make fmt

Fix some annoying segfaults
Merge remote-tracking branch 'origin/main' into forgejo-federation
2023-03-16 01:34:48 +00:00 · 2023-03-15 20:14:00 +00:00 · 2023-03-12 23:19:57 +00:00 · 2023-03-12 19:09:20 +08:00 · 2023-03-12 03:48:07 -04:00 · 2023-03-12 00:16:02 +00:00
3130 changed files with 66117 additions and 32585 deletions
--- a/.air.toml
+++ b/.air.toml
@ -5,6 +5,6 @@ tmp_dir = ".air"
 cmd = "make backend"
 bin = "gitea"
 include_ext = ["go", "tmpl"]
-exclude_dir = ["modules/git/tests", "services/gitdiff/testdata", "modules/avatar/testdata"]
-include_dir = ["cmd", "models", "modules", "options", "routers", "services", "templates"]
+exclude_dir = ["modules/git/tests", "services/gitdiff/testdata", "modules/avatar/testdata", "models/fixtures", "models/migrations/fixtures", "modules/migration/file_format_testdata", "modules/avatar/identicon/testdata"]
+include_dir = ["cmd", "models", "modules", "options", "routers", "services"]
 exclude_regex = ["_test.go$", "_gen.go$"]
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,114 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# IntelliJ
+.idea
+# Goland's output filename can not be set manually
+/go_build_*
+
+# MS VSCode
+.vscode
+__debug_bin
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*coverage.out
+coverage.all
+cpu.out
+
+/modules/migration/bindata.go
+/modules/migration/bindata.go.hash
+/modules/options/bindata.go
+/modules/options/bindata.go.hash
+/modules/public/bindata.go
+/modules/public/bindata.go.hash
+/modules/templates/bindata.go
+/modules/templates/bindata.go.hash
+
+*.db
+*.log
+
+/gitea
+/gitea-vet
+/debug
+/integrations.test
+
+/bin
+/dist
+/custom/*
+!/custom/conf
+/custom/conf/*
+!/custom/conf/app.example.ini
+/data
+/indexers
+/log
+/public/img/avatar
+/tests/integration/gitea-integration-*
+/tests/integration/indexers-*
+/tests/e2e/gitea-e2e-*
+/tests/e2e/indexers-*
+/tests/e2e/reports
+/tests/e2e/test-artifacts
+/tests/e2e/test-snapshots
+/tests/*.ini
+/node_modules
+/yarn.lock
+/yarn-error.log
+/npm-debug.log*
+/public/js
+/public/serviceworker.js
+/public/css
+/public/fonts
+/public/img/webpack
+/vendor
+/web_src/fomantic/node_modules
+/web_src/fomantic/build/*
+!/web_src/fomantic/build/semantic.js
+!/web_src/fomantic/build/semantic.css
+!/web_src/fomantic/build/themes
+/web_src/fomantic/build/themes/*
+!/web_src/fomantic/build/themes/default
+/web_src/fomantic/build/themes/default/assets/*
+!/web_src/fomantic/build/themes/default/assets/fonts
+/web_src/fomantic/build/themes/default/assets/fonts/*
+!/web_src/fomantic/build/themes/default/assets/fonts/icons.woff2
+!/web_src/fomantic/build/themes/default/assets/fonts/outline-icons.woff2
+/VERSION
+/.air
+/.go-licenses
+
+# Snapcraft
+snap/.snapcraft/
+parts/
+stage/
+prime/
+*.snap
+*.snap-build
+*_source.tar.bz2
+.DS_Store
+
+# Make evidence files
+/.make_evidence
+
+# Manpage
+/man
--- a/.drone.yml
+++ b/.drone.yml
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -84,6 +84,7 @@ rules:
  id-length: [0]
  id-match: [0]
  implicit-arrow-linebreak: [0]
+  import/consistent-type-specifier-style: [0]
  import/default: [0]
  import/dynamic-import-chunkname: [0]
  import/export: [2]
@ -103,6 +104,7 @@ rules:
  import/no-default-export: [0]
  import/no-deprecated: [0]
  import/no-dynamic-require: [0]
+  import/no-empty-named-blocks: [2]
  import/no-extraneous-dependencies: [2]
  import/no-import-module-exports: [0]
  import/no-internal-modules: [0]
@ -147,7 +149,7 @@ rules:
  jquery/no-global-eval: [2]
  jquery/no-grep: [2]
  jquery/no-has: [2]
-  jquery/no-hide: [0]
+  jquery/no-hide: [2]
  jquery/no-html: [0]
  jquery/no-in-array: [2]
  jquery/no-is-array: [2]
@ -164,13 +166,13 @@ rules:
  jquery/no-proxy: [2]
  jquery/no-ready: [0]
  jquery/no-serialize: [2]
-  jquery/no-show: [0]
+  jquery/no-show: [2]
  jquery/no-size: [2]
  jquery/no-sizzle: [0]
  jquery/no-slide: [0]
  jquery/no-submit: [0]
  jquery/no-text: [0]
-  jquery/no-toggle: [0]
+  jquery/no-toggle: [2]
  jquery/no-trigger: [0]
  jquery/no-trim: [2]
  jquery/no-val: [0]
@ -199,7 +201,7 @@ rules:
  newline-per-chained-call: [0]
  no-alert: [0]
  no-array-constructor: [2]
-  no-async-promise-executor: [2]
+  no-async-promise-executor: [0]
  no-await-in-loop: [0]
  no-bitwise: [0]
  no-buffer-constructor: [0]
@ -229,6 +231,7 @@ rules:
  no-empty-character-class: [2]
  no-empty-function: [0]
  no-empty-pattern: [2]
+  no-empty-static-block: [2]
  no-empty: [2, {allowEmptyCatch: true}]
  no-eq-null: [2]
  no-eval: [2]
@ -254,7 +257,7 @@ rules:
  no-irregular-whitespace: [2]
  no-iterator: [2]
  no-label-var: [2]
-  no-labels: [0]
+  no-labels: [0] # handled by no-restricted-syntax
  no-lone-blocks: [2]
  no-lonely-if: [0]
  no-loop-func: [0]
@ -269,6 +272,7 @@ rules:
  no-negated-condition: [0]
  no-nested-ternary: [0]
  no-new-func: [2]
+  no-new-native-nonconstructor: [2]
  no-new-object: [2]
  no-new-symbol: [2]
  no-new-wrappers: [2]
@ -333,7 +337,7 @@ rules:
  no-void: [2]
  no-warning-comments: [0]
  no-whitespace-before-property: [2]
-  no-with: [0]
+  no-with: [0] # handled by no-restricted-syntax
  nonblock-statement-body-position: [2]
  object-curly-newline: [0]
  object-curly-spacing: [2, never]
@ -443,6 +447,7 @@ rules:
  unicorn/no-invalid-remove-event-listener: [2]
  unicorn/no-keyword-prefix: [0]
  unicorn/no-lonely-if: [2]
+  unicorn/no-negated-condition: [0]
  unicorn/no-nested-ternary: [0]
  unicorn/no-new-array: [0]
  unicorn/no-new-buffer: [0]
@ -453,6 +458,7 @@ rules:
  unicorn/no-static-only-class: [2]
  unicorn/no-thenable: [2]
  unicorn/no-this-assignment: [2]
+  unicorn/no-typeof-undefined: [2]
  unicorn/no-unnecessary-await: [2]
  unicorn/no-unreadable-array-destructuring: [0]
  unicorn/no-unreadable-iife: [2]
@ -491,7 +497,7 @@ rules:
  unicorn/prefer-native-coercion-functions: [2]
  unicorn/prefer-negative-index: [2]
  unicorn/prefer-node-append: [0]
-  unicorn/prefer-node-protocol: [0]
+  unicorn/prefer-node-protocol: [2]
  unicorn/prefer-node-remove: [0]
  unicorn/prefer-number-properties: [0]
  unicorn/prefer-object-from-entries: [2]
@ -503,6 +509,7 @@ rules:
  unicorn/prefer-regexp-test: [2]
  unicorn/prefer-replace-all: [0]
  unicorn/prefer-set-has: [0]
+  unicorn/prefer-set-size: [2]
  unicorn/prefer-spread: [0]
  unicorn/prefer-starts-ends-with: [2]
  unicorn/prefer-string-slice: [0]
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,9 +1,9 @@
-<!--
-
+<!-- start tips --> 
 Please check the following:
-
-1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
-2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
-3. Describe what your pull request does and which issue you're targeting (if any)
-
-->  
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for backports.
+2. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
+3. Describe what your pull request does and which issue you're targeting (if any).
+4. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
+5. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
+6. Delete all these tips before posting.
+<!-- end tips -->
--- a/.gitpod.yml
+++ b/.gitpod.yml
@ -7,21 +7,26 @@ tasks:
    command: |
      gp sync-done setup
      exit 0
+  - name: Run backend
+    command: |
+      gp sync-await setup
+      if [ ! -f custom/conf/app.ini ]
+      then
+        mkdir -p custom/conf/
+        echo -e "[server]\nROOT_URL=$(gp url 3000)/" > custom/conf/app.ini
+        echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
+      fi
+      export TAGS="sqlite sqlite_unlock_notify"
+      make watch-backend
  - name: Run frontend
    command: |
      gp sync-await setup
      make watch-frontend
-  - name: Run backend
-    command: |
-      gp sync-await setup
-      mkdir -p custom/conf/
-      echo -e "[server]\nROOT_URL=$(gp url 3000)/" > custom/conf/app.ini
-      echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
-      export TAGS="sqlite sqlite_unlock_notify"
-      make watch-backend
+    openMode: split-right
  - name: Run docs
    before: sudo bash -c "$(grep 'https://github.com/gohugoio/hugo/releases/download' Makefile | tr -d '\')" # install hugo
    command: cd docs && make clean update && hugo server -D -F --baseUrl $(gp url 1313) --liveReloadPort=443 --appendPort=false --bind=0.0.0.0
+    openMode: split-right

 vscode:
  extensions:
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,34 +1,34 @@
 linters:
  enable:
-    - gosimple
-    - deadcode
-    - typecheck
-    - govet
-    - errcheck
-    - staticcheck
-    - unused
-    - structcheck
-    - varcheck
-    - dupl
-    #- gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
-    - gofmt
-    - gocritic
    - bidichk
-    - ineffassign
-    - revive
-    - gofumpt
+    # - deadcode # deprecated - https://github.com/golangci/golangci-lint/issues/1841
    - depguard
+    - dupl
+    - errcheck
+    - gocritic
+    # - gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
+    - gofmt
+    - gofumpt
+    - gosimple
+    - govet
+    - ineffassign
    - nakedret
-    - unconvert
-    - wastedassign
    - nolintlint
+    - revive
+    - staticcheck
+    # - structcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
    - stylecheck
+    - typecheck
+    - unconvert
+    - unused
+    # - varcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
+    # - wastedassign # disabled - https://github.com/golangci/golangci-lint/issues/2649
  enable-all: false
  disable-all: true
  fast: false

 run:
-  go: 1.19
+  go: "1.20"
  timeout: 10m
  skip-dirs:
    - node_modules
@ -74,15 +74,17 @@ linters-settings:
      - name: modifies-value-receiver
  gofumpt:
    extra-rules: true
-    lang-version: "1.19"
+    lang-version: "1.20"
  depguard:
-    # TODO: use depguard to replace import checks in gitea-vet
    list-type: denylist
    # Check the list against standard lib.
    include-go-root: true
    packages-with-error-message:
      - encoding/json: "use gitea's modules/json instead of encoding/json"
      - github.com/unknwon/com: "use gitea's util and replacements"
+      - io/ioutil: "use os or io instead"
+      - golang.org/x/exp: "it's experimental and unreliable."
+      - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"

 issues:
  max-issues-per-linter: 0
--- a/.stylelintrc.yaml
+++ b/.stylelintrc.yaml
@ -1,33 +1,139 @@
-extends: stylelint-config-standard
+plugins:
+  - stylelint-declaration-strict-value
+
+ignoreFiles:
+  - "**/*.go"

 overrides:
  - files: ["**/*.less"]
    customSyntax: postcss-less
+  - files: ["**/chroma/*", "**/codemirror/*", "**/standalone/*", "**/console/*"]
+    rules:
+      scale-unlimited/declaration-strict-value: null
+  - files: ["**/chroma/*", "**/codemirror/*"]
+    rules:
+      block-no-empty: null

 rules:
  alpha-value-notation: null
+  annotation-no-unknown: true
+  at-rule-allowed-list: null
+  at-rule-disallowed-list: null
  at-rule-empty-line-before: null
-  block-closing-brace-empty-line-before: null
+  at-rule-no-unknown: true
+  at-rule-no-vendor-prefix: true
+  at-rule-property-required-list: null
+  block-no-empty: true
  color-function-notation: null
+  color-hex-alpha: null
  color-hex-length: null
+  color-named: null
+  color-no-hex: null
+  color-no-invalid-hex: true
  comment-empty-line-before: null
+  comment-no-empty: true
+  comment-pattern: null
+  comment-whitespace-inside: null
+  comment-word-disallowed-list: null
+  custom-media-pattern: null
+  custom-property-empty-line-before: null
+  custom-property-no-missing-var-function: true
+  custom-property-pattern: null
+  declaration-block-no-duplicate-custom-properties: true
+  declaration-block-no-duplicate-properties: [true, {ignore: [consecutive-duplicates-with-different-values]}]
  declaration-block-no-redundant-longhand-properties: null
+  declaration-block-no-shorthand-property-overrides: null
  declaration-block-single-line-max-declarations: null
  declaration-empty-line-before: null
+  declaration-no-important: null
+  declaration-property-max-values: null
+  declaration-property-unit-allowed-list: null
+  declaration-property-unit-disallowed-list: null
+  declaration-property-value-allowed-list: null
+  declaration-property-value-disallowed-list: null
+  declaration-property-value-no-unknown: true
+  font-family-name-quotes: always-where-recommended
+  font-family-no-duplicate-names: true
+  font-family-no-missing-generic-family-keyword: true
+  font-weight-notation: null
+  function-allowed-list: null
+  function-calc-no-unspaced-operator: true
+  function-disallowed-list: null
+  function-linear-gradient-no-nonstandard-direction: true
+  function-name-case: lower
  function-no-unknown: null
+  function-url-no-scheme-relative: null
+  function-url-quotes: always
+  function-url-scheme-allowed-list: null
+  function-url-scheme-disallowed-list: null
  hue-degree-notation: null
  import-notation: string
-  indentation: 2
-  max-line-length: null
+  keyframe-block-no-duplicate-selectors: true
+  keyframe-declaration-no-important: true
+  keyframe-selector-notation: null
+  keyframes-name-pattern: null
+  length-zero-no-unit: true
+  max-nesting-depth: null
+  media-feature-name-allowed-list: null
+  media-feature-name-disallowed-list: null
+  media-feature-name-no-unknown: true
+  media-feature-name-no-vendor-prefix: true
+  media-feature-name-unit-allowed-list: null
+  media-feature-name-value-allowed-list: null
+  media-feature-range-notation: null
+  named-grid-areas-no-invalid: true
  no-descending-specificity: null
+  no-duplicate-at-import-rules: true
+  no-duplicate-selectors: true
+  no-empty-source: true
+  no-invalid-double-slash-comments: true
  no-invalid-position-at-import-rule: null
-  number-leading-zero: never
+  no-irregular-whitespace: true
+  no-unknown-animations: null
  number-max-precision: null
+  property-allowed-list: null
+  property-disallowed-list: null
+  property-no-unknown: true
  property-no-vendor-prefix: null
  rule-empty-line-before: null
+  rule-selector-property-disallowed-list: null
+  scale-unlimited/declaration-strict-value: [color, {ignoreValues: /^(inherit|transparent|unset|initial|currentcolor)$/}]
+  selector-attribute-name-disallowed-list: null
+  selector-attribute-operator-allowed-list: null
+  selector-attribute-operator-disallowed-list: null
+  selector-attribute-quotes: always
  selector-class-pattern: null
+  selector-combinator-allowed-list: null
+  selector-combinator-disallowed-list: null
+  selector-disallowed-list: null
  selector-id-pattern: null
+  selector-max-attribute: null
+  selector-max-class: null
+  selector-max-combinators: null
+  selector-max-compound-selectors: null
+  selector-max-id: null
+  selector-max-pseudo-class: null
+  selector-max-specificity: null
+  selector-max-type: null
+  selector-max-universal: null
+  selector-nested-pattern: null
+  selector-no-qualifying-type: null
+  selector-no-vendor-prefix: true
+  selector-not-notation: null
+  selector-pseudo-class-allowed-list: null
+  selector-pseudo-class-disallowed-list: null
+  selector-pseudo-class-no-unknown: true
+  selector-pseudo-element-allowed-list: null
  selector-pseudo-element-colon-notation: double
+  selector-pseudo-element-disallowed-list: null
+  selector-pseudo-element-no-unknown: true
+  selector-type-case: lower
+  selector-type-no-unknown: [true, {ignore: [custom-elements]}]
  shorthand-property-no-redundant-values: true
-  string-quotes: null
-  value-no-vendor-prefix: null
+  string-no-newline: true
+  time-min-milliseconds: null
+  unit-allowed-list: null
+  unit-disallowed-list: null
+  unit-no-unknown: true
+  value-keyword-case: null
+  value-no-vendor-prefix: [true, {ignoreValues: [box, inline-box]}]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,366 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

+## [1.18.5](https://github.com/go-gitea/gitea/releases/tag/v1.18.5) - 2023-02-21
+
+* ENHANCEMENTS
+  * Hide 2FA status from other members in organization members list (#22999) (#23023)
+* BUGFIXES
+  * Add force_merge to merge request and fix checking mergable (#23010) (#23032)
+  * Use `--message=%s` for git commit message (#23028) (#23029)
+  * Render access log template as text instead of HTML (#23013) (#23025)
+  * Fix the Manually Merged form (#23015) (#23017)
+  * Use beforeCommit instead of baseCommit (#22949) (#22996)
+  * Display attachments of review comment when comment content is blank (#23035) (#23046)
+  * Return empty url for submodule tree entries (#23043) (#23048)
+
+## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/1.18.4) - 2023-02-20
+
+* SECURITY
+  * Provide the ability to set password hash algorithm parameters (#22942) (#22943)
+  * Add command to bulk set must-change-password (#22823) (#22928)
+* ENHANCEMENTS
+  * Use import of OCI structs (#22765) (#22805)
+  * Fix color of tertiary button on dark theme (#22739) (#22744)
+  * Link issue and pull requests status change in UI notifications directly to their event in the timelined view. (#22627) (#22642)
+* BUGFIXES
+  * Notify on container image create (#22806) (#22965)
+  * Fix blame view missing lines (#22826) (#22929)
+  * Fix incorrect role labels for migrated issues and comments (#22914) (#22923)
+  * Fix PR file tree folders no longer collapsing (#22864) (#22872)
+  * Escape filename when assemble URL (#22850) (#22871)
+  * Fix isAllowed of escapeStreamer (#22814) (#22837)
+  * Load issue before accessing index in merge message (#22822) (#22830)
+  * Improve trace logging for pulls and processes (#22633) (#22812)
+  * Fix restore repo bug, clarify the problem of ForeignIndex (#22776) (#22794)
+  * Add default user visibility to cli command "admin user create" (#22750) (#22760)
+  * Escape path for the file list (#22741) (#22757)
+  * Fix bugs with WebAuthn preventing sign in and registration. (#22651) (#22721)
+  * Add missing close bracket in imagediff (#22710) (#22712)
+  * Move code comments to a standalone file and fix the bug when adding a reply to an outdated review appears to not post(#20821) (#22707)
+  * Fix line spacing for plaintext previews (#22699) (#22701)
+  * Fix wrong hint when deleting a branch successfully from pull request UI (#22673) (#22698)
+  * Fix README TOC links (#22577) (#22677)
+  * Fix missing message in git hook when pull requests disabled on fork (#22625) (#22658)
+  * Improve checkIfPRContentChanged (#22611) (#22644)
+  * Prevent duplicate labels when importing more than 99 (#22591) (#22598)
+  * Don't return duplicated users who can create org repo (#22560) (#22562)
+* BUILD
+  * Upgrade golangcilint to v1.51.0 (#22764)
+* MISC
+  * Use proxy for pull mirror (#22771) (#22772)
+  * Use `--index-url` in PyPi description (#22620) (#22636)
+
+## [1.18.3](https://github.com/go-gitea/gitea/releases/tag/v1.18.3) - 2023-01-23
+
+* SECURITY
+  * Prevent multiple `To` recipients (#22566) (#22569)
+* BUGFIXES
+  * Truncate commit summary on repo files table. (#22551) (#22552)
+  * Mute all links in issue timeline (#22534)
+
+## [1.18.2](https://github.com/go-gitea/gitea/releases/tag/v1.18.2) - 2023-01-19
+
+* BUGFIXES
+  * Fix issue not auto-closing when it includes a reference to a branch (#22514) (#22521)
+  * Fix invalid issue branch reference if not specified in template (#22513) (#22520)
+  * Fix 500 error viewing pull request when fork has pull requests disabled (#22512) (#22515)
+  * Reliable selection of admin user (#22509) (#22511)
+  * Set disable_gravatar/enable_federated_avatar when offline mode is true (#22479) (#22496)
+* BUILD
+  * cgo cross-compile for freebsd (#22397) (#22519)
+
+## [1.18.1](https://github.com/go-gitea/gitea/releases/tag/v1.18.1) - 2023-01-17
+
+* API
+  * Add `sync_on_commit` option for push mirrors api (#22271) (#22292)
+* BUGFIXES
+  * Update `github.com/zeripath/zapx/v15` (#22485)
+  * Fix pull request API field `closed_at` always being `null` (#22482) (#22483)
+  * Fix container blob mount (#22226) (#22476)
+  * Fix error when calculating repository size (#22392) (#22474)
+  * Fix Operator does not exist bug on explore page with ONLY_SHOW_RELEVANT_REPOS (#22454) (#22472)
+  * Fix environments for KaTeX and error reporting (#22453) (#22473)
+  * Remove the netgo tag for Windows build (#22467) (#22468)
+  * Fix migration from GitBucket (#22477) (#22465)
+  * Prevent panic on looking at api "git" endpoints for empty repos (#22457) (#22458)
+  * Fix PR status layout on mobile (#21547) (#22441)
+  * Fix wechatwork webhook sends empty content in PR review (#21762) (#22440)
+  * Remove duplicate "Actions" label in mobile view (#21974) (#22439)
+  * Fix leaving organization bug on user settings -> orgs (#21983) (#22438)
+  * Fixed colour transparency regex matching in project board sorting (#22092) (#22437)
+  * Correctly handle select on multiple channels in Queues (#22146) (#22428)
+  * Prepend refs/heads/ to issue template refs (#20461) (#22427)
+  * Restore function to "Show more" buttons (#22399) (#22426)
+  * Continue GCing other repos on error in one repo (#22422) (#22425)
+  * Allow HOST has no port (#22280) (#22409)
+  * Fix omit avatar_url in discord payload when empty (#22393) (#22394)
+  * Don't display stop watch top bar icon when disabled and hidden when click other place (#22374) (#22387)
+  * Don't lookup mail server when using sendmail (#22300) (#22383)
+  * Fix gravatar disable bug (#22337)
+  * Fix update settings table on install (#22326) (#22327)
+  * Fix sitemap (#22272) (#22320)
+  * Fix code search title translation (#22285) (#22316)
+  * Fix due date rendering the wrong date in issue (#22302) (#22306)
+  * Fix get system setting bug when enabled redis cache (#22298)
+  * Fix bug of DisableGravatar default value (#22297)
+  * Fix key signature error page (#22229) (#22230)
+* TESTING
+  * Remove test session cache to reduce possible concurrent problem (#22199) (#22429)
+* MISC
+  * Restore previous official review when an official review is deleted (#22449) (#22460)
+  * Log STDERR of external renderer when it fails (#22442) (#22444)
+
+## [1.18.0](https://github.com/go-gitea/gitea/releases/tag/v1.18.0) - 2022-12-29
+
+* SECURITY
+  * Remove ReverseProxy authentication from the API (#22219) (#22251)
+  * Support Go Vulnerability Management (#21139)
+  * Forbid HTML string tooltips (#20935)
+* BREAKING
+  * Rework mailer settings (#18982)
+  * Remove U2F support (#20141)
+  * Refactor `i18n` to `locale` (#20153)
+  * Enable contenthash in filename for dynamic assets (#20813)
+* FEATURES
+  * Add color previews in markdown (#21474)
+  * Allow package version sorting (#21453)
+  * Add support for Chocolatey/NuGet v2 API (#21393)
+  * Add API endpoint to get changed files of a PR (#21177)
+  * Add filetree on left of diff view (#21012)
+  * Support Issue forms and PR forms (#20987)
+  * Add support for Vagrant packages (#20930)
+  * Add support for `npm unpublish` (#20688)
+  * Add badge capabilities to users (#20607)
+  * Add issue filter for Author (#20578)
+  * Add KaTeX rendering to Markdown. (#20571)
+  * Add support for Pub packages (#20560)
+  * Support localized README (#20508)
+  * Add support mCaptcha as captcha provider (#20458)
+  * Add team member invite by email (#20307)
+  * Added email notification option to receive all own messages (#20179)
+  * Switch Unicode Escaping to a VSCode-like system (#19990)
+  * Add user/organization code search (#19977)
+  * Only show relevant repositories on explore page (#19361)
+  * User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133)
+  * Add sitemap support (#18407)
+  * Allow creation of OAuth2 applications for orgs (#18084)
+  * Add system setting table with cache and also add cache supports for user setting (#18058)
+  * Add pages to view watched repos and subscribed issues/PRs (#17156)
+  * Support Proxy protocol (#12527)
+  * Implement sync push mirror on commit (#19411)
+* API
+  * Allow empty assignees on pull request edit (#22150) (#22214)
+  * Make external issue tracker regexp configurable via API (#21338)
+  * Add name field for org api (#21270)
+  * Show teams with no members if user is admin (#21204)
+  * Add latest commit's SHA to content response (#20398)
+  * Add allow_rebase_update, default_delete_branch_after_merge to repository api response (#20079)
+  * Add new endpoints for push mirrors management (#19841)
+* ENHANCEMENTS
+  * Add setting to disable the git apply step in test patch (#22130) (#22170)
+  * Multiple improvements for comment edit diff (#21990) (#22007)
+  * Fix button in branch list, avoid unexpected page jump before restore branch actually done (#21562) (#21928)
+  * Fix flex layout for repo list icons (#21896) (#21920)
+  * Fix vertical align of committer avatar rendered by email address (#21884) (#21918)
+  * Fix setting HTTP headers after write (#21833) (#21877)
+  * Color and Style enhancements (#21784, #21799) (#21868)
+  * Ignore line anchor links with leading zeroes (#21728) (#21776)
+  * Quick fixes monaco-editor error: "vs.editor.nullLanguage" (#21734) (#21738)
+  * Use CSS color-scheme instead of invert (#21616) (#21623)
+  * Respect user's locale when rendering the date range in the repo activity page (#21410)
+  * Change `commits-table` column width (#21564)
+  * Refactor git command arguments and make all arguments to be safe to be used (#21535)
+  * CSS color enhancements (#21534)
+  * Add link to user profile in markdown mention only if user exists (#21533, #21554)
+  * Add option to skip index dirs (#21501)
+  * Diff file tree tweaks (#21446)
+  * Localize all timestamps (#21440)
+  * Add `code` highlighting in issue titles (#21432)
+  * Use Name instead of DisplayName in LFS Lock (#21415)
+  * Consolidate more CSS colors into variables (#21402)
+  * Redirect to new repository owner (#21398)
+  * Use ISO date format instead of hard-coded English date format for date range in repo activity page (#21396)
+  * Use weighted algorithm for string matching when finding files in repo (#21370)
+  * Show private data in feeds (#21369)
+  * Refactor parseTreeEntries, speed up tree list (#21368)
+  * Add GET and DELETE endpoints for Docker blob uploads (#21367)
+  * Add nicer error handling on template compile errors (#21350)
+  * Add `stat` to `ToCommit` function for speed (#21337)
+  * Support instance-wide OAuth2 applications (#21335)
+  * Record OAuth client type at registration (#21316)
+  * Add new CSS variables --color-accent and --color-small-accent (#21305)
+  * Improve error descriptions for unauthorized_client (#21292)
+  * Case-insensitive "find files in repo" (#21269)
+  * Consolidate more CSS rules, fix inline code on arc-green (#21260)
+  * Log real ip of requests from ssh (#21216)
+  * Save files in local storage as group readable (#21198)
+  * Enable fluid page layout on medium size viewports (#21178)
+  * File header tweaks (#21175)
+  * Added missing headers on user packages page (#21172)
+  * Display image digest for container packages (#21170)
+  * Skip dirty check for team forms (#21154)
+  * Keep path when creating a new branch (#21153)
+  * Remove fomantic image module (#21145)
+  * Make labels clickable in the comments section. (#21137)
+  * Sort branches and tags by date descending (#21136)
+  * Better repo API unit checks (#21130)
+  * Improve commit status icons (#21124)
+  * Limit length of repo description and repo url input fields (#21119)
+  * Show .editorconfig errors in frontend (#21088)
+  * Allow poster to choose reviewers (#21084)
+  * Remove black labels and CSS cleanup (#21003)
+  * Make e-mail sanity check more precise (#20991)
+  * Use native inputs in whitespace dropdown (#20980)
+  * Enhance package date display (#20928)
+  * Display total blob size of a package version (#20927)
+  * Show language name on hover (#20923)
+  * Show instructions for all generic package files (#20917)
+  * Refactor AssertExistsAndLoadBean to use generics (#20797)
+  * Move the official website link at the footer of gitea (#20777)
+  * Add support for full name in reverse proxy auth (#20776)
+  * Remove useless JS operation for relative time tooltips (#20756)
+  * Replace some icons with SVG (#20741)
+  * Change commit status icons to SVG (#20736)
+  * Improve single repo action for issue and pull requests (#20730)
+  * Allow multiple files in generic packages (#20661)
+  * Add option to create new issue from /issues page (#20650)
+  * Background color of private list-items updated (#20630)
+  * Added search input field to issue filter (#20623)
+  * Increase default item listing size `ISSUE_PAGING_NUM` to 20 (#20547)
+  * Modify milestone search keywords to be case insensitive again (#20513)
+  * Show hint to link package to repo when viewing empty repo package list (#20504)
+  * Add Tar ZSTD support (#20493)
+  * Make code review checkboxes clickable (#20481)
+  * Add "X-Gitea-Object-Type" header for GET `/raw/` & `/media/` API (#20438)
+  * Display project in issue list (#20434)
+  * Prepend commit message to template content when opening a new PR (#20429)
+  * Replace fomantic popup module with tippy.js (#20428)
+  * Allow to specify colors for text in markup (#20363)
+  * Allow access to the Public Organization Member lists with minimal permissions (#20330)
+  * Use default values when provided values are empty (#20318)
+  * Vertical align navbar avatar at middle (#20302)
+  * Delete cancel button in repo creation page (#21381)
+  * Include login_name in adminCreateUser response (#20283)
+  * fix: icon margin in user/settings/repos (#20281)
+  * Remove blue text on migrate page (#20273)
+  * Modify milestone search keywords to be case insensitive (#20266)
+  * Move some files into models' sub packages (#20262)
+  * Add tooltip to repo icons in explore page (#20241)
+  * Remove deprecated licenses (#20222)
+  * Webhook for Wiki changes (#20219)
+  * Share HTML template renderers and create a watcher framework (#20218)
+  * Allow enable LDAP source and disable user sync via CLI (#20206)
+  * Adds a checkbox to select all issues/PRs (#20177)
+  * Refactor `i18n` to `locale` (#20153)
+  * Disable status checks in template if none found (#20088)
+  * Allow manager logging to set SQL (#20064)
+  * Add order by for assignee no sort issue (#20053)
+  * Take a stab at porting existing components to Vue3 (#20044)
+  * Add doctor command to write commit-graphs (#20007)
+  * Add support for authentication based on reverse proxy email (#19949)
+  * Enable spellcheck for EasyMDE, use contenteditable mode (#19776)
+  * Allow specifying SECRET_KEY_URI, similar to INTERNAL_TOKEN_URI (#19663)
+  * Rework mailer settings (#18982)
+  * Add option to purge users (#18064)
+  * Add author search input (#21246)
+  * Make rss/atom identifier globally unique (#21550)
+* BUGFIXES
+  * Auth interface return error when verify failure (#22119) (#22259)
+  * Use complete SHA to create and query commit status (#22244) (#22257)
+  * Update bleve and zapx to fix unaligned atomic (#22031) (#22218)
+  * Prevent panic in doctor command when running default checks (#21791) (#21807)
+  * Load GitRepo in API before deleting issue (#21720) (#21796)
+  * Ignore line anchor links with leading zeroes (#21728) (#21776)
+  * Set last login when activating account (#21731) (#21755)
+  * Fix UI language switching bug (#21597) (#21749)
+  * Quick fixes monaco-editor error: "vs.editor.nullLanguage" (#21734) (#21738)
+  * Allow local package identifiers for PyPI packages (#21690) (#21727)
+  * Deal with markdown template without metadata (#21639) (#21654)
+  * Fix opaque background on mermaid diagrams (#21642) (#21652)
+  * Fix repository adoption on Windows (#21646) (#21650)
+  * Sync git hooks when config file path changed (#21619) (#21626)
+  * Fix 500 on PR files API (#21602) (#21607)
+  * Fix `Timestamp.IsZero` (#21593) (#21603)
+  * Fix viewing user subscriptions (#21482)
+  * Fix mermaid-related bugs (#21431)
+  * Fix branch dropdown shifting on page load (#21428)
+  * Fix default theme-auto selector when nologin (#21346)
+  * Fix and improve incorrect error messages (#21342)
+  * Fix formatted link for PR review notifications to matrix (#21319)
+  * Center-aligning content of WebAuthN page (#21127)
+  * Remove follow from commits by file (#20765)
+  * Fix commit status popup (#20737)
+  * Fix init mail render logic (#20704)
+  * Use correct page size for link header pagination (#20546)
+  * Preserve unix socket file (#20499)
+  * Use tippy.js for context popup (#20393)
+  * Add missing parameter for error in log message (#20144)
+  * Do not allow organisation owners add themselves as collaborator (#20043)
+  * Rework file highlight rendering and fix yaml copy-paste (#19967)
+  * Improve code diff highlight, fix incorrect rendered diff result (#19958)
+* TESTING
+  * Improve OAuth integration tests (#21390)
+  * Add playwright tests (#20123)
+* BUILD
+  * Switch to building with go1.19 (#20695)
+  * Update JS dependencies, adjust eslint (#20659)
+  * Add more linters to improve code readability (#19989)
+
+## [1.17.4](https://github.com/go-gitea/gitea/releases/tag/v1.17.4) - 2022-12-21
+
+* SECURITY
+  * Do not allow Ghost access to limited visible user/org (#21849) (#21875)
+  * Fix package access for admins and inactive users (#21580) (#21592)
+* ENHANCEMENTS
+  * Fix button in branch list, avoid unexpected page jump before restore branch actually done (#21562) (#21927)
+  * Fix vertical align of committer avatar rendered by email address (#21884) (#21919)
+  * Fix setting HTTP headers after write (#21833) (#21874)
+  * Ignore line anchor links with leading zeroes (#21728) (#21777)
+  * Enable Monaco automaticLayout (#21516)
+* BUGFIXES
+  * Do not list active repositories as unadopted (#22034) (#22167)
+  * Correctly handle moved files in apply patch (#22118) (#22136)
+  * Fix condition for is_internal (#22095) (#22131)
+  * Fix permission check on issue/pull lock (#22114)
+  * Fix sorting admin user list by last login (#22081) (#22106)
+  * Workaround for container registry push/pull errors (#21862) (#22069)
+  * Fix issue/PR numbers (#22037) (#22045)
+  * Handle empty author names (#21902) (#22028)
+  * Fix ListBranches to handle empty case (#21921) (#22025)
+  * Fix enabling partial clones on 1.17 (#21809)
+  * Prevent panic in doctor command when running default checks (#21791) (#21808)
+  * Upgrade golang.org/x/crypto (#21792) (#21794)
+  * Init git module before database migration (#21764) (#21766)
+  * Set last login when activating account (#21731) (#21754)
+  * Add HEAD fix to gitea doctor (#21352) (#21751)
+  * Fix UI language switching bug (#21597) (#21748)
+  * Remove semver compatible flag and change pypi to an array of test cases (#21708) (#21729)
+  * Allow local package identifiers for PyPI packages (#21690) (#21726)
+  * Fix repository adoption on Windows (#21646) (#21651)
+  * Sync git hooks when config file path changed (#21619) (#21625)
+  * Added check for disabled Packages (#21540) (#21614)
+  * Fix `Timestamp.IsZero` (#21593) (#21604)
+  * Fix issues count bug (#21600)
+  * Support binary deploy in npm packages (#21589)
+  * Update milestone counters when issue is deleted (#21459) (#21586)
+  * SessionUser protection against nil pointer dereference (#21581)
+  * Case-insensitive NuGet symbol file GUID (#21409) (#21575)
+  * Suppress `ExternalLoginUserNotExist` error (#21504) (#21572)
+  * Prevent Authorization header for presigned LFS urls (#21531) (#21569)
+  * Update binding to fix bugs (#21560)
+  * Fix generating compare link (#21519) (#21530)
+  * Ignore error when retrieving changed PR review files (#21487) (#21524)
+  * Fix incorrect notification commit url (#21479) (#21483)
+  * Display total commit count in hook message (#21400) (#21481)
+  * Enforce grouped NuGet search results (#21442) (#21480)
+  * Return 404 when user is not found on avatar (#21476) (#21477)
+  * Normalize NuGet package version on upload (#22186) (#22201)
+* MISC
+  * Check for zero time instant in TimeStamp.IsZero() (#22171) (#22173)
+  * Fix warn in database structs sync (#22111)
+  * Allow for resolution of NPM registry paths that match upstream (#21568) (#21723)
+
 ## [1.17.3](https://github.com/go-gitea/gitea/releases/tag/v1.17.3) - 2022-10-15

 * SECURITY
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -0,0 +1,96 @@
+# Gitea Community Code of Conduct
+
+## About
+
+Online communities include people from many different backgrounds. The Gitea contributors are committed to providing a friendly, safe and welcoming environment for all, regardless of gender identity and expression, sexual orientation, disabilities, neurodiversity, physical appearance, body size, ethnicity, nationality, race, age, religion, or similar personal characteristics.
+
+The first goal of the Code of Conduct is to specify a baseline standard of behavior so that people with different social values and communication styles can talk about Gitea effectively, productively, and respectfully.
+
+The second goal is to provide a mechanism for resolving conflicts in the community when they arise.
+
+The third goal of the Code of Conduct is to make our community welcoming to people from different backgrounds. Diversity is critical to the project; for Gitea to be successful, it needs contributors and users from all backgrounds.
+
+We believe that healthy debate and disagreement are essential to a healthy project and community. However, it is never ok to be disrespectful. We value diverse opinions, but we value respectful behavior more.
+
+## Community values
+
+These are the values to which people in the Gitea community should aspire.
+
+- **Be friendly and welcoming.**
+- **Be patient.**
+  - Remember that people have varying communication styles and that not everyone is using their native language. (Meaning and tone can be lost in translation.)
+- **Be thoughtful.**
+  - Productive communication requires effort. Think about how your words will be interpreted.
+  - Remember that sometimes it is best to refrain entirely from commenting.
+- **Be respectful.**
+  - In particular, respect differences of opinion.
+- **Be charitable.**
+  - Interpret the arguments of others in good faith, do not seek to disagree.
+  - When we do disagree, try to understand why.
+- **Be constructive.**
+  - Avoid derailing: stay on topic; if you want to talk about something else, start a new conversation.
+  - Avoid unconstructive criticism: don't merely decry the current state of affairs; offer—or at least solicit—suggestions as to how things may be improved.
+  - Avoid snarking (pithy, unproductive, sniping comments)
+  - Avoid discussing potentially offensive or sensitive issues; this all too often leads to unnecessary conflict.
+  - Avoid microaggressions (brief and commonplace verbal, behavioral and environmental indignities that communicate hostile, derogatory or negative slights and insults to a person or group).
+- **Be responsible.**
+  - What you say and do matters. Take responsibility for your words and actions, including their consequences, whether intended or otherwise.
+
+People are complicated. You should expect to be misunderstood and to misunderstand others; when this inevitably occurs, resist the urge to be defensive or assign blame. Try not to take offense where no offense was intended. Give people the benefit of the doubt. Even if the intent was to provoke, do not rise to it. It is the responsibility of all parties to de-escalate conflict when it arises.
+
+## Code of Conduct
+
+### Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+### Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others’ private information, such as a physical or electronic address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+### Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject: comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, as well as to ban (temporarily or permanently) any contributor for behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+### Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+This Code of Conduct also applies outside the project spaces when the Project Stewards have a reasonable belief that an individual’s behavior may have a negative impact on the project or its community.
+
+### Conflict Resolution
+
+We do not believe that all conflict is bad; healthy debate and disagreement often yield positive results. However, it is never okay to be disrespectful or to engage in behavior that violates the project’s code of conduct.
+
+If you see someone violating the code of conduct, you are encouraged to address the behavior directly with those involved. Many issues can be resolved quickly and easily, and this gives people more control over the outcome of their dispute. If you are unable to resolve the matter for any reason, or if the behavior is threatening or harassing, report it. We are dedicated to providing an environment where participants feel welcome and safe.
+
+Reports should be directed to the Gitea Project Stewards at conduct@gitea.com. It is the Project Stewards’ duty to receive and address reported violations of the code of conduct. They will then work with a committee consisting of representatives from the technical-oversight-committee.
+
+We will investigate every complaint, but you may not receive a direct response. We will use our discretion in determining when and how to follow up on reported incidents, which may range from not taking action to permanent expulsion from the project and project-sponsored spaces. Under normal circumstances, we will notify the accused of the report and provide them an opportunity to discuss it before any action is taken. If there is a consensus between maintainers that such an endeavor would be useless (i.e. in case of an obvious spammer), we reserve the right to take action without notifying the accused first. The identity of the reporter will be omitted from the details of the report supplied to the accused. In potentially harmful situations, such as ongoing harassment or threats to anyone’s safety, we may take action without notice.
+
+### Attribution
+
+This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+## Summary
+
+- Treat everyone with respect and kindness.
+- Be thoughtful in how you communicate.
+- Don’t be destructive or inflammatory.
+- If you encounter an issue, please mail conduct@gitea.com.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -190,6 +190,8 @@ To maintain understandable code and avoid circular dependencies it is important
 - **templates:** Golang templates for generating the html output.
 - **tests/e2e:** End to end tests
 - **tests/integration:** Integration tests
+- **tests/gitea-repositories-meta:** Sample repos used in integration tests. Adding a new repo requires editing `models/fixtures/repositories.yml` and `models/fixtures/repo_unit.yml` to match.
+- **tests/gitea-lfs-meta:** Sample LFS objects used in integration tests. Adding a new object requires editing `models/fixtures/lfs_meta_object.yml` to match.
 - **vendor:** External code that Gitea depends on.

 ## Documentation
@ -265,26 +267,10 @@ with the rest of the summary matching the original PR. Similarly for frontports

 ---

-The below is a script that may be helpful in creating backports. YMMV.
+A command to help create backports can be found in `contrib/backport` and can be installed (from inside the gitea repo root directory) using:

 ```bash
-#!/bin/sh
-PR="$1"
-SHA="$2"
-VERSION="$3"
-
-if [ -z "$SHA" ]; then
-    SHA=$(gh api /repos/go-gitea/gitea/pulls/$PR -q '.merge_commit_sha')
-fi
-
-if [ -z "$VERSION" ]; then
-    VERSION="v1.16"
-fi
-
-echo git checkout origin/release/"$VERSION" -b backport-$PR-$VERSION
-git checkout origin/release/"$VERSION" -b backport-$PR-$VERSION
-git cherry-pick $SHA && git commit --amend && git push zeripath backport-$PR-$VERSION && xdg-open https://github.com/go-gitea/gitea/compare/release/"$VERSION"...zeripath:backport-$PR-$VERSION
-
+go install contrib/backport/backport.go
 ```

 ## Developer Certificate of Origin (DCO)
@ -313,9 +299,7 @@ known as the release freeze. All the feature pull requests should be
 merged before feature freeze. And, during the frozen period, a corresponding
 release branch is open for fixes backported from main branch. Release candidates
 are made during this period for user testing to
-obtain a final version that is maintained in this branch. A release is
-maintained by issuing patch releases to only correct critical problems
-such as crashes or security issues.
+obtain a final version that is maintained in this branch.

 Major release cycles are seasonal. They always begin on the 25th and end on
 the 24th (i.e., the 25th of December to March 24th).
@ -325,6 +309,16 @@ for the previous version. For example, if the latest, published release is
 v1.2, then minor changes for the previous release—e.g., v1.1.0 -> v1.1.1—are
 still possible.

+The previous release gets fixes for:
+
+- Security issues
+- Critical bugs
+- Regressions
+- Build issues
+- Necessary enhancements (including necessary UI/UX fixes)
+
+The backported fixes should avoid breaking downgrade between minor releases as much as possible.
+
 ## Maintainers

 To make sure every PR is checked, we have [team
@ -439,9 +433,9 @@ be reviewed by two maintainers and must pass the automatic tests.
 Code that you contribute should use the standard copyright header:

 ```
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// Copyright <year> The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 ```

 Files in the repository contain copyright from the year they are added
--- a/4
+++ b/4
@ -2,8 +2,6 @@ Developer Certificate of Origin
 Version 1.1

 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
-660 York Street, Suite 102,
-San Francisco, CA 94110 USA

 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
@ -33,4 +31,4 @@ By making a contribution to this project, I certify that:
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
-    this project or the open source license(s) involved.
+    this project or the open source license(s) involved.
--- a/6
+++ b/6
@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.19-alpine3.16 AS build-env
+FROM golang:1.20-alpine3.17 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -23,7 +23,7 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-FROM alpine:3.16
+FROM alpine:3.17
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 22 3000
@ -64,5 +64,7 @@ CMD ["/bin/s6-svscan", "/etc/s6"]
 COPY docker/root /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 RUN chmod 755 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
 RUN chmod 755 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.19-alpine3.16 AS build-env
+FROM golang:1.20-alpine3.17 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -23,7 +23,7 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-FROM alpine:3.16
+FROM alpine:3.17
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 2222 3000
@ -31,6 +31,7 @@ EXPOSE 2222 3000
 RUN apk --no-cache add \
    bash \
    ca-certificates \
+    dumb-init \
    gettext \
    git \
    curl \
@ -53,7 +54,9 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 COPY docker/rootless /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 RUN chmod 755 /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-setup.sh /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh

 #git:git
 USER 1000:1000
@ -68,6 +71,6 @@ ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
 WORKDIR /var/lib/gitea

-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []

--- a/7
+++ b/7
@ -6,7 +6,6 @@ Kim Carlbäcker <kim.carlbacker@gmail.com> (@bkcsoft)
 LefsFlare <nobody@nobody.tld> (@LefsFlarey)
 Lunny Xiao <xiaolunwen@gmail.com> (@lunny)
 Matthias Loibl <mail@matthiasloibl.com> (@metalmatze)
-Morgan Bazalgette <the@howl.moe> (@thehowl)
 Rachid Zarouali <nobody@nobody.tld> (@xinity)
 Rémy Boulanouar <admin@dblk.org> (@DblK)
 Sandro Santilli <strk@kbt.io> (@strk)
@ -44,8 +43,10 @@ Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
 Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
 Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
 Leon Hofmeister <dev.lh@web.de> (@delvh) 
-silentcode <silentcode@senga.org> (@silentcodeg)
 Wim <wim@42.be> (@42wim)
-xinyu <xinyu@nerv.org.cn> (@penlinux)
 Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
+Yu Tian <zettat123@gmail.com> (@Zettat123)
+Eddie Yang <576951401@qq.com> (@yp05327)
+Dong Ge <gedong_1994@163.com> (@sillyguodong)
+Xinyi Gong <hestergong@gmail.com> (@HesterG)
--- a/41
+++ b/41
@ -23,18 +23,18 @@ SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 COMMA := ,

-XGO_VERSION := go-1.19.x
+XGO_VERSION := go-1.20.x

 AIR_PACKAGE ?= github.com/cosmtrek/air@v1.40.4
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.5.0
-ERRCHECK_PACKAGE ?= github.com/kisielk/errcheck@v1.6.1
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.3.1
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.47.0
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.6.0
+ERRCHECK_PACKAGE ?= github.com/kisielk/errcheck@v1.6.2
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.4.0
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
 MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.0
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.4
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.3.0
+GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.5.0
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest

 DOCKER_IMAGE ?= gitea/gitea
@ -190,6 +190,7 @@ help:
 	@echo " - deps                             install dependencies"
 	@echo " - deps-frontend                    install frontend dependencies"
 	@echo " - deps-backend                     install backend dependencies"
+	@echo " - deps-tools                       install tool dependencies"
 	@echo " - lint                             lint everything"
 	@echo " - lint-frontend                    lint frontend files"
 	@echo " - lint-backend                     lint backend files"
@ -333,7 +334,7 @@ checks: checks-frontend checks-backend
 checks-frontend: lockfile-check svg-check

 .PHONY: checks-backend
-checks-backend: tidy-check swagger-check fmt-check misspell-check swagger-validate
+checks-backend: tidy-check swagger-check fmt-check misspell-check swagger-validate security-check

 .PHONY: lint
 lint: lint-frontend lint-backend
@ -359,7 +360,7 @@ watch-frontend: node-check node_modules

 .PHONY: watch-backend
 watch-backend: go-check
-	$(GO) run $(AIR_PACKAGE) -c .air.toml
+	GITEA_RUN_MODE=dev $(GO) run $(AIR_PACKAGE) -c .air.toml

 .PHONY: test
 test: test-frontend test-backend
@ -745,22 +746,22 @@ generate-go: $(TAGS_PREREQ)

 .PHONY: security-check
 security-check:
-	govulncheck -v ./...
+	go run $(GOVULNCHECK_PACKAGE) -v ./...

 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@

 .PHONY: release
-release: frontend generate release-windows release-linux release-darwin release-copy release-compress vendor release-sources release-docs release-check
+release: frontend generate release-windows release-linux release-darwin release-freebsd release-copy release-compress vendor release-sources release-docs release-check

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
 ifeq (,$(findstring gogit,$(TAGS)))
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo gogit $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION)-gogit .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo gogit $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION)-gogit .
 endif
 ifeq ($(CI),true)
 	cp /build/* $(DIST)/binaries
@ -780,6 +781,13 @@ ifeq ($(CI),true)
 	cp /build/* $(DIST)/binaries
 endif

+.PHONY: release-freebsd
+release-freebsd: | $(DIST_DIRS)
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'freebsd/amd64' -out gitea-$(VERSION) .
+ifeq ($(CI),true)
+	cp /build/* $(DIST)/binaries
+endif
+
 .PHONY: release-copy
 release-copy: | $(DIST_DIRS)
 	cd $(DIST); for file in `find . -type f -name "*"`; do cp $${file} ./release/; done;
@ -814,7 +822,7 @@ docs:
 	cd docs; make trans-copy clean build-offline;

 .PHONY: deps
-deps: deps-frontend deps-backend
+deps: deps-frontend deps-backend deps-tools

 .PHONY: deps-frontend
 deps-frontend: node_modules
@ -822,6 +830,9 @@ deps-frontend: node_modules
 .PHONY: deps-backend
 deps-backend:
 	$(GO) mod download
+
+.PHONY: deps-tools
+deps-tools:
 	$(GO) install $(AIR_PACKAGE)
 	$(GO) install $(EDITORCONFIG_CHECKER_PACKAGE)
 	$(GO) install $(ERRCHECK_PACKAGE)
@ -852,6 +863,8 @@ fomantic:
 	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
 	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
 	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build
+	# fomantic uses "touchstart" as click event for some browsers, it's not ideal, so we force fomantic to always use "click" as click event
+	$(SED_INPLACE) -e 's/clickEvent[ \t]*=/clickEvent = "click", unstableClickEvent =/g' $(FOMANTIC_WORK_DIR)/build/semantic.js
 	$(SED_INPLACE) -e 's/\r//g' $(FOMANTIC_WORK_DIR)/build/semantic.css $(FOMANTIC_WORK_DIR)/build/semantic.js
 	rm -f $(FOMANTIC_WORK_DIR)/build/*.min.*

--- a/README.md
+++ b/README.md
@ -12,14 +12,14 @@
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
    <img src="https://img.shields.io/discord/322538954119184384.svg">
  </a>
-  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
+  <a href="https://app.codecov.io/gh/go-gitea/gitea" title="Codecov">
    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
  </a>
  <a href="https://goreportcard.com/report/code.gitea.io/gitea" title="Go Report Card">
    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
  </a>
-  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
-    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
+  <a href="https://pkg.go.dev/code.gitea.io/gitea" title="GoDoc">
+    <img src="https://pkg.go.dev/badge/code.gitea.io/gitea?status.svg">
  </a>
  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
@ -45,7 +45,7 @@
  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
  </a>
-  <a href="https://www.bountysource.com/teams/gitea" title="Bountysource">
+  <a href="https://app.bountysource.com/teams/gitea" title="Bountysource">
    <img src="https://img.shields.io/bountysource/team/gitea/activity">
  </a>
 </p>
--- a/README_ZH.md
+++ b/README_ZH.md
@ -12,14 +12,14 @@
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
    <img src="https://img.shields.io/discord/322538954119184384.svg">
  </a>
-  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
+  <a href="https://app.codecov.io/gh/go-gitea/gitea" title="Codecov">
    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
  </a>
  <a href="https://goreportcard.com/report/code.gitea.io/gitea" title="Go Report Card">
    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
  </a>
-  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
-    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
+  <a href="https://pkg.go.dev/code.gitea.io/gitea" title="GoDoc">
+    <img src="https://pkg.go.dev/badge/code.gitea.io/gitea?status.svg">
  </a>
  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
@ -45,7 +45,7 @@
  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
  </a>
-  <a href="https://img.shields.io/bountysource/team/gitea" title="Bountysource">
+  <a href="https://app.bountysource.com/teams/gitea" title="Bountysource">
    <img src="https://img.shields.io/bountysource/team/gitea/activity">
  </a>
 </p>
--- a/assets/emoji.json
+++ b/assets/emoji.json
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build.go
+++ b/build.go
@ -1,6 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT
+

 //go:build vendor

--- a/build/code-batch-process.go
+++ b/build/code-batch-process.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

--- a/build/codeformat/formatimports.go
+++ b/build/codeformat/formatimports.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package codeformat

--- a/build/codeformat/formatimports_test.go
+++ b/build/codeformat/formatimports_test.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package codeformat

--- a/build/generate-bindata.go
+++ b/build/generate-bindata.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -33,11 +32,15 @@ func needsUpdate(dir, filename string) (bool, []byte) {

 	hasher := sha1.New()

-	err = filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+	err = filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		_, _ = hasher.Write([]byte(info.Name()))
+		info, err := d.Info()
+		if err != nil {
+			return err
+		}
+		_, _ = hasher.Write([]byte(d.Name()))
 		_, _ = hasher.Write([]byte(info.ModTime().String()))
 		_, _ = hasher.Write([]byte(strconv.FormatInt(info.Size(), 16)))
 		return nil
--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@ -1,7 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Copyright 2015 Kenneth Shaw
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -26,7 +25,7 @@ import (

 const (
 	gemojiURL         = "https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json"
-	maxUnicodeVersion = 12
+	maxUnicodeVersion = 14
 )

 var flagOut = flag.String("o", "modules/emoji/emoji_data.go", "out")
@ -190,6 +189,10 @@ func generate() ([]byte, error) {
 		}
 	}

+	sort.Slice(data, func(i, j int) bool {
+		return data[i].Aliases[0] < data[j].Aliases[0]
+	})
+
 	// add header
 	str := replacer.Replace(fmt.Sprintf(hdr, gemojiURL, data))

@ -209,8 +212,8 @@ func generate() ([]byte, error) {

 const hdr = `
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT
+

 package emoji

--- a/build/generate-go-licenses.go
+++ b/build/generate-go-licenses.go
@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -10,6 +9,7 @@ import (
 	"encoding/json"
 	"io/fs"
 	"os"
+	goPath "path"
 	"path/filepath"
 	"regexp"
 	"sort"
@ -48,13 +48,15 @@ func main() {

 	entries := []LicenseEntry{}
 	for _, path := range paths {
+		path := filepath.ToSlash(path)
+
 		licenseText, err := os.ReadFile(path)
 		if err != nil {
 			panic(err)
 		}

-		path := strings.Replace(path, base+string(os.PathSeparator), "", 1)
-		name := filepath.Dir(path)
+		path = strings.Replace(path, base+"/", "", 1)
+		name := goPath.Dir(path)

 		// There might be a bug somewhere in go-licenses that sometimes interprets the
 		// root package as "." and sometimes as "code.gitea.io/gitea". Workaround by
--- a/build/generate-images.js
+++ b/build/generate-images.js
@ -2,7 +2,7 @@
 import imageminZopfli from 'imagemin-zopfli';
 import {optimize} from 'svgo';
 import {fabric} from 'fabric';
-import {readFile, writeFile} from 'fs/promises';
+import {readFile, writeFile} from 'node:fs/promises';

 function exit(err) {
  if (err) console.error(err);
--- a/build/generate-svg.js
+++ b/build/generate-svg.js
@ -1,9 +1,9 @@
 #!/usr/bin/env node
 import fastGlob from 'fast-glob';
 import {optimize} from 'svgo';
-import {parse} from 'path';
-import {readFile, writeFile, mkdir} from 'fs/promises';
-import {fileURLToPath} from 'url';
+import {parse} from 'node:path';
+import {readFile, writeFile, mkdir} from 'node:fs/promises';
+import {fileURLToPath} from 'node:url';

 const glob = (pattern) => fastGlob.sync(pattern, {
  cwd: fileURLToPath(new URL('..', import.meta.url)),
--- a/build/gocovmerge.go
+++ b/build/gocovmerge.go
@ -1,7 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Copyright (c) 2015, Wade Simmons
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 // gocovmerge takes the results from multiple `go test -coverprofile` runs and
 // merges them into one profile
--- a/build/update-locales.sh
+++ b/build/update-locales.sh
@ -1,14 +1,50 @@
 #!/bin/sh

+# this script runs in alpine image which only has `sh` shell
+
+set +e
+if sed --version 2>/dev/null | grep -q GNU; then
+  SED_INPLACE="sed -i"
+else
+  SED_INPLACE="sed -i ''"
+fi
+set -e
+
+if [ ! -f ./options/locale/locale_en-US.ini ]; then
+  echo "please run this script in the root directory of the project"
+  exit 1
+fi
+
 mv ./options/locale/locale_en-US.ini ./options/

-# Make sure to only change lines that have the translation enclosed between quotes
-sed -i -r -e '/^[a-zA-Z0-9_.-]+[ ]*=[ ]*".*"$/ {
-	s/^([a-zA-Z0-9_.-]+)[ ]*="/\1=/
-	s/\\"/"/g
+# the "ini" library for locale has many quirks
+#  * `a="xx"` gets `xx` (no quote)
+#  * `a=x\"y` gets `x\"y` (no unescaping)
+#  * `a="x\"y"` gets `"x\"y"` (no unescaping, the quotes are still there)
+#  * `a='x\"y'` gets `x\"y` (no unescaping, no quote)
+#  * `a="foo` gets `"foo` (although the quote is not closed)
+#  * 'a=`foo`' works like single-quote
+# crowdin needs the strings to be quoted correctly and doesn't like incomplete quotes
+# crowdin always outputs quoted strings if there are quotes in the strings.
+
+# this script helps to unquote the crowdin outputs for the quirky ini library
+# * find all `key="...\"..."` lines
+# * remove the leading quote
+# * remove the trailing quote
+# * unescape the quotes
+# * eg: key="...\"..." => key=..."...
+$SED_INPLACE -r -e '/^[-.A-Za-z0-9_]+[ ]*=[ ]*".*"$/ {
+	s/^([-.A-Za-z0-9_]+)[ ]*=[ ]*"/\1=/
 	s/"$//
+	s/\\"/"/g
 	}' ./options/locale/*.ini

+# * if the escaped line is incomplete like `key="...` or `key=..."`, quote it with backticks
+# * eg: key="... => key=`"...`
+# * eg: key=..." => key=`..."`
+$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*(".*[^"])$/\1=`\2`/' ./options/locale/*.ini
+$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*([^"].*")$/\1=`\2`/' ./options/locale/*.ini
+
 # Remove translation under 25% of en_us
 baselines=$(wc -l "./options/locale_en-US.ini" | cut -d" " -f1)
 baselines=$((baselines / 4))
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -1,14 +1,13 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

 import (
-	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 	"text/tabwriter"
@ -17,20 +16,15 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
-	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
-	pwd "code.gitea.io/gitea/modules/password"
 	repo_module "code.gitea.io/gitea/modules/repository"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/storage"
 	"code.gitea.io/gitea/modules/util"
 	auth_service "code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/auth/source/smtp"
 	repo_service "code.gitea.io/gitea/services/repository"
-	user_service "code.gitea.io/gitea/services/user"

 	"github.com/urfave/cli"
 )
@ -49,142 +43,6 @@ var (
 		},
 	}

-	subcmdUser = cli.Command{
-		Name:  "user",
-		Usage: "Modify users",
-		Subcommands: []cli.Command{
-			microcmdUserCreate,
-			microcmdUserList,
-			microcmdUserChangePassword,
-			microcmdUserDelete,
-			microcmdUserGenerateAccessToken,
-		},
-	}
-
-	microcmdUserList = cli.Command{
-		Name:   "list",
-		Usage:  "List users",
-		Action: runListUsers,
-		Flags: []cli.Flag{
-			cli.BoolFlag{
-				Name:  "admin",
-				Usage: "List only admin users",
-			},
-		},
-	}
-
-	microcmdUserCreate = cli.Command{
-		Name:   "create",
-		Usage:  "Create a new user in database",
-		Action: runCreateUser,
-		Flags: []cli.Flag{
-			cli.StringFlag{
-				Name:  "name",
-				Usage: "Username. DEPRECATED: use username instead",
-			},
-			cli.StringFlag{
-				Name:  "username",
-				Usage: "Username",
-			},
-			cli.StringFlag{
-				Name:  "password",
-				Usage: "User password",
-			},
-			cli.StringFlag{
-				Name:  "email",
-				Usage: "User email address",
-			},
-			cli.BoolFlag{
-				Name:  "admin",
-				Usage: "User is an admin",
-			},
-			cli.BoolFlag{
-				Name:  "random-password",
-				Usage: "Generate a random password for the user",
-			},
-			cli.BoolFlag{
-				Name:  "must-change-password",
-				Usage: "Set this option to false to prevent forcing the user to change their password after initial login, (Default: true)",
-			},
-			cli.IntFlag{
-				Name:  "random-password-length",
-				Usage: "Length of the random password to be generated",
-				Value: 12,
-			},
-			cli.BoolFlag{
-				Name:  "access-token",
-				Usage: "Generate access token for the user",
-			},
-			cli.BoolFlag{
-				Name:  "restricted",
-				Usage: "Make a restricted user account",
-			},
-		},
-	}
-
-	microcmdUserChangePassword = cli.Command{
-		Name:   "change-password",
-		Usage:  "Change a user's password",
-		Action: runChangePassword,
-		Flags: []cli.Flag{
-			cli.StringFlag{
-				Name:  "username,u",
-				Value: "",
-				Usage: "The user to change password for",
-			},
-			cli.StringFlag{
-				Name:  "password,p",
-				Value: "",
-				Usage: "New password to set for user",
-			},
-		},
-	}
-
-	microcmdUserDelete = cli.Command{
-		Name:  "delete",
-		Usage: "Delete specific user by id, name or email",
-		Flags: []cli.Flag{
-			cli.Int64Flag{
-				Name:  "id",
-				Usage: "ID of user of the user to delete",
-			},
-			cli.StringFlag{
-				Name:  "username,u",
-				Usage: "Username of the user to delete",
-			},
-			cli.StringFlag{
-				Name:  "email,e",
-				Usage: "Email of the user to delete",
-			},
-			cli.BoolFlag{
-				Name:  "purge",
-				Usage: "Purge user, all their repositories, organizations and comments",
-			},
-		},
-		Action: runDeleteUser,
-	}
-
-	microcmdUserGenerateAccessToken = cli.Command{
-		Name:  "generate-access-token",
-		Usage: "Generate a access token for a specific user",
-		Flags: []cli.Flag{
-			cli.StringFlag{
-				Name:  "username,u",
-				Usage: "Username",
-			},
-			cli.StringFlag{
-				Name:  "token-name,t",
-				Usage: "Token name",
-				Value: "gitea-admin",
-			},
-			cli.BoolFlag{
-				Name:  "raw",
-				Usage: "Display only the token value",
-			},
-		},
-		Action: runGenerateAccessToken,
-	}
-
 	subcmdRepoSyncReleases = cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
@ -304,6 +162,11 @@ var (
 			Value: "false",
 			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
 		},
+		cli.StringFlag{
+			Name:  "custom-tenant-id",
+			Value: "",
+			Usage: "Use custom Tenant ID for OAuth endpoints",
+		},
 		cli.StringFlag{
 			Name:  "custom-auth-url",
 			Value: "",
@ -363,6 +226,15 @@ var (
 			Value: "",
 			Usage: "Group Claim value for restricted users",
 		},
+		cli.StringFlag{
+			Name:  "group-team-map",
+			Value: "",
+			Usage: "JSON mapping between groups and org teams",
+		},
+		cli.BoolFlag{
+			Name:  "group-team-map-removal",
+			Usage: "Activate automatic team membership removal depending on groups",
+		},
 	}

 	microcmdAuthUpdateOauth = cli.Command{
@ -413,9 +285,9 @@ var (
 			Usage: "SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5) default PLAIN",
 		},
 		cli.StringFlag{
-			Name:  "addr",
+			Name:  "host",
 			Value: "",
-			Usage: "SMTP Addr",
+			Usage: "SMTP Host",
 		},
 		cli.IntFlag{
 			Name:  "port",
@ -468,255 +340,6 @@ var (
 	}
 )

-func runChangePassword(c *cli.Context) error {
-	if err := argsSet(c, "username", "password"); err != nil {
-		return err
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	if len(c.String("password")) < setting.MinPasswordLength {
-		return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
-	}
-
-	if !pwd.IsComplexEnough(c.String("password")) {
-		return errors.New("Password does not meet complexity requirements")
-	}
-	pwned, err := pwd.IsPwned(context.Background(), c.String("password"))
-	if err != nil {
-		return err
-	}
-	if pwned {
-		return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
-	}
-	uname := c.String("username")
-	user, err := user_model.GetUserByName(ctx, uname)
-	if err != nil {
-		return err
-	}
-	if err = user.SetPassword(c.String("password")); err != nil {
-		return err
-	}
-
-	if err = user_model.UpdateUserCols(ctx, user, "passwd", "passwd_hash_algo", "salt"); err != nil {
-		return err
-	}
-
-	fmt.Printf("%s's password has been successfully updated!\n", user.Name)
-	return nil
-}
-
-func runCreateUser(c *cli.Context) error {
-	if err := argsSet(c, "email"); err != nil {
-		return err
-	}
-
-	if c.IsSet("name") && c.IsSet("username") {
-		return errors.New("Cannot set both --name and --username flags")
-	}
-	if !c.IsSet("name") && !c.IsSet("username") {
-		return errors.New("One of --name or --username flags must be set")
-	}
-
-	if c.IsSet("password") && c.IsSet("random-password") {
-		return errors.New("cannot set both -random-password and -password flags")
-	}
-
-	var username string
-	if c.IsSet("username") {
-		username = c.String("username")
-	} else {
-		username = c.String("name")
-		fmt.Fprintf(os.Stderr, "--name flag is deprecated. Use --username instead.\n")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	var password string
-	if c.IsSet("password") {
-		password = c.String("password")
-	} else if c.IsSet("random-password") {
-		var err error
-		password, err = pwd.Generate(c.Int("random-password-length"))
-		if err != nil {
-			return err
-		}
-		fmt.Printf("generated random password is '%s'\n", password)
-	} else {
-		return errors.New("must set either password or random-password flag")
-	}
-
-	// always default to true
-	changePassword := true
-
-	// If this is the first user being created.
-	// Take it as the admin and don't force a password update.
-	if n := user_model.CountUsers(nil); n == 0 {
-		changePassword = false
-	}
-
-	if c.IsSet("must-change-password") {
-		changePassword = c.Bool("must-change-password")
-	}
-
-	restricted := util.OptionalBoolNone
-
-	if c.IsSet("restricted") {
-		restricted = util.OptionalBoolOf(c.Bool("restricted"))
-	}
-
-	u := &user_model.User{
-		Name:               username,
-		Email:              c.String("email"),
-		Passwd:             password,
-		IsAdmin:            c.Bool("admin"),
-		MustChangePassword: changePassword,
-	}
-
-	overwriteDefault := &user_model.CreateUserOverwriteOptions{
-		IsActive:     util.OptionalBoolTrue,
-		IsRestricted: restricted,
-	}
-
-	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
-		return fmt.Errorf("CreateUser: %w", err)
-	}
-
-	if c.Bool("access-token") {
-		t := &auth_model.AccessToken{
-			Name: "gitea-admin",
-			UID:  u.ID,
-		}
-
-		if err := auth_model.NewAccessToken(t); err != nil {
-			return err
-		}
-
-		fmt.Printf("Access token was successfully created... %s\n", t.Token)
-	}
-
-	fmt.Printf("New user '%s' has been successfully created!\n", username)
-	return nil
-}
-
-func runListUsers(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	users, err := user_model.GetAllUsers()
-	if err != nil {
-		return err
-	}
-
-	w := tabwriter.NewWriter(os.Stdout, 5, 0, 1, ' ', 0)
-
-	if c.IsSet("admin") {
-		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\n")
-		for _, u := range users {
-			if u.IsAdmin {
-				fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", u.ID, u.Name, u.Email, u.IsActive)
-			}
-		}
-	} else {
-		twofa := user_model.UserList(users).GetTwoFaStatus()
-		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
-		for _, u := range users {
-			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin, twofa[u.ID])
-		}
-
-	}
-
-	w.Flush()
-	return nil
-}
-
-func runDeleteUser(c *cli.Context) error {
-	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
-		return fmt.Errorf("You must provide the id, username or email of a user to delete")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	if err := storage.Init(); err != nil {
-		return err
-	}
-
-	var err error
-	var user *user_model.User
-	if c.IsSet("email") {
-		user, err = user_model.GetUserByEmail(c.String("email"))
-	} else if c.IsSet("username") {
-		user, err = user_model.GetUserByName(ctx, c.String("username"))
-	} else {
-		user, err = user_model.GetUserByID(c.Int64("id"))
-	}
-	if err != nil {
-		return err
-	}
-	if c.IsSet("username") && user.LowerName != strings.ToLower(strings.TrimSpace(c.String("username"))) {
-		return fmt.Errorf("The user %s who has email %s does not match the provided username %s", user.Name, c.String("email"), c.String("username"))
-	}
-
-	if c.IsSet("id") && user.ID != c.Int64("id") {
-		return fmt.Errorf("The user %s does not match the provided id %d", user.Name, c.Int64("id"))
-	}
-
-	return user_service.DeleteUser(ctx, user, c.Bool("purge"))
-}
-
-func runGenerateAccessToken(c *cli.Context) error {
-	if !c.IsSet("username") {
-		return fmt.Errorf("You must provide the username to generate a token for them")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	user, err := user_model.GetUserByName(ctx, c.String("username"))
-	if err != nil {
-		return err
-	}
-
-	t := &auth_model.AccessToken{
-		Name: c.String("token-name"),
-		UID:  user.ID,
-	}
-
-	if err := auth_model.NewAccessToken(t); err != nil {
-		return err
-	}
-
-	if c.Bool("raw") {
-		fmt.Printf("%s\n", t.Token)
-	} else {
-		fmt.Printf("Access token was successfully created: %s\n", t.Token)
-	}
-
-	return nil
-}
-
 func runRepoSyncReleases(_ *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()
@ -727,7 +350,7 @@ func runRepoSyncReleases(_ *cli.Context) error {

 	log.Trace("Synchronizing repository releases (this may take a while)")
 	for page := 1; ; page++ {
-		repos, count, err := repo_model.SearchRepositoryByName(&repo_model.SearchRepoOptions{
+		repos, count, err := repo_model.SearchRepositoryByName(ctx, &repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
 				PageSize: repo_model.RepositoryListDefaultPageSize,
 				Page:     page,
@ -779,6 +402,7 @@ func runRepoSyncReleases(_ *cli.Context) error {

 func getReleaseCount(id int64) (int64, error) {
 	return repo_model.GetReleaseCountByRepoID(
+		db.DefaultContext,
 		id,
 		repo_model.FindReleasesOptions{
 			IncludeTags: true,
@ -814,6 +438,7 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 			AuthURL:    c.String("custom-auth-url"),
 			ProfileURL: c.String("custom-profile-url"),
 			EmailURL:   c.String("custom-email-url"),
+			Tenant:     c.String("custom-tenant-id"),
 		}
 	} else {
 		customURLMapping = nil
@ -832,6 +457,8 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 		GroupClaimName:                c.String("group-claim-name"),
 		AdminGroup:                    c.String("admin-group"),
 		RestrictedGroup:               c.String("restricted-group"),
+		GroupTeamMap:                  c.String("group-team-map"),
+		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
 	}
 }

@ -843,11 +470,19 @@ func runAddOauth(c *cli.Context) error {
 		return err
 	}

+	config := parseOAuth2Config(c)
+	if config.Provider == "openidConnect" {
+		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
+		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
+			return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)
+		}
+	}
+
 	return auth_model.CreateSource(&auth_model.Source{
 		Type:     auth_model.OAuth2,
 		Name:     c.String("name"),
 		IsActive: true,
-		Cfg:      parseOAuth2Config(c),
+		Cfg:      config,
 	})
 }

@ -914,6 +549,12 @@ func runUpdateOauth(c *cli.Context) error {
 	if c.IsSet("restricted-group") {
 		oAuth2Config.RestrictedGroup = c.String("restricted-group")
 	}
+	if c.IsSet("group-team-map") {
+		oAuth2Config.GroupTeamMap = c.String("group-team-map")
+	}
+	if c.IsSet("group-team-map-removal") {
+		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
+	}

 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}
@ -923,6 +564,7 @@ func runUpdateOauth(c *cli.Context) error {
 		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
 		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
 		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
+		customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant
 	}
 	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
 		customURLMapping.TokenURL = c.String("custom-token-url")
@ -940,6 +582,10 @@ func runUpdateOauth(c *cli.Context) error {
 		customURLMapping.EmailURL = c.String("custom-email-url")
 	}

+	if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {
+		customURLMapping.Tenant = c.String("custom-tenant-id")
+	}
+
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config

@ -950,13 +596,13 @@ func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
 	if c.IsSet("auth-type") {
 		conf.Auth = c.String("auth-type")
 		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
-		if !contains(validAuthTypes, strings.ToUpper(c.String("auth-type"))) {
+		if !util.SliceContainsString(validAuthTypes, strings.ToUpper(c.String("auth-type"))) {
 			return errors.New("Auth must be one of PLAIN/LOGIN/CRAM-MD5")
 		}
 		conf.Auth = c.String("auth-type")
 	}
-	if c.IsSet("addr") {
-		conf.Addr = c.String("addr")
+	if c.IsSet("host") {
+		conf.Host = c.String("host")
 	}
 	if c.IsSet("port") {
 		conf.Port = c.Int("port")
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/admin_user.go
+++ b/cmd/admin_user.go
@ -0,0 +1,21 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"github.com/urfave/cli"
+)
+
+var subcmdUser = cli.Command{
+	Name:  "user",
+	Usage: "Modify users",
+	Subcommands: []cli.Command{
+		microcmdUserCreate,
+		microcmdUserList,
+		microcmdUserChangePassword,
+		microcmdUserDelete,
+		microcmdUserGenerateAccessToken,
+		microcmdUserMustChangePassword,
+	},
+}
--- a/cmd/admin_user_change_password.go
+++ b/cmd/admin_user_change_password.go
@ -0,0 +1,76 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	user_model "code.gitea.io/gitea/models/user"
+	pwd "code.gitea.io/gitea/modules/auth/password"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserChangePassword = cli.Command{
+	Name:   "change-password",
+	Usage:  "Change a user's password",
+	Action: runChangePassword,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "username,u",
+			Value: "",
+			Usage: "The user to change password for",
+		},
+		cli.StringFlag{
+			Name:  "password,p",
+			Value: "",
+			Usage: "New password to set for user",
+		},
+	},
+}
+
+func runChangePassword(c *cli.Context) error {
+	if err := argsSet(c, "username", "password"); err != nil {
+		return err
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+	if len(c.String("password")) < setting.MinPasswordLength {
+		return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
+	}
+
+	if !pwd.IsComplexEnough(c.String("password")) {
+		return errors.New("Password does not meet complexity requirements")
+	}
+	pwned, err := pwd.IsPwned(context.Background(), c.String("password"))
+	if err != nil {
+		return err
+	}
+	if pwned {
+		return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
+	}
+	uname := c.String("username")
+	user, err := user_model.GetUserByName(ctx, uname)
+	if err != nil {
+		return err
+	}
+	if err = user.SetPassword(c.String("password")); err != nil {
+		return err
+	}
+
+	if err = user_model.UpdateUserCols(ctx, user, "passwd", "passwd_hash_algo", "salt"); err != nil {
+		return err
+	}
+
+	fmt.Printf("%s's password has been successfully updated!\n", user.Name)
+	return nil
+}
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -0,0 +1,169 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	pwd "code.gitea.io/gitea/modules/auth/password"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserCreate = cli.Command{
+	Name:   "create",
+	Usage:  "Create a new user in database",
+	Action: runCreateUser,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "name",
+			Usage: "Username. DEPRECATED: use username instead",
+		},
+		cli.StringFlag{
+			Name:  "username",
+			Usage: "Username",
+		},
+		cli.StringFlag{
+			Name:  "password",
+			Usage: "User password",
+		},
+		cli.StringFlag{
+			Name:  "email",
+			Usage: "User email address",
+		},
+		cli.BoolFlag{
+			Name:  "admin",
+			Usage: "User is an admin",
+		},
+		cli.BoolFlag{
+			Name:  "random-password",
+			Usage: "Generate a random password for the user",
+		},
+		cli.BoolFlag{
+			Name:  "must-change-password",
+			Usage: "Set this option to false to prevent forcing the user to change their password after initial login, (Default: true)",
+		},
+		cli.IntFlag{
+			Name:  "random-password-length",
+			Usage: "Length of the random password to be generated",
+			Value: 12,
+		},
+		cli.BoolFlag{
+			Name:  "access-token",
+			Usage: "Generate access token for the user",
+		},
+		cli.BoolFlag{
+			Name:  "restricted",
+			Usage: "Make a restricted user account",
+		},
+	},
+}
+
+func runCreateUser(c *cli.Context) error {
+	if err := argsSet(c, "email"); err != nil {
+		return err
+	}
+
+	if c.IsSet("name") && c.IsSet("username") {
+		return errors.New("Cannot set both --name and --username flags")
+	}
+	if !c.IsSet("name") && !c.IsSet("username") {
+		return errors.New("One of --name or --username flags must be set")
+	}
+
+	if c.IsSet("password") && c.IsSet("random-password") {
+		return errors.New("cannot set both -random-password and -password flags")
+	}
+
+	var username string
+	if c.IsSet("username") {
+		username = c.String("username")
+	} else {
+		username = c.String("name")
+		fmt.Fprintf(os.Stderr, "--name flag is deprecated. Use --username instead.\n")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	var password string
+	if c.IsSet("password") {
+		password = c.String("password")
+	} else if c.IsSet("random-password") {
+		var err error
+		password, err = pwd.Generate(c.Int("random-password-length"))
+		if err != nil {
+			return err
+		}
+		fmt.Printf("generated random password is '%s'\n", password)
+	} else {
+		return errors.New("must set either password or random-password flag")
+	}
+
+	// always default to true
+	changePassword := true
+
+	// If this is the first user being created.
+	// Take it as the admin and don't force a password update.
+	if n := user_model.CountUsers(nil); n == 0 {
+		changePassword = false
+	}
+
+	if c.IsSet("must-change-password") {
+		changePassword = c.Bool("must-change-password")
+	}
+
+	restricted := util.OptionalBoolNone
+
+	if c.IsSet("restricted") {
+		restricted = util.OptionalBoolOf(c.Bool("restricted"))
+	}
+
+	// default user visibility in app.ini
+	visibility := setting.Service.DefaultUserVisibilityMode
+
+	u := &user_model.User{
+		Name:               username,
+		Email:              c.String("email"),
+		Passwd:             password,
+		IsAdmin:            c.Bool("admin"),
+		MustChangePassword: changePassword,
+		Visibility:         visibility,
+	}
+
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive:     util.OptionalBoolTrue,
+		IsRestricted: restricted,
+	}
+
+	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
+		return fmt.Errorf("CreateUser: %w", err)
+	}
+
+	if c.Bool("access-token") {
+		t := &auth_model.AccessToken{
+			Name: "gitea-admin",
+			UID:  u.ID,
+		}
+
+		if err := auth_model.NewAccessToken(t); err != nil {
+			return err
+		}
+
+		fmt.Printf("Access token was successfully created... %s\n", t.Token)
+	}
+
+	fmt.Printf("New user '%s' has been successfully created!\n", username)
+	return nil
+}
--- a/cmd/admin_user_delete.go
+++ b/cmd/admin_user_delete.go
@ -0,0 +1,78 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/storage"
+	user_service "code.gitea.io/gitea/services/user"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserDelete = cli.Command{
+	Name:  "delete",
+	Usage: "Delete specific user by id, name or email",
+	Flags: []cli.Flag{
+		cli.Int64Flag{
+			Name:  "id",
+			Usage: "ID of user of the user to delete",
+		},
+		cli.StringFlag{
+			Name:  "username,u",
+			Usage: "Username of the user to delete",
+		},
+		cli.StringFlag{
+			Name:  "email,e",
+			Usage: "Email of the user to delete",
+		},
+		cli.BoolFlag{
+			Name:  "purge",
+			Usage: "Purge user, all their repositories, organizations and comments",
+		},
+	},
+	Action: runDeleteUser,
+}
+
+func runDeleteUser(c *cli.Context) error {
+	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
+		return fmt.Errorf("You must provide the id, username or email of a user to delete")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	if err := storage.Init(); err != nil {
+		return err
+	}
+
+	var err error
+	var user *user_model.User
+	if c.IsSet("email") {
+		user, err = user_model.GetUserByEmail(ctx, c.String("email"))
+	} else if c.IsSet("username") {
+		user, err = user_model.GetUserByName(ctx, c.String("username"))
+	} else {
+		user, err = user_model.GetUserByID(ctx, c.Int64("id"))
+	}
+	if err != nil {
+		return err
+	}
+	if c.IsSet("username") && user.LowerName != strings.ToLower(strings.TrimSpace(c.String("username"))) {
+		return fmt.Errorf("The user %s who has email %s does not match the provided username %s", user.Name, c.String("email"), c.String("username"))
+	}
+
+	if c.IsSet("id") && user.ID != c.Int64("id") {
+		return fmt.Errorf("The user %s does not match the provided id %d", user.Name, c.Int64("id"))
+	}
+
+	return user_service.DeleteUser(ctx, user, c.Bool("purge"))
+}
--- a/cmd/admin_user_generate_access_token.go
+++ b/cmd/admin_user_generate_access_token.go
@ -0,0 +1,80 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"fmt"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserGenerateAccessToken = cli.Command{
+	Name:  "generate-access-token",
+	Usage: "Generate an access token for a specific user",
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "username,u",
+			Usage: "Username",
+		},
+		cli.StringFlag{
+			Name:  "token-name,t",
+			Usage: "Token name",
+			Value: "gitea-admin",
+		},
+		cli.BoolFlag{
+			Name:  "raw",
+			Usage: "Display only the token value",
+		},
+		cli.StringFlag{
+			Name:  "scopes",
+			Value: "",
+			Usage: "Comma separated list of scopes to apply to access token",
+		},
+	},
+	Action: runGenerateAccessToken,
+}
+
+func runGenerateAccessToken(c *cli.Context) error {
+	if !c.IsSet("username") {
+		return fmt.Errorf("You must provide a username to generate a token for")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	user, err := user_model.GetUserByName(ctx, c.String("username"))
+	if err != nil {
+		return err
+	}
+
+	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
+	if err != nil {
+		return err
+	}
+
+	t := &auth_model.AccessToken{
+		Name:  c.String("token-name"),
+		UID:   user.ID,
+		Scope: accessTokenScope,
+	}
+
+	if err := auth_model.NewAccessToken(t); err != nil {
+		return err
+	}
+
+	if c.Bool("raw") {
+		fmt.Printf("%s\n", t.Token)
+	} else {
+		fmt.Printf("Access token was successfully created: %s\n", t.Token)
+	}
+
+	return nil
+}
--- a/cmd/admin_user_list.go
+++ b/cmd/admin_user_list.go
@ -0,0 +1,60 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"text/tabwriter"
+
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserList = cli.Command{
+	Name:   "list",
+	Usage:  "List users",
+	Action: runListUsers,
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "admin",
+			Usage: "List only admin users",
+		},
+	},
+}
+
+func runListUsers(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	users, err := user_model.GetAllUsers()
+	if err != nil {
+		return err
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 5, 0, 1, ' ', 0)
+
+	if c.IsSet("admin") {
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\n")
+		for _, u := range users {
+			if u.IsAdmin {
+				fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", u.ID, u.Name, u.Email, u.IsActive)
+			}
+		}
+	} else {
+		twofa := user_model.UserList(users).GetTwoFaStatus()
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
+		for _, u := range users {
+			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin, twofa[u.ID])
+		}
+	}
+
+	w.Flush()
+	return nil
+}
--- a/cmd/admin_user_must_change_password.go
+++ b/cmd/admin_user_must_change_password.go
@ -0,0 +1,58 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/urfave/cli"
+)
+
+var microcmdUserMustChangePassword = cli.Command{
+	Name:   "must-change-password",
+	Usage:  "Set the must change password flag for the provided users or all users",
+	Action: runMustChangePassword,
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "all,A",
+			Usage: "All users must change password, except those explicitly excluded with --exclude",
+		},
+		cli.StringSliceFlag{
+			Name:  "exclude,e",
+			Usage: "Do not change the must-change-password flag for these users",
+		},
+		cli.BoolFlag{
+			Name:  "unset",
+			Usage: "Instead of setting the must-change-password flag, unset it",
+		},
+	},
+}
+
+func runMustChangePassword(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if c.NArg() == 0 && !c.IsSet("all") {
+		return errors.New("either usernames or --all must be provided")
+	}
+
+	mustChangePassword := !c.Bool("unset")
+	all := c.Bool("all")
+	exclude := c.StringSlice("exclude")
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	n, err := user_model.SetMustChangePassword(ctx, all, mustChangePassword, c.Args(), exclude)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Updated %d users setting MustChangePassword to %t\n", n, mustChangePassword)
+	return nil
+}
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -1,8 +1,7 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 // Package cmd provides subcommands to the gitea binary - such as "web" or
 // "admin".
@ -58,9 +57,10 @@ func confirm() (bool, error) {
 }

 func initDB(ctx context.Context) error {
-	setting.LoadFromExisting()
-	setting.InitDBConfig()
-	setting.NewXORMLogService(false)
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()
+	setting.InitSQLLog(false)

 	if setting.Database.Type == "" {
 		log.Fatal(`Database settings are missing from the configuration file: %q.
--- a/cmd/convert.go
+++ b/cmd/convert.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -33,10 +32,10 @@ func runConvert(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

-	if !setting.Database.UseMySQL {
+	if !setting.Database.Type.IsMySQL() {
 		fmt.Println("This command can only be used with a MySQL database")
 		return nil
 	}
--- a/cmd/docs.go
+++ b/cmd/docs.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -88,14 +87,16 @@ func runRecreateTable(ctx *cli.Context) error {
 	golog.SetPrefix("")
 	golog.SetOutput(log.NewLoggerAsWriter("INFO", log.GetLogger(log.DEFAULT)))

-	setting.LoadFromExisting()
-	setting.InitDBConfig()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()

-	setting.EnableXORMLog = ctx.Bool("debug")
+	setting.Log.EnableXORMLog = ctx.Bool("debug")
 	setting.Database.LogSQL = ctx.Bool("debug")
-	setting.Cfg.Section("log").Key("XORM").SetValue(",")
+	// FIXME: don't use CfgProvider directly
+	setting.CfgProvider.Section("log").Key("XORM").SetValue(",")

-	setting.NewXORMLogService(!ctx.Bool("debug"))
+	setting.InitSQLLog(!ctx.Bool("debug"))
 	stdCtx, cancel := installSignals()
 	defer cancel()

--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -1,7 +1,6 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -182,20 +181,22 @@ func runDump(ctx *cli.Context) error {
 		}
 		fileName += "." + outType
 	}
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()

 	// make sure we are logging to the console no matter what the configuration tells us do to
-	if _, err := setting.Cfg.Section("log").NewKey("MODE", "console"); err != nil {
+	// FIXME: don't use CfgProvider directly
+	if _, err := setting.CfgProvider.Section("log").NewKey("MODE", "console"); err != nil {
 		fatal("Setting logging mode to console failed: %v", err)
 	}
-	if _, err := setting.Cfg.Section("log.console").NewKey("STDERR", "true"); err != nil {
+	if _, err := setting.CfgProvider.Section("log.console").NewKey("STDERR", "true"); err != nil {
 		fatal("Setting console logger to stderr failed: %v", err)
 	}
 	if !setting.InstallLock {
 		log.Error("Is '%s' really the right config path?\n", setting.CustomConf)
 		return fmt.Errorf("gitea is not initialized")
 	}
-	setting.NewServices() // cannot access session settings otherwise
+	setting.LoadSettings() // cannot access session settings otherwise

 	stdCtx, cancel := installSignals()
 	defer cancel()
@ -271,13 +272,14 @@ func runDump(ctx *cli.Context) error {
 		fatal("Failed to create tmp file: %v", err)
 	}
 	defer func() {
+		_ = dbDump.Close()
 		if err := util.Remove(dbDump.Name()); err != nil {
 			log.Warn("Unable to remove temporary file: %s: Error: %v", dbDump.Name(), err)
 		}
 	}()

 	targetDBType := ctx.String("database")
-	if len(targetDBType) > 0 && targetDBType != setting.Database.Type {
+	if len(targetDBType) > 0 && targetDBType != setting.Database.Type.String() {
 		log.Info("Dumping database %s => %s...", setting.Database.Type, targetDBType)
 	} else {
 		log.Info("Dumping database...")
@ -323,7 +325,7 @@ func runDump(ctx *cli.Context) error {
 		log.Info("Packing data directory...%s", setting.AppDataPath)

 		var excludes []string
-		if setting.Cfg.Section("session").Key("PROVIDER").Value() == "file" {
+		if setting.SessionConfig.OriginalProvider == "file" {
 			var opts session.Options
 			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
 				return err
@ -340,7 +342,7 @@ func runDump(ctx *cli.Context) error {
 		excludes = append(excludes, setting.LFS.Path)
 		excludes = append(excludes, setting.Attachment.Path)
 		excludes = append(excludes, setting.Packages.Path)
-		excludes = append(excludes, setting.LogRootPath)
+		excludes = append(excludes, setting.Log.RootPath)
 		excludes = append(excludes, absFileName)
 		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
 			fatal("Failed to include data directory: %v", err)
@ -379,12 +381,12 @@ func runDump(ctx *cli.Context) error {
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
 		log.Info("Skip dumping log files")
 	} else {
-		isExist, err := util.IsExist(setting.LogRootPath)
+		isExist, err := util.IsExist(setting.Log.RootPath)
 		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", setting.LogRootPath, err)
+			log.Error("Unable to check if %s exists. Error: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
-			if err := addRecursiveExclude(w, "log", setting.LogRootPath, []string{absFileName}, verbose); err != nil {
+			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
 				fatal("Failed to include log: %v", err)
 			}
 		}
@ -410,15 +412,6 @@ func runDump(ctx *cli.Context) error {
 	return nil
 }

-func contains(slice []string, s string) bool {
-	for _, v := range slice {
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
 // addRecursiveExclude zips absPath to specified insidePath inside writer excluding excludeAbsPath
 func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
 	absPath, err := filepath.Abs(absPath)
@ -439,7 +432,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		currentAbsPath := path.Join(absPath, file.Name())
 		currentInsidePath := path.Join(insidePath, file.Name())
 		if file.IsDir() {
-			if !contains(excludeAbsPath, currentAbsPath) {
+			if !util.SliceContainsString(excludeAbsPath, currentAbsPath) {
 				if err := addFile(w, currentInsidePath, currentAbsPath, false); err != nil {
 					return err
 				}
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -11,13 +10,13 @@ import (
 	"os"
 	"strings"

-	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	base "code.gitea.io/gitea/modules/migration"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/convert"
 	"code.gitea.io/gitea/services/migrations"

 	"github.com/urfave/cli"
@ -95,7 +94,7 @@ func runDumpRepository(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

 	var (
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build bindata

@ -113,7 +112,8 @@ func initEmbeddedExtractor(c *cli.Context) error {
 	log.DelNamedLogger(log.DEFAULT)

 	// Read configuration file
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()

 	pats, err := getPatterns(c.Args())
 	if err != nil {
--- a/cmd/embedded_stub.go
+++ b/cmd/embedded_stub.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build !bindata

--- a/cmd/generate.go
+++ b/cmd/generate.go
@ -1,7 +1,6 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -1,6 +1,5 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -186,6 +185,7 @@ Gitea or set your environment appropriately.`, "")
 	userID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
+	actionPerm, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionPerm), 10, 64)

 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@ -195,6 +195,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
+		ActionPerm:                      int(actionPerm),
 	}

 	scanner := bufio.NewScanner(os.Stdin)
@ -218,9 +219,9 @@ Gitea or set your environment appropriately.`, "")
 		}
 	}

-	supportProcRecive := false
+	supportProcReceive := false
 	if git.CheckGitVersionAtLeast("2.29") == nil {
-		supportProcRecive = true
+		supportProcReceive = true
 	}

 	for scanner.Scan() {
@ -241,9 +242,9 @@ Gitea or set your environment appropriately.`, "")
 		lastline++

 		// If the ref is a branch or tag, check if it's protected
-		// if supportProcRecive all ref should be checked because
+		// if supportProcReceive all ref should be checked because
 		// permission check was delayed
-		if supportProcRecive || strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
+		if supportProcReceive || strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/keys.go
+++ b/cmd/keys.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -18,7 +17,8 @@ func runSendMail(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()

-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()

 	if err := argsSet(c, "title"); err != nil {
 		return err
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -13,7 +12,7 @@ import (

 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }

 func TestMain(m *testing.M) {
--- a/cmd/manager.go
+++ b/cmd/manager.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -34,7 +33,7 @@ func runMigrate(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

 	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -137,7 +136,7 @@ func runMigrateStorage(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)

 	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -44,8 +43,9 @@ func TestMigratePackages(t *testing.T) {
 		PackageFileInfo: packages_service.PackageFileInfo{
 			Filename: "a.go",
 		},
-		Data:   buf,
-		IsLead: true,
+		Creator: creator,
+		Data:    buf,
+		IsLead:  true,
 	})
 	assert.NoError(t, err)
 	assert.NotNil(t, v)
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -55,7 +54,8 @@ func runRestoreRepository(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()

-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	var units []string
 	if s := c.String("units"); s != "" {
 		units = strings.Split(s, ",")
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -1,7 +1,6 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -12,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
@ -62,7 +62,8 @@ func setup(logPath string, debug bool) {
 	} else {
 		_ = log.NewLogger(1000, "console", "console", `{"level":"fatal","stacktracelevel":"NONE","stderr":true}`)
 	}
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	if debug {
 		setting.RunMode = "dev"
 	}
@ -290,17 +291,21 @@ func runServ(c *cli.Context) error {
 		return nil
 	}

-	// Special handle for Windows.
-	if setting.IsWindows {
-		verb = strings.Replace(verb, "-", " ", 1)
-	}
-
 	var gitcmd *exec.Cmd
-	verbs := strings.Split(verb, " ")
-	if len(verbs) == 2 {
-		gitcmd = exec.CommandContext(ctx, verbs[0], verbs[1], repoPath)
-	} else {
-		gitcmd = exec.CommandContext(ctx, verb, repoPath)
+	gitBinPath := filepath.Dir(git.GitExecutable) // e.g. /usr/bin
+	gitBinVerb := filepath.Join(gitBinPath, verb) // e.g. /usr/bin/git-upload-pack
+	if _, err := os.Stat(gitBinVerb); err != nil {
+		// if the command "git-upload-pack" doesn't exist, try to split "git-upload-pack" to use the sub-command with git
+		// ps: Windows only has "git.exe" in the bin path, so Windows always uses this way
+		verbFields := strings.SplitN(verb, "-", 2)
+		if len(verbFields) == 2 {
+			// use git binary with the sub-command part: "C:\...\bin\git.exe", "upload-pack", ...
+			gitcmd = exec.CommandContext(ctx, git.GitExecutable, verbFields[1], repoPath)
+		}
+	}
+	if gitcmd == nil {
+		// by default, use the verb (it has been checked above by allowedCommands)
+		gitcmd = exec.CommandContext(ctx, gitBinVerb, repoPath)
 	}

 	process.SetSysProcAttribute(gitcmd)
--- a/cmd/web.go
+++ b/cmd/web.go
@ -1,6 +1,5 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -159,7 +158,8 @@ func runWeb(ctx *cli.Context) error {

 	log.Info("Global init")
 	// Perform global initialization
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	routers.GlobalInitInstalled(graceful.GetManager().HammerContext())

 	// We check that AppDataPath exists here (it should have been created during installation)
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/web_graceful.go
+++ b/cmd/web_graceful.go
@ -1,6 +1,5 @@
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/web_https.go
+++ b/cmd/web_https.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/contrib/autocompletion/README
+++ b/contrib/autocompletion/README
@ -0,0 +1,17 @@
+Bash and Zsh completion
+=======================
+
+From within the gitea root run:
+
+```bash
+source contrib/autocompletion/bash_autocomplete
+```
+
+or for zsh run:
+
+```bash
+source contrib/autocompletion/zsh_autocomplete
+```
+
+These scripts will check if gitea is on the path and if so add autocompletion for `gitea`. Or if not autocompletion will work for `./gitea`.
+If gitea has been installed as a different program pass in the `PROG` environment variable to set the correct program name.
--- a/contrib/autocompletion/bash_autocomplete
+++ b/contrib/autocompletion/bash_autocomplete
@ -0,0 +1,30 @@
+#! /bin/bash
+# Heavily inspired by https://github.com/urfave/cli
+
+_cli_bash_autocomplete() {
+  if [[ "${COMP_WORDS[0]}" != "source" ]]; then
+    local cur opts base
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    if [[ "$cur" == "-"* ]]; then
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} ${cur} --generate-bash-completion )
+    else
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
+    fi
+    COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+    return 0
+  fi
+}
+
+if [ -z "$PROG" ] && [ ! "$(command -v gitea &> /dev/null)" ] ; then
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete gitea
+elif [ -z "$PROG" ]; then
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete ./gitea
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete "$PWD/gitea"
+else
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete "$PROG"
+  unset PROG
+fi
+
+
+
--- a/contrib/autocompletion/zsh_autocomplete
+++ b/contrib/autocompletion/zsh_autocomplete
@ -0,0 +1,30 @@
+#compdef ${PROG:=gitea}
+
+
+# Heavily inspired by https://github.com/urfave/cli
+
+_cli_zsh_autocomplete() {
+
+  local -a opts
+  local cur
+  cur=${words[-1]}
+  if [[ "$cur" == "-"* ]]; then
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}")
+  else
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}")
+  fi
+
+  if [[ "${opts[1]}" != "" ]]; then
+    _describe 'values' opts
+  else
+    _files
+  fi
+
+  return
+}
+
+if [ -z $PROG ] ; then
+  compdef _cli_zsh_autocomplete gitea
+else
+  compdef _cli_zsh_autocomplete $(basename $PROG)
+fi
--- a/contrib/backport/README
+++ b/contrib/backport/README
@ -0,0 +1,41 @@
+`backport`
+==========
+
+`backport` is a command to help create backports of PRs. It backports a
+provided PR from main on to a released version.
+
+It will create a backport branch, cherry-pick the PR's merge commit, adjust
+the commit message and then push this back up to your fork's remote.
+
+The default version will read from `docs/config.yml`. You can override this
+using the option `--version`.
+
+The upstream branches will be fetched, using the remote `origin`. This can
+be overrided using `--upstream`, and fetching can be avoided using
+`--no-fetch`.
+
+By default the branch created will be called `backport-$PR-$VERSION`. You
+can override this using the option `--backport-branch`. This branch will
+be created from `--release-branch` which is `release/$(VERSION)`
+by default and will be pulled from `$(UPSTREAM)`.
+
+The merge-commit as determined by the github API will be used as the SHA to
+cherry-pick. You can override this using `--cherry-pick`.
+
+The commit message will be amended to add the `Backport` header.
+`--no-amend-message` can be set to stop this from happening.
+
+If cherry-pick is successful the backported branch will be pushed up to your
+fork using your remote. These will be determined using `git remote -v`. You
+can set your fork name using `--fork-user` and your remote name using
+`--remote`. You can avoid pushing using `--no-push`.
+
+If the push is successful, `xdg-open` will be called to open a backport url.
+You can stop this using `--no-xdg-open`.
+
+Installation
+============
+
+```bash
+go install contrib/backport/backport.go
+```
--- a/contrib/backport/backport.go
+++ b/contrib/backport/backport.go
@ -0,0 +1,473 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/google/go-github/v45/github"
+	"github.com/urfave/cli"
+	"gopkg.in/yaml.v3"
+)
+
+const defaultVersion = "v1.18" // to backport to
+
+func main() {
+	app := cli.NewApp()
+	app.Name = "backport"
+	app.Usage = "Backport provided PR-number on to the current or previous released version"
+	app.Description = `Backport will look-up the PR in Gitea's git log and attempt to cherry-pick it on the current version`
+	app.ArgsUsage = "<PR-to-backport>"
+
+	app.Flags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "version",
+			Usage: "Version branch to backport on to",
+		},
+		cli.StringFlag{
+			Name:  "upstream",
+			Value: "origin",
+			Usage: "Upstream remote for the Gitea upstream",
+		},
+		cli.StringFlag{
+			Name:  "release-branch",
+			Value: "",
+			Usage: "Release branch to backport on. Will default to release/<version>",
+		},
+		cli.StringFlag{
+			Name:  "cherry-pick",
+			Usage: "SHA to cherry-pick as backport",
+		},
+		cli.StringFlag{
+			Name:  "backport-branch",
+			Usage: "Backport branch to backport on to (default: backport-<pr>-<version>",
+		},
+		cli.StringFlag{
+			Name:  "remote",
+			Value: "",
+			Usage: "Remote for your fork of the Gitea upstream",
+		},
+		cli.StringFlag{
+			Name:  "fork-user",
+			Value: "",
+			Usage: "Forked user name on Github",
+		},
+		cli.BoolFlag{
+			Name:  "no-fetch",
+			Usage: "Set this flag to prevent fetch of remote branches",
+		},
+		cli.BoolFlag{
+			Name:  "no-amend-message",
+			Usage: "Set this flag to prevent automatic amendment of the commit message",
+		},
+		cli.BoolFlag{
+			Name:  "no-push",
+			Usage: "Set this flag to prevent pushing the backport up to your fork",
+		},
+		cli.BoolFlag{
+			Name:  "no-xdg-open",
+			Usage: "Set this flag to not use xdg-open to open the PR URL",
+		},
+		cli.BoolFlag{
+			Name:  "continue",
+			Usage: "Set this flag to continue from a git cherry-pick that has broken",
+		},
+	}
+	cli.AppHelpTemplate = `NAME:
+	{{.Name}} - {{.Usage}}
+USAGE:
+	{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}
+	{{if len .Authors}}
+AUTHOR:
+	{{range .Authors}}{{ . }}{{end}}
+	{{end}}{{if .Commands}}
+OPTIONS:
+	{{range .VisibleFlags}}{{.}}
+	{{end}}{{end}}
+`
+
+	app.Action = runBackport
+
+	if err := app.Run(os.Args); err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to backport: %v\n", err)
+	}
+}
+
+func runBackport(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	continuing := c.Bool("continue")
+
+	var pr string
+
+	version := c.String("version")
+	if version == "" && continuing {
+		// determine version from current branch name
+		var err error
+		pr, version, err = readCurrentBranch(ctx)
+		if err != nil {
+			return err
+		}
+	}
+	if version == "" {
+		version = readVersion()
+	}
+	if version == "" {
+		version = defaultVersion
+	}
+
+	upstream := c.String("upstream")
+	if upstream == "" {
+		upstream = "origin"
+	}
+
+	forkUser := c.String("fork-user")
+	remote := c.String("remote")
+	if remote == "" && !c.Bool("--no-push") {
+		var err error
+		remote, forkUser, err = determineRemote(ctx, forkUser)
+		if err != nil {
+			return err
+		}
+	}
+
+	upstreamReleaseBranch := c.String("release-branch")
+	if upstreamReleaseBranch == "" {
+		upstreamReleaseBranch = path.Join("release", version)
+	}
+
+	localReleaseBranch := path.Join(upstream, upstreamReleaseBranch)
+
+	args := c.Args()
+	if len(args) == 0 && pr == "" {
+		return fmt.Errorf("no PR number provided\nProvide a PR number to backport")
+	} else if len(args) != 1 && pr == "" {
+		return fmt.Errorf("multiple PRs provided %v\nOnly a single PR can be backported at a time", args)
+	}
+	if pr == "" {
+		pr = args[0]
+	}
+
+	backportBranch := c.String("backport-branch")
+	if backportBranch == "" {
+		backportBranch = "backport-" + pr + "-" + version
+	}
+
+	fmt.Printf("* Backporting %s to %s as %s\n", pr, localReleaseBranch, backportBranch)
+
+	sha := c.String("cherry-pick")
+	if sha == "" {
+		var err error
+		sha, err = determineSHAforPR(ctx, pr)
+		if err != nil {
+			return err
+		}
+	}
+	if sha == "" {
+		return fmt.Errorf("unable to determine sha for cherry-pick of %s", pr)
+	}
+
+	if !c.Bool("no-fetch") {
+		if err := fetchRemoteAndMain(ctx, upstream, upstreamReleaseBranch); err != nil {
+			return err
+		}
+	}
+
+	if !continuing {
+		if err := checkoutBackportBranch(ctx, backportBranch, localReleaseBranch); err != nil {
+			return err
+		}
+	}
+
+	if err := cherrypick(ctx, sha); err != nil {
+		return err
+	}
+
+	if !c.Bool("no-amend-message") {
+		if err := amendCommit(ctx, pr); err != nil {
+			return err
+		}
+	}
+
+	if !c.Bool("no-push") {
+		url := "https://github.com/go-gitea/gitea/compare/" + upstreamReleaseBranch + "..." + forkUser + ":" + backportBranch
+
+		if err := gitPushUp(ctx, remote, backportBranch); err != nil {
+			return err
+		}
+
+		if !c.Bool("no-xdg-open") {
+			if err := xdgOpen(ctx, url); err != nil {
+				return err
+			}
+		} else {
+			fmt.Printf("* Navigate to %s to open PR\n", url)
+		}
+	}
+	return nil
+}
+
+func xdgOpen(ctx context.Context, url string) error {
+	fmt.Printf("* `xdg-open %s`\n", url)
+	out, err := exec.CommandContext(ctx, "xdg-open", url).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to xdg-open to %s: %w", url, err)
+	}
+	return nil
+}
+
+func gitPushUp(ctx context.Context, remote, backportBranch string) error {
+	fmt.Printf("* `git push -u %s %s`\n", remote, backportBranch)
+	out, err := exec.CommandContext(ctx, "git", "push", "-u", remote, backportBranch).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to push up to %s: %w", remote, err)
+	}
+	return nil
+}
+
+func amendCommit(ctx context.Context, pr string) error {
+	fmt.Printf("* Amending commit to prepend `Backport #%s` to body\n", pr)
+	out, err := exec.CommandContext(ctx, "git", "log", "-1", "--pretty=format:%B").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to get last log message: %w", err)
+	}
+
+	parts := strings.SplitN(string(out), "\n", 2)
+
+	if len(parts) != 2 {
+		return fmt.Errorf("unable to interpret log message:\n%s", string(out))
+	}
+	subject, body := parts[0], parts[1]
+	if !strings.HasSuffix(subject, " (#"+pr+")") {
+		subject = subject + " (#" + pr + ")"
+	}
+
+	out, err = exec.CommandContext(ctx, "git", "commit", "--amend", "-m", subject+"\n\nBackport #"+pr+"\n"+body).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s", string(out))
+		return fmt.Errorf("unable to amend last log message: %w", err)
+	}
+	return nil
+}
+
+func cherrypick(ctx context.Context, sha string) error {
+	// Check if a CHERRY_PICK_HEAD exists
+	if _, err := os.Stat(".git/CHERRY_PICK_HEAD"); err == nil {
+		// Assume that we are in the middle of cherry-pick - continue it
+		fmt.Println("* Attempting git cherry-pick --continue")
+		out, err := exec.CommandContext(ctx, "git", "cherry-pick", "--continue").Output()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "git cherry-pick --continue failed:\n%s\n", string(out))
+			return fmt.Errorf("unable to continue cherry-pick: %w", err)
+		}
+		return nil
+	}
+
+	fmt.Printf("* Attempting git cherry-pick %s\n", sha)
+	out, err := exec.CommandContext(ctx, "git", "cherry-pick", sha).Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "git cherry-pick %s failed:\n%s\n", sha, string(out))
+		return fmt.Errorf("git cherry-pick %s failed: %w", sha, err)
+	}
+	return nil
+}
+
+func checkoutBackportBranch(ctx context.Context, backportBranch, releaseBranch string) error {
+	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
+	if err != nil {
+		return fmt.Errorf("unable to check current branch %w", err)
+	}
+
+	currentBranch := strings.TrimSpace(string(out))
+	fmt.Printf("* Current branch is %s\n", currentBranch)
+	if currentBranch == backportBranch {
+		fmt.Printf("* Current branch is %s - not checking out\n", currentBranch)
+		return nil
+	}
+
+	if _, err := exec.CommandContext(ctx, "git", "rev-list", "-1", backportBranch).Output(); err == nil {
+		fmt.Printf("* Branch %s already exists. Checking it out...\n", backportBranch)
+		return exec.CommandContext(ctx, "git", "checkout", "-f", backportBranch).Run()
+	}
+
+	fmt.Printf("* `git checkout -b %s %s`\n", backportBranch, releaseBranch)
+	return exec.CommandContext(ctx, "git", "checkout", "-b", backportBranch, releaseBranch).Run()
+}
+
+func fetchRemoteAndMain(ctx context.Context, remote, releaseBranch string) error {
+	fmt.Printf("* `git fetch %s main`\n", remote)
+	out, err := exec.CommandContext(ctx, "git", "fetch", remote, "main").Output()
+	if err != nil {
+		fmt.Println(string(out))
+		return fmt.Errorf("unable to fetch %s from %s: %w", "main", remote, err)
+	}
+	fmt.Println(string(out))
+
+	fmt.Printf("* `git fetch %s %s`\n", remote, releaseBranch)
+	out, err = exec.CommandContext(ctx, "git", "fetch", remote, releaseBranch).Output()
+	if err != nil {
+		fmt.Println(string(out))
+		return fmt.Errorf("unable to fetch %s from %s: %w", releaseBranch, remote, err)
+	}
+	fmt.Println(string(out))
+
+	return nil
+}
+
+func determineRemote(ctx context.Context, forkUser string) (string, string, error) {
+	out, err := exec.CommandContext(ctx, "git", "remote", "-v").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to list git remotes:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to determine forked remote: %w", err)
+	}
+	lines := strings.Split(string(out), "\n")
+	for _, line := range lines {
+		fields := strings.Split(line, "\t")
+		name, remote := fields[0], fields[1]
+		// only look at pushers
+		if !strings.HasSuffix(remote, " (push)") {
+			continue
+		}
+		// only look at github.com pushes
+		if !strings.Contains(remote, "github.com") {
+			continue
+		}
+		// ignore go-gitea/gitea
+		if strings.Contains(remote, "go-gitea/gitea") {
+			continue
+		}
+		if !strings.Contains(remote, forkUser) {
+			continue
+		}
+		if strings.HasPrefix(remote, "git@github.com:") {
+			forkUser = strings.TrimPrefix(remote, "git@github.com:")
+		} else if strings.HasPrefix(remote, "https://github.com/") {
+			forkUser = strings.TrimPrefix(remote, "https://github.com/")
+		} else if strings.HasPrefix(remote, "https://www.github.com/") {
+			forkUser = strings.TrimPrefix(remote, "https://www.github.com/")
+		} else if forkUser == "" {
+			return "", "", fmt.Errorf("unable to extract forkUser from remote %s: %s", name, remote)
+		}
+		idx := strings.Index(forkUser, "/")
+		if idx >= 0 {
+			forkUser = forkUser[:idx]
+		}
+		return name, forkUser, nil
+	}
+	return "", "", fmt.Errorf("unable to find appropriate remote in:\n%s", string(out))
+}
+
+func readCurrentBranch(ctx context.Context) (pr, version string, err error) {
+	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to read current git branch:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to read current git branch: %w", err)
+	}
+	parts := strings.Split(strings.TrimSpace(string(out)), "-")
+
+	if len(parts) != 3 || parts[0] != "backport" {
+		fmt.Fprintf(os.Stderr, "Unable to continue from git branch:\n%s\n", string(out))
+		return "", "", fmt.Errorf("unable to continue from git branch:\n%s", string(out))
+	}
+
+	return parts[1], parts[2], nil
+}
+
+func readVersion() string {
+	bs, err := os.ReadFile("docs/config.yaml")
+	if err != nil {
+		if err == os.ErrNotExist {
+			log.Println("`docs/config.yaml` not present")
+			return ""
+		}
+		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
+		return ""
+	}
+
+	type params struct {
+		Version string
+	}
+	type docConfig struct {
+		Params params
+	}
+	dc := &docConfig{}
+	if err := yaml.Unmarshal(bs, dc); err != nil {
+		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
+		return ""
+	}
+
+	if dc.Params.Version == "" {
+		fmt.Fprintf(os.Stderr, "No version in `docs/config.yaml`")
+		return ""
+	}
+
+	version := dc.Params.Version
+	if version[0] != 'v' {
+		version = "v" + version
+	}
+
+	split := strings.SplitN(version, ".", 3)
+
+	return strings.Join(split[:2], ".")
+}
+
+func determineSHAforPR(ctx context.Context, prStr string) (string, error) {
+	prNum, err := strconv.Atoi(prStr)
+	if err != nil {
+		return "", err
+	}
+
+	client := github.NewClient(http.DefaultClient)
+
+	pr, _, err := client.PullRequests.Get(ctx, "go-gitea", "gitea", prNum)
+	if err != nil {
+		return "", err
+	}
+
+	if pr.Merged == nil || !*pr.Merged {
+		return "", fmt.Errorf("PR #%d is not yet merged - cannot determine sha to backport", prNum)
+	}
+
+	if pr.MergeCommitSHA != nil {
+		return *pr.MergeCommitSHA, nil
+	}
+
+	return "", nil
+}
+
+func installSignals() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
+}
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

--- a/contrib/fixtures/fixture_generation.go
+++ b/contrib/fixtures/fixture_generation.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

--- a/contrib/gitea-monitoring-mixin/dashboards/overview.libsonnet
+++ b/contrib/gitea-monitoring-mixin/dashboards/overview.libsonnet
@ -29,7 +29,7 @@ local addIssueLabelsOverrides(labels) =

  grafanaDashboards+:: {

-    local giteaSelector = 'job="$job", instance="$instance"',
+    local giteaSelector = 'job=~"$job", instance=~"$instance"',
    local giteaStatsPanel =
      grafana.statPanel.new(
        'Gitea stats',
@ -399,25 +399,31 @@ local addIssueLabelsOverrides(labels) =
      .addTemplate(
        {
          hide: 0,
-          label: null,
+          label: 'job',
          name: 'job',
          options: [],
+          datasource: '$datasource',
          query: 'label_values(gitea_organizations, job)',
          refresh: 1,
          regex: '',
          type: 'query',
+          multi: true,
+          allValue: '.+'
        },
      )
      .addTemplate(
        {
          hide: 0,
-          label: null,
+          label: 'instance',
          name: 'instance',
          options: [],
+          datasource: '$datasource',
          query: 'label_values(gitea_organizations{job="$job"}, instance)',
          refresh: 1,
          regex: '',
          type: 'query',
+          multi: true,
+          allValue: '.+'
        },
      )
      .addTemplate(
--- a/contrib/init/ubuntu/gitea
+++ b/contrib/init/ubuntu/gitea
@ -0,0 +1,84 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          gitea
+# Required-Start:    $syslog $network
+# Required-Stop:     $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: A self-hosted Git service written in Go.
+# Description:       A self-hosted Git service written in Go.
+### END INIT INFO
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
+DESC="Gitea - Git with a cup of tea"
+NAME=gitea
+SERVICEVERBOSE=yes
+PIDFILE=/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+WORKINGDIR=/var/lib/$NAME
+DAEMON=/usr/local/bin/$NAME
+DAEMON_ARGS="web -c /etc/$NAME/app.ini"
+USER=git
+STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/1/KILL/5}"
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+do_start()
+{
+    GITEA_ENVS="USER=$USER GITEA_WORK_DIR=$WORKINGDIR HOME=/home/$USER"
+    GITEA_EXEC="$DAEMON -- $DAEMON_ARGS"
+    sh -c "start-stop-daemon --start --quiet --pidfile $PIDFILE --make-pidfile \\
+        --background --chdir $WORKINGDIR --chuid $USER \\
+        --exec /bin/bash -- -c '/usr/bin/env $GITEA_ENVS $GITEA_EXEC'"
+}
+
+do_stop()
+{
+    start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PIDFILE --name $NAME --oknodo
+    rm -f $PIDFILE
+}
+
+do_status()
+{
+    if [ -f $PIDFILE ]; then
+        if kill -0 $(cat "$PIDFILE"); then
+            echo "$NAME is running, PID is $(cat $PIDFILE)"
+        else
+            echo "$NAME process is dead, but pidfile exists"
+        fi
+    else
+        echo "$NAME is not running"
+    fi
+}
+
+case "$1" in
+    start)
+        echo "Starting $DESC" "$NAME"
+        do_start
+        ;;
+    stop)
+        echo "Stopping $DESC" "$NAME"
+        do_stop
+        ;;
+    status)
+        do_status
+        ;;
+    restart)
+        echo "Restarting $DESC" "$NAME"
+        do_stop
+        do_start
+        ;;
+    *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
+        exit 2
+        ;;
+esac
+
+exit 0
--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

@ -50,7 +49,8 @@ func runPR() {
 		log.Fatal(err)
 	}
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()

 	setting.RepoRootPath, err = os.MkdirTemp(os.TempDir(), "repos")
 	if err != nil {
@ -83,7 +83,7 @@ func runPR() {
 		setting.Database.Path = ":memory:"
 		setting.Database.Timeout = 500
 	*/
-	dbCfg := setting.Cfg.Section("database")
+	dbCfg := setting.CfgProvider.Section("database")
 	dbCfg.NewKey("DB_TYPE", "sqlite3")
 	dbCfg.NewKey("PATH", ":memory:")

--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -7,6 +7,38 @@
 ;; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.


+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Default Configuration (non-`app.ini` configuration)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; These values are environment-dependent but form the basis of a lot of values. They will be
+;; reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+;;
+;; - _`AppPath`_: This is the absolute path of the running gitea binary.
+;; - _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+;;   - The `--work-path` flag passed to the binary
+;;   - The environment variable `$GITEA_WORK_DIR`
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to the directory of the _`AppPath`_
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`AppPath`_
+;; - _`CustomPath`_: This is the base directory for custom templates and other options.
+;; It is determined by using the first set thing in the following hierarchy:
+;;   - The `--custom-path` flag passed to the binary
+;;   - The environment variable `$GITEA_CUSTOM`
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to _`AppWorkPath`_`/custom`
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`AppWorkPath`_
+;; - _`CustomConf`_: This is the path to the `app.ini` file.
+;;   - The `--config` flag passed to the binary
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`CustomPath`_
+;;
+;; In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; General Settings
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -26,7 +58,7 @@ RUN_MODE = ; prod
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. Defaults to 'http'
+;; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http'
 ;PROTOCOL = http
 ;;
 ;; Expect PROXY protocol headers on connections
@ -51,6 +83,8 @@ RUN_MODE = ; prod
 ;STATIC_URL_PREFIX =
 ;;
 ;; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
+;; If PROTOCOL is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use.
+;; Relative paths will be made absolute against the _`AppWorkPath`_.
 ;HTTP_ADDR = 0.0.0.0
 ;;
 ;; The port to listen on. Leave empty when using a unix socket.
@ -64,7 +98,7 @@ RUN_MODE = ; prod
 ;PORT_TO_REDIRECT = 80
 ;;
 ;; expect PROXY protocol header on connections to https redirector.
-;REDIRECTOR_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)
+;REDIRECTOR_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
 ;; Minimum and maximum supported TLS versions
 ;SSL_MIN_VERSION=TLSv1.2
 ;SSL_MAX_VERSION=
@ -91,7 +125,7 @@ RUN_MODE = ; prod
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;;
 ;; When making local connections pass the PROXY protocol header.
-;LOCAL_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)
+;LOCAL_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
 ;;
 ;; Disable SSH feature when not available
 ;DISABLE_SSH = false
@ -145,7 +179,7 @@ RUN_MODE = ; prod
 ;;
 ;; For the built-in SSH server, choose the keypair to offer as the host key
 ;; The private key should be at SSH_SERVER_HOST_KEY and the public SSH_SERVER_HOST_KEY.pub
-;; relative paths are made absolute relative to the APP_DATA_PATH
+;; relative paths are made absolute relative to the %(APP_DATA_PATH)s
 ;SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa
 ;;
 ;; Directory to create temporary files in when testing public keys using ssh-keygen,
@ -241,10 +275,10 @@ RUN_MODE = ; prod
 ;;
 ;; Root directory containing templates and static files.
 ;; default is the path where Gitea is executed
-;STATIC_ROOT_PATH =
+;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
 ;;
 ;; Default path for App data
-;APP_DATA_PATH = data
+;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
 ;;
 ;; Enable gzip compression for runtime-generated content, static resources excluded
 ;ENABLE_GZIP = false
@ -255,7 +289,7 @@ RUN_MODE = ; prod
 ;ENABLE_PPROF = false
 ;;
 ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
-;PPROF_DATA_PATH = data/tmp/pprof
+;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
 ;;
 ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
 ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
@ -369,6 +403,9 @@ LOG_SQL = false ; if unset defaults to true
 ;;
 ;; Database maximum number of open connections, default is 0 meaning no maximum
 ;MAX_OPEN_CONNS = 0
+;;
+;; Whether execute database models migrations automatically
+;AUTO_MIGRATION = true

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -539,6 +576,22 @@ ROUTER = console
 ;; The routing level will default to that of the system but individual router level can be set in
 ;; [log.<mode>.router] LEVEL
 ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Print request id which parsed from request headers in access log, when access log is enabled.
+;; * E.g:
+;; * In request Header:         X-Request-ID: test-id-123
+;; * Configuration in app.ini:  REQUEST_ID_HEADERS = X-Request-ID
+;; * Print in log:              127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "test-id-123"
+;; 
+;; If you configure more than one in the .ini file, it will match in the order of configuration, 
+;; and the first match will be finally printed in the log.
+;; * E.g:
+;; * In reuqest Header:         X-Trace-ID: trace-id-1q2w3e4r
+;; * Configuration in app.ini:  REQUEST_ID_HEADERS = X-Request-ID, X-Trace-ID, X-Req-ID
+;; * Print in log:              127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "trace-id-1q2w3e4r"
+;;
+;; REQUEST_ID_HEADERS = 

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -633,7 +686,7 @@ ROUTER = console
 ;PATH =
 ;;
 ;; The HOME directory for Git
-;HOME_PATH = %(APP_DATA_PATH)/home
+;HOME_PATH = %(APP_DATA_PATH)s/home
 ;;
 ;; Disables highlight of added and removed changes
 ;DISABLE_DIFF_HIGHLIGHT = false
@ -725,7 +778,10 @@ ROUTER = console
 ;; Enable captcha validation for registration
 ;ENABLE_CAPTCHA = false
 ;;
-;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha.
+;; Enable this to require captcha validation for login
+;REQUIRE_CAPTCHA_FOR_LOGIN = false
+;;
+;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha, cfturnstile.
 ;CAPTCHA_TYPE = image
 ;;
 ;; Change this to use recaptcha.net or other recaptcha service
@ -747,6 +803,10 @@ ROUTER = console
 ;MCAPTCHA_SECRET =
 ;MCAPTCHA_SITEKEY =
 ;;
+;; Go to https://dash.cloudflare.com/?to=/:account/turnstile to sign up for a key
+;CF_TURNSTILE_SITEKEY =
+;CF_TURNSTILE_SECRET =
+;;
 ;; Default value for KeepEmailPrivate
 ;; Each new user will get the value of this setting copied into their profile
 ;DEFAULT_KEEP_EMAIL_PRIVATE = false
@ -838,8 +898,8 @@ ROUTER = console
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)/gitea-repositories.
-;; A relative path is interpreted as %(GITEA_WORK_DIR)/%(ROOT)
+;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
+;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
 ;ROOT =
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
@ -887,14 +947,18 @@ ROUTER = console
 ;USE_COMPAT_SSH_URI = false
 ;;
 ;; Close issues as long as a commit on any branch marks it as fixed
-;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects
+;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages
 ;DISABLED_REPO_UNITS =
 ;;
-;; Comma separated list of default repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects.
+;; Comma separated list of default new repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects, repo.packages.
 ;; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility.
 ;; External wiki and issue tracker can't be enabled by default as it requires additional settings.
 ;; Disabled repo units will not be added to new repositories regardless if it is in the default list.
-;DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects
+;DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages
+;;
+;; Comma separated list of default forked repo units.
+;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
+;DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls
 ;;
 ;; Prefix archive files by placing them in a directory named after the repository
 ;PREFIX_ARCHIVE_FILES = true
@ -917,6 +981,9 @@ ROUTER = console
 ;; Don't allow download source archive files from UI
 ;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false

+;; Allow fork repositories without maximum number limit
+;ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT = true
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository.editor]
@ -996,6 +1063,9 @@ ROUTER = console
 ;;
 ;; Add co-authored-by and co-committed-by trailers if committer does not match author
 ;ADD_CO_COMMITTER_TRAILERS = true
+;;
+;; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply
+;TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1104,6 +1174,9 @@ ROUTER = console
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
 ;;
+;; headers to permit
+;HEADERS = Content-Type,User-Agent
+;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN

@ -1169,10 +1242,6 @@ ROUTER = console
 ;;
 ;; Whether to enable a Service Worker to cache frontend assets
 ;USE_SERVICE_WORKER = false
-;;
-;; Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
-;; A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).
-;ONLY_SHOW_RELEVANT_REPOS = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1296,7 +1365,7 @@ ROUTER = console
 ;ISSUE_INDEXER_TYPE = bleve
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-;ISSUE_INDEXER_PATH = indexers/issues.bleve
+;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch
 ;ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
@ -1314,7 +1383,7 @@ ROUTER = console
 ;; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the path where the queue will be saved.
 ;; This can be overridden by `ISSUE_INDEXER_QUEUE_CONN_STR`.
 ;; default is queues/common
-;ISSUE_INDEXER_QUEUE_DIR = queues/common; **DEPRECATED** use settings in `[queue.issue_indexer]`.
+;ISSUE_INDEXER_QUEUE_DIR = queues/common; **DEPRECATED** use settings in `[queue.issue_indexer]`. Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
 ;; When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of
@ -1370,7 +1439,7 @@ ROUTER = console
 ;TYPE = persistable-channel
 ;;
 ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
-;DATADIR = queues/
+;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; Default queue length before a channel queue will block
 ;LENGTH = 20
@ -1550,7 +1619,7 @@ ROUTER = console
 ;; Prefix displayed before subject in mail
 ;SUBJECT_PREFIX =
 ;;
-;; Mail server protocol. One of "smtp", "smtps", "smtp+startls", "smtp+unix", "sendmail", "dummy".
+;; Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy".
 ;; - sendmail: use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
 ;; - dummy: send email messages to the log as a testing phase.
 ;; If your provider does not explicitly say which protocol it uses but does provide a port,
@ -1615,6 +1684,47 @@ ROUTER = console
 ;; convert \r\n to \n for Sendmail
 ;SENDMAIL_CONVERT_CRLF = true

+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[email.incoming]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Enable handling of incoming emails.
+;ENABLED = false
+;;
+;; The email address including the %{token} placeholder that will be replaced per user/action.
+;; Example: incoming+%{token}@example.com
+;; The placeholder must appear in the user part of the address (before the @).
+;REPLY_TO_ADDRESS =
+;;
+;; IMAP server host
+;HOST =
+;;
+;; IMAP server port
+;PORT =
+;;
+;; Username of the receiving account
+;USERNAME =
+;;
+;; Password of the receiving account
+;PASSWORD =
+;;
+;; Whether the IMAP server uses TLS.
+;USE_TLS = false
+;;
+;; If set to true, completely ignores server certificate validation errors. This option is unsafe.
+;SKIP_TLS_VERIFY = true
+;;
+;; The mailbox name where incoming mail will end up.
+;MAILBOX = INBOX
+;;
+;; Whether handled messages should be deleted from the mailbox.
+;DELETE_HANDLED_MESSAGE = true
+;;
+;; Maximum size of a message to handle. Bigger messages are ignored. Set to 0 to allow every size.
+;MAXIMUM_MESSAGE_SIZE = 10485760
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[cache]
@ -1631,7 +1741,7 @@ ROUTER = console
 ;INTERVAL = 60
 ;;
 ;; For "redis" and "memcache", connection host address
-;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; memcache: `127.0.0.1:11211`
 ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
 ;HOST =
@ -1670,9 +1780,9 @@ ROUTER = console
 ;; Provider config options
 ;; memory: doesn't have any config yet
 ;; file: session file path, e.g. `data/sessions`
-;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-;PROVIDER_CONFIG = data/sessions
+;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
@ -1777,6 +1887,9 @@ ROUTER = console
 ;;
 ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 ;MINIO_USE_SSL = false
+;;
+;; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+;MINIO_INSECURE_SKIP_VERIFY = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2104,7 +2217,7 @@ ROUTER = console
 ;[cron.update_checker]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;ENABLED = false
+;ENABLED = true
 ;RUN_AT_START = false
 ;ENABLE_SUCCESS_NOTICE = false
 ;SCHEDULE = @every 168h
@ -2123,6 +2236,28 @@ ROUTER = console
 ;SCHEDULE = @every 168h
 ;OLDER_THAN = 8760h

+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Garbage collect LFS pointers in repositories
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[cron.gc_lfs]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;ENABLED = false
+;; Garbage collect LFS pointers in repositories (default false)
+;RUN_AT_START = false
+;; Interval as a duration between each gc run (default every 24h)
+;SCHEDULE = @every 24h
+;; Only attempt to garbage collect LFSMetaObjects older than this (default 7 days)
+;OLDER_THAN = 168h
+;; Only attempt to garbage collect LFSMetaObjects that have not been attempted to be garbage collected for this long (default 3 days)
+;LAST_UPDATED_MORE_THAN_AGO = 72h
+; Minimum number of stale LFSMetaObjects to check per repo. Set to `0` to always check all.
+;NUMBER_TO_CHECK_PER_REPO = 100
+;Check at least this proportion of LFSMetaObjects per repo. (This may cause all stale LFSMetaObjects to be checked.)
+;PROPORTION_TO_CHECK_PER_REPO = 0.6
+
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Git Operation timeout in seconds
@ -2197,7 +2332,9 @@ ROUTER = console
 ;; Show template execution time in the footer
 ;SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
 ;; Generate sitemap. Defaults to `true`.
-; ENABLE_SITEMAP = true
+;ENABLE_SITEMAP = true
+;; Enable/Disable RSS/Atom feed
+;ENABLE_FEED = true

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2266,8 +2403,8 @@ ROUTER = console
 ;QUEUE_LENGTH = 1000
 ;;
 ;; Task queue connection string, available only when `QUEUE_TYPE` is `redis`.
-;; If there is a password of redis, use `addrs=127.0.0.1:6379 password=123 db=0`.
-;QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0"
+;; If there is a password of redis, use `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`.
+;QUEUE_CONN_STR = "redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s"

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2335,6 +2472,41 @@ ROUTER = console
 ;;
 ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
 ;CHUNKED_UPLOAD_PATH = tmp/package-upload
+;;
+;; Maximum count of package versions a single owner can have (`-1` means no limits)
+;LIMIT_TOTAL_OWNER_COUNT = -1
+;; Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_TOTAL_OWNER_SIZE = -1
+;; Maximum size of a Cargo upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CARGO = -1
+;; Maximum size of a Chef upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CHEF = -1
+;; Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_COMPOSER = -1
+;; Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONAN = -1
+;; Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONDA = -1
+;; Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONTAINER = -1
+;; Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_GENERIC = -1
+;; Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_HELM = -1
+;; Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_MAVEN = -1
+;; Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_NPM = -1
+;; Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_NUGET = -1
+;; Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_PUB = -1
+;; Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_PYPI = -1
+;; Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_RUBYGEMS = -1
+;; Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_VAGRANT = -1

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2399,6 +2571,9 @@ ROUTER = console
 ;;
 ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 ;MINIO_USE_SSL = false
+;;
+;; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+;MINIO_INSECURE_SKIP_VERIFY = false

 ;[proxy]
 ;; Enable the proxy, all requests to external via HTTP will be affected
@ -2407,3 +2582,19 @@ ROUTER = console
 ;PROXY_URL =
 ;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
 ;PROXY_HOSTS =
+
+; [actions]
+;; Enable/Disable actions capabilities
+;ENABLED = false
+;; Default address to get action plugins, e.g. the default value means downloading from "https://gitea.com/actions/checkout" for "uses: actions/checkout@v3"
+;DEFAULT_ACTIONS_URL = https://gitea.com
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; settings for action logs, will override storage setting
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[storage.actions_log]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; storage type
+;STORAGE_TYPE = local
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@ -1,10 +1,12 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-rootless
 {{#if build.tags}}
+{{#unless (contains "-rc" build.tag)}}
 tags:
 {{#each build.tags}}
  - {{this}}-rootless
 {{/each}}
  - "latest-rootless"
+{{/unless}}
 {{/if}}
 manifests:
  -
--- a/docker/manifest.tmpl
+++ b/docker/manifest.tmpl
@ -1,10 +1,12 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}
 {{#if build.tags}}
+{{#unless (contains "-rc" build.tag)}}
 tags:
 {{#each build.tags}}
  - {{this}}
 {{/each}}
  - "latest"
+{{/unless}}
 {{/if}}
 manifests:
  -
--- a/docker/rootless/etc/templates/app.ini
+++ b/docker/rootless/etc/templates/app.ini
@ -37,7 +37,7 @@ PROVIDER_CONFIG = $GITEA_WORK_DIR/data/sessions

 [picture]
 AVATAR_UPLOAD_PATH = $GITEA_WORK_DIR/data/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = $GITEA_WORK_DIR/data/gitea/repo-avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = $GITEA_WORK_DIR/data/repo-avatars

 [attachment]
 PATH = $GITEA_WORK_DIR/data/attachments
--- a/docs/Makefile
+++ b/docs/Makefile
@ -2,6 +2,8 @@ THEME := themes/gitea
 PUBLIC := public
 ARCHIVE := https://dl.gitea.io/theme/master.tar.gz

+HUGO_PACKAGE := github.com/gohugoio/hugo@v0.82.0
+
 .PHONY: all
 all: build

@ -11,19 +13,19 @@ clean:

 .PHONY: trans-copy
 trans-copy:
-	@bash scripts/trans-copy
+	bash scripts/trans-copy.sh

 .PHONY: server
 server: $(THEME)
-	hugo server
+	go run $(HUGO_PACKAGE) server

 .PHONY: build
 build: $(THEME)
-	hugo --cleanDestinationDir
+	go run $(HUGO_PACKAGE) --cleanDestinationDir

 .PHONY: build-offline
 build-offline: $(THEME)
-	hugo --baseURL="/" --cleanDestinationDir
+	go run $(HUGO_PACKAGE) --baseURL="/" --cleanDestinationDir

 .PHONY: update
 update: $(THEME)
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -18,11 +18,13 @@ params:
  description: Git with a cup of tea
  author: The Gitea Authors
  website: https://docs.gitea.io
-  version: 1.17.3
-  minGoVersion: 1.18
-  goVersion: 1.19
-  minNodeVersion: 14
+  version: 1.18.5
+  minGoVersion: 1.19
+  goVersion: 1.20
+  minNodeVersion: 16
  search: nav
+  repo: "https://github.com/go-gitea/gitea"
+  docContentPath: "docs/content"

 outputs:
  home:
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@ -27,23 +27,56 @@ accurately recorded in [app.example.ini](https://github.com/go-gitea/gitea/blob/
 (s/main/\<tag|release\>). Any string in the format `%(X)s` is a feature powered
 by [ini](https://github.com/go-ini/ini/#recursive-values), for reading values recursively.

+In the default values below, a value in the form `$XYZ` refers to an environment variable. (However, see `environment-to-ini`.) Values in the form  _`XxYyZz`_ refer to values listed as part of the default configuration. These notation forms will not work in your own `app.ini` file and are only listed here as documentation.
+
 Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 **Note:** A full restart is required for Gitea configuration changes to take effect.

 {{< toc >}}

+## Default Configuration (non-`app.ini` configuration)
+
+These values are environment-dependent but form the basis of a lot of values. They will be
+reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+
+- _`AppPath`_: This is the absolute path of the running gitea binary.
+- _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+  - The `--work-path` flag passed to the binary
+  - The environment variable `$GITEA_WORK_DIR`
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to the directory of the _`AppPath`_
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`AppPath`_
+- _`CustomPath`_: This is the base directory for custom templates and other options.
+It is determined by using the first set thing in the following hierarchy:
+  - The `--custom-path` flag passed to the binary
+  - The environment variable `$GITEA_CUSTOM`
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to _`AppWorkPath`_`/custom`
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`AppWorkPath`_
+- _`CustomConf`_: This is the path to the `app.ini` file.
+  - The `--config` flag passed to the binary
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`CustomPath`_
+
+In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+
 ## Overall (`DEFAULT`)

 - `APP_NAME`: **Gitea: Git with a cup of tea**: Application name, used in the page title.
- `RUN_USER`: **git**: The user Gitea will run as. This should be a dedicated system
-   (non-user) account. Setting this incorrectly will cause Gitea to not start.
+- `RUN_USER`: **_current OS username_/`$USER`/`$USERNAME` e.g. git**: The user Gitea will run as.
+   This should be a dedicated system (non-user) account. Setting this incorrectly will cause Gitea
+   to not start.
 - `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".

 ## Repository (`repository`)

- `ROOT`: **%(APP_DATA_PATH)/gitea-repositories**: Root path for storing all repository data.
-   A relative path is interpreted as **%(GITEA_WORK_DIR)/%(ROOT)**.
+- `ROOT`: **%(APP_DATA_PATH)s/gitea-repositories**: Root path for storing all repository data.
+   A relative path is interpreted as **_`AppWorkPath`_/%(ROOT)s**.
 - `SCRIPT_TYPE`: **bash**: The script type this server supports. Usually this is `bash`,
   but some users report that only `sh` is available.
 - `DETECTED_CHARSETS_ORDER`: **UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr**: Tie-break order of detected charsets - if the detected charsets have equal confidence, charsets earlier in the list will be chosen in preference to those later. Adding `defaults` will place the unnamed charsets at that point.
@ -71,7 +104,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `ENABLE_PUSH_CREATE_USER`:  **false**: Allow users to push local repositories to Gitea and have them automatically created for a user.
 - `ENABLE_PUSH_CREATE_ORG`:  **false**: Allow users to push local repositories to Gitea and have them automatically created for an org.
 - `DISABLED_REPO_UNITS`: **_empty_**: Comma separated list of globally disabled repo units. Allowed values: \[repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects\]
- `DEFAULT_REPO_UNITS`: **repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects**: Comma separated list of default repo units. Allowed values: \[repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects\]. Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. External wiki and issue tracker can't be enabled by default as it requires additional settings. Disabled repo units will not be added to new repositories regardless if it is in the default list.
+- `DEFAULT_REPO_UNITS`: **repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages**: Comma separated list of default new repo units. Allowed values: \[repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects\]. Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. External wiki and issue tracker can't be enabled by default as it requires additional settings. Disabled repo units will not be added to new repositories regardless if it is in the default list.
+- `DEFAULT_FORK_REPO_UNITS`: **repo.code,repo.pulls**: Comma separated list of default forked repo units. The set of allowed values and rules is the same as `DEFAULT_REPO_UNITS`.
 - `PREFIX_ARCHIVE_FILES`: **true**: Prefix archive files by placing them in a directory named after the repository.
 - `DISABLE_MIGRATIONS`: **false**: Disable migrating feature.
 - `DISABLE_STARS`: **false**: Disable stars feature.
@ -79,6 +113,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
 - `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
 - `DISABLE_DOWNLOAD_SOURCE_ARCHIVES`: **false**: Don't allow download source archive files from UI
+- `ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT`: **true**: Allow fork repositories without maximum number limit

 ### Repository - Editor (`repository.editor`)

@ -101,6 +136,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY`: **true**: In default merge messages only include approvers who are officially allowed to review.
 - `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES`: **false**: In default squash-merge messages include the commit message of all commits comprising the pull request.
 - `ADD_CO_COMMITTER_TRAILERS`: **true**: Add co-authored-by and co-committed-by trailers to merge commit messages if committer does not match author.
+- `TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY`: **false**: PR patches are tested using a three-way merge method to discover if there are conflicts. If this setting is set to **true**, conflicting patches will be retested using `git apply` - This was the previous behaviour in 1.18 (and earlier) but is somewhat inefficient. Please report if you find that this setting is required.

 ### Repository - Issue (`repository.issue`)

@ -167,6 +203,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.

 ## UI (`ui`)
@ -194,8 +231,6 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `DEFAULT_SHOW_FULL_NAME`: **false**: Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
 - `SEARCH_REPO_DESCRIPTION`: **true**: Whether to search within description at repository search on explore page.
 - `USE_SERVICE_WORKER`: **false**: Whether to enable a Service Worker to cache frontend assets.
- `ONLY_SHOW_RELEVANT_REPOS`: **false** Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
-    A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).

 ### UI - Admin (`ui.admin`)

@ -204,6 +239,10 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `NOTICE_PAGING_NUM`: **25**: Number of notices that are shown in one page.
 - `ORG_PAGING_NUM`: **50**: Number of organizations that are shown in one page.

+### UI - User (`ui.user`)
+
+- `REPO_PAGING_NUM`: **15**: Number of repos that are shown in one page.
+
 ### UI - Metadata (`ui.meta`)

 - `AUTHOR`: **Gitea - Git with a cup of tea**: Author meta tag of the homepage.
@ -240,6 +279,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a

 ## Server (`server`)

+- `APP_DATA_PATH`: **_`AppWorkPath`_/data**: This is the default root path for storing data.
 - `PROTOCOL`: **http**: \[http, https, fcgi, http+unix, fcgi+unix\]
 - `USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol headers on connections
 - `PROXY_PROTOCOL_TLS_BRIDGING`: **false**: When protocol is https, expect PROXY protocol headers after TLS negotiation.
@ -254,12 +294,17 @@ The following configuration set `Content-Type: application/vnd.android.package-a
   This includes CSS files, images, JS files and web fonts.
   Avatar images are dynamic resources and still served by Gitea.
   The option can be just a different path, as in `/static`, or another domain, as in `https://cdn.example.com`.
-   Requests are then made as `%(ROOT_URL)s/static/css/index.css` and `https://cdn.example.com/css/index.css` respective.
+   Requests are then made as `%(ROOT_URL)s/static/assets/css/index.css` or `https://cdn.example.com/assets/css/index.css` respectively.
   The static files are located in the `public/` directory of the Gitea source repository.
+   You can proxy the STATIC_URL_PREFIX requests to Gitea server to serve the static
+   assets, or copy the manually built Gitea assets from `$GITEA_BUILD/public` to
+   the assets location, eg: `/var/www/assets`, make sure `$STATIC_URL_PREFIX/assets/css/index.css`
+   points to `/var/www/assets/css/index.css`.
+
 - `HTTP_ADDR`: **0.0.0.0**: HTTP listen address.
  - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
     defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
-  - If `PROTOCOL` is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. Relative paths will be made absolute against the AppWorkPath.
+  - If `PROTOCOL` is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. Relative paths will be made absolute against the _`AppWorkPath`_.
 - `HTTP_PORT`: **3000**: HTTP listen port.
  - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
     defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
@ -269,7 +314,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
   most cases you do not need to change the default value. Alter it only if
   your SSH server node is not the same as HTTP node. Do not set this variable
   if `PROTOCOL` is set to `http+unix`.
- `LOCAL_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)**: When making local connections pass the PROXY protocol header.
+- `LOCAL_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: When making local connections pass the PROXY protocol header.
   This should be set to false if the local connection will go through the proxy.
 - `PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the connection. (Set to -1 to
   disable all timeouts.)
@ -279,7 +324,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
 - `SSH_SERVER_USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol header on connections to the built-in SSH Server.
 - `BUILTIN_SSH_SERVER_USER`: **%(RUN_USER)s**: Username to use for the built-in SSH Server.
- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
+- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)s**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
 - `SSH_DOMAIN`: **%(DOMAIN)s**: Domain name of this server, used for displayed clone URL.
 - `SSH_PORT`: **22**: SSH port displayed in clone URL.
 - `SSH_LISTEN_HOST`: **0.0.0.0**: Listen address for the built-in SSH server.
@ -308,22 +353,22 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
 - `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
 - `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
- `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data.
+- `STATIC_ROOT_PATH`: **_`StaticRootPath`_**: Upper level of template and static files path.
+- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data. Relative paths will be made absolute against _`AppWorkPath`_.
 - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev".
 - `ENABLE_GZIP`: **false**: Enable gzip compression for runtime-generated content, static resources excluded.
 - `ENABLE_PPROF`: **false**: Application profiling (memory and cpu). For "web" command it listens on `localhost:6060`. For "serv" command it dumps to disk at `PPROF_DATA_PATH` as `(cpuprofile|memprofile)_<username>_<temporary id>`
- `PPROF_DATA_PATH`: **data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start Gitea as service
+- `PPROF_DATA_PATH`: **_`AppWorkPath`_/data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start Gitea as service
 - `LANDING_PAGE`: **home**: Landing page for unauthenticated users \[home, explore, organizations, login, **custom**\]. Where custom would instead be any URL such as "/org/repo" or even `https://anotherwebsite.com`
 - `LFS_START_SERVER`: **false**: Enables Git LFS support.
- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)/lfs**: Default LFS content path. (if it is on local storage.) **DEPRECATED** use settings in `[lfs]`.
+- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)s/lfs**: Default LFS content path. (if it is on local storage.) **DEPRECATED** use settings in `[lfs]`.
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
 - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
 - `LFS_MAX_FILE_SIZE`: **0**: Maximum allowed LFS file size in bytes (Set to 0 for no limit).
 - `LFS_LOCKS_PAGING_NUM`: **50**: Maximum number of LFS Locks returned per page.

 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
- `REDIRECTOR_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)**: expect PROXY protocol header on connections to https redirector.
+- `REDIRECTOR_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: expect PROXY protocol header on connections to https redirector.
 - `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
 - `SSL_MIN_VERSION`: **TLSv1.2**: Set the minimum version of ssl support.
 - `SSL_MAX_VERSION`: **\<empty\>**: Set the maximum version of ssl support.
@ -404,6 +449,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `MAX_OPEN_CONNS` **0**: Database maximum open connections - default is 0, meaning there is no limit.
 - `MAX_IDLE_CONNS` **2**: Max idle database connections on connection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
 - `CONN_MAX_LIFETIME` **0 or 3s**: Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL where it is 3s - see #6804 & #7071).
+- `AUTO_MIGRATION` **true**: Whether execute database models migrations automatically.

 Please see #8540 & #8273 for further discussion of the appropriate values for `MAX_OPEN_CONNS`, `MAX_IDLE_CONNS` & `CONN_MAX_LIFETIME` and their
 relation to port exhaustion.
@ -413,10 +459,10 @@ relation to port exhaustion.
 - `ISSUE_INDEXER_TYPE`: **bleve**: Issue indexer type, currently supported: `bleve`, `db` or `elasticsearch`.
 - `ISSUE_INDEXER_CONN_STR`: ****: Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch. i.e. http://elastic:changeme@localhost:9200
 - `ISSUE_INDEXER_NAME`: **gitea_issues**: Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch.
+- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch. Relative paths will be made absolute against _`AppWorkPath`_.
 - The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility:
 - `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`. Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 - `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
 - `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number. **DEPRECATED** use settings in `[queue.issue_indexer]`.

@ -438,7 +484,7 @@ relation to port exhaustion.
 Configuration at `[queue]` will set defaults for queues with overrides for individual queues at `[queue.*]`. (However see below.)

 - `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel` (uses a LevelDB internally), `channel`, `level`, `redis`, `dummy`
- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.)
+- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.) Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 - `LENGTH`: **20**: Maximal queue size before channel queues block
 - `BATCH_LENGTH`: **20**: Batch data before passing to the handler
 - `CONN_STR`: **redis://127.0.0.1:6379/0**: Connection string for the redis queue type. Options can be set using query params. Similarly LevelDB options can also be set using: **leveldb://relative/path?option=value** or **leveldb:///absolute/path?option=value**, and will override `DATADIR`
@ -522,7 +568,22 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining INTERNAL_TOKEN in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\], argon2 will spend more memory than others.
+- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt\], argon2 and scrypt will spend significant amounts of memory.
+  - Note: The default parameters for `pbkdf2` hashing have changed - the previous settings are available as `pbkdf2_v1` but are not recommended.
+  - The hash functions may be tuned by using `$` after the algorithm:
+    - `argon2$<time>$<memory>$<threads>$<key-length>`
+    - `bcrypt$<cost>`
+    - `pbkdf2$<iterations>$<key-length>`
+    - `scrypt$<n>$<r>$<p>$<key-length>`
+  - The defaults are:
+    - `argon2`:    `argon2$2$65536$8$50`
+    - `bcrypt`:    `bcrypt$10`
+    - `pbkdf2`:    `pbkdf2$50000$50`
+    - `pbkdf2_v1`: `pbkdf2$10000$50`
+    - `pbkdf2_v2`: `pbkdf2$50000$50`
+    - `pbkdf2_hi`: `pbkdf2$320000$50`
+    - `scrypt`:    `scrypt$65536$16$2$50`
+  - Adjusting the algorithm parameters using this functionality is done at your own risk.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
@ -594,9 +655,10 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `ENABLE_REVERSE_PROXY_FULL_NAME`: **false**: Enable this to allow to auto-registration with a
   provided full name for the user.
 - `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: Enable this to require captcha validation for login. You also must enable `ENABLE_CAPTCHA`.
 - `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
   even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha\]
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha, cfturnstile\]
 - `RECAPTCHA_SECRET`: **""**: Go to https://www.google.com/recaptcha/admin to get a secret for recaptcha.
 - `RECAPTCHA_SITEKEY`: **""**: Go to https://www.google.com/recaptcha/admin to get a sitekey for recaptcha.
 - `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: Set the recaptcha url - allows the use of recaptcha net.
@ -605,6 +667,8 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `MCAPTCHA_SECRET`: **""**: Go to your mCaptcha instance to get a secret for mCaptcha.
 - `MCAPTCHA_SITEKEY`: **""**: Go to your mCaptcha instance to get a sitekey for mCaptcha.
 - `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: Set the mCaptcha URL.
+- `CF_TURNSTILE_SECRET` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a secret for cloudflare turnstile.
+- `CF_TURNSTILE_SITEKEY` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a sitekey for cloudflare turnstile.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
 - `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
@ -672,7 +736,7 @@ and
 [Gitea 1.17 configuration document](https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md)

 - `ENABLED`: **false**: Enable to use a mail service.
- `PROTOCOL`: **\<empty\>**: Mail server protocol. One of "smtp", "smtps", "smtp+startls", "smtp+unix", "sendmail", "dummy". _Before 1.18, this was inferred from a combination of `MAILER_TYPE` and `IS_TLS_ENABLED`._
+- `PROTOCOL`: **\<empty\>**: Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy". _Before 1.18, this was inferred from a combination of `MAILER_TYPE` and `IS_TLS_ENABLED`._
  - SMTP family, if your provider does not explicitly say which protocol it uses but does provide a port, you can set SMTP_PORT instead and this will be inferred.
  - **sendmail** Use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
  - **dummy** Send email messages to the log as a testing phase.
@ -702,6 +766,20 @@ and
 - `SEND_BUFFER_LEN`: **100**: Buffer length of mailing queue. **DEPRECATED** use `LENGTH` in `[queue.mailer]`
 - `SEND_AS_PLAIN_TEXT`: **false**: Send mails only in plain text, without HTML alternative.

+## Incoming Email (`email.incoming`)
+
+- `ENABLED`: **false**: Enable handling of incoming emails.
+- `REPLY_TO_ADDRESS`: **\<empty\>**: The email address including the `%{token}` placeholder that will be replaced per user/action. Example: `incoming+%{token}@example.com`. The placeholder must appear in the user part of the address (before the `@`).
+- `HOST`: **\<empty\>**: IMAP server host.
+- `PORT`: **\<empty\>**: IMAP server port.
+- `USERNAME`: **\<empty\>**: Username of the receiving account.
+- `PASSWORD`: **\<empty\>**: Password of the receiving account.
+- `USE_TLS`: **false**: Whether the IMAP server uses TLS.
+- `SKIP_TLS_VERIFY`: **false**: If set to `true`, completely ignores server certificate validation errors. This option is unsafe.
+- `MAILBOX`: **INBOX**: The mailbox name where incoming mail will end up.
+- `DELETE_HANDLED_MESSAGE`: **true**: Whether handled messages should be deleted from the mailbox.
+- `MAXIMUM_MESSAGE_SIZE`: **10485760**: Maximum size of a message to handle. Bigger messages are ignored. Set to 0 to allow every size.
+
 ## Cache (`cache`)

 - `ENABLED`: **true**: Enable the cache.
@ -722,7 +800,7 @@ and
 ## Session (`session`)

 - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]`
- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string.
+- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_.
 - `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access.
 - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
 - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
@ -734,9 +812,9 @@ and

 - `GRAVATAR_SOURCE`: **gravatar**: Can be `gravatar`, `duoshuo` or anything like
   `http://cn.gravatar.com/avatar/`.
- `DISABLE_GRAVATAR`: **false**: Enable this to use local avatars only.
+- `DISABLE_GRAVATAR`: **false**: Enable this to use local avatars only. **DEPRECATED [v1.18+]** moved to database. Use admin panel to configure.
 - `ENABLE_FEDERATED_AVATAR`: **false**: Enable support for federated avatars (see
-   [http://www.libravatar.org](http://www.libravatar.org)).
+   [http://www.libravatar.org](http://www.libravatar.org)). **DEPRECATED [v1.18+]** moved to database. Use admin panel to configure.

 - `AVATAR_STORAGE_TYPE`: **default**: Storage type defined in `[storage.xxx]`. Default is `default` which will read `[storage]` if no section `[storage]` will be a type `local`.
 - `AVATAR_UPLOAD_PATH`: **data/avatars**: Path to store user avatar image files.
@ -776,6 +854,7 @@ Default templates for project boards:
 - `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when STORAGE_TYPE is `minio`
 - `MINIO_BASE_PATH`: **attachments/**: Minio base path on the bucket only available when STORAGE_TYPE is `minio`
 - `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when STORAGE_TYPE is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`

 ## Log (`log`)

@ -802,7 +881,13 @@ Default templates for project boards:
  - `Identity`: the SignedUserName or `"-"` if not logged in.
  - `Start`: the start time of the request.
  - `ResponseWriter`: the responseWriter from the request.
+  - `RequestID`: the value matching REQUEST_ID_HEADERS（default: `-`, if not matched）.
  - You must be very careful to ensure that this template does not throw errors or panics as this template runs outside of the panic/recovery script.
+- `REQUEST_ID_HEADERS`: **\<empty\>**: You can configure multiple values that are splited by comma here. It will match in the order of configuration, and the first match will be finally printed in the access log.
+  - e.g.
+  - In the Request Header:        X-Request-ID: **test-id-123**
+  - Configuration in app.ini:     REQUEST_ID_HEADERS = X-Request-ID
+  - Print in log:                 127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800]  "**test-id-123**" ...

 ### Log subsections (`log.name`, `log.name.*`)

@ -963,7 +1048,7 @@ Default templates for project boards:

 #### Cron -  Check for new Gitea versions ('cron.update_checker')

- `ENABLED`: **false**: Enable service.
+- `ENABLED`: **true**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `ENABLE_SUCCESS_NOTICE`: **true**: Set to false to switch off success notices.
 - `SCHEDULE`: **@every 168h**: Cron syntax for scheduling a work, e.g. `@every 168h`.
@ -977,10 +1062,20 @@ Default templates for project boards:
 - `SCHEDULE`: **@every 168h**: Cron syntax to set how often to check.
 - `OLDER_THAN`: **@every 8760h**: any system notice older than this expression will be deleted from database.

+#### Cron -  Garbage collect LFS pointers in repositories ('cron.gc_lfs')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `SCHEDULE`: **@every 24h**: Cron syntax to set how often to check.
+- `OLDER_THAN`: **168h**: Only attempt to garbage collect LFSMetaObjects older than this (default 7 days)
+- `LAST_UPDATED_MORE_THAN_AGO`: **72h**: Only attempt to garbage collect LFSMetaObjects that have not been attempted to be garbage collected for this long (default 3 days)
+- `NUMBER_TO_CHECK_PER_REPO`: **100**: Minimum number of stale LFSMetaObjects to check per repo. Set to `0` to always check all.
+- `PROPORTION_TO_CHECK_PER_REPO`: **0.6**: Check at least this proportion of LFSMetaObjects per repo. (This may cause all stale LFSMetaObjects to be checked.)
+
 ## Git (`git`)

 - `PATH`: **""**: The path of Git executable. If empty, Gitea searches through the PATH environment.
- `HOME_PATH`: **%(APP_DATA_PATH)/home**: The HOME directory for Git.
+- `HOME_PATH`: **%(APP_DATA_PATH)s/home**: The HOME directory for Git.
   This directory will be used to contain the `.gitconfig` and possible `.gnupg` directories that Gitea's git calls will use. If you can confirm Gitea is the only application running in this environment, you can set it to the normal home directory for Gitea user.
 - `DISABLE_DIFF_HIGHLIGHT`: **false**: Disables highlight of added and removed changes.
 - `MAX_GIT_DIFF_LINES`: **1000**: Max number of lines allowed of a single file in diff view.
@ -1000,7 +1095,7 @@ Default templates for project boards:

 ## Git - Timeout settings (`git.timeout`)

- `DEFAUlT`: **360**: Git operations default timeout seconds.
+- `DEFAULT`: **360**: Git operations default timeout seconds.
 - `MIGRATE`: **600**: Migrate external repositories timeout seconds.
 - `MIRROR`: **300**: Mirror external repositories timeout seconds.
 - `CLONE`: **300**: Git clone from internal repositories timeout seconds.
@ -1102,7 +1197,7 @@ in this mapping or the filetype using heuristics.
 ## Time (`time`)

 - `FORMAT`: Time format to display on UI. i.e. RFC1123 or 2006-01-02 15:04:05
- `DEFAULT_UI_LOCATION`: Default location of time on the UI, so that we can display correct user's time on UI. i.e. Shanghai/Asia
+- `DEFAULT_UI_LOCATION`: Default location of time on the UI, so that we can display correct user's time on UI. i.e. Asia/Shanghai

 ## Task (`task`)

@ -1138,6 +1233,23 @@ Task queue configuration has been moved to `queue.task`. However, the below conf

 - `ENABLED`: **true**: Enable/Disable package registry capabilities
 - `CHUNKED_UPLOAD_PATH`: **tmp/package-upload**: Path for chunked uploads. Defaults to `APP_DATA_PATH` + `tmp/package-upload`
+- `LIMIT_TOTAL_OWNER_COUNT`: **-1**: Maximum count of package versions a single owner can have (`-1` means no limits)
+- `LIMIT_TOTAL_OWNER_SIZE`: **-1**: Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CARGO`: **-1**: Maximum size of a Cargo upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CHEF`: **-1**: Maximum size of a Chef upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_COMPOSER`: **-1**: Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONAN`: **-1**: Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONDA`: **-1**: Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONTAINER`: **-1**: Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_GENERIC`: **-1**: Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_HELM`: **-1**: Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_MAVEN`: **-1**: Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NPM`: **-1**: Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NUGET`: **-1**: Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PUB`: **-1**: Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PYPI`: **-1**: Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_RUBYGEMS`: **-1**: Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_VAGRANT`: **-1**: Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)

 ## Mirror (`mirror`)

@ -1163,6 +1275,7 @@ is `data/lfs` and the default of `MINIO_BASE_PATH` is `lfs/`.
 - `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
 - `MINIO_BASE_PATH`: **lfs/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
 - `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`

 ## Storage (`storage`)

@ -1175,6 +1288,7 @@ Default storage configuration for attachments, lfs, avatars and etc.
 - `MINIO_BUCKET`: **gitea**: Minio bucket to store the data only available when `STORAGE_TYPE` is `minio`
 - `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
 - `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`

 And you can also define a customize storage like below:

@ -1193,6 +1307,8 @@ MINIO_BUCKET = gitea
 MINIO_LOCATION = us-east-1
 ; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 MINIO_USE_SSL = false
+; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+MINIO_INSECURE_SKIP_VERIFY = false
 ```

 And used by `[attachment]`, `[lfs]` and etc. as `STORAGE_TYPE`.
@ -1213,6 +1329,7 @@ is `data/repo-archive` and the default of `MINIO_BASE_PATH` is `repo-archive/`.
 - `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
 - `MINIO_BASE_PATH`: **repo-archive/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
 - `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`

 ## Proxy (`proxy`)

@ -1228,9 +1345,45 @@ PROXY_URL = socks://127.0.0.1:1080
 PROXY_HOSTS = *.github.com
 ```

+## Actions (`actions`)
+
+- `ENABLED`: **false**: Enable/Disable actions capabilities
+- `DEFAULT_ACTIONS_URL`: **https://gitea.com**: Default address to get action plugins, e.g. the default value means downloading from "<https://gitea.com/actions/checkout>" for "uses: actions/checkout@v3"
+
+`DEFAULT_ACTIONS_URL` indicates where should we find the relative path action plugin. i.e. when use an action in a workflow file like
+
+```yaml
+name: versions
+on:
+  push:
+    branches:
+      - main
+      - releases/*
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+```
+
+Now we need to know how to get actions/checkout, this configuration is the default git server to get it. That means we will get the repository via git clone ${DEFAULT_ACTIONS_URL}/actions/checkout and fetch tag v3.
+
+To help people who don't want to mirror these actions in their git instances, the default value is https://gitea.com
+To help people run actions totally in their network, they can change the value and copy all necessary action repositories into their git server.
+
+Of course we should support the form in future PRs like
+
+```yaml
+steps:
+  - uses: gitea.com/actions/checkout@v3
+```
+
+although Github don't support this form.
+
 ## Other (`other`)

 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
 - `SHOW_FOOTER_VERSION`: **true**: Show Gitea and Go version information in the footer.
 - `SHOW_FOOTER_TEMPLATE_LOAD_TIME`: **true**: Show time of template execution in the footer.
 - `ENABLE_SITEMAP`: **true**: Generate sitemap.
+- `ENABLE_FEED`: **true**: Enable/Disable RSS/Atom feed.
--- a/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
@ -145,7 +145,19 @@ menu:
 - `ENABLE_NOTIFY_MAIL`: 是否发送工单创建等提醒邮件，需要 `Mailer` 被激活。
 - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: 允许反向代理认证，更多细节见：https://github.com/gogits/gogs/issues/165
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: 允许通过反向认证做自动注册。
- `ENABLE_CAPTCHA`: 注册时使用图片验证码。
+- `ENABLE_CAPTCHA`: **false**: 注册时使用图片验证码。
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: 登录时需要图片验证码。需要同时开启 `ENABLE_CAPTCHA`。
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha, cfturnstile\]，人机验证类型，分别表示图片认证、 recaptcha 、 hcaptcha 、mcaptcha 、和 cloudlfare 的 turnstile。
+- `RECAPTCHA_SECRET`: **""**: recaptcha 服务的密钥，可在 https://www.google.com/recaptcha/admin 获取。
+- `RECAPTCHA_SITEKEY`: **""**: recaptcha 服务的网站密钥 ，可在 https://www.google.com/recaptcha/admin 获取。
+- `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: 设置 recaptcha 的 url 。
+- `HCAPTCHA_SECRET`: **""**: hcaptcha 服务的密钥，可在 https://www.hcaptcha.com/ 获取。
+- `HCAPTCHA_SITEKEY`: **""**: hcaptcha 服务的网站密钥，可在 https://www.hcaptcha.com/ 获取。
+- `MCAPTCHA_SECRET`: **""**: mCaptcha 服务的密钥。
+- `MCAPTCHA_SITEKEY`: **""**: mCaptcha 服务的网站密钥。
+- `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: 设置 remCaptchacaptcha 的 url 。
+- `CF_TURNSTILE_SECRET` **""**: cloudlfare turnstile 服务的密钥，可在 https://dash.cloudflare.com/?to=/:account/turnstile 获取。
+- `CF_TURNSTILE_SITEKEY` **""**: cloudlfare turnstile 服务的网站密钥 ，可在 https://www.google.com/recaptcha/admin 获取。

 ### Service - Expore (`service.explore`)

@ -250,7 +262,22 @@ test01.xls: application/vnd.ms-excel; charset=binary

 - `ROOT_PATH`: 日志文件根目录。
 - `MODE`: 日志记录模式，默认是为 `console`。如果要写到多个通道，用逗号分隔
- `LEVEL`: 日志级别，默认为`Trace`。
+- `LEVEL`: 日志级别，默认为 `Trace`。
+- `DISABLE_ROUTER_LOG`: 关闭日志中的路由日志。
+- `ENABLE_ACCESS_LOG`: 是否开启 Access Log, 默认为 false。
+- `ACCESS_LOG_TEMPLATE`: `access.log` 输出内容的模板，默认模板：**`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**
+  模板支持以下参数:
+  - `Ctx`: 请求上下文。
+  - `Identity`: 登录用户名，默认: “`-`”。
+  - `Start`: 请求开始时间。
+  - `ResponseWriter`:
+  - `RequestID`: 从请求头中解析得到的与 `REQUEST_ID_HEADERS` 匹配的值，默认: “`-`”。
+  - 一定要谨慎配置该模板，否则可能会引起panic.
+- `REQUEST_ID_HEADERS`: 从 Request Header 中匹配指定 Key，并将匹配到的值输出到 `access.log` 中(需要在 `ACCESS_LOG_TEMPLATE` 中指定输出位置)。如果在该参数中配置多个 Key， 请用逗号分割，程序将按照配置的顺序进行匹配。
+  - 示例：
+  - 请求头：       X-Request-ID: **test-id-123**
+  - 配置文件：     REQUEST_ID_HEADERS = X-Request-ID
+  - 日志输出：     127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800]  "**test-id-123**" ...

 ## Cron (`cron`)

@ -419,6 +446,8 @@ MINIO_BUCKET = gitea
 MINIO_LOCATION = us-east-1
 ; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 MINIO_USE_SSL = false
+; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+MINIO_INSECURE_SKIP_VERIFY = false
 ```

 然后你在 `[attachment]`, `[lfs]` 等中可以把这个名字用作 `STORAGE_TYPE` 的值。
--- a/docs/content/doc/advanced/customizing-gitea.en-us.md
+++ b/docs/content/doc/advanced/customizing-gitea.en-us.md
@ -282,9 +282,22 @@ To add custom .gitignore, add a file with existing [.gitignore rules](https://gi

 ### Labels

-To add a custom label set, add a file that follows the [label format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) to `$GITEA_CUSTOM/options/label`
+Starting with Gitea 1.19, you can add a file that follows the [YAML label format](https://github.com/go-gitea/gitea/blob/main/options/label/Advanced.yaml) to `$GITEA_CUSTOM/options/label`:
+
+```yaml
+labels:
+  - name: "foo/bar"  # name of the label that will appear in the dropdown
+    exclusive: true # whether to use the exclusive namespace for scoped labels. scoped delimiter is /
+    color: aabbcc # hex colour coding
+    description: Some label # long description of label intent
+ ```
+
+The [legacy file format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) can still be used following the format below, however we strongly recommend using the newer YAML format instead.
+
 `#hex-color label name ; label description`

+For more information, see the [labels documentation]({{< relref "doc/usage/labels.en-us.md" >}}).
+
 ### Licenses

 To add a custom license, add a file with the license text to `$GITEA_CUSTOM/options/license`
--- a/docs/content/doc/advanced/external-renderers.en-us.md
+++ b/docs/content/doc/advanced/external-renderers.en-us.md
@ -192,5 +192,5 @@ And so you could write some CSS:
 Add your stylesheet to your custom directory e.g `custom/public/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:

 ```html
-<link type="text/css" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
+<link rel="stylesheet" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
 ```
--- a/docs/content/doc/advanced/logging-documentation.en-us.md
+++ b/docs/content/doc/advanced/logging-documentation.en-us.md
@ -15,6 +15,14 @@ menu:

 # Logging Configuration

+The logging configuration of Gitea mainly consists of 3 types of components:
+
+- The `[log]` section for general configuration
+- `[log.<sublogger>]` sections for the configuration of different log outputs
+- `[log.<sublogger>.<group>]` sections for output specific configuration of a log group
+
+As mentioned below, there is a fully functional log output by default, so it is not necessary to define one.
+
 **Table of Contents**

 {{< toc >}}
@ -23,6 +31,166 @@ menu:

 To collect logs for help and issue report, see [Support Options]({{< relref "doc/help/seek-help.en-us.md" >}}).

+## The `[log]` section
+
+Configuration of logging facilities in Gitea happen in the `[log]` section and it's subsections.
+
+In the top level `[log]` section the following configurations can be placed:
+
+- `ROOT_PATH`: (Default: **%(GITEA_WORK_DIR)/log**): Base path for log files
+- `MODE`: (Default: **console**) List of log outputs to use for the Default logger.
+- `ROUTER`: (Default: **console**): List of log outputs to use for the Router logger.
+- `ACCESS`: List of log outputs to use for the Access logger.
+- `XORM`: (Default: **,**) List of log outputs to use for the XORM logger.
+- `ENABLE_ACCESS_LOG`: (Default: **false**): whether the Access logger is allowed to emit logs
+- `ENABLE_XORM_LOG`: (Default: **true**): whether the XORM logger is allowed to emit logs
+
+For details on the loggers check the "Log Groups" section.
+Important: log outputs won't be used if you don't enable them for the desired loggers in the corresponding list value.
+
+Lists are specified as comma separated values. This format also works in subsection.
+
+This section may be used for defining default values for subsections.
+Examples:
+
+- `LEVEL`: (Default: **Info**) Least severe log events to persist. Case insensitive. The full list of levels as of v1.17.3 can be read [here](https://github.com/go-gitea/gitea/blob/v1.17.3/custom/conf/app.example.ini#L507).
+- `STACKTRACE_LEVEL`: (Default: **None**) For this and more severe events the stacktrace will be printed upon getting logged.
+
+Some values are not inherited by subsections. For details see the "Non-inherited default values" section.
+
+## Log outputs
+
+Log outputs are the targets to which log messages will be sent.
+The content and the format of the log messages to be saved can be configured in these.
+
+Log outputs are also called subloggers.
+
+Gitea provides 4 possible log outputs:
+
+- `console` - Log to `os.Stdout` or `os.Stderr`
+- `file` - Log to a file
+- `conn` - Log to a socket (network or unix)
+- `smtp` - Log via email
+
+By default, Gitea has a `console` output configured, which is used by the loggers as seen in the section "The log section" above.
+
+### Common configuration
+
+Certain configuration is common to all modes of log output:
+
+- `MODE` is the mode of the log output. It will default to the sublogger
+  name, thus `[log.console.router]` will default to `MODE = console`.
+  For mode specific confgurations read further.
+- `LEVEL` is the lowest level that this output will log. This value
+  is inherited from `[log]` and in the case of the non-default loggers
+  from `[log.sublogger]`.
+- `STACKTRACE_LEVEL` is the lowest level that this output will print
+  a stacktrace. This value is inherited.
+- `COLORIZE` will default to `true` for `console` as
+  described, otherwise it will default to `false`.
+
+### Non-inherited default values
+
+There are several values which are not inherited as described above but
+rather default to those specific to type of logger, these are:
+`EXPRESSION`, `FLAGS`, `PREFIX` and `FILE_NAME`.
+
+#### `EXPRESSION`
+
+`EXPRESSION` represents a regular expression that log events must match to be logged by the sublogger. Either the log message, (with colors removed), must match or the `longfilename:linenumber:functionname` must match. NB: the whole message or string doesn't need to completely match.
+
+Please note this expression will be run in the sublogger's goroutine
+not the logging event subroutine. Therefore it can be complicated.
+
+#### `FLAGS`
+
+`FLAGS` represents the preceding logging context information that is
+printed before each message. It is a comma-separated string set. The order of values does not matter.
+
+Possible values are:
+
+- `none` or `,` - No flags.
+- `date` - the date in the local time zone: `2009/01/23`.
+- `time` - the time in the local time zone: `01:23:23`.
+- `microseconds` - microsecond resolution: `01:23:23.123123`. Assumes
+  time.
+- `longfile` - full file name and line number: `/a/b/c/d.go:23`.
+- `shortfile` - final file name element and line number: `d.go:23`.
+- `funcname` - function name of the caller: `runtime.Caller()`.
+- `shortfuncname` - last part of the function name. Overrides
+  `funcname`.
+- `utc` - if date or time is set, use UTC rather than the local time
+  zone.
+- `levelinitial` - Initial character of the provided level in brackets eg. `[I]` for info.
+- `level` - Provided level in brackets `[INFO]`
+- `medfile` - Last 20 characters of the filename - equivalent to
+  `shortfile,longfile`.
+- `stdflags` - Equivalent to `date,time,medfile,shortfuncname,levelinitial`
+
+### Console mode
+
+In this mode the logger will forward log messages to the stdout and
+stderr streams attached to the Gitea process.
+
+For loggers in console mode, `COLORIZE` will default to `true` if not
+on windows, or the windows terminal can be set into ANSI mode or is a
+cygwin or Msys pipe.
+
+Settings:
+
+- `STDERR`: **false**: Whether the logger should print to `stderr` instead of `stdout`.
+
+### File mode
+
+In this mode the logger will save log messages to a file.
+
+Settings:
+
+- `FILE_NAME`: The file to write the log events to. For details see below.
+- `MAX_SIZE_SHIFT`: **28**: Maximum size shift of a single file. 28 represents 256Mb. For details see below.
+- `LOG_ROTATE` **true**: Whether to rotate the log files. TODO: if false, will it delete instead on daily rotate, or do nothing?.
+- `DAILY_ROTATE`: **true**: Whether to rotate logs daily.
+- `MAX_DAYS`: **7**: Delete rotated log files after this number of days.
+- `COMPRESS`: **true**: Whether to compress old log files by default with gzip.
+- `COMPRESSION_LEVEL`: **-1**: Compression level. For details see below.
+
+The default value of `FILE_NAME` depends on the respective logger facility.
+If unset, their own default will be used.
+If set it will be relative to the provided `ROOT_PATH` in the master `[log]` section.
+
+`MAX_SIZE_SHIFT` defines the maximum size of a file by left shifting 1 the given number of times (`1 << x`).
+The exact behavior at the time of v1.17.3 can be seen [here](https://github.com/go-gitea/gitea/blob/v1.17.3/modules/setting/log.go#L185).
+
+The useful values of `COMPRESSION_LEVEL` are from 1 to (and including) 9, where higher numbers mean better compression.
+Beware that better compression might come with higher resource usage.
+Must be preceded with a `-` sign.
+
+### Conn mode
+
+In this mode the logger will send log messages over a network socket.
+
+Settings:
+
+- `ADDR`: **:7020**: Sets the address to connect to.
+- `PROTOCOL`: **tcp**: Set the protocol, either "tcp", "unix" or "udp".
+- `RECONNECT`: **false**: Try to reconnect when connection is lost.
+- `RECONNECT_ON_MSG`: **false**: Reconnect host for every single message.
+
+### SMTP mode
+
+In this mode the logger will send log messages in email.
+
+It is not recommended to use this logger to send general logging
+messages. However, you could perhaps set this logger to work on `FATAL` messages only.
+
+Settings:
+
+- `HOST`: **127.0.0.1:25**: The SMTP host to connect to.
+- `USER`: User email address to send from.
+- `PASSWD`: Password for the smtp server.
+- `RECEIVERS`: Email addresses to send to.
+- `SUBJECT`: **Diagnostic message from Gitea**. The content of the email's subject field.
+
 ## Log Groups

 The fundamental thing to be aware of in Gitea is that there are several
@ -172,106 +340,6 @@ which will not be inherited from the `[log]` or relevant
 - `EXPRESSION` will default to `""`
 - `PREFIX` will default to `""`

-## Log outputs
-
-Gitea provides 4 possible log outputs:
-
- `console` - Log to `os.Stdout` or `os.Stderr`
- `file` - Log to a file
- `conn` - Log to a keep-alive TCP connection
- `smtp` - Log via email
-
-Certain configuration is common to all modes of log output:
-
- `LEVEL` is the lowest level that this output will log. This value
-  is inherited from `[log]` and in the case of the non-default loggers
-  from `[log.sublogger]`.
- `STACKTRACE_LEVEL` is the lowest level that this output will print
-  a stacktrace. This value is inherited.
- `MODE` is the mode of the log output. It will default to the sublogger
-  name. Thus `[log.console.router]` will default to `MODE = console`.
- `COLORIZE` will default to `true` for `console` as
-  described, otherwise it will default to `false`.
-
-### Non-inherited default values
-
-There are several values which are not inherited as described above but
-rather default to those specific to type of logger, these are:
-`EXPRESSION`, `FLAGS`, `PREFIX` and `FILE_NAME`.
-
-#### `EXPRESSION`
-
-`EXPRESSION` represents a regular expression that log events must match to be logged by the sublogger. Either the log message, (with colors removed), must match or the `longfilename:linenumber:functionname` must match. NB: the whole message or string doesn't need to completely match.
-
-Please note this expression will be run in the sublogger's goroutine
-not the logging event subroutine. Therefore it can be complicated.
-
-#### `FLAGS`
-
-`FLAGS` represents the preceding logging context information that is
-printed before each message. It is a comma-separated string set. The order of values does not matter.
-
-Possible values are:
-
- `none` or `,` - No flags.
- `date` - the date in the local time zone: `2009/01/23`.
- `time` - the time in the local time zone: `01:23:23`.
- `microseconds` - microsecond resolution: `01:23:23.123123`. Assumes
-  time.
- `longfile` - full file name and line number: `/a/b/c/d.go:23`.
- `shortfile` - final file name element and line number: `d.go:23`.
- `funcname` - function name of the caller: `runtime.Caller()`.
- `shortfuncname` - last part of the function name. Overrides
-  `funcname`.
- `utc` - if date or time is set, use UTC rather than the local time
-  zone.
- `levelinitial` - Initial character of the provided level in brackets eg. `[I]` for info.
- `level` - Provided level in brackets `[INFO]`
- `medfile` - Last 20 characters of the filename - equivalent to
-  `shortfile,longfile`.
- `stdflags` - Equivalent to `date,time,medfile,shortfuncname,levelinitial`
-
-### Console mode
-
-For loggers in console mode, `COLORIZE` will default to `true` if not
-on windows, or the windows terminal can be set into ANSI mode or is a
-cygwin or Msys pipe.
-
-If `STDERR` is set to `true` the logger will use `os.Stderr` instead of
-`os.Stdout`.
-
-### File mode
-
-The `FILE_NAME` defaults as described above. If set it will be relative
-to the provided `ROOT_PATH` in the master `[log]` section.
-
-Other values:
-
- `LOG_ROTATE`: **true**: Rotate the log files.
- `MAX_SIZE_SHIFT`: **28**: Maximum size shift of a single file, 28 represents 256Mb.
- `DAILY_ROTATE`: **true**: Rotate logs daily.
- `MAX_DAYS`: **7**: Delete the log file after n days
- `COMPRESS`: **true**: Compress old log files by default with gzip
- `COMPRESSION_LEVEL`: **-1**: Compression level
-
-### Conn mode
-
- `RECONNECT_ON_MSG`: **false**: Reconnect host for every single message.
- `RECONNECT`: **false**: Try to reconnect when connection is lost.
- `PROTOCOL`: **tcp**: Set the protocol, either "tcp", "unix" or "udp".
- `ADDR`: **:7020**: Sets the address to connect to.
-
-### SMTP mode
-
-It is not recommended to use this logger to send general logging
-messages. However, you could perhaps set this logger to work on `FATAL`.
-
- `USER`: User email address to send from.
- `PASSWD`: Password for the smtp server.
- `HOST`: **127.0.0.1:25**: The SMTP host to connect to.
- `RECEIVERS`: Email addresses to send to.
- `SUBJECT`: **Diagnostic message from Gitea**
-
 ## Debugging problems

 When submitting logs in Gitea issues it is often helpful to submit
--- a/docs/content/doc/advanced/repo-mirror.en-us.md
+++ b/docs/content/doc/advanced/repo-mirror.en-us.md
@ -41,13 +41,15 @@ For an existing remote repository, you can set up pull mirroring as follows:

 The repository now gets mirrored periodically from the remote repository. You can force a sync by selecting **Synchronize Now** in the repository settings.

+:exclamation::exclamation: **NOTE:** You can only set up pull mirroring for repos that don't exist yet on your instance. Once the repo is created, you can't convert it into a pull mirror anymore. :exclamation::exclamation:
+
 ## Pushing to a remote repository

 For an existing repository, you can set up push mirroring as follows:

 1. In your repository, go to **Settings** > **Repository**, and then the **Mirror Settings** section.
 2. Enter a repository URL.
-3. If the repository needs authentication expand the **Authorization** section and fill in your authentication information.
+3. If the repository needs authentication expand the **Authorization** section and fill in your authentication information. Note that the requested **password** can also be your access token.
 4. Select **Add Push Mirror** to save the configuration.

 The repository now gets mirrored periodically to the remote repository. You can force a sync by selecting **Synchronize Now**. In case of an error a message displayed to help you resolve it.
@ -59,9 +61,11 @@ The repository now gets mirrored periodically to the remote repository. You can
 To set up a mirror from Gitea to GitHub, you need to follow these steps:

 1. Create a [GitHub personal access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with the *public_repo* box checked.
-2. Fill in the **Git Remote Repository URL**: `https://github.com/<your_github_group>/<your_github_project>.git`.
-3. Fill in the **Authorization** fields with your GitHub username and the personal access token.
-4. Select **Add Push Mirror** to save the configuration.
+2. Create a repository with that name on GitHub. Unlike Gitea, GitHub does not support creating repositories by pushing to the remote. You can also use an existing remote repo if it has the same commit history as your Gitea repo.
+3. In the settings of your Gitea repo, fill in the **Git Remote Repository URL**: `https://github.com/<your_github_group>/<your_github_project>.git`.
+4. Fill in the **Authorization** fields with your GitHub username and the personal access token as **Password**.
+5. (Optional, available on Gitea 1.18+) Select `Sync when new commits are pushed` so that the mirror will be updated as well as soon as there are changes. You can also disable the periodic sync if you like.
+6. Select **Add Push Mirror** to save the configuration.

 The repository pushes shortly thereafter. To force a push, select the **Synchronize Now** button.

--- a/docs/content/doc/developers/guidelines-backend.en-us.md
+++ b/docs/content/doc/developers/guidelines-backend.en-us.md
@ -54,7 +54,7 @@ To maintain understandable code and avoid circular dependencies it is important

 ### Package Dependencies

-Since Golang don't support import cycles, we have to decide the package dependencies carefully. There are some levels between those packages. Below is the ideal package dependencies direction.
+Since Golang doesn't support import cycles, we have to decide the package dependencies carefully. There are some levels between those packages. Below is the ideal package dependencies direction.

 `cmd` -> `routers` -> `services` -> `models` -> `modules`

--- a/docs/content/doc/developers/guidelines-frontend.en-us.md
+++ b/docs/content/doc/developers/guidelines-frontend.en-us.md
@ -39,12 +39,22 @@ We recommend [Google HTML/CSS Style Guide](https://google.github.io/styleguide/h
 ### Gitea specific guidelines:

 1. Every feature (Fomantic-UI/jQuery module) should be put in separate files/directories.
-2. HTML ids and classes should use kebab-case.
+2. HTML ids and classes should use kebab-case, it's preferred to contain 2-3 feature related keywords.
 3. HTML ids and classes used in JavaScript should be unique for the whole project, and should contain 2-3 feature related keywords. We recommend to use the `js-` prefix for classes that are only used in JavaScript.
-4. jQuery events across different features could use their own namespaces if there are potential conflicts.
-5. CSS styling for classes provided by frameworks should not be overwritten. Always use new class-names with 2-3 feature related keywords to overwrite framework styles.
-6. The backend can pass complex data to the frontend by using `ctx.PageData["myModuleData"] = map[]{}`
-7. Simple pages and SEO-related pages use Go HTML Template render to generate static Fomantic-UI HTML output. Complex pages can use Vue3.
+4. CSS styling for classes provided by frameworks should not be overwritten. Always use new class names with 2-3 feature related keywords to overwrite framework styles. Gitea's helper CSS classes in `helpers.less` could be helpful.
+5. The backend can pass complex data to the frontend by using `ctx.PageData["myModuleData"] = map[]{}`, but do not expose whole models to the frontend to avoid leaking sensitive data.
+6. Simple pages and SEO-related pages use Go HTML Template render to generate static Fomantic-UI HTML output. Complex pages can use Vue3.
+7. Clarify variable types, prefer `elem.disabled = true` instead of `elem.setAttribute('disabled', 'anything')`, prefer `$el.prop('checked', var === 'yes')` instead of `$el.prop('checked', var)`.
+8. Use semantic elements, prefer `<button class="ui button">` instead of `<div class="ui button">`.
+9. Avoid unnecessary `!important` in CSS, add comments to explain why it's necessary if it can't be avoided.
+10. Avoid mixing different events in one event listener, prefer to use individual event listeners for every event.
+11. Custom event names are recommended to use `ce-` prefix.
+
+### Accessibility / ARIA
+
+In history, Gitea heavily uses Fomantic UI which is not an accessibility-friendly framework.
+Gitea uses some patches to make Fomantic UI more accessible (see the `aria.js` and `aria.md`),
+but there are still many problems which need a lot of work and time to fix.

 ### Framework Usage

@ -75,6 +85,9 @@ It's not recommended to use `async` event listeners, which may lead to problems.
 The reason is that the code after await is executed outside the event dispatch.
 Reference: https://github.com/github/eslint-plugin-github/blob/main/docs/rules/async-preventdefault.md

+If an event listener must be `async`, the `e.preventDefault()` should be before any `await`,
+it's recommended to put it at the beginning of the function.
+
 If we want to call an `async` function in a non-async context,
 it's recommended to use `const _promise = asyncFoo()` to tell readers
 that this is done by purpose, we want to call the async function and ignore the Promise.
@ -93,6 +106,27 @@ However, there are still some special cases, so the current guideline is:
  * `node.dataset` should not be used, use `node.getAttribute` instead.
  * never bind any user data to a DOM node, use a suitable design pattern to describe the relation between node and data.

+### Show/Hide Elements
+
+* Vue components are recommended to use `v-if` and `v-show` to show/hide elements.
+* Go template code should use Gitea's `.gt-hidden` and `showElem()/hideElem()/toggleElem()`, see more details in `.gt-hidden`'s comment.
+
+### Styles and Attributes in Go HTML Template
+
+It's recommended to use:
+
+```html
+<div class="gt-name1 gt-name2 {{if .IsFoo}}gt-foo{{end}}" {{if .IsFoo}}data-foo{{end}}></div>
+```
+
+instead of:
+
+```html
+<div class="gt-name1 gt-name2{{if .IsFoo}} gt-foo{{end}}"{{if .IsFoo}} data-foo{{end}}></div>
+```
+
+to make the code more readable.
+
 ### Legacy Code

 A lot of legacy code already existed before this document's written. It's recommended to refactor legacy code to follow the guidelines.
--- a/docs/content/doc/developers/guidelines-refactoring.en-us.md
+++ b/docs/content/doc/developers/guidelines-refactoring.en-us.md
@ -0,0 +1,51 @@
+---
+date: "2023-02-14T00:00:00+00:00"
+title: "Guidelines for Refactoring"
+slug: "guidelines-refactoring"
+weight: 20
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "developers"
+    name: "Guidelines for Refactoring"
+    weight: 20
+    identifier: "guidelines-refactoring"
+---
+
+# Guidelines for Refactoring
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Background
+
+Since the first line of code was written at Feb 12, 2014, Gitea has grown to be a large project.
+As a result, the codebase has become larger and larger. The larger the codebase is, the more difficult it is to maintain.
+A lot of outdated mechanisms exist, a lot of frameworks are mixed together, some legacy code might cause bugs and block new features.
+To make the codebase more maintainable and make Gitea better, developers should keep in mind to use modern mechanisms to refactor the old code.
+
+This document is a collection of guidelines for refactoring the codebase.
+
+## Refactoring Suggestions
+
+* Design more about the future, but not only resolve the current problem.
+* Reduce ambiguity, reduce conflicts, improve maintainability.
+* Describe the refactoring, for example:
+  * Why the refactoring is needed.
+  * How the legacy problems would be solved.
+  * What's the Pros/Cons of the refactoring.
+* Only do necessary changes, keep the old logic as much as possible.
+* Introduce some intermediate steps to make the refactoring easier to review, a complete refactoring plan could be done in several PRs.
+* If there is any divergence, the TOC(Technical Oversight Committee) should be involved to help to make decisions.
+* Add necessary tests to make sure the refactoring is correct.
+* Non-bug refactoring is preferred to be done at the beginning of a milestone, it would be easier to find problems before the release.
+
+## Reviewing & Merging Suggestions
+
+* A refactoring PR shouldn't be kept open for a long time (usually 7 days), it should be reviewed as soon as possible.
+* A refactoring PR should be merged as soon as possible, it should not be blocked by other PRs.
+* If there is no objection from TOC, a refactoring PR could be merged after 7 days with one core member's approval (not the author).
+* Tolerate some dirty/hacky intermediate steps if the final result is good.
+* Tolerate some regression bugs if the refactoring is necessary, fix bugs as soon as possible.
--- a/docs/content/doc/developers/hacking-on-gitea.zh-cn.md
+++ b/docs/content/doc/developers/hacking-on-gitea.zh-cn.md
@ -0,0 +1,349 @@
+---
+date: "2016-12-01T16:00:00+02:00"
+title: "玩转 Gitea"
+slug: "hacking-on-gitea"
+weight: 10
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "developers"
+    name: "玩转 Gitea"
+    weight: 10
+    identifier: "hacking-on-gitea"
+---
+
+# Hacking on Gitea
+
+**目录**
+
+{{< toc >}}
+
+## 快速入门
+
+要获得快速工作的开发环境，您可以使用 Gitpod。
+
+[![在 Gitpod 中打开](/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/go-gitea/gitea)
+
+## 安装 Golang
+
+您需要 [安装 go]( https://golang.org/doc/install ) 并设置您的 go 环境。
+
+接下来，[使用 npm 安装 Node.js](https://nodejs.org/en/download/) ，这是构建
+JavaScript 和 CSS 文件的必要工具。最低支持的 Node.js 版本是 {{< min-node-version >}}
+并且推荐使用最新的 LTS 版本。
+
+**注意** ：当执行需要外部工具的 make 任务时，比如
+`make watch-backend`，Gitea 会自动下载并构建这些必要的组件。为了能够使用这些，你必须
+将 `"$GOPATH"/bin` 目录加入到可执行路径上。如果你不把go bin目录添加到可执行路径你必须手动
+指定可执行程序路径。
+
+**注意2** ：Go版本 {{< min-go-version >}} 或更高版本是必须的。Gitea 使用 `gofmt` 来
+格式化源代码。然而，`gofmt` 的结果可能因 `go` 的版本而有差异。因此推荐安装我们持续集成使用
+的 Go版本。截至上次更新，Go 版本应该是 {{< go-version >}}。
+
+## 安装 Make
+
+Gitea 大量使用 `Make` 来自动化任务和改进开发。本指南涵盖了如何安装 Make。
+
+### 在 Linux 上
+
+使用包管理器安装。
+
+在 Ubuntu/Debian 上：
+
+```bash
+sudo apt-get install make
+```
+
+在 Fedora/RHEL/CentOS 上：
+
+```bash
+sudo yum install make
+```
+
+### 在 Windows 上
+
+Make 的这三个发行版都可以在 Windows 上运行：
+
+- [单个二进制构建]( http://www.equation.com/servlet/equation.cmd?fa=make )。复制到某处并添加到 `PATH`。
+  - [32 位版本](http://www.equation.com/ftpdir/make/32/make.exe)
+  - [64 位版本](http://www.equation.com/ftpdir/make/64/make.exe)
+- [MinGW-w64](https://www.mingw-w64.org) / [MSYS2](https://www.msys2.org/)。
+  - MSYS2 是一个工具和库的集合，为您提供一个易于使用的环境来构建、安装和运行本机 Windows 软件，它包括 MinGW-w64。
+  - 在 MingGW-w64 中，二进制文件称为 `mingw32-make.exe` 而不是 `make.exe`。将 `bin` 文件夹添加到 `PATH`。
+  - 在 MSYS2 中，您可以直接使用 `make`。请参阅 [MSYS2 移植](https://www.msys2.org/wiki/Porting/)。
+  - 要使用 CGO_ENABLED（例如：SQLite3）编译 Gitea，您可能需要使用 [tdm-gcc](https://jmeubank.github.io/tdm-gcc/) 而不是 MSYS2 gcc，因为 MSYS2 gcc 标头缺少一些 Windows -只有 CRT 函数像 _beginthread 一样。
+- [Chocolatey包管理器]( https://chocolatey.org/packages/make )。运行`choco install make`
+
+**注意** ：如果您尝试在 Windows 命令提示符下使用 make 进行构建，您可能会遇到问题。建议使用上述提示（Git bash 或 MinGW），但是如果您只有命令提示符（或可能是 PowerShell），则可以使用 [set](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) 命令，例如 `set TAGS=bindata`。
+
+## 下载并克隆 Gitea 源代码
+
+获取源代码的推荐方法是使用 `git clone`。
+
+```bash
+git clone https://github.com/go-gitea/gitea
+```
+
+（自从go modules出现后，不再需要构建 go 项目从 `$GOPATH` 中获取，因此不再推荐使用 `go get` 方法。）
+
+## 派生 Gitea
+
+如上所述下载主要的 Gitea 源代码。然后，派生 [Gitea 仓库](https://github.com/go-gitea/gitea)，
+并为您的本地仓库切换 git 远程源，或添加另一个远程源：
+
+```bash
+# 将原来的 Gitea origin 重命名为 upstream
+git remote rename origin upstream
+git remote add origin "git@github.com:$GITHUB_USERNAME/gitea.git"
+git fetch --all --prune
+```
+
+或者：
+
+```bash
+# 为我们的 fork 添加新的远程
+git remote add "$FORK_NAME" "git@github.com:$GITHUB_USERNAME/gitea.git"
+git fetch --all --prune
+```
+
+为了能够创建合并请求，应将分叉存储库添加为 Gitea 本地仓库的远程，否则无法推送更改。
+
+## 构建 Gitea（基本）
+
+看看我们的
+<a href='{{ < relref "doc/installation/from-source.en-us.md" > }}'>说明</a>
+关于如何 <a href='{{ < relref "doc/installation/from-source.en-us.md" > }}'>从源代码构建</a> 。
+
+从源代码构建的最简单推荐方法是：
+
+```bash
+TAGS="bindata sqlite sqlite_unlock_notify" make build
+```
+
+`build` 目标将同时执行 `frontend` 和 `backend` 子目标。如果存在 `bindata` 标签，资源文件将被编译成二进制文件。建议在进行前端开发时省略 `bindata` 标签，以便实时反映更改。
+
+有关所有可用的 `make` 目标，请参阅 `make help`。另请参阅 [`.drone.yml`](https://github.com/go-gitea/gitea/blob/main/.drone.yml) 以了解我们的持续集成是如何工作的。
+
+## 持续构建
+
+要在源文件更改时运行并持续构建：
+
+```bash
+# 对于前端和后端
+make watch
+
+# 或者：只看前端文件（html/js/css）
+make watch-frontend
+
+# 或者：只看后端文件 (go)
+make watch-backend
+```
+
+在 macOS 上，监视所有后端源文件可能会达到默认的打开文件限制，这可以通过当前 shell 的 `ulimit -n 12288` 或所有未来 shell 的 shell 启动文件来增加。
+
+### 格式化、代码分析和拼写检查
+
+我们的持续集成将拒绝未通过代码检查（包括格式检查、代码分析和拼写检查）的 PR。
+
+你应该格式化你的代码：
+
+```bash
+make fmt
+```
+
+并检查源代码：
+
+```bash
+# lint 前端和后端代码
+make lint
+# 仅 lint 后端代码
+make lint-backend
+```
+
+**注意** ：`gofmt` 的结果取决于 `go` 的版本。您应该运行与持续集成相同的 go 版本。
+
+### 处理 JS 和 CSS
+
+前端开发应遵循 [Guidelines for Frontend Development]({{ < 相关参考 "doc/developers/guidelines-frontend.en-us.md" > }})
+
+要使用前端资源构建，请使用上面提到的“watch-frontend”目标或只构建一次：
+
+```bash
+make build && ./gitea
+```
+
+在提交之前，确保 linters 通过：
+
+```bash
+make lint-frontend
+```
+
+### 配置本地 ElasticSearch 实例
+
+使用 docker 启动本地 ElasticSearch 实例：
+
+```sh
+mkdir -p $(pwd) /data/elasticsearch
+sudo chown -R 1000:1000 $(pwd) /data/elasticsearch
+docker run --rm --memory= "4g" -p 127.0.0.1:9200:9200 -p 127.0.0.1:9300:9300 -e "discovery.type=single-node" -v "$(pwd)/data /elasticsearch:/usr/share/elasticsearch/data" docker.elastic.co/elasticsearch/elasticsearch:7.16.3
+```
+
+配置`app.ini`：
+
+```ini
+[indexer]
+ISSUE_INDEXER_TYPE = elasticsearch
+ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_TYPE = elasticsearch
+REPO_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
+```
+
+### 构建和添加 SVGs
+
+SVG 图标是使用 `make svg` 目标构建的，该目标将 `build/generate-svg.js` 中定义的图标源编译到输出目录 `public/img/svg` 中。可以在 `web_src/svg` 目录中添加自定义图标。
+
+### 构建 Logo
+
+Gitea Logo的 PNG 和 SVG 版本是使用 `TAGS="gitea" make generate-images` 目标从单个 SVG 源文件 assets/logo.svg 构建的。要运行它，Node.js 和 npm 必须可用。
+
+通过更新 `assets/logo.svg` 并运行 `make generate-images`，同样的过程也可用于从 SVG 源文件生成自定义 Logo PNG。忽略 gitea 编译选项将仅更新用户指定的 LOGO 文件。
+
+### 更新 API
+
+创建新的 API 路由或修改现有的 API 路由时，您**必须**
+更新和/或创建 [Swagger](https://swagger.io/docs/specification/2-0/what-is-swagger/)
+这些使用 [go-swagger](https://goswagger.io/) 评论的文档。
+[规范]( https://goswagger.io/use/spec.html#annotation-syntax )中描述了这些注释的结构。
+如果您想了解更多有关 Swagger 结构的信息，可以查看
+[Swagger 2.0 文档](https://swagger.io/docs/specification/2-0/basic-structure/)
+或与添加新 API 端点的先前 PR 进行比较，例如 [PR #5483](https://github.com/go-gitea/gitea/pull/5843/files#diff-2e0a7b644cf31e1c8ef7d76b444fe3aaR20)
+
+您应该注意不要破坏下游用户依赖的 API。在稳定的 API 上，一般来说添加是可以接受的，但删除
+或对 API 进行根本性更改将会被拒绝。
+
+创建或更改 API 端点后，请用以下命令重新生成 Swagger 文档：
+
+```bash
+make generate-swagger
+```
+
+您应该验证生成的 Swagger 文件并使用以下命令对其进行拼写检查：
+
+```bash
+make swagger-validate misspell-check
+```
+
+您应该提交更改后的 swagger JSON 文件。持续集成服务器将使用以下方法检查是否已完成：
+
+```bash
+make swagger-check
+```
+
+**注意** ：请注意，您应该使用 Swagger 2.0 文档，而不是 OpenAPI 3 文档。
+
+### 创建新的配置选项
+
+创建新的配置选项时，将它们添加到 `modules/setting` 的对应文件。您应该将信息添加到 `custom/conf/app.ini`
+并到 <a href = '{{ < relref "doc/advanced/config-cheat-sheet.en-us.md" > }}'>配置备忘单</a>
+在 `docs/content/doc/advanced/config-cheat-sheet.en-us.md` 中找到
+
+### 更改Logo
+
+更改 Gitea Logo SVG 时，您将需要运行并提交结果的：
+
+```bash
+make generate-images
+```
+
+这将创建必要的 Gitea 图标和其他图标。
+
+### 数据库迁移
+
+如果您对数据库中的任何数据库持久结构进行重大更改
+`models/` 目录，您将需要进行新的迁移。可以找到这些
+在 `models/migrations/` 中。您可以确保您的迁移适用于主要
+数据库类型使用：
+
+```bash
+make test-sqlite-migration # 将 SQLite 切换为适当的数据库
+```
+
+## 测试
+
+Gitea 运行两种类型的测试：单元测试和集成测试。
+
+### 单元测试
+
+`go test` 系统中的`*_test.go` 涵盖了单元测试。
+您可以设置环境变量 `GITEA_UNIT_TESTS_LOG_SQL=1` 以在详细模式下运行测试时显示所有 SQL 语句（即设置`GOTESTFLAGS=-v` 时）。
+
+```bash
+TAGS="bindata sqlite sqlite_unlock_notify" make test # Runs the unit tests
+```
+
+### 集成测试
+
+单元测试不会也不能完全单独测试 Gitea。因此，我们编写了集成测试；但是，这些依赖于数据库。
+
+```bash
+TAGS="bindata sqlite sqlite_unlock_notify" make build test-sqlite
+```
+
+将在 SQLite 环境中运行集成测试。集成测试需要安装 `git lfs`。其他数据库测试可用，但
+可能需要适应当地环境。
+
+看看 [`tests/integration/README.md`](https://github.com/go-gitea/gitea/blob/main/tests/integration/README.md) 有关更多信息以及如何运行单个测试。
+
+### 测试 PR
+
+我们的持续集成将测试代码是否通过了单元测试，并且所有支持的数据库都将在 Docker 环境中通过集成测试。
+还将测试从几个最新版本的 Gitea 迁移。
+
+请在PR中附带提交适当的单元测试和集成测试。
+
+## 网站文档
+
+该网站的文档位于 `docs/` 中。如果你改变了文档内容，你可以使用以下测试方法进行持续集成：
+
+```bash
+# 来自 Gitea 中的 docs 目录
+make trans-copy clean build
+```
+
+运行此任务依赖于 [Hugo](https://gohugo.io/)。请注意：这可能会生成一些未跟踪的 Git 对象，
+需要被清理干净。
+
+## Visual Studio Code
+
+`contrib/ide/vscode` 中为 Visual Studio Code 提供了 `launch.json` 和 `tasks.json`。查看
+[`contrib/ide/README.md`](https://github.com/go-gitea/gitea/blob/main/contrib/ide/README.md) 了解更多信息。
+
+## Goland
+
+单击 `/main.go` 中函数 `func main()` 上的 `Run Application` 箭头
+可以快速启动一个可调试的 Gitea 实例。
+
+`Run/Debug Configuration` 中的 `Output Directory` 必须设置为
+gitea 项目目录（包含 `main.go` 和 `go.mod`），
+否则，启动实例的工作目录是 GoLand 的临时目录
+并防止 Gitea 在开发环境中加载动态资源（例如：模板）。
+
+要在 GoLand 中使用 SQLite 运行单元测试，请设置 `-tags sqlite,sqlite_unlock_notify`
+在 `运行/调试配置` 的 `Go 工具参数` 中。
+
+## 提交 PR
+
+对更改感到满意后，将它们推送并打开拉取请求。它建议您允许 Gitea Managers 和 Owners 修改您的 PR
+分支，因为我们需要在合并之前将其更新为 main 和/或可能是能够直接帮助解决问题。
+
+任何 PR 都需要 Gitea 维护者的两次批准，并且需要通过持续集成。看看我们的
+[CONTRIBUTING.md](https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md)
+文档。
+
+如果您需要更多帮助，请访问 [Discord](https://discord.gg/gitea) #Develop 频道
+并在那里聊天。
+
+现在，您已准备好 Hacking Gitea。
--- a/docs/content/doc/developers/oauth2-provider.en-us.md
+++ b/docs/content/doc/developers/oauth2-provider.en-us.md
@ -42,7 +42,42 @@ To use the Authorization Code Grant as a third party application it is required

 ## Scopes

-Currently Gitea does not support scopes (see [#4300](https://github.com/go-gitea/gitea/issues/4300)) and all third party applications will be granted access to all resources of the user and their organizations.
+Gitea supports the following scopes for tokens:
+
+| Name | Description |
+| ---- | ----------- |
+| **(no scope)** | Grants read-only access to public user profile and public repositories. |
+| **repo** | Full control over all repositories. |
+| &nbsp;&nbsp;&nbsp; **repo:status** | Grants read/write access to commit status in all repositories. |
+| &nbsp;&nbsp;&nbsp; **public_repo** | Grants read/write access to public repositories only. |
+| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
+| &nbsp;&nbsp;&nbsp; **write:repo_hook** | Grants read/write access to repository hooks |
+| &nbsp;&nbsp;&nbsp; **read:repo_hook** | Grants read-only access to repository hooks |
+| **admin:org** | Grants full access to organization settings |
+| &nbsp;&nbsp;&nbsp; **write:org** | Grants read/write access to organization settings |
+| &nbsp;&nbsp;&nbsp; **read:org** | Grants read-only access to organization settings |
+| **admin:public_key** | Grants full access for managing public keys |
+| &nbsp;&nbsp;&nbsp; **write:public_key** | Grant read/write access to public keys |
+| &nbsp;&nbsp;&nbsp; **read:public_key** | Grant read-only access to public keys |
+| **admin:org_hook** | Grants full access to organizational-level hooks |
+| **admin:user_hook** | Grants full access to user-level hooks |
+| **notification** | Grants full access to notifications |
+| **user** | Grants full access to user profile info |
+| &nbsp;&nbsp;&nbsp; **read:user** | Grants read access to user's profile |
+| &nbsp;&nbsp;&nbsp; **user:email** | Grants read access to user's email addresses |
+| &nbsp;&nbsp;&nbsp; **user:follow** | Grants access to follow/un-follow a user |
+| **delete_repo** | Grants access to delete repositories as an admin |
+| **package** | Grants full access to hosted packages |
+| &nbsp;&nbsp;&nbsp; **write:package** | Grants read/write access to packages |
+| &nbsp;&nbsp;&nbsp; **read:package** | Grants read access to packages |
+| &nbsp;&nbsp;&nbsp; **delete:package** | Grants delete access to packages |
+| **admin:gpg_key** | Grants full access for managing GPG keys |
+| &nbsp;&nbsp;&nbsp; **write:gpg_key** | Grants read/write access to GPG keys |
+| &nbsp;&nbsp;&nbsp; **read:gpg_key** | Grants read-only access to GPG keys |
+| **admin:application** | Grants full access to manage applications |
+| &nbsp;&nbsp;&nbsp; **write:application** | Grants read/write access for managing applications |
+| &nbsp;&nbsp;&nbsp; **read:application** | Grants read access for managing applications |
+| **sudo** | Allows to perform actions as the site admin. |

 ## Client types

--- a/docs/content/doc/features/authentication.en-us.md
+++ b/docs/content/doc/features/authentication.en-us.md
@ -166,11 +166,47 @@ Uses the following fields:

 ## PAM (Pluggable Authentication Module)

-To configure PAM, set the 'PAM Service Name' to a filename in `/etc/pam.d/`. To
-work with normal Linux passwords, the user running Gitea must have read access
-to `/etc/shadow`.
+This procedure enables PAM authentication.  Users may still be added to the
+system manually using the user administration.  PAM provides a mechanism to
+automatically add users to the current database by testing them against PAM
+authentication.  To work with normal Linux passwords, the user running Gitea
+must also have read access to `/etc/shadow` in order to check the validity of
+the account when logging in using a public key.

-**Note**: PAM support is added via [build-time flags](https://docs.gitea.io/en-us/install-from-source/#build), and the official binaries provided do not have this enabled.
+**Note**: If a user has added SSH public keys into Gitea, the use of these
+keys _may_ bypass the login check system.  Therefore, if you wish to disable a user who
+authenticates with PAM, you _should_ also manually disable the account in Gitea using the
+built-in user manager.
+
+1. Configure and prepare the installation.
+    - It is recommended that you create an administrative user.
+    - Deselecting automatic sign-up may also be desired.
+1. Once the database has been initialized, log in as the newly created
+administrative user.
+1. Navigate to the user setting (icon in top-right corner), and select
+`Site Administration` -> `Authentication Sources`, and select
+`Add Authentication Source`.
+1. Fill out the field as follows:
+    - `Authentication Type` : `PAM`
+    - `Name` : Any value should be valid here, use "System Authentication" if
+    you'd like.
+    - `PAM Service Name` : Select the appropriate file listed under `/etc/pam.d/`
+    that performs the authentication desired.[^1]
+    - `PAM Email Domain` : The e-mail suffix to append to user authentication.
+    For example, if the login system expects a user called `gituser`, and this
+    field is set to `mail.com`, then Gitea will expect the `user email` field
+    for an authenticated GIT instance to be `gituser@mail.com`.[^2]
+
+**Note**: PAM support is added via [build-time flags](https://docs.gitea.io/en-us/install-from-source/#build),
+and the official binaries provided do not have this enabled.  PAM requires that
+the necessary libpam dynamic library be available and the necessary PAM
+development headers be accessible to the compiler.
+
+[^1]: For example, using standard Linux log-in on Debian "Bullseye" use
+`common-session-noninteractive` - this value may be valid for other flavors of
+Debian including Ubuntu and Mint, consult your distribution's documentation.
+[^2]: **This is a required field for PAM**.  Be aware: In the above example, the
+user will log into the Gitea web interface as `gituser` and not `gituser@mail.com`

 ## SMTP (Simple Mail Transfer Protocol)

@ -293,3 +329,22 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y
  - You have added the URL of the web app to the `Local intranet zone`
  - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
  - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
+
+## Reverse Proxy
+
+Gitea supports Reverse Proxy Header authentication, it will read headers as a trusted login user name or user email address. This hasn't been enabled by default, you can enable it with
+
+```ini
+[service]
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+```
+
+The default login user name is in the `X-WEBAUTH-USER` header, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_USER` in app.ini. If the user doesn't exist, you can enable automatic registration with `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true`.
+
+The default login user email is `X-WEBAUTH-EMAIL`, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_EMAIL` in app.ini, this could also be disabled with `ENABLE_REVERSE_PROXY_EMAIL`
+
+If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WEBAUTH-FULLNAME` will be assigned to the user when auto creating the user. You can also change the header name with `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`.
+
+You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
+
+Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
--- a/docs/content/doc/features/authentication.zh-cn.md
+++ b/docs/content/doc/features/authentication.zh-cn.md
@ -15,4 +15,21 @@ menu:

 # 认证

-## TBD
+## 反向代理认证
+
+Gitea 支持通过读取反向代理传递的 HTTP 头中的登录名或者 email 地址来支持反向代理来认证。默认是不启用的，你可以用以下配置启用。
+
+```ini
+[service]
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+```
+
+默认的登录用户名的 HTTP 头是 `X-WEBAUTH-USER`，你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_USER` 来变更它。如果用户不存在，可以自动创建用户，当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。
+
+默认的登录用户 Email 的 HTTP 头是 `X-WEBAUTH-EMAIL`，你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_EMAIL` 来变更它。如果用户不存在，可以自动创建用户，当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。你也可以通过修改 `ENABLE_REVERSE_PROXY_EMAIL` 来启用或停用这个 HTTP 头。
+
+如果设置了 `ENABLE_REVERSE_PROXY_FULL_NAME=true`，则用户的全名会从 `X-WEBAUTH-FULLNAME` 读取，这样在自动创建用户时将使用这个字段作为用户全名，你也可以通过修改 `REVERSE_PROXY_AUTHENTICATION_FULL_NAME` 来变更 HTTP 头。
+
+你也可以通过修改 `REVERSE_PROXY_TRUSTED_PROXIES` 来设置反向代理的IP地址范围，加强安全性，默认值是 `127.0.0.0/8,::1/128`。 通过 `REVERSE_PROXY_LIMIT`， 可以设置最多信任几级反向代理。
+
+注意：反向代理认证不支持认证 API，API 仍旧需要用 access token 来进行认证。
--- a/docs/content/doc/features/comparison.en-us.md
+++ b/docs/content/doc/features/comparison.en-us.md
@ -56,7 +56,7 @@ _Symbols used in table:_
 | Deploy Tokens                                    | ✓                                                   | ✓    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Repository Tokens with write rights              | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | RSS Feeds                                        | ✓                                                   | ✘    | ✓         | ✘         | ✘         | ✘         | ✘            |
-| Built-in CI/CD                                   | [✘](https://github.com/go-gitea/gitea/issues/13539) | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
+| Built-in CI/CD                                   | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
 | Subgroups: groups within groups                  | [✘](https://github.com/go-gitea/gitea/issues/1872)  | ✘    | ✘         | ✓         | ✓         | ✘         | ✓            |
 | Interaction with other instances                 | [/](https://github.com/go-gitea/gitea/issues/18240) | ✘    | ✘         | ✘         | ✘         | ✘         | ✘            |
 | Mermaid diagrams in Markdown                     | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
@ -74,7 +74,7 @@ _Symbols used in table:_
 | Granular user roles (Code, Issues, Wiki, …) | ✓                                                   | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | Verified Committer                          | ⁄                                                   | ✘    | ?         | ✓         | ✓         | ✓         | ✘            |
 | GPG Signed Commits                          | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
-| SSH Signed Commits                          | ✓                                                   | ✘    | ✓         | ✘         | ✘         | ?         | ?            |
+| SSH Signed Commits                          | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ?         | ?            |
 | Reject unsigned commits                     | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Migrating repos from other services         | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Repository Activity page                    | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
@ -106,7 +106,7 @@ _Symbols used in table:_
 | Issue search                  | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✘            |
 | Global issue search           | [/](https://github.com/go-gitea/gitea/issues/2434)  | ✘    | ✓         | ✓         | ✓         | ✓         | ✘            |
 | Issue dependency              | ✓                                                   | ✘    | ✘         | ✘         | ✘         | ✘         | ✘            |
-| Create issue via email        | [✘](https://github.com/go-gitea/gitea/issues/6226)  | ✘    | ✘         | ✘         | ✓         | ✓         | ✘            |
+| Create issue via email        | [✘](https://github.com/go-gitea/gitea/issues/6226)  | ✘    | ✘         | ✓         | ✓         | ✓         | ✘            |
 | Service Desk                  | [✘](https://github.com/go-gitea/gitea/issues/6219)  | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |

 ## Pull/Merge requests
--- a/docs/content/doc/features/comparison.zh-cn.md
+++ b/docs/content/doc/features/comparison.zh-cn.md
@ -49,7 +49,7 @@ _表格中的符号含义:_
 | 内置容器 Registry     | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
 | 外部 Git 镜像         | ✓                                                  | ✓    | ✘         | ✘         | ✓         | ✓              | ✓            |
 | WebAuthn (2FA)        | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓              | ?            |
-| 内置 CI/CD            | ✘                                                  | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
+| 内置 CI/CD            | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
 | 子组织：组织内的组织  | [✘](https://github.com/go-gitea/gitea/issues/1872) | ✘    | ✘         | ✓         | ✓         | ✘              | ✓            |

 #### 代码管理
@ -92,7 +92,7 @@ _表格中的符号含义:_
 | 工单搜索            | ✓                                                  | ✘                                             | ✓         | ✓                                                                       | ✓         | ✓              | ✘            |
 | 工单全局搜索        | [✘](https://github.com/go-gitea/gitea/issues/2434) | ✘                                             | ✓         | ✓                                                                       | ✓         | ✓              | ✘            |
 | 工单依赖关系        | ✓                                                  | ✘                                             | ✘         | ✘                                                                       | ✘         | ✘              | ✘            |
-| 通过 Email 创建工单 | [✘](https://github.com/go-gitea/gitea/issues/6226) | [✘](https://github.com/gogs/gogs/issues/2602) | ✘         | ✘                                                                       | ✓         | ✓              | ✘            |
+| 通过 Email 创建工单 | [✘](https://github.com/go-gitea/gitea/issues/6226) | [✘](https://github.com/gogs/gogs/issues/2602) | ✘         | ✓                                                                       | ✓         | ✓              | ✘            |
 | 服务台              | [✘](https://github.com/go-gitea/gitea/issues/6219) | ✘                                             | ✘         | [✓](https://gitlab.com/groups/gitlab-org/-/epics/3103)                  | ✓         | ✘              | ✘            |

 #### Pull/Merge requests
--- a/docs/content/doc/features/comparison.zh-tw.md
+++ b/docs/content/doc/features/comparison.zh-tw.md
@ -51,7 +51,7 @@ menu:
 | 內建 Container Registry  | [✘](https://github.com/go-gitea/gitea/issues/2316) | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | 對外部 Git 鏡像          | ✓                                                  | ✓    | ✘         | ✘         | ✓         | ✓         | ✓            |
 | FIDO (2FA)               | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓         | ✘            |
-| 內建 CI/CD               | ✘                                                  | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
+| 內建 CI/CD               | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
 | 子群組: 群組中的群組     | ✘                                                  | ✘    | ✘         | ✓         | ✓         | ✘         | ✓            |

 ## 程式碼管理
@ -93,7 +93,7 @@ menu:
 | 問題搜尋             | ✓                                                  | ✘                                             | ✓         | ✓                                                                       | ✓         | ✓         | ✘            |
 | 全域問題搜尋         | [✘](https://github.com/go-gitea/gitea/issues/2434) | ✘                                             | ✓         | ✓                                                                       | ✓         | ✓         | ✘            |
 | 問題相依             | ✓                                                  | ✘                                             | ✘         | ✘                                                                       | ✘         | ✘         | ✘            |
-| 從電子郵件建立問題   | [✘](https://github.com/go-gitea/gitea/issues/6226) | [✘](https://github.com/gogs/gogs/issues/2602) | ✘         | ✘                                                                       | ✓         | ✓         | ✘            |
+| 從電子郵件建立問題   | [✘](https://github.com/go-gitea/gitea/issues/6226) | [✘](https://github.com/gogs/gogs/issues/2602) | ✘         | ✓                                                                       | ✓         | ✓         | ✘            |
 | 服務台               | [✘](https://github.com/go-gitea/gitea/issues/6219) | ✘                                             | ✘         | [✓](https://gitlab.com/groups/gitlab-org/-/epics/3103)                  | ✓         | ✘         | ✘            |

 ## 拉取/合併請求
--- a/docs/content/doc/help/faq.en-us.md
+++ b/docs/content/doc/help/faq.en-us.md
@ -58,29 +58,33 @@ https://github.com/loganinak/MigrateGitlabToGogs

 ## Where does Gitea store what file

- WorkPath
-  - Environment variable `GITEA_WORK_DIR`
-  - Else `--work-path` flag
+- _`AppWorkPath`_
+  - The `--work-path` flag
+  - Else Environment variable `GITEA_WORK_DIR`
+  - Else a built-in value set at build time
  - Else the directory that contains the Gitea binary
- AppDataPath (default for database, indexers, etc.)
+- `%(APP_DATA_PATH)` (default for database, indexers, etc.)
  - `APP_DATA_PATH` from `app.ini`
-  - Else `%(WorkPath)/data`
- CustomPath (custom templates)
-  - Environment variable `GITEA_CUSTOM`
-  - Else `%(WorkPath)/custom`
+  - Else _`AppWorkPath`_`/data`
+- _`CustomPath`_ (custom templates)
+  - The `--custom-path` flag
+  - Else Environment variable `GITEA_CUSTOM`
+  - Else a built-in value set at build time
+  - Else _`AppWorkPath`_`/custom`
 - HomeDir
  - Unix: Environment variable `HOME`
  - Windows: Environment variable `USERPROFILE`, else environment variables `HOMEDRIVE`+`HOMEPATH`
 - RepoRootPath
  - `ROOT` in the \[repository] section of `app.ini` if absolute
-  - Else `%(AppWorkPath)/ROOT` if `ROOT` in the \[repository] section of `app.ini` if relative
-  - Default `%(AppDataPath)/gitea-repositories`
+  - Else _`AppWorkPath`_`/ROOT` if `ROOT` in the \[repository] section of `app.ini` if relative
+  - Default `%(APP_DATA_PATH)/gitea-repositories`
 - INI (config file)
-  - `-c` flag
-  - Else `%(CustomPath)/conf/app.ini`
+  - `--config` flag
+  - A possible built-in value set a build time
+  - Else _`CustomPath`_`/conf/app.ini`
 - SQLite Database
  - `PATH` in `database` section of `app.ini`
-  - Else `%(AppDataPath)/gitea.db`
+  - Else `%(APP_DATA_PATH)/gitea.db`

 ## Not seeing a clone URL or the clone URL being incorrect

@ -134,6 +138,8 @@ For more information, refer to Gitea's [API docs]({{< relref "doc/developers/api

 You can see the latest API (for example) on <https://try.gitea.io/api/swagger>.

+You can also see an example of the `swagger.json` file at <https://try.gitea.io/swagger.v1.json>.
+
 ## Adjusting your server for public/private use

 ### Preventing spammers
@ -443,3 +449,14 @@ It is highly recommended to back-up your database before running these commands.
 If you are using Cloudflare, turn off the auto-minify option in the dashboard.

 `Speed` -> `Optimization` -> Uncheck `HTML` within the `Auto-Minify` settings.
+
+## How to adopt repositories from disk
+
+- Add your (bare) repositories to the correct spot for your configuration (`repository.ROOT`), ensuring they are in the correct layout `<REPO_ROOT>/[user]/[repo].git`.
+  - **Note:** the directory names must be lowercase.
+  - You can also check `<ROOT_URL>/admin/config` for the repository root path.
+- Ensure that the user/org exists that you want to adopt repositories for.
+- As an admin, go to `<ROOT_URL>/admin/repos/unadopted` and search.
+  - Users can also be given similar permissions via config [`ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`]({{< relref "doc/advanced/config-cheat-sheet.en-us.md#repository" >}}).
+- If the above steps are done correctly, you should be able to select repositories to adopt.
+  - If no repositories are found, enable [debug logging]({{< relref "doc/advanced/config-cheat-sheet.en-us.md#repository" >}}) to check for any specific errors.
--- a/Show more
+++ b/Show more