] Remove SSH DSA tests' (#4827) from gusted/forgejo-rm-dsa into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4827
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 21:03:25 +00:00
Gusted
eb8c125788
[CHORE] Remove SSH DSA tests
- Partially resolves #4659
- Fixes CI.
2024-08-05 20:34:19 +02:00
Gusted
4d789163bc Remove dachary from CODEOWNERS
I've asked dachary personally if this okay and he agreed.
2024-08-05 18:12:11 +00:00
Earl Warren
b7a4703231 Merge pull request 'Update module github.com/google/go-github/v57 to v63 (forgejo)' (#4824) from renovate/forgejo-github.com-google-go-github-v57-63.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4824
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 15:07:43 +00:00
Earl Warren
d853c8465d
Update module github.com/google/go-github/v57 to v63 (license update) 2024-08-05 16:26:06 +02:00
Earl Warren
6e98a57096 Merge pull request 'Implement an instance-wide activitypub actor' (#4811) from algernon/forgejo:to-be-or-not-to-be into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4811
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 14:23:02 +00:00
Renovate Bot
eab599de41 Update module github.com/google/go-github/v57 to v63 2024-08-05 13:21:39 +00:00
Gergely Nagy
f121e87aa6
activitypub: Implement an instance-wide actor
An instance-wide actor is required for outgoing signed requests that are
done on behalf of the instance, rather than on behalf of other actors.
Such things include updating profile information, or fetching public
keys.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-05 10:50:26 +02:00
Earl Warren
057256553b Merge pull request 'Update module golang.org/x/oauth2 to v0.22.0 (forgejo)' (#4816) from renovate/forgejo-golang.org-x-oauth2-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4816
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-05 07:52:39 +00:00
Earl Warren
88d5d78403
Update module golang.org/x/oauth2 to v0.22.0 (license update) 2024-08-05 09:01:07 +02:00
Renovate Bot
8e3b33dd53
Update module golang.org/x/oauth2 to v0.22.0 2024-08-05 09:01:05 +02:00
Earl Warren
98457eb67d Merge pull request 'Update module golang.org/x/sys to v0.23.0 (forgejo)' (#4817) from renovate/forgejo-golang.org-x-sys-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4817
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-05 06:59:14 +00:00
TheFox0x7
c738542201 Open telemetry integration (#3972)
This PR adds opentelemetry and chi wrapper to have basic instrumentation

<!--start release-notes-assistant-->

## Draft release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/3972): <!--number 3972 --><!--line 0 --><!--description YWRkIHN1cHBvcnQgZm9yIGJhc2ljIHJlcXVlc3QgdHJhY2luZyB3aXRoIG9wZW50ZWxlbWV0cnk=-->add support for basic request tracing with opentelemetry<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3972
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>
2024-08-05 06:04:39 +00:00
0ko
7c74def6ff i18n(en): remove unused strings (#4805)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4805
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 05:54:29 +00:00
Earl Warren
e08e47bbec
Update module golang.org/x/sys to v0.23.0 (license updates) 2024-08-05 07:45:16 +02:00
forgejo-renovate-action
3d4271e731 Merge pull request 'Update renovate to v38.18.12 (forgejo)' (#4815) from renovate/forgejo-renovate into forgejo 2024-08-05 05:29:17 +00:00
Earl Warren
811d96e74a Merge pull request 'Lock file maintenance (forgejo)' (#4818) from renovate/forgejo-lock-file-maintenance into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4818
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-05 05:27:45 +00:00
Solomon Victorino
3ee5bc262f fix(ui): handle out-of-bounds end line in code selection (#4788)
- fallback to the last line, preventing TypeError
- add E2E test

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4788
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Solomon Victorino <git@solomonvictorino.com>
Co-committed-by: Solomon Victorino <git@solomonvictorino.com>
2024-08-05 04:45:07 +00:00
Renovate Bot
a3fa6c7d8e Lock file maintenance 2024-08-05 02:06:16 +00:00
Renovate Bot
2c95baffeb Update module golang.org/x/sys to v0.23.0 2024-08-05 02:04:33 +00:00
Renovate Bot
00ae44129d Update renovate to v38.18.12 2024-08-05 00:02:57 +00:00
Gergely Nagy
cd17eb0fa7
activitypub: Sign the Host header too
Mastodon with `AUTHORIZED_FETCH` enabled requires the `Host` header to
be signed too, add it to the default for `setting.Federation.GetHeaders`
and `setting.Federation.PostHeaders`.

For this to work, we need to sign the request later: not immediately
after `NewRequest`, but just before sending them out with `client.Do`.
Doing so also lets us use `setting.Federation.GetHeaders` (we were using
`.PostHeaders` even for GET requests before).

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-04 23:57:48 +02:00
Earl Warren
c031881a20 Merge pull request 'Update module github.com/meilisearch/meilisearch-go to v0.27.2 (forgejo)' (#4799) from renovate/forgejo-github.com-meilisearch-meilisearch-go-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4799
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
2024-08-04 16:25:38 +00:00
Earl Warren
fd33cc5b45 Merge pull request 'Prevent uppercase in header of dashboard context selector' (#4806) from 0ko/forgejo:ui-dashboard-context-fix into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4806
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-04 13:21:30 +00:00
0ko
a4f1d0bc43 fix(ui): prevent uppercase in header of dashboard context selector 2024-08-04 16:10:15 +05:00
Exploding Dragon
f17194ca91 Arch packages implementation (#4785)
This PR is from https://github.com/go-gitea/gitea/pull/31037

This PR was originally created by @d1nch8g , and the original source code comes from https://ion.lc/core/gitea.

This PR adds a package registry for [Arch Linux](https://archlinux.org/) packages with support for package files, [signatures](https://wiki.archlinux.org/title/Pacman/Package_signing), and automatic [pacman-database](https://archlinux.org/pacman/repo-add.8.html) management.

Features:

1. Push any ` tar.zst ` package and Gitea sign it.
2. Delete endpoint for specific package version and all related files
3. Supports trust levels with `SigLevel = Required`.
4. Package UI with instructions to connect to the new pacman database and visualised package metadata

![](/attachments/810ca6df-bd20-44c2-bdf7-95e94886d750)

You can follow [this tutorial](https://wiki.archlinux.org/title/Creating_packages) to build a *.pkg.tar.zst package for testing

docs pr: https://codeberg.org/forgejo/docs/pulls/791

Co-authored-by: d1nch8g@ion.lc
Co-authored-by: @KN4CK3R
Co-authored-by: @mahlzahn
Co-authored-by: @silverwind
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4785
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Exploding Dragon <explodingfkl@gmail.com>
Co-committed-by: Exploding Dragon <explodingfkl@gmail.com>
2024-08-04 06:16:29 +00:00
0ko
22d3659803 i18n(en): remove unused string admin.auths.enable_auto_register (#4797)
Introduced in d2aff9a46a.
Removed in cd37fccdfb.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4797
Reviewed-by: Otto <otto@codeberg.org>
2024-08-04 03:09:02 +00:00
Renovate Bot
d0684334b3 Update module github.com/meilisearch/meilisearch-go to v0.27.2 2024-08-04 00:03:09 +00:00
Earl Warren
e99be039d4 Merge pull request 'chore(ci): do not hardcode go version, use go.mod instead' (#4792) from earl-warren/forgejo:wip-go-mod into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4792
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: thefox <thefox@noreply.codeberg.org>
2024-08-03 14:51:59 +00:00
Earl Warren
94f3589623
chore(ci): do not hardcode go version, use go.mod instead 2024-08-03 11:53:55 +02:00
0ko
37151d75cb Merge pull request 'Refactor user-cards as a grid' (#4760) from 0ko/forgejo:ui-usercards-grid into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4760
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
2024-08-02 17:43:40 +00:00
0ko
cad8d09ba8 ui: refactor user-cards as a grid 2024-08-02 19:27:31 +05:00
Earl Warren
63fdc1298f Merge pull request 'Soft-quota foundations' (#4212) from algernon/forgejo:quota/helpers into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4212
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-02 12:27:45 +00:00
Gergely Nagy
f826f673d1
feat(quota): Add a terse release not about quotas
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-02 11:10:34 +02:00
Gergely Nagy
67fa52dedb
feat(quota): Quota enforcement
The previous commit laid out the foundation of the quota engine, this
one builds on top of it, and implements the actual enforcement.

Enforcement happens at the route decoration level, whenever possible. In
case of the API, when over quota, a 413 error is returned, with an
appropriate JSON payload. In case of web routes, a 413 HTML page is
rendered with similar information.

This implementation is for a **soft quota**: quota usage is checked
before an operation is to be performed, and the operation is *only*
denied if the user is already over quota. This makes it possible to go
over quota, but has the significant advantage of being practically
implementable within the current Forgejo architecture.

The goal of enforcement is to deny actions that can make the user go
over quota, and allow the rest. As such, deleting things should - in
almost all cases - be possible. A prime exemption is deleting files via
the web ui: that creates a new commit, which in turn increases repo
size, thus, is denied if the user is over quota.

Limitations
-----------

Because we generally work at a route decorator level, and rarely
look *into* the operation itself, `size:repos:public` and
`size:repos:private` are not enforced at this level, the engine enforces
against `size:repos:all`. This will be improved in the future.

AGit does not play very well with this system, because AGit PRs count
toward the repo they're opened against, while in the GitHub-style fork +
pull model, it counts against the fork. This too, can be improved in the
future.

There's very little done on the UI side to guard against going over
quota. What this patch implements, is enforcement, not prevention. The
UI will still let you *try* operations that *will* result in a denial.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-02 11:10:34 +02:00
Gergely Nagy
a414703c09
tests: Add an IsTemplate option to DeclarativeRepoOptions
This lets us use `CreateDeclarativeRepoWithOptions` to create template
repositories.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-02 11:10:34 +02:00
Gergely Nagy
e1fe3bbdc0
feat(quota): Humble beginnings of a quota engine
This is an implementation of a quota engine, and the API routes to
manage its settings. This does *not* contain any enforcement code: this
is just the bedrock, the engine itself.

The goal of the engine is to be flexible and future proof: to be nimble
enough to build on it further, without having to rewrite large parts of
it.

It might feel a little more complicated than necessary, because the goal
was to be able to support scenarios only very few Forgejo instances
need, scenarios the vast majority of mostly smaller instances simply do
not care about. The goal is to support both big and small, and for that,
we need a solid, flexible foundation.

There are thee big parts to the engine: counting quota use, setting
limits, and evaluating whether the usage is within the limits. Sounds
simple on paper, less so in practice!

Quota counting
==============

Quota is counted based on repo ownership, whenever possible, because
repo owners are in ultimate control over the resources they use: they
can delete repos, attachments, everything, even if they don't *own*
those themselves. They can clean up, and will always have the permission
and access required to do so. Would we count quota based on the owning
user, that could lead to situations where a user is unable to free up
space, because they uploaded a big attachment to a repo that has been
taken private since. It's both more fair, and much safer to count quota
against repo owners.

This means that if user A uploads an attachment to an issue opened
against organization O, that will count towards the quota of
organization O, rather than user A.

One's quota usage stats can be queried using the `/user/quota` API
endpoint. To figure out what's eating into it, the
`/user/repos?order_by=size`, `/user/quota/attachments`,
`/user/quota/artifacts`, and `/user/quota/packages` endpoints should be
consulted. There's also `/user/quota/check?subject=<...>` to check
whether the signed-in user is within a particular quota limit.

Quotas are counted based on sizes stored in the database.

Setting quota limits
====================

There are different "subjects" one can limit usage for. At this time,
only size-based limits are implemented, which are:

- `size:all`: As the name would imply, the total size of everything
  Forgejo tracks.
- `size:repos:all`: The total size of all repositories (not including
  LFS).
- `size:repos:public`: The total size of all public repositories (not
  including LFS).
- `size:repos:private`: The total size of all private repositories (not
  including LFS).
- `size:git:all`: The total size of all git data (including all
  repositories, and LFS).
- `size:git:lfs`: The size of all git LFS data (either in private or
  public repos).
- `size:assets:all`: The size of all assets tracked by Forgejo.
- `size:assets:attachments:all`: The size of all kinds of attachments
  tracked by Forgejo.
- `size:assets:attachments:issues`: Size of all attachments attached to
  issues, including issue comments.
- `size:assets:attachments:releases`: Size of all attachments attached
  to releases. This does *not* include automatically generated archives.
- `size:assets:artifacts`: Size of all Action artifacts.
- `size:assets:packages:all`: Size of all Packages.
- `size:wiki`: Wiki size

Wiki size is currently not tracked, and the engine will always deem it
within quota.

These subjects are built into Rules, which set a limit on *all* subjects
within a rule. Thus, we can create a rule that says: "1Gb limit on all
release assets, all packages, and git LFS, combined". For a rule to
stand, the total sum of all subjects must be below the rule's limit.

Rules are in turn collected into groups. A group is just a name, and a
list of rules. For a group to stand, all of its rules must stand. Thus,
if we have a group with two rules, one that sets a combined 1Gb limit on
release assets, all packages, and git LFS, and another rule that sets a
256Mb limit on packages, if the user has 512Mb of packages, the group
will not stand, because the second rule deems it over quota. Similarly,
if the user has only 128Mb of packages, but 900Mb of release assets, the
group will not stand, because the combined size of packages and release
assets is over the 1Gb limit of the first rule.

Groups themselves are collected into Group Lists. A group list stands
when *any* of the groups within stand. This allows an administrator to
set conservative defaults, but then place select users into additional
groups that increase some aspect of their limits.

To top it off, it is possible to set the default quota groups a user
belongs to in `app.ini`. If there's no explicit assignment, the engine
will use the default groups. This makes it possible to avoid having to
assign each and every user a list of quota groups, and only those need
to be explicitly assigned who need a different set of groups than the
defaults.

If a user has any quota groups assigned to them, the default list will
not be considered for them.

The management APIs
===================

This commit contains the engine itself, its unit tests, and the quota
management APIs. It does not contain any enforcement.

The APIs are documented in-code, and in the swagger docs, and the
integration tests can serve as an example on how to use them.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-02 11:10:34 +02:00
Gergely Nagy
250f87db59
feat(api): An order_by param for user.ListMyRepos
Add an optional `order_by` parameter to the `user.ListMyRepos`
handler (which handles the `/api/v1/user/repos` route), allowing a user
to sort repos by name (the default), id, or size.

The latter will be useful later for figuring out which repos use most
space, which repos eat most into a user's quota.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-02 10:52:21 +02:00
Gusted
b0a104d3d4 Merge pull request 'Distinguish between new tags, releases and pre-releases on activity page' (#4782) from mahlzahn/forgejo:repo_activity_releases into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4782
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-02 08:11:39 +00:00
Exploding Dragon
471265c4e0 Add signature support for the RPM module (#4780)
This pull request comes from https://github.com/go-gitea/gitea/pull/27069.

If the rpm package does not contain a matching gpg signature, the installation will fail. See ([gitea/gitea#27031](https://github.com/go-gitea/gitea/issues/27031)) , now auto-signing all new rpm uploads.

This option is turned off by default for compatibility.

<!--start release-notes-assistant-->

## Draft release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4780): <!--number 4780 --><!--line 0 --><!--description QWRkIHNpZ25hdHVyZSBzdXBwb3J0IGZvciB0aGUgUlBNIG1vZHVsZQ==-->Add signature support for the RPM module<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4780
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Exploding Dragon <explodingfkl@gmail.com>
Co-committed-by: Exploding Dragon <explodingfkl@gmail.com>
2024-08-02 05:56:57 +00:00
Robert Wolff
2795f5bc0e feat(UI): fix links, add labels for releases on repo activity page 2024-08-02 07:56:03 +02:00
Earl Warren
35ea74576e Merge pull request 'fix(release-notes-assistant): categorize multiline drafts & cleanup & update milestones' (#4779) from earl-warren/forgejo:wip-rna-preview into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4779
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-01 19:33:02 +00:00
Earl Warren
9597e041da
fix(release-notes-assistant): categorize multiline drafts & cleanup
Upgrade to release-notes-assistant 1.1.1:

* multiline release notes drafts were incorrectly categorized
  according the first line, instead of for each line
* when there is a backport, link the original PR first
* remove spurious </a>
2024-08-01 20:56:34 +02:00