Merge remote-tracking branch 'upstream/main'

2022-10-27 00:28:53 +00:00 · 2022-10-27 00:28:53 +00:00 · 5612130bcf
commit 5612130bcf
parent f133e9ca11 096aed5c1d
389 changed files with 3796 additions and 2022 deletions
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -35,9 +35,6 @@ overrides:
    rules:
      import/no-unresolved: [0]
      import/no-extraneous-dependencies: [0]
-  - files: ["*.test.js"]
-    env:
-      jest: true
  - files: ["*.config.js"]
    rules:
      import/no-unused-modules: [0]
--- a/.gitpod.yml
+++ b/.gitpod.yml
@ -1,6 +1,7 @@
 tasks:
  - name: Setup
    init: |
+      cp -r contrib/ide/vscode .vscode
      make deps
      make build
    command: |
@ -32,6 +33,7 @@ vscode:
    - johnsoncodehk.volar
    - ms-azuretools.vscode-docker
    - zixuanchen.vitest-explorer
+    - alexcvzz.vscode-sqlite

 ports:
  - name: Gitea
--- a/1
+++ b/1
@ -49,3 +49,4 @@ silentcode <silentcode@senga.org> (@silentcodeg)
 Wim <wim@42.be> (@42wim)
 xinyu <xinyu@nerv.org.cn> (@penlinux)
 Jason Song <i@wolfogre.com> (@wolfogre)
+Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -588,7 +588,7 @@ func runCreateUser(c *cli.Context) error {
 	}

 	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
-		return fmt.Errorf("CreateUser: %v", err)
+		return fmt.Errorf("CreateUser: %w", err)
 	}

 	if c.Bool("access-token") {
@ -735,7 +735,7 @@ func runRepoSyncReleases(_ *cli.Context) error {
 			Private: true,
 		})
 		if err != nil {
-			return fmt.Errorf("SearchRepositoryByName: %v", err)
+			return fmt.Errorf("SearchRepositoryByName: %w", err)
 		}
 		if len(repos) == 0 {
 			break
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -68,7 +68,7 @@ Ensure you are running in the correct environment or set the correct configurati
 If this is the intended configuration file complete the [database] section.`, setting.CustomConf)
 	}
 	if err := db.InitEngine(ctx); err != nil {
-		return fmt.Errorf("unable to initialize the database using the configuration in %q. Error: %v", setting.CustomConf, err)
+		return fmt.Errorf("unable to initialize the database using the configuration in %q. Error: %w", setting.CustomConf, err)
 	}
 	return nil
 }
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -146,6 +146,10 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 			Name:  "skip-package-data",
 			Usage: "Skip package data",
 		},
+		cli.BoolFlag{
+			Name:  "skip-index",
+			Usage: "Skip bleve index data",
+		},
 		cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
@ -327,6 +331,11 @@ func runDump(ctx *cli.Context) error {
 			excludes = append(excludes, opts.ProviderConfig)
 		}

+		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			excludes = append(excludes, setting.Indexer.RepoPath)
+			excludes = append(excludes, setting.Indexer.IssuePath)
+		}
+
 		excludes = append(excludes, setting.RepoRootPath)
 		excludes = append(excludes, setting.LFS.Path)
 		excludes = append(excludes, setting.Attachment.Path)
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -166,7 +166,7 @@ func runDumpRepository(ctx *cli.Context) error {
 	// make sure the directory doesn't exist or is empty, prevent from deleting user files
 	repoDir := ctx.String("repo_dir")
 	if exists, err := util.IsExist(repoDir); err != nil {
-		return fmt.Errorf("unable to stat repo_dir %q: %v", repoDir, err)
+		return fmt.Errorf("unable to stat repo_dir %q: %w", repoDir, err)
 	} else if exists {
 		if isDir, _ := util.IsDir(repoDir); !isDir {
 			return fmt.Errorf("repo_dir %q already exists but it's not a directory", repoDir)
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@ -186,11 +186,11 @@ func runViewDo(c *cli.Context) error {

 	data, err := assets[0].Section.Asset(assets[0].Name)
 	if err != nil {
-		return fmt.Errorf("%s: %v", assets[0].Path, err)
+		return fmt.Errorf("%s: %w", assets[0].Path, err)
 	}

 	if _, err = os.Stdout.Write(data); err != nil {
-		return fmt.Errorf("%s: %v", assets[0].Path, err)
+		return fmt.Errorf("%s: %w", assets[0].Path, err)
 	}

 	return nil
@ -251,11 +251,11 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {

 	data, err := a.Section.Asset(a.Name)
 	if err != nil {
-		return fmt.Errorf("%s: %v", a.Path, err)
+		return fmt.Errorf("%s: %w", a.Path, err)
 	}

 	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
-		return fmt.Errorf("%s: %v", dir, err)
+		return fmt.Errorf("%s: %w", dir, err)
 	}

 	perms := os.ModePerm & 0o666
@ -263,7 +263,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 	fi, err := os.Lstat(dest)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
-			return fmt.Errorf("%s: %v", dest, err)
+			return fmt.Errorf("%s: %w", dest, err)
 		}
 	} else if !overwrite && !rename {
 		fmt.Printf("%s already exists; skipped.\n", dest)
@ -272,7 +272,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 		return fmt.Errorf("%s already exists, but it's not a regular file", dest)
 	} else if rename {
 		if err := util.Rename(dest, dest+".bak"); err != nil {
-			return fmt.Errorf("Error creating backup for %s: %v", dest, err)
+			return fmt.Errorf("Error creating backup for %s: %w", dest, err)
 		}
 		// Attempt to respect file permissions mask (even if user:group will be set anew)
 		perms = fi.Mode()
@ -280,12 +280,12 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {

 	file, err := os.OpenFile(dest, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, perms)
 	if err != nil {
-		return fmt.Errorf("%s: %v", dest, err)
+		return fmt.Errorf("%s: %w", dest, err)
 	}
 	defer file.Close()

 	if _, err = file.Write(data); err != nil {
-		return fmt.Errorf("%s: %v", dest, err)
+		return fmt.Errorf("%s: %w", dest, err)
 	}

 	fmt.Println(dest)
@ -325,7 +325,7 @@ func getPatterns(args []string) ([]glob.Glob, error) {
 	pat := make([]glob.Glob, len(args))
 	for i := range args {
 		if g, err := glob.Compile(args[i], '/'); err != nil {
-			return nil, fmt.Errorf("'%s': Invalid glob pattern: %v", args[i], err)
+			return nil, fmt.Errorf("'%s': Invalid glob pattern: %w", args[i], err)
 		} else {
 			pat[i] = g
 		}
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -312,7 +312,7 @@ func runHookPostReceive(c *cli.Context) error {

 	// First of all run update-server-info no matter what
 	if _, _, err := git.NewCommand(ctx, "update-server-info").RunStdString(nil); err != nil {
-		return fmt.Errorf("Failed to call 'git update-server-info': %v", err)
+		return fmt.Errorf("Failed to call 'git update-server-info': %w", err)
 	}

 	// Now if we're an internal don't do anything else
--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@ -33,6 +33,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers"
+	markup_service "code.gitea.io/gitea/services/markup"

 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
@ -112,7 +113,7 @@ func runPR() {
 	log.Printf("[PR] Setting up router\n")
 	// routers.GlobalInit()
 	external.RegisterRenderers()
-	markup.Init()
+	markup.Init(markup_service.ProcessorHelper())
 	c := routers.NormalRoutes(graceful.GetManager().HammerContext())

 	log.Printf("[PR] Ready for testing !\n")
--- a/docs/content/doc/developers/oauth2-provider.md
+++ b/docs/content/doc/developers/oauth2-provider.md
@ -44,6 +44,12 @@ To use the Authorization Code Grant as a third party application it is required

 Currently Gitea does not support scopes (see [#4300](https://github.com/go-gitea/gitea/issues/4300)) and all third party applications will be granted access to all resources of the user and their organizations.

+## Client types
+
+Gitea supports both confidential and public client types, [as defined by RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).
+
+For public clients, a redirect URI of a loopback IP address such as `http://127.0.0.1/` allows any port. Avoid using `localhost`, [as recommended by RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3).
+
 ## Example

 **Note:** This example does not use PKCE.
--- a/docs/content/doc/installation/from-package.zh-cn.md
+++ b/docs/content/doc/installation/from-package.zh-cn.md
@ -71,7 +71,7 @@ choco install gitea
 macOS 平台下当前我们仅支持通过 `brew` 来安装。如果你没有安装 [Homebrew](http://brew.sh/)，你也可以查看 [从二进制安装]({{< relref "from-binary.zh-cn.md" >}})。在你安装了 `brew` 之后， 你可以执行以下命令：

 ```
-brew tap go-gitea/gitea
+brew tap gitea/tap https://gitea.com/gitea/homebrew-gitea
 brew install gitea
 ```

--- a/go.mod
+++ b/go.mod
@ -6,7 +6,7 @@ require (
 	code.gitea.io/gitea-vet v0.2.2-0.20220122151748-48ebc902541b
 	code.gitea.io/sdk/gitea v0.15.1
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
-	gitea.com/go-chi/binding v0.0.0-20220309004920-114340dabecb
+	gitea.com/go-chi/binding v0.0.0-20221013104517-b29891619681
 	gitea.com/go-chi/cache v0.2.0
 	gitea.com/go-chi/captcha v0.0.0-20211013065431-70641c1a35d5
 	gitea.com/go-chi/session v0.0.0-20211218221615-e3605d8b28b8
--- a/go.sum
+++ b/go.sum
@ -81,8 +81,8 @@ contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcig
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:cliQ4HHsCo6xi2oWZYKWW4bly/Ory9FuTpFPRxj/mAg=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs=
-gitea.com/go-chi/binding v0.0.0-20220309004920-114340dabecb h1:Yy0Bxzc8R2wxiwXoG/rECGplJUSpXqCsog9PuJFgiHs=
-gitea.com/go-chi/binding v0.0.0-20220309004920-114340dabecb/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc=
+gitea.com/go-chi/binding v0.0.0-20221013104517-b29891619681 h1:MMSPgnVULVwV9kEBgvyEUhC9v/uviZ55hPJEMjpbNR4=
+gitea.com/go-chi/binding v0.0.0-20221013104517-b29891619681/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc=
 gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e/go.mod h1:k2V/gPDEtXGjjMGuBJiapffAXTv76H4snSmlJRLUhH0=
 gitea.com/go-chi/cache v0.2.0 h1:E0npuTfDW6CT1yD8NMDVc1SK6IeRjfmRL2zlEsCEd7w=
 gitea.com/go-chi/cache v0.2.0/go.mod h1:iQlVK2aKTZ/rE9UcHyz9pQWGvdP9i1eI2spOpzgCrtE=
--- a/models/activities/action.go
+++ b/models/activities/action.go
@ -360,11 +360,11 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, error) {
 	actions := make([]*Action, 0, opts.PageSize)

 	if err := sess.Desc("`action`.created_unix").Find(&actions); err != nil {
-		return nil, fmt.Errorf("Find: %v", err)
+		return nil, fmt.Errorf("Find: %w", err)
 	}

 	if err := ActionList(actions).loadAttributes(ctx); err != nil {
-		return nil, fmt.Errorf("LoadAttributes: %v", err)
+		return nil, fmt.Errorf("LoadAttributes: %w", err)
 	}

 	return actions, nil
@ -416,7 +416,7 @@ func activityQueryCondition(opts GetFeedsOptions) (builder.Cond, error) {
 		env := organization.OrgFromUser(opts.RequestedUser).AccessibleTeamReposEnv(opts.RequestedTeam)
 		teamRepoIDs, err := env.RepoIDs(1, opts.RequestedUser.NumRepos)
 		if err != nil {
-			return nil, fmt.Errorf("GetTeamRepositories: %v", err)
+			return nil, fmt.Errorf("GetTeamRepositories: %w", err)
 		}
 		cond = cond.And(builder.In("repo_id", teamRepoIDs))
 	}
@ -482,14 +482,14 @@ func notifyWatchers(ctx context.Context, actions ...*Action) error {
 			// Add feeds for user self and all watchers.
 			watchers, err = repo_model.GetWatchers(ctx, act.RepoID)
 			if err != nil {
-				return fmt.Errorf("get watchers: %v", err)
+				return fmt.Errorf("get watchers: %w", err)
 			}
 		}

 		// Add feed for actioner.
 		act.UserID = act.ActUserID
 		if _, err = e.Insert(act); err != nil {
-			return fmt.Errorf("insert new actioner: %v", err)
+			return fmt.Errorf("insert new actioner: %w", err)
 		}

 		if repoChanged {
@ -498,7 +498,7 @@ func notifyWatchers(ctx context.Context, actions ...*Action) error {

 			// check repo owner exist.
 			if err := act.Repo.GetOwner(ctx); err != nil {
-				return fmt.Errorf("can't get repo owner: %v", err)
+				return fmt.Errorf("can't get repo owner: %w", err)
 			}
 		} else if act.Repo == nil {
 			act.Repo = repo
@ -509,7 +509,7 @@ func notifyWatchers(ctx context.Context, actions ...*Action) error {
 			act.ID = 0
 			act.UserID = act.Repo.Owner.ID
 			if err = db.Insert(ctx, act); err != nil {
-				return fmt.Errorf("insert new actioner: %v", err)
+				return fmt.Errorf("insert new actioner: %w", err)
 			}
 		}

@ -562,7 +562,7 @@ func notifyWatchers(ctx context.Context, actions ...*Action) error {
 			}

 			if err = db.Insert(ctx, act); err != nil {
-				return fmt.Errorf("insert new action: %v", err)
+				return fmt.Errorf("insert new action: %w", err)
 			}
 		}
 	}
--- a/models/activities/action_list.go
+++ b/models/activities/action_list.go
@ -36,7 +36,7 @@ func (actions ActionList) loadUsers(ctx context.Context) (map[int64]*user_model.
 		In("id", userIDs).
 		Find(&userMaps)
 	if err != nil {
-		return nil, fmt.Errorf("find user: %v", err)
+		return nil, fmt.Errorf("find user: %w", err)
 	}

 	for _, action := range actions {
@ -62,7 +62,7 @@ func (actions ActionList) loadRepositories(ctx context.Context) error {
 	repoMaps := make(map[int64]*repo_model.Repository, len(repoIDs))
 	err := db.GetEngine(ctx).In("id", repoIDs).Find(&repoMaps)
 	if err != nil {
-		return fmt.Errorf("find repository: %v", err)
+		return fmt.Errorf("find repository: %w", err)
 	}

 	for _, action := range actions {
--- a/models/activities/notification.go
+++ b/models/activities/notification.go
@ -403,7 +403,7 @@ func (n *Notification) loadRepo(ctx context.Context) (err error) {
 	if n.Repository == nil {
 		n.Repository, err = repo_model.GetRepositoryByIDCtx(ctx, n.RepoID)
 		if err != nil {
-			return fmt.Errorf("getRepositoryByID [%d]: %v", n.RepoID, err)
+			return fmt.Errorf("getRepositoryByID [%d]: %w", n.RepoID, err)
 		}
 	}
 	return nil
@ -413,7 +413,7 @@ func (n *Notification) loadIssue(ctx context.Context) (err error) {
 	if n.Issue == nil && n.IssueID != 0 {
 		n.Issue, err = issues_model.GetIssueByID(ctx, n.IssueID)
 		if err != nil {
-			return fmt.Errorf("getIssueByID [%d]: %v", n.IssueID, err)
+			return fmt.Errorf("getIssueByID [%d]: %w", n.IssueID, err)
 		}
 		return n.Issue.LoadAttributes(ctx)
 	}
@ -440,7 +440,7 @@ func (n *Notification) loadUser(ctx context.Context) (err error) {
 	if n.User == nil {
 		n.User, err = user_model.GetUserByIDCtx(ctx, n.UserID)
 		if err != nil {
-			return fmt.Errorf("getUserByID [%d]: %v", n.UserID, err)
+			return fmt.Errorf("getUserByID [%d]: %w", n.UserID, err)
 		}
 	}
 	return nil
--- a/models/activities/repo_activity.go
+++ b/models/activities/repo_activity.go
@ -49,32 +49,32 @@ func GetActivityStats(ctx context.Context, repo *repo_model.Repository, timeFrom
 	stats := &ActivityStats{Code: &git.CodeActivityStats{}}
 	if releases {
 		if err := stats.FillReleases(repo.ID, timeFrom); err != nil {
-			return nil, fmt.Errorf("FillReleases: %v", err)
+			return nil, fmt.Errorf("FillReleases: %w", err)
 		}
 	}
 	if prs {
 		if err := stats.FillPullRequests(repo.ID, timeFrom); err != nil {
-			return nil, fmt.Errorf("FillPullRequests: %v", err)
+			return nil, fmt.Errorf("FillPullRequests: %w", err)
 		}
 	}
 	if issues {
 		if err := stats.FillIssues(repo.ID, timeFrom); err != nil {
-			return nil, fmt.Errorf("FillIssues: %v", err)
+			return nil, fmt.Errorf("FillIssues: %w", err)
 		}
 	}
 	if err := stats.FillUnresolvedIssues(repo.ID, timeFrom, issues, prs); err != nil {
-		return nil, fmt.Errorf("FillUnresolvedIssues: %v", err)
+		return nil, fmt.Errorf("FillUnresolvedIssues: %w", err)
 	}
 	if code {
 		gitRepo, closer, err := git.RepositoryFromContextOrOpen(ctx, repo.RepoPath())
 		if err != nil {
-			return nil, fmt.Errorf("OpenRepository: %v", err)
+			return nil, fmt.Errorf("OpenRepository: %w", err)
 		}
 		defer closer.Close()

 		code, err := gitRepo.GetCodeActivityStats(timeFrom, repo.DefaultBranch)
 		if err != nil {
-			return nil, fmt.Errorf("FillFromGit: %v", err)
+			return nil, fmt.Errorf("FillFromGit: %w", err)
 		}
 		stats.Code = code
 	}
@ -85,13 +85,13 @@ func GetActivityStats(ctx context.Context, repo *repo_model.Repository, timeFrom
 func GetActivityStatsTopAuthors(ctx context.Context, repo *repo_model.Repository, timeFrom time.Time, count int) ([]*ActivityAuthorData, error) {
 	gitRepo, closer, err := git.RepositoryFromContextOrOpen(ctx, repo.RepoPath())
 	if err != nil {
-		return nil, fmt.Errorf("OpenRepository: %v", err)
+		return nil, fmt.Errorf("OpenRepository: %w", err)
 	}
 	defer closer.Close()

 	code, err := gitRepo.GetCodeActivityStats(timeFrom, "")
 	if err != nil {
-		return nil, fmt.Errorf("FillFromGit: %v", err)
+		return nil, fmt.Errorf("FillFromGit: %w", err)
 	}
 	if code.Authors == nil {
 		return nil, nil
--- a/models/asymkey/gpg_key.go
+++ b/models/asymkey/gpg_key.go
@ -226,7 +226,7 @@ func DeleteGPGKey(doer *user_model.User, id int64) (err error) {
 		if IsErrGPGKeyNotExist(err) {
 			return nil
 		}
-		return fmt.Errorf("GetPublicKeyByID: %v", err)
+		return fmt.Errorf("GetPublicKeyByID: %w", err)
 	}

 	// Check if user has access to delete this key.
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@ -130,7 +130,7 @@ func AddPublicKey(ownerID int64, name, content string, authSourceID int64) (*Pub
 		LoginSourceID: authSourceID,
 	}
 	if err = addKey(ctx, key); err != nil {
-		return nil, fmt.Errorf("addKey: %v", err)
+		return nil, fmt.Errorf("addKey: %w", err)
 	}

 	return key, committer.Commit()
--- a/models/asymkey/ssh_key_deploy.go
+++ b/models/asymkey/ssh_key_deploy.go
@ -151,7 +151,7 @@ func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey
 		pkey.Content = content
 		pkey.Name = name
 		if err = addKey(ctx, pkey); err != nil {
-			return nil, fmt.Errorf("addKey: %v", err)
+			return nil, fmt.Errorf("addKey: %w", err)
 		}
 	}

--- a/models/asymkey/ssh_key_fingerprint.go
+++ b/models/asymkey/ssh_key_fingerprint.go
@ -95,7 +95,7 @@ func CalcFingerprint(publicKeyContent string) (string, error) {
 			log.Info("%s", publicKeyContent)
 			return "", err
 		}
-		return "", fmt.Errorf("%s: %v", fnName, err)
+		return "", fmt.Errorf("%s: %w", fnName, err)
 	}
 	return fp, nil
 }
--- a/models/asymkey/ssh_key_parse.go
+++ b/models/asymkey/ssh_key_parse.go
@ -44,7 +44,7 @@ const ssh2keyStart = "---- BEGIN SSH2 PUBLIC KEY ----"
 func extractTypeFromBase64Key(key string) (string, error) {
 	b, err := base64.StdEncoding.DecodeString(key)
 	if err != nil || len(b) < 4 {
-		return "", fmt.Errorf("invalid key format: %v", err)
+		return "", fmt.Errorf("invalid key format: %w", err)
 	}

 	keyLength := int(binary.BigEndian.Uint32(b))
@ -85,7 +85,7 @@ func parseKeyString(content string) (string, error) {

 		t, err := extractTypeFromBase64Key(keyContent)
 		if err != nil {
-			return "", fmt.Errorf("extractTypeFromBase64Key: %v", err)
+			return "", fmt.Errorf("extractTypeFromBase64Key: %w", err)
 		}
 		keyType = t
 	} else {
@ -104,14 +104,14 @@ func parseKeyString(content string) (string, error) {
 				var pk rsa.PublicKey
 				_, err2 := asn1.Unmarshal(block.Bytes, &pk)
 				if err2 != nil {
-					return "", fmt.Errorf("failed to parse DER encoded public key as either PKIX or PEM RSA Key: %v %v", err, err2)
+					return "", fmt.Errorf("failed to parse DER encoded public key as either PKIX or PEM RSA Key: %v %w", err, err2)
 				}
 				pub = &pk
 			}

 			sshKey, err := ssh.NewPublicKey(pub)
 			if err != nil {
-				return "", fmt.Errorf("unable to convert to ssh public key: %v", err)
+				return "", fmt.Errorf("unable to convert to ssh public key: %w", err)
 			}
 			content = string(ssh.MarshalAuthorizedKey(sshKey))
 		}
@ -138,7 +138,7 @@ func parseKeyString(content string) (string, error) {
 		// If keyType is not given, extract it from content. If given, validate it.
 		t, err := extractTypeFromBase64Key(keyContent)
 		if err != nil {
-			return "", fmt.Errorf("extractTypeFromBase64Key: %v", err)
+			return "", fmt.Errorf("extractTypeFromBase64Key: %w", err)
 		}
 		if len(keyType) == 0 {
 			keyType = t
@ -149,7 +149,7 @@ func parseKeyString(content string) (string, error) {
 	// Finally we need to check whether we can actually read the proposed key:
 	_, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyType + " " + keyContent + " " + keyComment))
 	if err != nil {
-		return "", fmt.Errorf("invalid ssh public key: %v", err)
+		return "", fmt.Errorf("invalid ssh public key: %w", err)
 	}
 	return keyType + " " + keyContent + " " + keyComment, nil
 }
@ -191,7 +191,7 @@ func CheckPublicKeyString(content string) (_ string, err error) {
 		keyType, length, err = SSHKeyGenParsePublicKey(content)
 	}
 	if err != nil {
-		return "", fmt.Errorf("%s: %v", fnName, err)
+		return "", fmt.Errorf("%s: %w", fnName, err)
 	}
 	log.Trace("Key info [native: %v]: %s-%d", setting.SSH.StartBuiltinServer, keyType, length)

@ -220,7 +220,7 @@ func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
 		if strings.Contains(err.Error(), "ssh: unknown key algorithm") {
 			return "", 0, ErrKeyUnableVerify{err.Error()}
 		}
-		return "", 0, fmt.Errorf("ParsePublicKey: %v", err)
+		return "", 0, fmt.Errorf("ParsePublicKey: %w", err)
 	}

 	// The ssh library can parse the key, so next we find out what key exactly we have.
@ -267,12 +267,12 @@ func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
 func writeTmpKeyFile(content string) (string, error) {
 	tmpFile, err := os.CreateTemp(setting.SSH.KeyTestPath, "gitea_keytest")
 	if err != nil {
-		return "", fmt.Errorf("TempFile: %v", err)
+		return "", fmt.Errorf("TempFile: %w", err)
 	}
 	defer tmpFile.Close()

 	if _, err = tmpFile.WriteString(content); err != nil {
-		return "", fmt.Errorf("WriteString: %v", err)
+		return "", fmt.Errorf("WriteString: %w", err)
 	}
 	return tmpFile.Name(), nil
 }
@ -281,7 +281,7 @@ func writeTmpKeyFile(content string) (string, error) {
 func SSHKeyGenParsePublicKey(key string) (string, int, error) {
 	tmpName, err := writeTmpKeyFile(key)
 	if err != nil {
-		return "", 0, fmt.Errorf("writeTmpKeyFile: %v", err)
+		return "", 0, fmt.Errorf("writeTmpKeyFile: %w", err)
 	}
 	defer func() {
 		if err := util.Remove(tmpName); err != nil {
--- a/models/asymkey/ssh_key_principals.go
+++ b/models/asymkey/ssh_key_principals.go
@ -51,7 +51,7 @@ func AddPrincipalKey(ownerID int64, content string, authSourceID int64) (*Public
 		LoginSourceID: authSourceID,
 	}
 	if err = db.Insert(ctx, key); err != nil {
-		return nil, fmt.Errorf("addKey: %v", err)
+		return nil, fmt.Errorf("addKey: %w", err)
 	}

 	if err = committer.Commit(); err != nil {
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@ -31,9 +31,14 @@ type OAuth2Application struct {
 	Name         string
 	ClientID     string `xorm:"unique"`
 	ClientSecret string
-	RedirectURIs []string           `xorm:"redirect_uris JSON TEXT"`
-	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
-	UpdatedUnix  timeutil.TimeStamp `xorm:"INDEX updated"`
+	// OAuth defines both Confidential and Public client types
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
+	// "Authorization servers MUST record the client type in the client registration details"
+	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+	ConfidentialClient bool               `xorm:"NOT NULL DEFAULT TRUE"`
+	RedirectURIs       []string           `xorm:"redirect_uris JSON TEXT"`
+	CreatedUnix        timeutil.TimeStamp `xorm:"INDEX created"`
+	UpdatedUnix        timeutil.TimeStamp `xorm:"INDEX updated"`
 }

 func init() {
@ -57,15 +62,17 @@ func (app *OAuth2Application) PrimaryRedirectURI() string {

 // ContainsRedirectURI checks if redirectURI is allowed for app
 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
-	uri, err := url.Parse(redirectURI)
-	// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
-	if err == nil && uri.Scheme == "http" && uri.Port() != "" {
-		ip := net.ParseIP(uri.Hostname())
-		if ip != nil && ip.IsLoopback() {
-			// strip port
-			uri.Host = uri.Hostname()
-			if util.IsStringInSlice(uri.String(), app.RedirectURIs, true) {
-				return true
+	if !app.ConfidentialClient {
+		uri, err := url.Parse(redirectURI)
+		// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
+		if err == nil && uri.Scheme == "http" && uri.Port() != "" {
+			ip := net.ParseIP(uri.Hostname())
+			if ip != nil && ip.IsLoopback() {
+				// strip port
+				uri.Host = uri.Hostname()
+				if util.IsStringInSlice(uri.String(), app.RedirectURIs, true) {
+					return true
+				}
 			}
 		}
 	}
@ -161,19 +168,21 @@ func GetOAuth2ApplicationsByUserID(ctx context.Context, userID int64) (apps []*O

 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
-	Name         string
-	UserID       int64
-	RedirectURIs []string
+	Name               string
+	UserID             int64
+	ConfidentialClient bool
+	RedirectURIs       []string
 }

 // CreateOAuth2Application inserts a new oauth2 application
 func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error) {
 	clientID := uuid.New().String()
 	app := &OAuth2Application{
-		UID:          opts.UserID,
-		Name:         opts.Name,
-		ClientID:     clientID,
-		RedirectURIs: opts.RedirectURIs,
+		UID:                opts.UserID,
+		Name:               opts.Name,
+		ClientID:           clientID,
+		RedirectURIs:       opts.RedirectURIs,
+		ConfidentialClient: opts.ConfidentialClient,
 	}
 	if err := db.Insert(ctx, app); err != nil {
 		return nil, err
@ -183,10 +192,11 @@ func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOp

 // UpdateOAuth2ApplicationOptions holds options to update an oauth2 application
 type UpdateOAuth2ApplicationOptions struct {
-	ID           int64
-	Name         string
-	UserID       int64
-	RedirectURIs []string
+	ID                 int64
+	Name               string
+	UserID             int64
+	ConfidentialClient bool
+	RedirectURIs       []string
 }

 // UpdateOAuth2Application updates an oauth2 application
@ -207,6 +217,7 @@ func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Applic

 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
+	app.ConfidentialClient = opts.ConfidentialClient

 	if err = updateOAuth2Application(ctx, app); err != nil {
 		return nil, err
@ -217,7 +228,7 @@ func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Applic
 }

 func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
-	if _, err := db.GetEngine(ctx).ID(app.ID).Update(app); err != nil {
+	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {
 		return err
 	}
 	return nil
@ -559,7 +570,7 @@ func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
 		&OAuth2Application{UID: userID},
 		&OAuth2Grant{UserID: userID},
 	); err != nil {
-		return fmt.Errorf("DeleteBeans: %v", err)
+		return fmt.Errorf("DeleteBeans: %w", err)
 	}

 	return nil
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@ -45,7 +45,8 @@ func TestOAuth2Application_ContainsRedirectURI(t *testing.T) {

 func TestOAuth2Application_ContainsRedirectURI_WithPort(t *testing.T) {
 	app := &auth_model.OAuth2Application{
-		RedirectURIs: []string{"http://127.0.0.1/", "http://::1/", "http://192.168.0.1/", "http://intranet/", "https://127.0.0.1/"},
+		RedirectURIs:       []string{"http://127.0.0.1/", "http://::1/", "http://192.168.0.1/", "http://intranet/", "https://127.0.0.1/"},
+		ConfidentialClient: false,
 	}

 	// http loopback uris should ignore port
--- a/models/auth/token.go
+++ b/models/auth/token.go
@ -86,7 +86,7 @@ func init() {
 			var err error
 			successfulAccessTokenCache, err = lru.New(setting.SuccessfulTokensCacheSize)
 			if err != nil {
-				return fmt.Errorf("unable to allocate AccessToken cache: %v", err)
+				return fmt.Errorf("unable to allocate AccessToken cache: %w", err)
 			}
 		} else {
 			successfulAccessTokenCache = nil
--- a/models/db/engine.go
+++ b/models/db/engine.go
@ -130,7 +130,7 @@ func SyncAllTables() error {
 func InitEngine(ctx context.Context) error {
 	xormEngine, err := newXORMEngine()
 	if err != nil {
-		return fmt.Errorf("failed to connect to database: %v", err)
+		return fmt.Errorf("failed to connect to database: %w", err)
 	}

 	xormEngine.SetMapper(names.GonicMapper{})
@ -189,16 +189,16 @@ func InitEngineWithMigration(ctx context.Context, migrateFunc func(*xorm.Engine)
 	// However, we should think carefully about should we support re-install on an installed instance,
 	// as there may be other problems due to secret reinitialization.
 	if err = migrateFunc(x); err != nil {
-		return fmt.Errorf("migrate: %v", err)
+		return fmt.Errorf("migrate: %w", err)
 	}

 	if err = SyncAllTables(); err != nil {
-		return fmt.Errorf("sync database struct error: %v", err)
+		return fmt.Errorf("sync database struct error: %w", err)
 	}

 	for _, initFunc := range initFuncs {
 		if err := initFunc(); err != nil {
-			return fmt.Errorf("initFunc failed: %v", err)
+			return fmt.Errorf("initFunc failed: %w", err)
 		}
 	}

--- a/models/fixtures/hook_task.yml
+++ b/models/fixtures/hook_task.yml
@ -1,6 +1,5 @@
 -
  id: 1
-  repo_id: 1
  hook_id: 1
  uuid: uuid1
  is_delivered: true
--- a/models/fixtures/oauth2_application.yml
+++ b/models/fixtures/oauth2_application.yml
@ -7,3 +7,14 @@
  redirect_uris: '["a", "https://example.com/xyzzy"]'
  created_unix: 1546869730
  updated_unix: 1546869730
+  confidential_client: true
+-
+  id: 2
+  uid: 2
+  name: "Test native app"
+  client_id: "ce5a1322-42a7-11ed-b878-0242ac120002"
+  client_secret: "$2a$10$UYRgUSgekzBp6hYe8pAdc.cgB4Gn06QRKsORUnIYTYQADs.YR/uvi" # bcrypt of "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=
+  redirect_uris: '["http://127.0.0.1"]'
+  created_unix: 1546869730
+  updated_unix: 1546869730
+  confidential_client: false
--- a/models/fixtures/oauth2_authorization_code.yml
+++ b/models/fixtures/oauth2_authorization_code.yml
@ -6,3 +6,10 @@
  redirect_uri: "a"
  valid_until: 3546869730

+- id: 2
+  grant_id: 4
+  code: "authcodepublic"
+  code_challenge: "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg" # Code Verifier: N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt
+  code_challenge_method: "S256"
+  redirect_uri: "http://127.0.0.1/"
+  valid_until: 3546869730
--- a/models/fixtures/oauth2_grant.yml
+++ b/models/fixtures/oauth2_grant.yml
@ -20,4 +20,12 @@
  counter: 1
  scope: "openid profile email"
  created_unix: 1546869730
-  updated_unix: 1546869730
+  updated_unix: 1546869730
+
+- id: 4
+  user_id: 99
+  application_id: 2
+  counter: 1
+  scope: "whatever"
+  created_unix: 1546869730
+  updated_unix: 1546869730
--- a/models/git/branches.go
+++ b/models/git/branches.go
@ -270,7 +270,7 @@ type WhitelistOptions struct {
 // to avoid unnecessary whitelist delete and regenerate.
 func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
 	if err = repo.GetOwner(ctx); err != nil {
-		return fmt.Errorf("GetOwner: %v", err)
+		return fmt.Errorf("GetOwner: %w", err)
 	}

 	whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
@ -313,13 +313,13 @@ func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, prote
 	// Make sure protectBranch.ID is not 0 for whitelists
 	if protectBranch.ID == 0 {
 		if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
-			return fmt.Errorf("Insert: %v", err)
+			return fmt.Errorf("Insert: %w", err)
 		}
 		return nil
 	}

 	if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
-		return fmt.Errorf("Update: %v", err)
+		return fmt.Errorf("Update: %w", err)
 	}

 	return nil
@ -378,11 +378,11 @@ func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, curre
 	for _, userID := range newWhitelist {
 		user, err := user_model.GetUserByIDCtx(ctx, userID)
 		if err != nil {
-			return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+			return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
 		}
 		perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
 		if err != nil {
-			return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+			return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
 		}

 		if !perm.CanWrite(unit.TypeCode) {
@ -405,7 +405,7 @@ func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, curre

 	teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)
 	if err != nil {
-		return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
+		return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %w", repo.OwnerID, repo.ID, err)
 	}

 	whitelist = make([]int64, 0, len(teams))
--- a/models/git/commit_status.go
+++ b/models/git/commit_status.go
@ -128,13 +128,13 @@ func (status *CommitStatus) loadAttributes(ctx context.Context) (err error) {
 	if status.Repo == nil {
 		status.Repo, err = repo_model.GetRepositoryByIDCtx(ctx, status.RepoID)
 		if err != nil {
-			return fmt.Errorf("getRepositoryByID [%d]: %v", status.RepoID, err)
+			return fmt.Errorf("getRepositoryByID [%d]: %w", status.RepoID, err)
 		}
 	}
 	if status.Creator == nil && status.CreatorID > 0 {
 		status.Creator, err = user_model.GetUserByIDCtx(ctx, status.CreatorID)
 		if err != nil {
-			return fmt.Errorf("getUserByID [%d]: %v", status.CreatorID, err)
+			return fmt.Errorf("getUserByID [%d]: %w", status.CreatorID, err)
 		}
 	}
 	return nil
@ -294,12 +294,12 @@ func NewCommitStatus(opts NewCommitStatusOptions) error {
 	// Get the next Status Index
 	idx, err := GetNextCommitStatusIndex(opts.Repo.ID, opts.SHA)
 	if err != nil {
-		return fmt.Errorf("generate commit status index failed: %v", err)
+		return fmt.Errorf("generate commit status index failed: %w", err)
 	}

 	ctx, committer, err := db.TxContext()
 	if err != nil {
-		return fmt.Errorf("NewCommitStatus[repo_id: %d, user_id: %d, sha: %s]: %v", opts.Repo.ID, opts.Creator.ID, opts.SHA, err)
+		return fmt.Errorf("NewCommitStatus[repo_id: %d, user_id: %d, sha: %s]: %w", opts.Repo.ID, opts.Creator.ID, opts.SHA, err)
 	}
 	defer committer.Close()

@ -316,7 +316,7 @@ func NewCommitStatus(opts NewCommitStatusOptions) error {

 	// Insert new CommitStatus
 	if _, err = db.GetEngine(ctx).Insert(opts.CommitStatus); err != nil {
-		return fmt.Errorf("Insert CommitStatus[%s, %s]: %v", repoPath, opts.SHA, err)
+		return fmt.Errorf("Insert CommitStatus[%s, %s]: %w", repoPath, opts.SHA, err)
 	}

 	return committer.Commit()
--- a/models/git/lfs.go
+++ b/models/git/lfs.go
@ -316,7 +316,7 @@ func CopyLFS(ctx context.Context, newRepo, oldRepo *repo_model.Repository) error
 func GetRepoLFSSize(ctx context.Context, repoID int64) (int64, error) {
 	lfsSize, err := db.GetEngine(ctx).Where("repository_id = ?", repoID).SumInt(new(LFSMetaObject), "size")
 	if err != nil {
-		return 0, fmt.Errorf("updateSize: GetLFSMetaObjects: %v", err)
+		return 0, fmt.Errorf("updateSize: GetLFSMetaObjects: %w", err)
 	}
 	return lfsSize, nil
 }
--- a/models/issues/assignees.go
+++ b/models/issues/assignees.go
@ -85,12 +85,12 @@ func ToggleIssueAssignee(issue *Issue, doer *user_model.User, assigneeID int64)
 func toggleIssueAssignee(ctx context.Context, issue *Issue, doer *user_model.User, assigneeID int64, isCreate bool) (removed bool, comment *Comment, err error) {
 	removed, err = toggleUserAssignee(ctx, issue, assigneeID)
 	if err != nil {
-		return false, nil, fmt.Errorf("UpdateIssueUserByAssignee: %v", err)
+		return false, nil, fmt.Errorf("UpdateIssueUserByAssignee: %w", err)
 	}

 	// Repo infos
 	if err = issue.LoadRepo(ctx); err != nil {
-		return false, nil, fmt.Errorf("loadRepo: %v", err)
+		return false, nil, fmt.Errorf("loadRepo: %w", err)
 	}

 	opts := &CreateCommentOptions{
@ -104,7 +104,7 @@ func toggleIssueAssignee(ctx context.Context, issue *Issue, doer *user_model.Use
 	// Comment
 	comment, err = CreateCommentCtx(ctx, opts)
 	if err != nil {
-		return false, nil, fmt.Errorf("createComment: %v", err)
+		return false, nil, fmt.Errorf("createComment: %w", err)
 	}

 	// if pull request is in the middle of creation - don't call webhook
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@ -573,13 +573,13 @@ func (c *Comment) UpdateAttachments(uuids []string) error {

 	attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, uuids)
 	if err != nil {
-		return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %v", uuids, err)
+		return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %w", uuids, err)
 	}
 	for i := 0; i < len(attachments); i++ {
 		attachments[i].IssueID = c.IssueID
 		attachments[i].CommentID = c.ID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
-			return fmt.Errorf("update attachment [id: %d]: %v", attachments[i].ID, err)
+			return fmt.Errorf("update attachment [id: %d]: %w", attachments[i].ID, err)
 		}
 	}
 	return committer.Commit()
@ -874,7 +874,7 @@ func updateCommentInfos(ctx context.Context, opts *CreateCommentOptions, comment
 		// Check attachments
 		attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, opts.Attachments)
 		if err != nil {
-			return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %v", opts.Attachments, err)
+			return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %w", opts.Attachments, err)
 		}

 		for i := range attachments {
@ -882,11 +882,11 @@ func updateCommentInfos(ctx context.Context, opts *CreateCommentOptions, comment
 			attachments[i].CommentID = comment.ID
 			// No assign value could be 0, so ignore AllCols().
 			if _, err = db.GetEngine(ctx).ID(attachments[i].ID).Update(attachments[i]); err != nil {
-				return fmt.Errorf("update attachment [%d]: %v", attachments[i].ID, err)
+				return fmt.Errorf("update attachment [%d]: %w", attachments[i].ID, err)
 			}
 		}
 	case CommentTypeReopen, CommentTypeClose:
-		if err = updateIssueClosedNum(ctx, opts.Issue); err != nil {
+		if err = repo_model.UpdateRepoIssueNumbers(ctx, opts.Issue.RepoID, opts.Issue.IsPull, true); err != nil {
 			return err
 		}
 	}
@ -1034,7 +1034,7 @@ func CreateRefComment(doer *user_model.User, repo *repo_model.Repository, issue
 		CommitSHA: commitSHA,
 	})
 	if err != nil {
-		return fmt.Errorf("check reference comment: %v", err)
+		return fmt.Errorf("check reference comment: %w", err)
 	} else if has {
 		return nil
 	}
@ -1152,7 +1152,7 @@ func UpdateComment(c *Comment, doer *user_model.User) error {
 		return err
 	}
 	if err := committer.Commit(); err != nil {
-		return fmt.Errorf("Commit: %v", err)
+		return fmt.Errorf("Commit: %w", err)
 	}

 	return nil
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@ -196,7 +196,7 @@ func (issue *Issue) LoadRepo(ctx context.Context) (err error) {
 	if issue.Repo == nil {
 		issue.Repo, err = repo_model.GetRepositoryByIDCtx(ctx, issue.RepoID)
 		if err != nil {
-			return fmt.Errorf("getRepositoryByID [%d]: %v", issue.RepoID, err)
+			return fmt.Errorf("getRepositoryByID [%d]: %w", issue.RepoID, err)
 		}
 	}
 	return nil
@ -234,7 +234,7 @@ func (issue *Issue) LoadLabels(ctx context.Context) (err error) {
 	if issue.Labels == nil {
 		issue.Labels, err = GetLabelsByIssueID(ctx, issue.ID)
 		if err != nil {
-			return fmt.Errorf("getLabelsByIssueID [%d]: %v", issue.ID, err)
+			return fmt.Errorf("getLabelsByIssueID [%d]: %w", issue.ID, err)
 		}
 	}
 	return nil
@ -252,7 +252,7 @@ func (issue *Issue) loadPoster(ctx context.Context) (err error) {
 			issue.PosterID = -1
 			issue.Poster = user_model.NewGhostUser()
 			if !user_model.IsErrUserNotExist(err) {
-				return fmt.Errorf("getUserByID.(poster) [%d]: %v", issue.PosterID, err)
+				return fmt.Errorf("getUserByID.(poster) [%d]: %w", issue.PosterID, err)
 			}
 			err = nil
 			return
@ -268,7 +268,7 @@ func (issue *Issue) loadPullRequest(ctx context.Context) (err error) {
 			if IsErrPullRequestNotExist(err) {
 				return err
 			}
-			return fmt.Errorf("getPullRequestByIssueID [%d]: %v", issue.ID, err)
+			return fmt.Errorf("getPullRequestByIssueID [%d]: %w", issue.ID, err)
 		}
 		issue.PullRequest.Issue = issue
 	}
@ -361,7 +361,7 @@ func (issue *Issue) loadMilestone(ctx context.Context) (err error) {
 	if (issue.Milestone == nil || issue.Milestone.ID != issue.MilestoneID) && issue.MilestoneID > 0 {
 		issue.Milestone, err = GetMilestoneByRepoID(ctx, issue.RepoID, issue.MilestoneID)
 		if err != nil && !IsErrMilestoneNotExist(err) {
-			return fmt.Errorf("getMilestoneByRepoID [repo_id: %d, milestone_id: %d]: %v", issue.RepoID, issue.MilestoneID, err)
+			return fmt.Errorf("getMilestoneByRepoID [repo_id: %d, milestone_id: %d]: %w", issue.RepoID, issue.MilestoneID, err)
 		}
 	}
 	return nil
@ -401,7 +401,7 @@ func (issue *Issue) LoadAttributes(ctx context.Context) (err error) {
 	if issue.Attachments == nil {
 		issue.Attachments, err = repo_model.GetAttachmentsByIssueID(ctx, issue.ID)
 		if err != nil {
-			return fmt.Errorf("getAttachmentsByIssueID [%d]: %v", issue.ID, err)
+			return fmt.Errorf("getAttachmentsByIssueID [%d]: %w", issue.ID, err)
 		}
 	}

@ -518,19 +518,19 @@ func (issue *Issue) getLabels(ctx context.Context) (err error) {

 	issue.Labels, err = GetLabelsByIssueID(ctx, issue.ID)
 	if err != nil {
-		return fmt.Errorf("getLabelsByIssueID: %v", err)
+		return fmt.Errorf("getLabelsByIssueID: %w", err)
 	}
 	return nil
 }

 func clearIssueLabels(ctx context.Context, issue *Issue, doer *user_model.User) (err error) {
 	if err = issue.getLabels(ctx); err != nil {
-		return fmt.Errorf("getLabels: %v", err)
+		return fmt.Errorf("getLabels: %w", err)
 	}

 	for i := range issue.Labels {
 		if err = deleteIssueLabel(ctx, issue, issue.Labels[i], doer); err != nil {
-			return fmt.Errorf("removeLabel: %v", err)
+			return fmt.Errorf("removeLabel: %w", err)
 		}
 	}

@ -565,7 +565,7 @@ func ClearIssueLabels(issue *Issue, doer *user_model.User) (err error) {
 	}

 	if err = committer.Commit(); err != nil {
-		return fmt.Errorf("Commit: %v", err)
+		return fmt.Errorf("Commit: %w", err)
 	}

 	return nil
@ -635,13 +635,13 @@ func ReplaceIssueLabels(issue *Issue, labels []*Label, doer *user_model.User) (e

 	if len(toAdd) > 0 {
 		if err = newIssueLabels(ctx, issue, toAdd, doer); err != nil {
-			return fmt.Errorf("addLabels: %v", err)
+			return fmt.Errorf("addLabels: %w", err)
 		}
 	}

 	for _, l := range toRemove {
 		if err = deleteIssueLabel(ctx, issue, l, doer); err != nil {
-			return fmt.Errorf("removeLabel: %v", err)
+			return fmt.Errorf("removeLabel: %w", err)
 		}
 	}

@ -725,7 +725,8 @@ func doChangeIssueStatus(ctx context.Context, issue *Issue, doer *user_model.Use
 		}
 	}

-	if err := updateIssueClosedNum(ctx, issue); err != nil {
+	// update repository's issue closed number
+	if err := repo_model.UpdateRepoIssueNumbers(ctx, issue.RepoID, issue.IsPull, true); err != nil {
 		return nil, err
 	}

@ -766,11 +767,11 @@ func ChangeIssueTitle(issue *Issue, doer *user_model.User, oldTitle string) (err
 	defer committer.Close()

 	if err = UpdateIssueCols(ctx, issue, "name"); err != nil {
-		return fmt.Errorf("updateIssueCols: %v", err)
+		return fmt.Errorf("updateIssueCols: %w", err)
 	}

 	if err = issue.LoadRepo(ctx); err != nil {
-		return fmt.Errorf("loadRepo: %v", err)
+		return fmt.Errorf("loadRepo: %w", err)
 	}

 	opts := &CreateCommentOptions{
@ -782,7 +783,7 @@ func ChangeIssueTitle(issue *Issue, doer *user_model.User, oldTitle string) (err
 		NewTitle: issue.Title,
 	}
 	if _, err = CreateCommentCtx(ctx, opts); err != nil {
-		return fmt.Errorf("createComment: %v", err)
+		return fmt.Errorf("createComment: %w", err)
 	}
 	if err = issue.AddCrossReferences(ctx, doer, true); err != nil {
 		return err
@ -800,11 +801,11 @@ func ChangeIssueRef(issue *Issue, doer *user_model.User, oldRef string) (err err
 	defer committer.Close()

 	if err = UpdateIssueCols(ctx, issue, "ref"); err != nil {
-		return fmt.Errorf("updateIssueCols: %v", err)
+		return fmt.Errorf("updateIssueCols: %w", err)
 	}

 	if err = issue.LoadRepo(ctx); err != nil {
-		return fmt.Errorf("loadRepo: %v", err)
+		return fmt.Errorf("loadRepo: %w", err)
 	}
 	oldRefFriendly := strings.TrimPrefix(oldRef, git.BranchPrefix)
 	newRefFriendly := strings.TrimPrefix(issue.Ref, git.BranchPrefix)
@ -818,7 +819,7 @@ func ChangeIssueRef(issue *Issue, doer *user_model.User, oldRef string) (err err
 		NewRef: newRefFriendly,
 	}
 	if _, err = CreateCommentCtx(ctx, opts); err != nil {
-		return fmt.Errorf("createComment: %v", err)
+		return fmt.Errorf("createComment: %w", err)
 	}

 	return committer.Commit()
@ -850,12 +851,12 @@ func UpdateIssueAttachments(issueID int64, uuids []string) (err error) {
 	defer committer.Close()
 	attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, uuids)
 	if err != nil {
-		return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %v", uuids, err)
+		return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %w", uuids, err)
 	}
 	for i := 0; i < len(attachments); i++ {
 		attachments[i].IssueID = issueID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
-			return fmt.Errorf("update attachment [id: %d]: %v", attachments[i].ID, err)
+			return fmt.Errorf("update attachment [id: %d]: %w", attachments[i].ID, err)
 		}
 	}
 	return committer.Commit()
@ -871,28 +872,28 @@ func ChangeIssueContent(issue *Issue, doer *user_model.User, content string) (er

 	hasContentHistory, err := HasIssueContentHistory(ctx, issue.ID, 0)
 	if err != nil {
-		return fmt.Errorf("HasIssueContentHistory: %v", err)
+		return fmt.Errorf("HasIssueContentHistory: %w", err)
 	}
 	if !hasContentHistory {
 		if err = SaveIssueContentHistory(ctx, issue.PosterID, issue.ID, 0,
 			issue.CreatedUnix, issue.Content, true); err != nil {
-			return fmt.Errorf("SaveIssueContentHistory: %v", err)
+			return fmt.Errorf("SaveIssueContentHistory: %w", err)
 		}
 	}

 	issue.Content = content

 	if err = UpdateIssueCols(ctx, issue, "content"); err != nil {
-		return fmt.Errorf("UpdateIssueCols: %v", err)
+		return fmt.Errorf("UpdateIssueCols: %w", err)
 	}

 	if err = SaveIssueContentHistory(ctx, doer.ID, issue.ID, 0,
 		timeutil.TimeStampNow(), issue.Content, false); err != nil {
-		return fmt.Errorf("SaveIssueContentHistory: %v", err)
+		return fmt.Errorf("SaveIssueContentHistory: %w", err)
 	}

 	if err = issue.AddCrossReferences(ctx, doer, true); err != nil {
-		return fmt.Errorf("addCrossReferences: %v", err)
+		return fmt.Errorf("addCrossReferences: %w", err)
 	}

 	return committer.Commit()
@ -969,7 +970,7 @@ func NewIssueWithIndex(ctx context.Context, doer *user_model.User, opts NewIssue
 	if opts.Issue.MilestoneID > 0 {
 		milestone, err := GetMilestoneByRepoID(ctx, opts.Issue.RepoID, opts.Issue.MilestoneID)
 		if err != nil && !IsErrMilestoneNotExist(err) {
-			return fmt.Errorf("getMilestoneByID: %v", err)
+			return fmt.Errorf("getMilestoneByID: %w", err)
 		}

 		// Assume milestone is invalid and drop silently.
@ -1023,7 +1024,7 @@ func NewIssueWithIndex(ctx context.Context, doer *user_model.User, opts NewIssue
 		// So we have to get all needed labels first.
 		labels := make([]*Label, 0, len(opts.LabelIDs))
 		if err = e.In("id", opts.LabelIDs).Find(&labels); err != nil {
-			return fmt.Errorf("find all labels [label_ids: %v]: %v", opts.LabelIDs, err)
+			return fmt.Errorf("find all labels [label_ids: %v]: %w", opts.LabelIDs, err)
 		}

 		if err = opts.Issue.loadPoster(ctx); err != nil {
@ -1037,7 +1038,7 @@ func NewIssueWithIndex(ctx context.Context, doer *user_model.User, opts NewIssue
 			}

 			if err = newIssueLabel(ctx, opts.Issue, label, opts.Issue.Poster); err != nil {
-				return fmt.Errorf("addLabel [id: %d]: %v", label.ID, err)
+				return fmt.Errorf("addLabel [id: %d]: %w", label.ID, err)
 			}
 		}
 	}
@ -1049,13 +1050,13 @@ func NewIssueWithIndex(ctx context.Context, doer *user_model.User, opts NewIssue
 	if len(opts.Attachments) > 0 {
 		attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, opts.Attachments)
 		if err != nil {
-			return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %v", opts.Attachments, err)
+			return fmt.Errorf("getAttachmentsByUUIDs [uuids: %v]: %w", opts.Attachments, err)
 		}

 		for i := 0; i < len(attachments); i++ {
 			attachments[i].IssueID = opts.Issue.ID
 			if _, err = e.ID(attachments[i].ID).Update(attachments[i]); err != nil {
-				return fmt.Errorf("update attachment [id: %d]: %v", attachments[i].ID, err)
+				return fmt.Errorf("update attachment [id: %d]: %w", attachments[i].ID, err)
 			}
 		}
 	}
@ -1090,11 +1091,11 @@ func NewIssue(repo *repo_model.Repository, issue *Issue, labelIDs []int64, uuids
 		if repo_model.IsErrUserDoesNotHaveAccessToRepo(err) || IsErrNewIssueInsert(err) {
 			return err
 		}
-		return fmt.Errorf("newIssue: %v", err)
+		return fmt.Errorf("newIssue: %w", err)
 	}

 	if err = committer.Commit(); err != nil {
-		return fmt.Errorf("Commit: %v", err)
+		return fmt.Errorf("Commit: %w", err)
 	}

 	return nil
@ -1614,7 +1615,7 @@ func UpdateIssueMentions(ctx context.Context, issueID int64, mentions []*user_mo
 		ids[i] = u.ID
 	}
 	if err := UpdateIssueUsersByMentions(ctx, issueID, ids); err != nil {
-		return fmt.Errorf("UpdateIssueUsersByMentions: %v", err)
+		return fmt.Errorf("UpdateIssueUsersByMentions: %w", err)
 	}
 	return nil
 }
@ -1992,7 +1993,7 @@ func UpdateIssueByAPI(issue *Issue, doer *user_model.User) (statusChangeComment
 	defer committer.Close()

 	if err := issue.LoadRepo(ctx); err != nil {
-		return nil, false, fmt.Errorf("loadRepo: %v", err)
+		return nil, false, fmt.Errorf("loadRepo: %w", err)
 	}

 	// Reload the issue
@ -2020,7 +2021,7 @@ func UpdateIssueByAPI(issue *Issue, doer *user_model.User) (statusChangeComment
 		}
 		_, err := CreateCommentCtx(ctx, opts)
 		if err != nil {
-			return nil, false, fmt.Errorf("createComment: %v", err)
+			return nil, false, fmt.Errorf("createComment: %w", err)
 		}
 	}

@ -2056,7 +2057,7 @@ func UpdateIssueDeadline(issue *Issue, deadlineUnix timeutil.TimeStamp, doer *us

 	// Make the comment
 	if _, err = createDeadlineComment(ctx, doer, issue, deadlineUnix); err != nil {
-		return fmt.Errorf("createRemovedDueDateComment: %v", err)
+		return fmt.Errorf("createRemovedDueDateComment: %w", err)
 	}

 	return committer.Commit()
@ -2093,7 +2094,7 @@ func (issue *Issue) GetParticipantIDsByIssue(ctx context.Context) ([]int64, erro
 		Join("INNER", "`user`", "`user`.id = `comment`.poster_id").
 		Distinct("poster_id").
 		Find(&userIDs); err != nil {
-		return nil, fmt.Errorf("get poster IDs: %v", err)
+		return nil, fmt.Errorf("get poster IDs: %w", err)
 	}
 	if !util.IsInt64InSlice(issue.PosterID, userIDs) {
 		return append(userIDs, issue.PosterID), nil
@ -2137,24 +2138,15 @@ func (issue *Issue) BlockingDependencies(ctx context.Context) (issueDeps []*Depe
 	return issueDeps, err
 }

-func updateIssueClosedNum(ctx context.Context, issue *Issue) (err error) {
-	if issue.IsPull {
-		err = repo_model.StatsCorrectNumClosed(ctx, issue.RepoID, true, "num_closed_pulls")
-	} else {
-		err = repo_model.StatsCorrectNumClosed(ctx, issue.RepoID, false, "num_closed_issues")
-	}
-	return err
-}
-
 // FindAndUpdateIssueMentions finds users mentioned in the given content string, and saves them in the database.
 func FindAndUpdateIssueMentions(ctx context.Context, issue *Issue, doer *user_model.User, content string) (mentions []*user_model.User, err error) {
 	rawMentions := references.FindAllMentionsMarkdown(content)
 	mentions, err = ResolveIssueMentionsByVisibility(ctx, issue, doer, rawMentions)
 	if err != nil {
-		return nil, fmt.Errorf("UpdateIssueMentions [%d]: %v", issue.ID, err)
+		return nil, fmt.Errorf("UpdateIssueMentions [%d]: %w", issue.ID, err)
 	}
 	if err = UpdateIssueMentions(ctx, issue.ID, mentions); err != nil {
-		return nil, fmt.Errorf("UpdateIssueMentions [%d]: %v", issue.ID, err)
+		return nil, fmt.Errorf("UpdateIssueMentions [%d]: %w", issue.ID, err)
 	}
 	return mentions, err
 }
@ -2206,7 +2198,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 			Where("team_repo.repo_id=?", issue.Repo.ID).
 			In("team.lower_name", mentionTeams).
 			Find(&teams); err != nil {
-			return nil, fmt.Errorf("find mentioned teams: %v", err)
+			return nil, fmt.Errorf("find mentioned teams: %w", err)
 		}
 		if len(teams) != 0 {
 			checked := make([]int64, 0, len(teams))
@ -2222,7 +2214,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 				}
 				has, err := db.GetEngine(ctx).Get(&organization.TeamUnit{OrgID: issue.Repo.Owner.ID, TeamID: team.ID, Type: unittype})
 				if err != nil {
-					return nil, fmt.Errorf("get team units (%d): %v", team.ID, err)
+					return nil, fmt.Errorf("get team units (%d): %w", team.ID, err)
 				}
 				if has {
 					checked = append(checked, team.ID)
@ -2237,7 +2229,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 					And("`user`.is_active = ?", true).
 					And("`user`.prohibit_login = ?", false).
 					Find(&teamusers); err != nil {
-					return nil, fmt.Errorf("get teams users: %v", err)
+					return nil, fmt.Errorf("get teams users: %w", err)
 				}
 				if len(teamusers) > 0 {
 					users = make([]*user_model.User, 0, len(teamusers))
@ -2273,7 +2265,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 		And("`user`.prohibit_login = ?", false).
 		In("`user`.lower_name", mentionUsers).
 		Find(&unchecked); err != nil {
-		return nil, fmt.Errorf("find mentioned users: %v", err)
+		return nil, fmt.Errorf("find mentioned users: %w", err)
 	}
 	for _, user := range unchecked {
 		if already := resolved[user.LowerName]; already || user.IsOrganization() {
@ -2282,7 +2274,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 		// Normal users must have read access to the referencing issue
 		perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, user)
 		if err != nil {
-			return nil, fmt.Errorf("GetUserRepoPermission [%d]: %v", user.ID, err)
+			return nil, fmt.Errorf("GetUserRepoPermission [%d]: %w", user.ID, err)
 		}
 		if !perm.CanReadIssuesOrPulls(issue.IsPull) {
 			continue
--- a/models/issues/issue_list.go
+++ b/models/issues/issue_list.go
@ -51,7 +51,7 @@ func (issues IssueList) loadRepositories(ctx context.Context) ([]*repo_model.Rep
 			In("id", repoIDs[:limit]).
 			Find(&repoMaps)
 		if err != nil {
-			return nil, fmt.Errorf("find repository: %v", err)
+			return nil, fmt.Errorf("find repository: %w", err)
 		}
 		left -= limit
 		repoIDs = repoIDs[limit:]
@ -161,7 +161,7 @@ func (issues IssueList) loadLabels(ctx context.Context) error {
 			err = rows.Scan(&labelIssue)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadLabels: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadLabels: Close: %w", err1)
 				}
 				return err
 			}
@ -170,7 +170,7 @@ func (issues IssueList) loadLabels(ctx context.Context) error {
 		// When there are no rows left and we try to close it.
 		// Since that is not relevant for us, we can safely ignore it.
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadLabels: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadLabels: Close: %w", err1)
 		}
 		left -= limit
 		issueIDs = issueIDs[limit:]
@ -287,7 +287,7 @@ func (issues IssueList) loadAssignees(ctx context.Context) error {
 			err = rows.Scan(&assigneeIssue)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadAssignees: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadAssignees: Close: %w", err1)
 				}
 				return err
 			}
@ -295,7 +295,7 @@ func (issues IssueList) loadAssignees(ctx context.Context) error {
 			assignees[assigneeIssue.IssueAssignee.IssueID] = append(assignees[assigneeIssue.IssueAssignee.IssueID], assigneeIssue.Assignee)
 		}
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadAssignees: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadAssignees: Close: %w", err1)
 		}
 		left -= limit
 		issueIDs = issueIDs[limit:]
@ -342,14 +342,14 @@ func (issues IssueList) loadPullRequests(ctx context.Context) error {
 			err = rows.Scan(&pr)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadPullRequests: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
 				}
 				return err
 			}
 			pullRequestMaps[pr.IssueID] = &pr
 		}
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadPullRequests: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
 		}
 		left -= limit
 		issuesIDs = issuesIDs[limit:]
@ -387,14 +387,14 @@ func (issues IssueList) loadAttachments(ctx context.Context) (err error) {
 			err = rows.Scan(&attachment)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadAttachments: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
 				}
 				return err
 			}
 			attachments[attachment.IssueID] = append(attachments[attachment.IssueID], &attachment)
 		}
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadAttachments: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
 		}
 		left -= limit
 		issuesIDs = issuesIDs[limit:]
@ -433,14 +433,14 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 			err = rows.Scan(&comment)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadComments: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadComments: Close: %w", err1)
 				}
 				return err
 			}
 			comments[comment.IssueID] = append(comments[comment.IssueID], &comment)
 		}
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadComments: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadComments: Close: %w", err1)
 		}
 		left -= limit
 		issuesIDs = issuesIDs[limit:]
@ -492,14 +492,14 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 			err = rows.Scan(&totalTime)
 			if err != nil {
 				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %v", err1)
+					return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %w", err1)
 				}
 				return err
 			}
 			trackedTimes[totalTime.IssueID] = totalTime.Time
 		}
 		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %v", err1)
+			return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %w", err1)
 		}
 		left -= limit
 		ids = ids[limit:]
@ -514,35 +514,35 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 // loadAttributes loads all attributes, expect for attachments and comments
 func (issues IssueList) loadAttributes(ctx context.Context) error {
 	if _, err := issues.loadRepositories(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadRepositories: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadRepositories: %w", err)
 	}

 	if err := issues.loadPosters(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadPosters: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadPosters: %w", err)
 	}

 	if err := issues.loadLabels(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadLabels: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadLabels: %w", err)
 	}

 	if err := issues.loadMilestones(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadMilestones: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadMilestones: %w", err)
 	}

 	if err := issues.loadProjects(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadProjects: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadProjects: %w", err)
 	}

 	if err := issues.loadAssignees(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadAssignees: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadAssignees: %w", err)
 	}

 	if err := issues.loadPullRequests(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadPullRequests: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadPullRequests: %w", err)
 	}

 	if err := issues.loadTotalTrackedTimes(ctx); err != nil {
-		return fmt.Errorf("issue.loadAttributes: loadTotalTrackedTimes: %v", err)
+		return fmt.Errorf("issue.loadAttributes: loadTotalTrackedTimes: %w", err)
 	}

 	return nil
--- a/models/issues/issue_user.go
+++ b/models/issues/issue_user.go
@ -29,7 +29,7 @@ func init() {
 func NewIssueUsers(ctx context.Context, repo *repo_model.Repository, issue *Issue) error {
 	assignees, err := repo_model.GetRepoAssignees(ctx, repo)
 	if err != nil {
-		return fmt.Errorf("getAssignees: %v", err)
+		return fmt.Errorf("getAssignees: %w", err)
 	}

 	// Poster can be anyone, append later if not one of assignees.
--- a/models/issues/issue_xref.go
+++ b/models/issues/issue_xref.go
@ -334,7 +334,7 @@ func (pr *PullRequest) ResolveCrossReferences(ctx context.Context) ([]*Comment,
 		In("ref_action", []references.XRefAction{references.XRefActionCloses, references.XRefActionReopens}).
 		OrderBy("id").
 		Find(&unfiltered); err != nil {
-		return nil, fmt.Errorf("get reference: %v", err)
+		return nil, fmt.Errorf("get reference: %w", err)
 	}

 	refs := make([]*Comment, 0, len(unfiltered))
--- a/models/issues/label.go
+++ b/models/issues/label.go
@ -667,7 +667,7 @@ func newIssueLabels(ctx context.Context, issue *Issue, labels []*Label, doer *us
 		}

 		if err = newIssueLabel(ctx, issue, label, doer); err != nil {
-			return fmt.Errorf("newIssueLabel: %v", err)
+			return fmt.Errorf("newIssueLabel: %w", err)
 		}
 	}

--- a/models/issues/pull.go
+++ b/models/issues/pull.go
@ -228,7 +228,7 @@ func (pr *PullRequest) loadAttributes(ctx context.Context) (err error) {
 			pr.MergerID = -1
 			pr.Merger = user_model.NewGhostUser()
 		} else if err != nil {
-			return fmt.Errorf("getUserByID [%d]: %v", pr.MergerID, err)
+			return fmt.Errorf("getUserByID [%d]: %w", pr.MergerID, err)
 		}
 	}

@ -255,7 +255,7 @@ func (pr *PullRequest) LoadHeadRepoCtx(ctx context.Context) (err error) {

 		pr.HeadRepo, err = repo_model.GetRepositoryByIDCtx(ctx, pr.HeadRepoID)
 		if err != nil && !repo_model.IsErrRepoNotExist(err) { // Head repo maybe deleted, but it should still work
-			return fmt.Errorf("getRepositoryByID(head): %v", err)
+			return fmt.Errorf("getRepositoryByID(head): %w", err)
 		}
 		pr.isHeadRepoLoaded = true
 	}
@ -290,7 +290,7 @@ func (pr *PullRequest) LoadBaseRepoCtx(ctx context.Context) (err error) {

 	pr.BaseRepo, err = repo_model.GetRepositoryByIDCtx(ctx, pr.BaseRepoID)
 	if err != nil {
-		return fmt.Errorf("repo_model.GetRepositoryByID(base): %v", err)
+		return fmt.Errorf("repo_model.GetRepositoryByID(base): %w", err)
 	}
 	return nil
 }
@ -482,7 +482,7 @@ func (pr *PullRequest) SetMerged(ctx context.Context) (bool, error) {
 	}

 	if _, err := changeIssueStatus(ctx, pr.Issue, pr.Merger, true, true); err != nil {
-		return false, fmt.Errorf("Issue.changeStatus: %v", err)
+		return false, fmt.Errorf("Issue.changeStatus: %w", err)
 	}

 	// reset the conflicted files as there cannot be any if we're merged
@ -490,7 +490,7 @@ func (pr *PullRequest) SetMerged(ctx context.Context) (bool, error) {

 	// We need to save all of the data used to compute this merge as it may have already been changed by TestPatch. FIXME: need to set some state to prevent TestPatch from running whilst we are merging.
 	if _, err := sess.Where("id = ?", pr.ID).Cols("has_merged, status, merge_base, merged_commit_id, merger_id, merged_unix, conflicted_files").Update(pr); err != nil {
-		return false, fmt.Errorf("Failed to update pr[%d]: %v", pr.ID, err)
+		return false, fmt.Errorf("Failed to update pr[%d]: %w", pr.ID, err)
 	}

 	return true, nil
@ -507,7 +507,7 @@ func NewPullRequest(outerCtx context.Context, repo *repo_model.Repository, issue

 	idx, err := db.GetNextResourceIndex(ctx, "issue_index", repo.ID)
 	if err != nil {
-		return fmt.Errorf("generate pull request index failed: %v", err)
+		return fmt.Errorf("generate pull request index failed: %w", err)
 	}

 	issue.Index = idx
@ -522,18 +522,18 @@ func NewPullRequest(outerCtx context.Context, repo *repo_model.Repository, issue
 		if repo_model.IsErrUserDoesNotHaveAccessToRepo(err) || IsErrNewIssueInsert(err) {
 			return err
 		}
-		return fmt.Errorf("newIssue: %v", err)
+		return fmt.Errorf("newIssue: %w", err)
 	}

 	pr.Index = issue.Index
 	pr.BaseRepo = repo
 	pr.IssueID = issue.ID
 	if err = db.Insert(ctx, pr); err != nil {
-		return fmt.Errorf("insert pull repo: %v", err)
+		return fmt.Errorf("insert pull repo: %w", err)
 	}

 	if err = committer.Commit(); err != nil {
-		return fmt.Errorf("Commit: %v", err)
+		return fmt.Errorf("Commit: %w", err)
 	}

 	return nil
--- a/models/issues/pull_list.go
+++ b/models/issues/pull_list.go
@ -168,7 +168,7 @@ func (prs PullRequestList) loadAttributes(ctx context.Context) error {
 		Where("id > 0").
 		In("id", issueIDs).
 		Find(&issues); err != nil {
-		return fmt.Errorf("find issues: %v", err)
+		return fmt.Errorf("find issues: %w", err)
 	}

 	set := make(map[int64]*Issue)
@ -205,7 +205,7 @@ func (prs PullRequestList) InvalidateCodeComments(ctx context.Context, doer *use
 		Where("type = ? and invalidated = ?", CommentTypeCode, false).
 		In("issue_id", issueIDs).
 		Find(&codeComments); err != nil {
-		return fmt.Errorf("find code comments: %v", err)
+		return fmt.Errorf("find code comments: %w", err)
 	}
 	for _, comment := range codeComments {
 		if err := comment.CheckInvalidation(repo, doer, branch); err != nil {
--- a/models/issues/reaction.go
+++ b/models/issues/reaction.go
@ -355,7 +355,7 @@ func (list ReactionList) LoadUsers(ctx context.Context, repo *repo_model.Reposit
 		In("id", userIDs).
 		Find(&userMaps)
 	if err != nil {
-		return nil, fmt.Errorf("find user: %v", err)
+		return nil, fmt.Errorf("find user: %w", err)
 	}

 	for _, reaction := range list {
--- a/models/issues/review.go
+++ b/models/issues/review.go
@ -790,10 +790,10 @@ func AddTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *user_

 	official, err := IsOfficialReviewerTeam(ctx, issue, reviewer)
 	if err != nil {
-		return nil, fmt.Errorf("isOfficialReviewerTeam(): %v", err)
+		return nil, fmt.Errorf("isOfficialReviewerTeam(): %w", err)
 	} else if !official {
 		if official, err = IsOfficialReviewer(ctx, issue, doer); err != nil {
-			return nil, fmt.Errorf("isOfficialReviewer(): %v", err)
+			return nil, fmt.Errorf("isOfficialReviewer(): %w", err)
 		}
 	}

@ -823,7 +823,7 @@ func AddTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *user_
 		ReviewID:        review.ID,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("CreateCommentCtx(): %v", err)
+		return nil, fmt.Errorf("CreateCommentCtx(): %w", err)
 	}

 	return comment, committer.Commit()
@ -852,7 +852,7 @@ func RemoveTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *us

 	official, err := IsOfficialReviewerTeam(ctx, issue, reviewer)
 	if err != nil {
-		return nil, fmt.Errorf("isOfficialReviewerTeam(): %v", err)
+		return nil, fmt.Errorf("isOfficialReviewerTeam(): %w", err)
 	}

 	if official {
@ -882,7 +882,7 @@ func RemoveTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *us
 		AssigneeTeamID:  reviewer.ID, // Use AssigneeTeamID as reviewer team ID
 	})
 	if err != nil {
-		return nil, fmt.Errorf("CreateCommentCtx(): %v", err)
+		return nil, fmt.Errorf("CreateCommentCtx(): %w", err)
 	}

 	return comment, committer.Commit()
--- a/models/migrations/fixtures/Test_addConfidentialClientColumnToOAuth2ApplicationTable/o_auth2_application.yml
+++ b/models/migrations/fixtures/Test_addConfidentialClientColumnToOAuth2ApplicationTable/o_auth2_application.yml
@ -0,0 +1,2 @@
+-
+  id: 1
--- a/models/migrations/fixtures/Test_updateOpenMilestoneCounts/expected_milestone.yml
+++ b/models/migrations/fixtures/Test_updateOpenMilestoneCounts/expected_milestone.yml
@ -0,0 +1,19 @@
+# type Milestone struct {
+#   ID              int64                  `xorm:"pk autoincr"`
+#   IsClosed        bool
+#   NumIssues       int
+#   NumClosedIssues int
+#   Completeness    int  // Percentage(1-100).
+# }
+-
+  id: 1
+  is_closed: false
+  num_issues: 3
+  num_closed_issues: 1
+  completeness: 33
+-
+  id: 2
+  is_closed: true
+  num_issues: 5
+  num_closed_issues: 5
+  completeness: 100
--- a/models/migrations/fixtures/Test_updateOpenMilestoneCounts/issue.yml
+++ b/models/migrations/fixtures/Test_updateOpenMilestoneCounts/issue.yml
@ -0,0 +1,25 @@
+# type Issue struct {
+#   ID               int64 `xorm:"pk autoincr"`
+#   RepoID           int64 `xorm:"INDEX UNIQUE(repo_index)"`
+#   Index            int64 `xorm:"UNIQUE(repo_index)"` // Index in one repository.
+#   MilestoneID      int64 `xorm:"INDEX"`
+#   IsClosed         bool  `xorm:"INDEX"`
+# }
+-
+  id: 1
+  repo_id: 1
+  index: 1
+  milestone_id: 1
+  is_closed: false
+-
+  id: 2
+  repo_id: 1
+  index: 2
+  milestone_id: 1
+  is_closed: true
+-
+  id: 4
+  repo_id: 1
+  index: 3
+  milestone_id: 1
+  is_closed: false
--- a/models/migrations/fixtures/Test_updateOpenMilestoneCounts/milestone.yml
+++ b/models/migrations/fixtures/Test_updateOpenMilestoneCounts/milestone.yml
@ -0,0 +1,19 @@
+# type Milestone struct {
+#   ID              int64                  `xorm:"pk autoincr"`
+#   IsClosed        bool
+#   NumIssues       int
+#   NumClosedIssues int
+#   Completeness    int  // Percentage(1-100).
+# }
+-
+  id: 1
+  is_closed: false
+  num_issues: 4
+  num_closed_issues: 2
+  completeness: 50
+-
+  id: 2
+  is_closed: true
+  num_issues: 5
+  num_closed_issues: 5
+  completeness: 100
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -417,18 +417,24 @@ var migrations = []Migration{
 	NewMigration("Conan and generic packages do not need to be semantically versioned", fixPackageSemverField),
 	// v227 -> v228
 	NewMigration("Create key/value table for system settings", createSystemSettingsTable),
+	// v228 -> v229
+	NewMigration("Add TeamInvite table", addTeamInviteTable),
+	// v229 -> v230
+	NewMigration("Update counts of all open milestones", updateOpenMilestoneCounts),
+	// v230 -> v231
+	NewMigration("Add ConfidentialClient column (default true) to OAuth2Application table", addConfidentialClientColumnToOAuth2ApplicationTable),
 }

 // GetCurrentDBVersion returns the current db version
 func GetCurrentDBVersion(x *xorm.Engine) (int64, error) {
 	if err := x.Sync(new(Version)); err != nil {
-		return -1, fmt.Errorf("sync: %v", err)
+		return -1, fmt.Errorf("sync: %w", err)
 	}

 	currentVersion := &Version{ID: 1}
 	has, err := x.Get(currentVersion)
 	if err != nil {
-		return -1, fmt.Errorf("get: %v", err)
+		return -1, fmt.Errorf("get: %w", err)
 	}
 	if !has {
 		return -1, nil
@ -470,13 +476,13 @@ func Migrate(x *xorm.Engine) error {
 	// Set a new clean the default mapper to GonicMapper as that is the default for Gitea.
 	x.SetMapper(names.GonicMapper{})
 	if err := x.Sync(new(Version)); err != nil {
-		return fmt.Errorf("sync: %v", err)
+		return fmt.Errorf("sync: %w", err)
 	}

 	currentVersion := &Version{ID: 1}
 	has, err := x.Get(currentVersion)
 	if err != nil {
-		return fmt.Errorf("get: %v", err)
+		return fmt.Errorf("get: %w", err)
 	} else if !has {
 		// If the version record does not exist we think
 		// it is a fresh installation and we can skip all migrations.
@ -484,7 +490,7 @@ func Migrate(x *xorm.Engine) error {
 		currentVersion.Version = int64(minDBVersion + len(migrations))

 		if _, err = x.InsertOne(currentVersion); err != nil {
-			return fmt.Errorf("insert: %v", err)
+			return fmt.Errorf("insert: %w", err)
 		}
 	}

@ -513,7 +519,7 @@ Please try upgrading to a lower version first (suggested v1.6.4), then upgrade t
 		// Reset the mapper between each migration - migrations are not supposed to depend on each other
 		x.SetMapper(names.GonicMapper{})
 		if err = m.Migrate(x); err != nil {
-			return fmt.Errorf("migration[%d]: %s failed: %v", v+int64(i), m.Description(), err)
+			return fmt.Errorf("migration[%d]: %s failed: %w", v+int64(i), m.Description(), err)
 		}
 		currentVersion.Version = v + int64(i) + 1
 		if _, err = x.ID(1).Update(currentVersion); err != nil {
@ -912,7 +918,7 @@ func dropTableColumns(sess *xorm.Session, tableName string, columnNames ...strin
 			cols += "DROP COLUMN `" + col + "` CASCADE"
 		}
 		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` %s", tableName, cols)); err != nil {
-			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+			return fmt.Errorf("Drop table `%s` columns %v: %w", tableName, columnNames, err)
 		}
 	case setting.Database.UseMySQL:
 		// Drop indexes on columns first
@ -940,7 +946,7 @@ func dropTableColumns(sess *xorm.Session, tableName string, columnNames ...strin
 			cols += "DROP COLUMN `" + col + "`"
 		}
 		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` %s", tableName, cols)); err != nil {
-			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+			return fmt.Errorf("Drop table `%s` columns %v: %w", tableName, columnNames, err)
 		}
 	case setting.Database.UseMSSQL:
 		cols := ""
@ -954,27 +960,27 @@ func dropTableColumns(sess *xorm.Session, tableName string, columnNames ...strin
 			tableName, strings.ReplaceAll(cols, "`", "'"))
 		constraints := make([]string, 0)
 		if err := sess.SQL(sql).Find(&constraints); err != nil {
-			return fmt.Errorf("Find constraints: %v", err)
+			return fmt.Errorf("Find constraints: %w", err)
 		}
 		for _, constraint := range constraints {
 			if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP CONSTRAINT `%s`", tableName, constraint)); err != nil {
-				return fmt.Errorf("Drop table `%s` default constraint `%s`: %v", tableName, constraint, err)
+				return fmt.Errorf("Drop table `%s` default constraint `%s`: %w", tableName, constraint, err)
 			}
 		}
 		sql = fmt.Sprintf("SELECT DISTINCT Name FROM sys.indexes INNER JOIN sys.index_columns ON indexes.index_id = index_columns.index_id AND indexes.object_id = index_columns.object_id WHERE indexes.object_id = OBJECT_ID('%[1]s') AND index_columns.column_id IN (SELECT column_id FROM sys.columns WHERE LOWER(name) IN (%[2]s) AND object_id = OBJECT_ID('%[1]s'))",
 			tableName, strings.ReplaceAll(cols, "`", "'"))
 		constraints = make([]string, 0)
 		if err := sess.SQL(sql).Find(&constraints); err != nil {
-			return fmt.Errorf("Find constraints: %v", err)
+			return fmt.Errorf("Find constraints: %w", err)
 		}
 		for _, constraint := range constraints {
 			if _, err := sess.Exec(fmt.Sprintf("DROP INDEX `%[2]s` ON `%[1]s`", tableName, constraint)); err != nil {
-				return fmt.Errorf("Drop index `%[2]s` on `%[1]s`: %v", tableName, constraint, err)
+				return fmt.Errorf("Drop index `%s` on `%s`: %w", constraint, tableName, err)
 			}
 		}

 		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP COLUMN %s", tableName, cols)); err != nil {
-			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+			return fmt.Errorf("Drop table `%s` columns %v: %w", tableName, columnNames, err)
 		}
 	default:
 		log.Fatal("Unrecognized DB")
--- a/models/migrations/v113.go
+++ b/models/migrations/v113.go
@ -17,7 +17,7 @@ func featureChangeTargetBranch(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Comment)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v115.go
+++ b/models/migrations/v115.go
@ -45,11 +45,11 @@ func renameExistingUserAvatarName(x *xorm.Engine) error {
 	migrated := 0
 	for {
 		if err := sess.Begin(); err != nil {
-			return fmt.Errorf("session.Begin: %v", err)
+			return fmt.Errorf("session.Begin: %w", err)
 		}
 		users := make([]*User, 0, 50)
 		if err := sess.Table("user").Asc("id").Limit(50, start).Find(&users); err != nil {
-			return fmt.Errorf("select users from id [%d]: %v", start, err)
+			return fmt.Errorf("select users from id [%d]: %w", start, err)
 		}
 		if len(users) == 0 {
 			_ = sess.Rollback()
@ -76,7 +76,7 @@ func renameExistingUserAvatarName(x *xorm.Engine) error {
 			newAvatar, err := copyOldAvatarToNewLocation(user.ID, oldAvatar)
 			if err != nil {
 				_ = sess.Rollback()
-				return fmt.Errorf("[user: %s] %v", user.LowerName, err)
+				return fmt.Errorf("[user: %s] %w", user.LowerName, err)
 			} else if newAvatar == oldAvatar {
 				continue
 			}
@ -84,7 +84,7 @@ func renameExistingUserAvatarName(x *xorm.Engine) error {
 			user.Avatar = newAvatar
 			if _, err := sess.ID(user.ID).Cols("avatar").Update(user); err != nil {
 				_ = sess.Rollback()
-				return fmt.Errorf("[user: %s] user table update: %v", user.LowerName, err)
+				return fmt.Errorf("[user: %s] user table update: %w", user.LowerName, err)
 			}

 			deleteList.Add(filepath.Join(setting.Avatar.Path, oldAvatar))
@ -104,7 +104,7 @@ func renameExistingUserAvatarName(x *xorm.Engine) error {
 		}
 		if err := sess.Commit(); err != nil {
 			_ = sess.Rollback()
-			return fmt.Errorf("commit session: %v", err)
+			return fmt.Errorf("commit session: %w", err)
 		}
 	}

@ -138,13 +138,13 @@ func renameExistingUserAvatarName(x *xorm.Engine) error {
 func copyOldAvatarToNewLocation(userID int64, oldAvatar string) (string, error) {
 	fr, err := os.Open(filepath.Join(setting.Avatar.Path, oldAvatar))
 	if err != nil {
-		return "", fmt.Errorf("os.Open: %v", err)
+		return "", fmt.Errorf("os.Open: %w", err)
 	}
 	defer fr.Close()

 	data, err := io.ReadAll(fr)
 	if err != nil {
-		return "", fmt.Errorf("io.ReadAll: %v", err)
+		return "", fmt.Errorf("io.ReadAll: %w", err)
 	}

 	newAvatar := fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", userID, md5.Sum(data)))))
@ -153,7 +153,7 @@ func copyOldAvatarToNewLocation(userID int64, oldAvatar string) (string, error)
 	}

 	if err := os.WriteFile(filepath.Join(setting.Avatar.Path, newAvatar), data, 0o666); err != nil {
-		return "", fmt.Errorf("os.WriteFile: %v", err)
+		return "", fmt.Errorf("os.WriteFile: %w", err)
 	}

 	return newAvatar, nil
--- a/models/migrations/v125.go
+++ b/models/migrations/v125.go
@ -17,7 +17,7 @@ func addReviewMigrateInfo(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Review)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v127.go
+++ b/models/migrations/v127.go
@ -36,10 +36,10 @@ func addLanguageStats(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(LanguageStat)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	if err := x.Sync2(new(RepoIndexerStatus)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v128.go
+++ b/models/migrations/v128.go
@ -59,7 +59,7 @@ func fixMergeBase(x *xorm.Engine) error {
 	for {
 		prs := make([]PullRequest, 0, 50)
 		if err := x.Limit(limit, start).Asc("id").Find(&prs); err != nil {
-			return fmt.Errorf("Find: %v", err)
+			return fmt.Errorf("Find: %w", err)
 		}
 		if len(prs) == 0 {
 			break
@ -70,7 +70,7 @@ func fixMergeBase(x *xorm.Engine) error {
 			baseRepo := &Repository{ID: pr.BaseRepoID}
 			has, err := x.Table("repository").Get(baseRepo)
 			if err != nil {
-				return fmt.Errorf("Unable to get base repo %d %v", pr.BaseRepoID, err)
+				return fmt.Errorf("Unable to get base repo %d %w", pr.BaseRepoID, err)
 			}
 			if !has {
 				log.Error("Missing base repo with id %d for PR ID %d", pr.BaseRepoID, pr.ID)
@ -83,17 +83,17 @@ func fixMergeBase(x *xorm.Engine) error {

 			if !pr.HasMerged {
 				var err error
-				pr.MergeBase, _, err = git.NewCommand(git.DefaultContext, "merge-base", "--", pr.BaseBranch, gitRefName).RunStdString(&git.RunOpts{Dir: repoPath})
+				pr.MergeBase, _, err = git.NewCommand(git.DefaultContext, "merge-base").AddDashesAndList(pr.BaseBranch, gitRefName).RunStdString(&git.RunOpts{Dir: repoPath})
 				if err != nil {
 					var err2 error
-					pr.MergeBase, _, err2 = git.NewCommand(git.DefaultContext, "rev-parse", git.BranchPrefix+pr.BaseBranch).RunStdString(&git.RunOpts{Dir: repoPath})
+					pr.MergeBase, _, err2 = git.NewCommand(git.DefaultContext, "rev-parse").AddDynamicArguments(git.BranchPrefix + pr.BaseBranch).RunStdString(&git.RunOpts{Dir: repoPath})
 					if err2 != nil {
 						log.Error("Unable to get merge base for PR ID %d, Index %d in %s/%s. Error: %v & %v", pr.ID, pr.Index, baseRepo.OwnerName, baseRepo.Name, err, err2)
 						continue
 					}
 				}
 			} else {
-				parentsString, _, err := git.NewCommand(git.DefaultContext, "rev-list", "--parents", "-n", "1", pr.MergedCommitID).RunStdString(&git.RunOpts{Dir: repoPath})
+				parentsString, _, err := git.NewCommand(git.DefaultContext, "rev-list", "--parents", "-n", "1").AddDynamicArguments(pr.MergedCommitID).RunStdString(&git.RunOpts{Dir: repoPath})
 				if err != nil {
 					log.Error("Unable to get parents for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, baseRepo.OwnerName, baseRepo.Name, err)
 					continue
@ -103,10 +103,11 @@ func fixMergeBase(x *xorm.Engine) error {
 					continue
 				}

-				args := append([]string{"merge-base", "--"}, parents[1:]...)
-				args = append(args, gitRefName)
+				refs := append([]string{}, parents[1:]...)
+				refs = append(refs, gitRefName)
+				cmd := git.NewCommand(git.DefaultContext, "merge-base").AddDashesAndList(refs...)

-				pr.MergeBase, _, err = git.NewCommand(git.DefaultContext, args...).RunStdString(&git.RunOpts{Dir: repoPath})
+				pr.MergeBase, _, err = cmd.RunStdString(&git.RunOpts{Dir: repoPath})
 				if err != nil {
 					log.Error("Unable to get merge base for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, baseRepo.OwnerName, baseRepo.Name, err)
 					continue
--- a/models/migrations/v131.go
+++ b/models/migrations/v131.go
@ -16,7 +16,7 @@ func addSystemWebhookColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Webhook)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v132.go
+++ b/models/migrations/v132.go
@ -16,7 +16,7 @@ func addBranchProtectionProtectedFilesColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(ProtectedBranch)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v134.go
+++ b/models/migrations/v134.go
@ -58,7 +58,7 @@ func refixMergeBase(x *xorm.Engine) error {
 	for {
 		prs := make([]PullRequest, 0, 50)
 		if err := x.Limit(limit, start).Asc("id").Where("has_merged = ?", true).Find(&prs); err != nil {
-			return fmt.Errorf("Find: %v", err)
+			return fmt.Errorf("Find: %w", err)
 		}
 		if len(prs) == 0 {
 			break
@ -69,7 +69,7 @@ func refixMergeBase(x *xorm.Engine) error {
 			baseRepo := &Repository{ID: pr.BaseRepoID}
 			has, err := x.Table("repository").Get(baseRepo)
 			if err != nil {
-				return fmt.Errorf("Unable to get base repo %d %v", pr.BaseRepoID, err)
+				return fmt.Errorf("Unable to get base repo %d %w", pr.BaseRepoID, err)
 			}
 			if !has {
 				log.Error("Missing base repo with id %d for PR ID %d", pr.BaseRepoID, pr.ID)
@ -80,7 +80,7 @@ func refixMergeBase(x *xorm.Engine) error {

 			gitRefName := fmt.Sprintf("refs/pull/%d/head", pr.Index)

-			parentsString, _, err := git.NewCommand(git.DefaultContext, "rev-list", "--parents", "-n", "1", pr.MergedCommitID).RunStdString(&git.RunOpts{Dir: repoPath})
+			parentsString, _, err := git.NewCommand(git.DefaultContext, "rev-list", "--parents", "-n", "1").AddDynamicArguments(pr.MergedCommitID).RunStdString(&git.RunOpts{Dir: repoPath})
 			if err != nil {
 				log.Error("Unable to get parents for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, baseRepo.OwnerName, baseRepo.Name, err)
 				continue
@ -91,10 +91,11 @@ func refixMergeBase(x *xorm.Engine) error {
 			}

 			// we should recalculate
-			args := append([]string{"merge-base", "--"}, parents[1:]...)
-			args = append(args, gitRefName)
+			refs := append([]string{}, parents[1:]...)
+			refs = append(refs, gitRefName)
+			cmd := git.NewCommand(git.DefaultContext, "merge-base").AddDashesAndList(refs...)

-			pr.MergeBase, _, err = git.NewCommand(git.DefaultContext, args...).RunStdString(&git.RunOpts{Dir: repoPath})
+			pr.MergeBase, _, err = cmd.RunStdString(&git.RunOpts{Dir: repoPath})
 			if err != nil {
 				log.Error("Unable to get merge base for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, baseRepo.OwnerName, baseRepo.Name, err)
 				continue
--- a/models/migrations/v135.go
+++ b/models/migrations/v135.go
@ -16,7 +16,7 @@ func addOrgIDLabelColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Label)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v136.go
+++ b/models/migrations/v136.go
@ -44,7 +44,7 @@ func addCommitDivergenceToPulls(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(PullRequest)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	last := 0
@ -80,7 +80,7 @@ func addCommitDivergenceToPulls(x *xorm.Engine) error {
 			baseRepo := &Repository{ID: pr.BaseRepoID}
 			has, err := x.Table("repository").Get(baseRepo)
 			if err != nil {
-				return fmt.Errorf("Unable to get base repo %d %v", pr.BaseRepoID, err)
+				return fmt.Errorf("Unable to get base repo %d %w", pr.BaseRepoID, err)
 			}
 			if !has {
 				log.Error("Missing base repo with id %d for PR ID %d", pr.BaseRepoID, pr.ID)
@ -101,7 +101,7 @@ func addCommitDivergenceToPulls(x *xorm.Engine) error {
 			pr.CommitsBehind = divergence.Behind

 			if _, err = sess.ID(pr.ID).Cols("commits_ahead", "commits_behind").Update(pr); err != nil {
-				return fmt.Errorf("Update Cols: %v", err)
+				return fmt.Errorf("Update Cols: %w", err)
 			}
 			migrated++
 		}
--- a/models/migrations/v138.go
+++ b/models/migrations/v138.go
@ -16,7 +16,7 @@ func addResolveDoerIDCommentColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Comment)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v140.go
+++ b/models/migrations/v140.go
@ -34,7 +34,7 @@ func fixLanguageStatsToSaveSize(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(LanguageStat)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	x.Delete(&RepoIndexerStatus{IndexerType: RepoIndexerTypeStats})
--- a/models/migrations/v141.go
+++ b/models/migrations/v141.go
@ -16,7 +16,7 @@ func addKeepActivityPrivateUserColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(User)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v145.go
+++ b/models/migrations/v145.go
@ -53,16 +53,16 @@ func increaseLanguageField(x *xorm.Engine) error {
 		if err := sess.SQL(`SELECT i.name AS Name
 			FROM sys.indexes i INNER JOIN sys.index_columns ic
      			ON i.index_id = ic.index_id AND i.object_id = ic.object_id
-   			INNER JOIN sys.tables AS t 
+   			INNER JOIN sys.tables AS t
      			ON t.object_id = i.object_id
 			INNER JOIN sys.columns c
 				ON t.object_id = c.object_id AND ic.column_id = c.column_id
 			WHERE t.name = 'language_stat' AND c.name = 'language'`).Find(&constraints); err != nil {
-			return fmt.Errorf("Find constraints: %v", err)
+			return fmt.Errorf("Find constraints: %w", err)
 		}
 		for _, constraint := range constraints {
 			if _, err := sess.Exec(fmt.Sprintf("DROP INDEX [%s] ON `language_stat`", constraint)); err != nil {
-				return fmt.Errorf("Drop table `language_stat` constraint `%s`: %v", constraint, err)
+				return fmt.Errorf("Drop table `language_stat` constraint `%s`: %w", constraint, err)
 			}
 		}
 		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE language_stat ALTER COLUMN language %s", sqlType)); err != nil {
--- a/models/migrations/v149.go
+++ b/models/migrations/v149.go
@ -19,7 +19,7 @@ func addCreatedAndUpdatedToMilestones(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Milestone)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v155.go
+++ b/models/migrations/v155.go
@ -16,7 +16,7 @@ func addChangedProtectedFilesPullRequestColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(PullRequest)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v156.go
+++ b/models/migrations/v156.go
@ -123,7 +123,7 @@ func fixPublisherIDforTagReleases(x *xorm.Engine) error {
 					continue
 				}
 				log.Error("Error whilst getting commit for Tag: %s in [%d]%s/%s. Error: %v", release.TagName, repo.ID, repo.OwnerName, repo.Name, err)
-				return fmt.Errorf("GetTagCommit: %v", err)
+				return fmt.Errorf("GetTagCommit: %w", err)
 			}

 			if commit.Author.Email == "" {
@ -135,7 +135,7 @@ func fixPublisherIDforTagReleases(x *xorm.Engine) error {
 						continue
 					}
 					log.Error("Error whilst getting commit for Tag: %s in [%d]%s/%s. Error: %v", release.TagName, repo.ID, repo.OwnerName, repo.Name, err)
-					return fmt.Errorf("GetCommit: %v", err)
+					return fmt.Errorf("GetCommit: %w", err)
 				}
 			}

--- a/models/migrations/v164.go
+++ b/models/migrations/v164.go
@ -32,7 +32,7 @@ func (grant *OAuth2Grant) TableName() string {

 func addScopeAndNonceColumnsToOAuth2Grant(x *xorm.Engine) error {
 	if err := x.Sync2(new(OAuth2Grant)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v167.go
+++ b/models/migrations/v167.go
@ -18,7 +18,7 @@ func addUserRedirect(x *xorm.Engine) (err error) {
 	}

 	if err := x.Sync2(new(UserRedirect)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v170.go
+++ b/models/migrations/v170.go
@ -16,7 +16,7 @@ func addDismissedReviewColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Review)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v171.go
+++ b/models/migrations/v171.go
@ -16,7 +16,7 @@ func addSortingColToProjectBoard(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(ProjectBoard)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v173.go
+++ b/models/migrations/v173.go
@ -16,7 +16,7 @@ func addTimeIDCommentColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Comment)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v174.go
+++ b/models/migrations/v174.go
@ -28,7 +28,7 @@ func addRepoTransfer(x *xorm.Engine) error {
 	}

 	if err := sess.Sync2(new(RepoTransfer)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	return sess.Commit()
--- a/models/migrations/v177.go
+++ b/models/migrations/v177.go
@ -25,7 +25,7 @@ func deleteOrphanedIssueLabels(x *xorm.Engine) error {
 	}

 	if err := sess.Sync2(new(IssueLabel)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	if _, err := sess.Exec(`DELETE FROM issue_label WHERE issue_label.id IN (
--- a/models/migrations/v183.go
+++ b/models/migrations/v183.go
@ -32,7 +32,7 @@ func createPushMirrorTable(x *xorm.Engine) error {
 	}

 	if err := sess.Sync2(new(PushMirror)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	return sess.Commit()
--- a/models/migrations/v184.go
+++ b/models/migrations/v184.go
@ -43,7 +43,7 @@ func renameTaskErrorsToMessage(x *xorm.Engine) error {
 	}

 	if err := sess.Sync2(new(Task)); err != nil {
-		return fmt.Errorf("error on Sync2: %v", err)
+		return fmt.Errorf("error on Sync2: %w", err)
 	}

 	if messageExist {
--- a/models/migrations/v190.go
+++ b/models/migrations/v190.go
@ -18,7 +18,7 @@ func addAgitFlowPullRequest(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(PullRequest)); err != nil {
-		return fmt.Errorf("sync2: %v", err)
+		return fmt.Errorf("sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v194.go
+++ b/models/migrations/v194.go
@ -16,7 +16,7 @@ func addBranchProtectionUnprotectedFilesColumn(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(ProtectedBranch)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v195.go
+++ b/models/migrations/v195.go
@ -20,7 +20,7 @@ func addTableCommitStatusIndex(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(CommitStatusIndex)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	sess := x.NewSession()
--- a/models/migrations/v196.go
+++ b/models/migrations/v196.go
@ -16,7 +16,7 @@ func addColorColToProjectBoard(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(ProjectBoard)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v198.go
+++ b/models/migrations/v198.go
@ -27,7 +27,7 @@ func addTableIssueContentHistory(x *xorm.Engine) error {
 	sess := x.NewSession()
 	defer sess.Close()
 	if err := sess.Sync2(new(IssueContentHistory)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return sess.Commit()
 }
--- a/models/migrations/v200.go
+++ b/models/migrations/v200.go
@ -17,7 +17,7 @@ func addTableAppState(x *xorm.Engine) error {
 		Content  string `xorm:"LONGTEXT"`
 	}
 	if err := x.Sync2(new(AppState)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v202.go
+++ b/models/migrations/v202.go
@ -18,7 +18,7 @@ func createUserSettingsTable(x *xorm.Engine) error {
 		SettingValue string `xorm:"text"`
 	}
 	if err := x.Sync2(new(UserSetting)); err != nil {
-		return fmt.Errorf("sync2: %v", err)
+		return fmt.Errorf("sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v206.go
+++ b/models/migrations/v206.go
@ -20,7 +20,7 @@ func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(TeamUnit)); err != nil {
-		return fmt.Errorf("sync2: %v", err)
+		return fmt.Errorf("sync2: %w", err)
 	}

 	// migrate old permission
--- a/models/migrations/v210.go
+++ b/models/migrations/v210.go
@ -144,7 +144,7 @@ func remigrateU2FCredentials(x *xorm.Engine) error {
 				if !has {
 					has, err := sess.Where("`lower_name`=?", remigrated.LowerName).And("`user_id`=?", remigrated.UserID).Exist(new(webauthnCredential))
 					if err != nil {
-						return fmt.Errorf("unable to check webauthn_credential[lower_name: %s, user_id:%v]. Error: %w", remigrated.LowerName, remigrated.UserID, err)
+						return fmt.Errorf("unable to check webauthn_credential[lower_name: %s, user_id: %d]. Error: %w", remigrated.LowerName, remigrated.UserID, err)
 					}
 					if !has {
 						_, err = sess.Insert(remigrated)
--- a/models/migrations/v211.go
+++ b/models/migrations/v211.go
@ -20,7 +20,7 @@ func createForeignReferenceTable(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(ForeignReference)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v223.go
+++ b/models/migrations/v223.go
@ -54,7 +54,7 @@ func renameCredentialIDBytes(x *xorm.Engine) error {
 		}

 		if err := sess.Sync2(new(webauthnCredential)); err != nil {
-			return fmt.Errorf("error on Sync2: %v", err)
+			return fmt.Errorf("error on Sync2: %w", err)
 		}

 		if credentialIDExist {
--- a/models/migrations/v227.go
+++ b/models/migrations/v227.go
@ -45,7 +45,7 @@ func insertSettingsIfNotExist(x *xorm.Engine, sysSettings []*SystemSetting) erro

 func createSystemSettingsTable(x *xorm.Engine) error {
 	if err := x.Sync2(new(SystemSetting)); err != nil {
-		return fmt.Errorf("sync2: %v", err)
+		return fmt.Errorf("sync2: %w", err)
 	}

 	// migrate xx to database
--- a/models/migrations/v228.go
+++ b/models/migrations/v228.go
@ -0,0 +1,26 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func addTeamInviteTable(x *xorm.Engine) error {
+	type TeamInvite struct {
+		ID          int64              `xorm:"pk autoincr"`
+		Token       string             `xorm:"UNIQUE(token) INDEX NOT NULL DEFAULT ''"`
+		InviterID   int64              `xorm:"NOT NULL DEFAULT 0"`
+		OrgID       int64              `xorm:"INDEX NOT NULL DEFAULT 0"`
+		TeamID      int64              `xorm:"UNIQUE(team_mail) INDEX NOT NULL DEFAULT 0"`
+		Email       string             `xorm:"UNIQUE(team_mail) NOT NULL DEFAULT ''"`
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
+	return x.Sync2(new(TeamInvite))
+}
--- a/models/migrations/v229.go
+++ b/models/migrations/v229.go
@ -0,0 +1,47 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"code.gitea.io/gitea/models/issues"
+
+	"xorm.io/builder"
+	"xorm.io/xorm"
+)
+
+func updateOpenMilestoneCounts(x *xorm.Engine) error {
+	var openMilestoneIDs []int64
+	err := x.Table("milestone").Select("id").Where(builder.Neq{"is_closed": 1}).Find(&openMilestoneIDs)
+	if err != nil {
+		return fmt.Errorf("error selecting open milestone IDs: %w", err)
+	}
+
+	for _, id := range openMilestoneIDs {
+		_, err := x.ID(id).
+			SetExpr("num_issues", builder.Select("count(*)").From("issue").Where(
+				builder.Eq{"milestone_id": id},
+			)).
+			SetExpr("num_closed_issues", builder.Select("count(*)").From("issue").Where(
+				builder.Eq{
+					"milestone_id": id,
+					"is_closed":    true,
+				},
+			)).
+			Update(&issues.Milestone{})
+		if err != nil {
+			return fmt.Errorf("error updating issue counts in milestone %d: %w", id, err)
+		}
+		_, err = x.Exec("UPDATE `milestone` SET completeness=100*num_closed_issues/(CASE WHEN num_issues > 0 THEN num_issues ELSE 1 END) WHERE id=?",
+			id,
+		)
+		if err != nil {
+			return fmt.Errorf("error setting completeness on milestone %d: %w", id, err)
+		}
+	}
+
+	return nil
+}
--- a/models/migrations/v229_test.go
+++ b/models/migrations/v229_test.go
@ -0,0 +1,46 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/issues"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_updateOpenMilestoneCounts(t *testing.T) {
+	type ExpectedMilestone issues.Milestone
+
+	// Prepare and load the testing database
+	x, deferable := prepareTestEnv(t, 0, new(issues.Milestone), new(ExpectedMilestone), new(issues.Issue))
+	defer deferable()
+	if x == nil || t.Failed() {
+		return
+	}
+
+	if err := updateOpenMilestoneCounts(x); err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
+	expected := []ExpectedMilestone{}
+	if err := x.Table("expected_milestone").Asc("id").Find(&expected); !assert.NoError(t, err) {
+		return
+	}
+
+	got := []issues.Milestone{}
+	if err := x.Table("milestone").Asc("id").Find(&got); !assert.NoError(t, err) {
+		return
+	}
+
+	for i, e := range expected {
+		got := got[i]
+		assert.Equal(t, e.ID, got.ID)
+		assert.Equal(t, e.NumIssues, got.NumIssues)
+		assert.Equal(t, e.NumClosedIssues, got.NumClosedIssues)
+	}
+}
--- a/models/migrations/v230.go
+++ b/models/migrations/v230.go
@ -0,0 +1,18 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+// addConfidentialColumnToOAuth2ApplicationTable: add ConfidentialClient column, setting existing rows to true
+func addConfidentialClientColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
+	type OAuth2Application struct {
+		ConfidentialClient bool `xorm:"NOT NULL DEFAULT TRUE"`
+	}
+
+	return x.Sync(new(OAuth2Application))
+}
--- a/models/migrations/v230_test.go
+++ b/models/migrations/v230_test.go
@ -0,0 +1,46 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_addConfidentialClientColumnToOAuth2ApplicationTable(t *testing.T) {
+	// premigration
+	type OAuth2Application struct {
+		ID int64
+	}
+
+	// Prepare and load the testing database
+	x, deferable := prepareTestEnv(t, 0, new(OAuth2Application))
+	defer deferable()
+	if x == nil || t.Failed() {
+		return
+	}
+
+	if err := addConfidentialClientColumnToOAuth2ApplicationTable(x); err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
+	// postmigration
+	type ExpectedOAuth2Application struct {
+		ID                 int64
+		ConfidentialClient bool
+	}
+
+	got := []ExpectedOAuth2Application{}
+	if err := x.Table("o_auth2_application").Select("id, confidential_client").Find(&got); !assert.NoError(t, err) {
+		return
+	}
+
+	assert.NotEmpty(t, got)
+	for _, e := range got {
+		assert.True(t, e.ConfidentialClient)
+	}
+}
--- a/models/migrations/v70.go
+++ b/models/migrations/v70.go
@ -38,7 +38,7 @@ func addIssueDependencies(x *xorm.Engine) (err error) {
 	)

 	if err = x.Sync(new(IssueDependency)); err != nil {
-		return fmt.Errorf("Error creating issue_dependency_table column definition: %v", err)
+		return fmt.Errorf("Error creating issue_dependency_table column definition: %w", err)
 	}

 	// Update Comment definition
@ -76,7 +76,7 @@ func addIssueDependencies(x *xorm.Engine) (err error) {
 	}

 	if err = x.Sync(new(Comment)); err != nil {
-		return fmt.Errorf("Error updating issue_comment table column definition: %v", err)
+		return fmt.Errorf("Error updating issue_comment table column definition: %w", err)
 	}

 	// RepoUnit describes all units of a repository
@ -93,7 +93,7 @@ func addIssueDependencies(x *xorm.Engine) (err error) {
 	units := make([]*RepoUnit, 0, 100)
 	err = x.Where("`type` = ?", v16UnitTypeIssues).Find(&units)
 	if err != nil {
-		return fmt.Errorf("Query repo units: %v", err)
+		return fmt.Errorf("Query repo units: %w", err)
 	}
 	for _, unit := range units {
 		if unit.Config == nil {
--- a/models/migrations/v71.go
+++ b/models/migrations/v71.go
@ -30,7 +30,7 @@ func addScratchHash(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(TwoFactor)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	sess := x.NewSession()
@ -61,7 +61,7 @@ func addScratchHash(x *xorm.Engine) error {
 			tfa.ScratchHash = hashToken(tfa.ScratchToken, salt)

 			if _, err := sess.ID(tfa.ID).Cols("scratch_salt, scratch_hash").Update(tfa); err != nil {
-				return fmt.Errorf("couldn't add in scratch_hash and scratch_salt: %v", err)
+				return fmt.Errorf("couldn't add in scratch_hash and scratch_salt: %w", err)
 			}

 		}
--- a/models/migrations/v72.go
+++ b/models/migrations/v72.go
@ -25,7 +25,7 @@ func addReview(x *xorm.Engine) error {
 	}

 	if err := x.Sync2(new(Review)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return nil
 }
--- a/models/migrations/v76.go
+++ b/models/migrations/v76.go
@ -43,7 +43,7 @@ func addPullRequestRebaseWithMerge(x *xorm.Engine) error {
 	// Updating existing issue units
 	units := make([]*RepoUnit, 0, 100)
 	if err := sess.Where("`type` = ?", v16UnitTypePRs).Find(&units); err != nil {
-		return fmt.Errorf("Query repo units: %v", err)
+		return fmt.Errorf("Query repo units: %w", err)
 	}
 	for _, unit := range units {
 		if unit.Config == nil {
--- a/models/migrations/v81.go
+++ b/models/migrations/v81.go
@ -24,7 +24,7 @@ func changeU2FCounterType(x *xorm.Engine) error {
 	}

 	if err != nil {
-		return fmt.Errorf("Error changing u2f_registration counter column type: %v", err)
+		return fmt.Errorf("Error changing u2f_registration counter column type: %w", err)
 	}

 	return nil
--- a/models/migrations/v85.go
+++ b/models/migrations/v85.go
@ -41,7 +41,7 @@ func hashAppToken(x *xorm.Engine) error {
 	}

 	if err := sess.Sync2(new(AccessToken)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}

 	if err := sess.Commit(); err != nil {
@ -79,7 +79,7 @@ func hashAppToken(x *xorm.Engine) error {
 			token.Sha1 = "" // ensure to blank out column in case drop column doesn't work

 			if _, err := sess.ID(token.ID).Cols("token_hash, token_salt, token_last_eight, sha1").Update(token); err != nil {
-				return fmt.Errorf("couldn't add in sha1, token_hash, token_salt and token_last_eight: %v", err)
+				return fmt.Errorf("couldn't add in sha1, token_hash, token_salt and token_last_eight: %w", err)
 			}

 		}
@ -113,7 +113,7 @@ func resyncHashAppTokenWithUniqueHash(x *xorm.Engine) error {
 		return err
 	}
 	if err := sess.Sync2(new(AccessToken)); err != nil {
-		return fmt.Errorf("Sync2: %v", err)
+		return fmt.Errorf("Sync2: %w", err)
 	}
 	return sess.Commit()
 }
--- a/Show more
+++ b/Show more