Merge branch 'main' into feature/clear-merge-commit-content-button

2022-11-04 17:05:51 +08:00 · 2022-11-04 17:05:51 +08:00 · 1f947a8576
commit 1f947a8576
parent 84a5110275 2900dc90a7
60 changed files with 927 additions and 356 deletions
--- a/1
+++ b/1
@ -44,7 +44,6 @@ Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
 Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
 Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
 Leon Hofmeister <dev.lh@web.de> (@delvh) 
 Gusted <williamzijl7@hotmail.com) (@Gusted)
 silentcode <silentcode@senga.org> (@silentcodeg)
 Wim <wim@42.be> (@42wim)
 xinyu <xinyu@nerv.org.cn> (@penlinux)
--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@ -14,11 +14,6 @@ if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
    ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
 fi
 if [ ! -f /data/ssh/ssh_host_dsa_key ]; then
    echo "Generating /data/ssh/ssh_host_dsa_key..."
    ssh-keygen -t dsa -f /data/ssh/ssh_host_dsa_key -N "" > /dev/null
 fi
 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
    echo "Generating /data/ssh/ssh_host_ecdsa_key..."
    ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
@ -36,17 +31,12 @@ if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
 fi
 if [ -e /data/ssh/ssh_host_dsa_cert ]; then
  SSH_DSA_CERT=${SSH_DSA_CERT:-"/data/ssh/ssh_host_dsa_cert"}
 fi
 if [ -d /etc/ssh ]; then
    SSH_PORT=${SSH_PORT:-"22"} \
    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
    SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
    SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
    SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
    SSH_DSA_CERT="${SSH_DSA_CERT:+"HostCertificate "}${SSH_DSA_CERT}" \
    SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
    SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
    SSH_INCLUDE_FILE="${SSH_INCLUDE_FILE:+"Include "}${SSH_INCLUDE_FILE}" \
--- a/docker/root/etc/templates/sshd_config
+++ b/docker/root/etc/templates/sshd_config
@ -16,8 +16,6 @@ HostKey /data/ssh/ssh_host_rsa_key
 ${SSH_RSA_CERT}
 HostKey /data/ssh/ssh_host_ecdsa_key
 ${SSH_ECDSA_CERT}
 HostKey /data/ssh/ssh_host_dsa_key
 ${SSH_DSA_CERT}
 AuthorizedKeysFile .ssh/authorized_keys
 AuthorizedPrincipalsFile .ssh/authorized_principals
--- a/docs/content/doc/features/webhooks.en-us.md
+++ b/docs/content/doc/features/webhooks.en-us.md
@ -188,3 +188,7 @@ if (json_last_error() !== JSON_ERROR_NONE) {
 ```
 There is a Test Delivery button in the webhook settings that allows to test the configuration as well as a list of the most Recent Deliveries.
 ### Authorization header
 **With 1.19**, Gitea hooks can be configured to send an [authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) to the webhook target.
--- a/models/activities/action.go
+++ b/models/activities/action.go
@ -64,6 +64,7 @@ const (
 	ActionPublishRelease                                  // 24
 	ActionPullReviewDismissed                             // 25
 	ActionPullRequestReadyForReview                       // 26
 	ActionAutoMergePullRequest                            // 27
 )
 // Action represents user operation type and other information to
@ -550,7 +551,7 @@ func notifyWatchers(ctx context.Context, actions ...*Action) error {
 				if !permIssue[i] {
 					continue
 				}
-			case ActionCreatePullRequest, ActionCommentPull, ActionMergePullRequest, ActionClosePullRequest, ActionReopenPullRequest:
+			case ActionCreatePullRequest, ActionCommentPull, ActionMergePullRequest, ActionClosePullRequest, ActionReopenPullRequest, ActionAutoMergePullRequest:
 				if !permPR[i] {
 					continue
 				}
--- a/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/expected_webhook.yml
+++ b/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/expected_webhook.yml
@ -0,0 +1,9 @@
 # for matrix, the access_token has been moved to "header_authorization"
 -
  id: 1
  meta: '{"homeserver_url":"https://matrix.example.com","room_id":"roomID","message_type":1}'
  header_authorization: "Bearer s3cr3t"
 -
  id: 2
  meta: ''
  header_authorization: ""
--- a/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/hook_task.yml
+++ b/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/hook_task.yml
@ -0,0 +1,8 @@
 # unsafe payload
 - id: 1
  hook_id: 1
  payload_content: '{"homeserver_url":"https://matrix.example.com","room_id":"roomID","access_token":"s3cr3t","message_type":1}'
 # safe payload
 - id: 2
  hook_id: 2
  payload_content: '{"homeserver_url":"https://matrix.example.com","room_id":"roomID","message_type":1}'
--- a/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/webhook.yml
+++ b/models/migrations/fixtures/Test_addHeaderAuthorizationEncryptedColWebhook/webhook.yml
@ -0,0 +1,10 @@
 # matrix webhook
 - id: 1
  type: matrix
  meta: '{"homeserver_url":"https://matrix.example.com","room_id":"roomID","access_token":"s3cr3t","message_type":1}'
  header_authorization_encrypted: ''
 # gitea webhook
 - id: 2
  type: gitea
  meta: ''
  header_authorization_encrypted: ''
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -435,6 +435,8 @@ var migrations = []Migration{
 	NewMigration("Add index for hook_task", v1_19.AddIndexForHookTask),
 	// v232 -> v233
 	NewMigration("Alter package_version.metadata_json to LONGTEXT", v1_19.AlterPackageVersionMetadataToLongText),
 	// v233 -> v234
 	NewMigration("Add header_authorization_encrypted column to webhook table", v1_19.AddHeaderAuthorizationEncryptedColWebhook),
 }
 // GetCurrentDBVersion returns the current db version
--- a/models/migrations/v1_19/v233.go
+++ b/models/migrations/v1_19/v233.go
@ -0,0 +1,183 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package v1_19 //nolint
 import (
 	"fmt"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"xorm.io/builder"
 	"xorm.io/xorm"
 )
 func batchProcess[T any](x *xorm.Engine, buf []T, query func(limit, start int) *xorm.Session, process func(*xorm.Session, T) error) error {
 	size := cap(buf)
 	start := 0
 	for {
 		err := query(size, start).Find(&buf)
 		if err != nil {
 			return err
 		}
 		if len(buf) == 0 {
 			return nil
 		}
 		err = func() error {
 			sess := x.NewSession()
 			defer sess.Close()
 			if err := sess.Begin(); err != nil {
 				return fmt.Errorf("unable to allow start session. Error: %w", err)
 			}
 			for _, record := range buf {
 				if err := process(sess, record); err != nil {
 					return err
 				}
 			}
 			return sess.Commit()
 		}()
 		if err != nil {
 			return err
 		}
 		if len(buf) < size {
 			return nil
 		}
 		start += size
 		buf = buf[:0]
 	}
 }
 func AddHeaderAuthorizationEncryptedColWebhook(x *xorm.Engine) error {
 	// Add the column to the table
 	type Webhook struct {
 		ID   int64            `xorm:"pk autoincr"`
 		Type webhook.HookType `xorm:"VARCHAR(16) 'type'"`
 		Meta string           `xorm:"TEXT"` // store hook-specific attributes
 		// HeaderAuthorizationEncrypted should be accessed using HeaderAuthorization() and SetHeaderAuthorization()
 		HeaderAuthorizationEncrypted string `xorm:"TEXT"`
 	}
 	err := x.Sync(new(Webhook))
 	if err != nil {
 		return err
 	}
 	// Migrate the matrix webhooks
 	type MatrixMeta struct {
 		HomeserverURL string `json:"homeserver_url"`
 		Room          string `json:"room_id"`
 		MessageType   int    `json:"message_type"`
 	}
 	type MatrixMetaWithAccessToken struct {
 		MatrixMeta
 		AccessToken string `json:"access_token"`
 	}
 	err = batchProcess(x,
 		make([]*Webhook, 0, 50),
 		func(limit, start int) *xorm.Session {
 			return x.Where("type=?", "matrix").OrderBy("id").Limit(limit, start)
 		},
 		func(sess *xorm.Session, hook *Webhook) error {
 			// retrieve token from meta
 			var withToken MatrixMetaWithAccessToken
 			err := json.Unmarshal([]byte(hook.Meta), &withToken)
 			if err != nil {
 				return fmt.Errorf("unable to unmarshal matrix meta for webhook[id=%d]: %w", hook.ID, err)
 			}
 			if withToken.AccessToken == "" {
 				return nil
 			}
 			// encrypt token
 			authorization := "Bearer " + withToken.AccessToken
 			hook.HeaderAuthorizationEncrypted, err = secret.EncryptSecret(setting.SecretKey, authorization)
 			if err != nil {
 				return fmt.Errorf("unable to encrypt access token for webhook[id=%d]: %w", hook.ID, err)
 			}
 			// remove token from meta
 			withoutToken, err := json.Marshal(withToken.MatrixMeta)
 			if err != nil {
 				return fmt.Errorf("unable to marshal matrix meta for webhook[id=%d]: %w", hook.ID, err)
 			}
 			hook.Meta = string(withoutToken)
 			// save in database
 			count, err := sess.ID(hook.ID).Cols("meta", "header_authorization_encrypted").Update(hook)
 			if count != 1 || err != nil {
 				return fmt.Errorf("unable to update header_authorization_encrypted for webhook[id=%d]: %d,%w", hook.ID, count, err)
 			}
 			return nil
 		})
 	if err != nil {
 		return err
 	}
 	// Remove access_token from HookTask
 	type HookTask struct {
 		ID             int64 `xorm:"pk autoincr"`
 		HookID         int64
 		PayloadContent string `xorm:"LONGTEXT"`
 	}
 	type MatrixPayloadSafe struct {
 		Body          string               `json:"body"`
 		MsgType       string               `json:"msgtype"`
 		Format        string               `json:"format"`
 		FormattedBody string               `json:"formatted_body"`
 		Commits       []*api.PayloadCommit `json:"io.gitea.commits,omitempty"`
 	}
 	type MatrixPayloadUnsafe struct {
 		MatrixPayloadSafe
 		AccessToken string `json:"access_token"`
 	}
 	err = batchProcess(x,
 		make([]*HookTask, 0, 50),
 		func(limit, start int) *xorm.Session {
 			return x.Where(builder.And(
 				builder.In("hook_id", builder.Select("id").From("webhook").Where(builder.Eq{"type": "matrix"})),
 				builder.Like{"payload_content", "access_token"},
 			)).OrderBy("id").Limit(limit, 0) // ignore the provided "start", since other payload were already converted and don't contain 'payload_content' anymore
 		},
 		func(sess *xorm.Session, hookTask *HookTask) error {
 			// retrieve token from payload_content
 			var withToken MatrixPayloadUnsafe
 			err := json.Unmarshal([]byte(hookTask.PayloadContent), &withToken)
 			if err != nil {
 				return fmt.Errorf("unable to unmarshal payload_content for hook_task[id=%d]: %w", hookTask.ID, err)
 			}
 			if withToken.AccessToken == "" {
 				return nil
 			}
 			// remove token from payload_content
 			withoutToken, err := json.Marshal(withToken.MatrixPayloadSafe)
 			if err != nil {
 				return fmt.Errorf("unable to marshal payload_content for hook_task[id=%d]: %w", hookTask.ID, err)
 			}
 			hookTask.PayloadContent = string(withoutToken)
 			// save in database
 			count, err := sess.ID(hookTask.ID).Cols("payload_content").Update(hookTask)
 			if count != 1 || err != nil {
 				return fmt.Errorf("unable to update payload_content for hook_task[id=%d]: %d,%w", hookTask.ID, count, err)
 			}
 			return nil
 		})
 	if err != nil {
 		return err
 	}
 	return nil
 }
--- a/models/migrations/v1_19/v233_test.go
+++ b/models/migrations/v1_19/v233_test.go
@ -0,0 +1,88 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package v1_19 //nolint
 import (
 	"testing"
 	"code.gitea.io/gitea/models/migrations/base"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
 )
 func Test_addHeaderAuthorizationEncryptedColWebhook(t *testing.T) {
 	// Create Webhook table
 	type Webhook struct {
 		ID   int64            `xorm:"pk autoincr"`
 		Type webhook.HookType `xorm:"VARCHAR(16) 'type'"`
 		Meta string           `xorm:"TEXT"` // store hook-specific attributes
 		// HeaderAuthorizationEncrypted should be accessed using HeaderAuthorization() and SetHeaderAuthorization()
 		HeaderAuthorizationEncrypted string `xorm:"TEXT"`
 	}
 	type ExpectedWebhook struct {
 		ID                  int64 `xorm:"pk autoincr"`
 		Meta                string
 		HeaderAuthorization string
 	}
 	type HookTask struct {
 		ID             int64 `xorm:"pk autoincr"`
 		HookID         int64
 		PayloadContent string `xorm:"LONGTEXT"`
 	}
 	// Prepare and load the testing database
 	x, deferable := base.PrepareTestEnv(t, 0, new(Webhook), new(ExpectedWebhook), new(HookTask))
 	defer deferable()
 	if x == nil || t.Failed() {
 		return
 	}
 	if err := AddHeaderAuthorizationEncryptedColWebhook(x); err != nil {
 		assert.NoError(t, err)
 		return
 	}
 	expected := []ExpectedWebhook{}
 	if err := x.Table("expected_webhook").Asc("id").Find(&expected); !assert.NoError(t, err) {
 		return
 	}
 	got := []Webhook{}
 	if err := x.Table("webhook").Select("id, meta, header_authorization_encrypted").Asc("id").Find(&got); !assert.NoError(t, err) {
 		return
 	}
 	for i, e := range expected {
 		assert.Equal(t, e.Meta, got[i].Meta)
 		if e.HeaderAuthorization == "" {
 			assert.Equal(t, "", got[i].HeaderAuthorizationEncrypted)
 		} else {
 			cipherhex := got[i].HeaderAuthorizationEncrypted
 			cleartext, err := secret.DecryptSecret(setting.SecretKey, cipherhex)
 			assert.NoError(t, err)
 			assert.Equal(t, e.HeaderAuthorization, cleartext)
 		}
 	}
 	// ensure that no hook_task has some remaining "access_token"
 	hookTasks := []HookTask{}
 	if err := x.Table("hook_task").Select("id, payload_content").Asc("id").Find(&hookTasks); !assert.NoError(t, err) {
 		return
 	}
 	for _, h := range hookTasks {
 		var m map[string]interface{}
 		err := json.Unmarshal([]byte(h.PayloadContent), &m)
 		assert.NoError(t, err)
 		assert.Nil(t, m["access_token"])
 	}
 }
--- a/models/user/user.go
+++ b/models/user/user.go
@ -29,6 +29,7 @@ import (
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/validation"
 	"golang.org/x/crypto/argon2"
 	"golang.org/x/crypto/bcrypt"
@ -621,7 +622,7 @@ var (
 // IsUsableUsername returns an error when a username is reserved
 func IsUsableUsername(name string) error {
 	// Validate username make sure it satisfies requirement.
-	if db.AlphaDashDotPattern.MatchString(name) {
+	if !validation.IsValidUsername(name) {
 		// Note: usually this error is normally caught up earlier in the UI
 		return db.ErrNameCharsNotAllowed{Name: name}
 	}
--- a/models/webhook/webhook.go
+++ b/models/webhook/webhook.go
@ -13,6 +13,8 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
@ -195,6 +197,9 @@ type Webhook struct {
 	Meta            string     `xorm:"TEXT"` // store hook-specific attributes
 	LastStatus      HookStatus // Last delivery status
 	// HeaderAuthorizationEncrypted should be accessed using HeaderAuthorization() and SetHeaderAuthorization()
 	HeaderAuthorizationEncrypted string `xorm:"TEXT"`
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
@ -401,6 +406,29 @@ func (w *Webhook) EventsArray() []string {
 	return events
 }
 // HeaderAuthorization returns the decrypted Authorization header.
 // Not on the reference (*w), to be accessible on WebhooksNew.
 func (w Webhook) HeaderAuthorization() (string, error) {
 	if w.HeaderAuthorizationEncrypted == "" {
 		return "", nil
 	}
 	return secret.DecryptSecret(setting.SecretKey, w.HeaderAuthorizationEncrypted)
 }
 // SetHeaderAuthorization encrypts and sets the Authorization header.
 func (w *Webhook) SetHeaderAuthorization(cleartext string) error {
 	if cleartext == "" {
 		w.HeaderAuthorizationEncrypted = ""
 		return nil
 	}
 	ciphertext, err := secret.EncryptSecret(setting.SecretKey, cleartext)
 	if err != nil {
 		return err
 	}
 	w.HeaderAuthorizationEncrypted = ciphertext
 	return nil
 }
 // CreateWebhook creates a new web hook.
 func CreateWebhook(ctx context.Context, w *Webhook) error {
 	w.Type = strings.TrimSpace(w.Type)
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@ -243,7 +243,7 @@ func ToGPGKeyEmail(email *user_model.EmailAddress) *api.GPGKeyEmail {
 }
 // ToHook convert models.Webhook to api.Hook
-func ToHook(repoLink string, w *webhook.Webhook) *api.Hook {
+func ToHook(repoLink string, w *webhook.Webhook) (*api.Hook, error) {
 	config := map[string]string{
 		"url":          w.URL,
 		"content_type": w.ContentType.Name(),
@ -256,16 +256,22 @@ func ToHook(repoLink string, w *webhook.Webhook) *api.Hook {
 		config["color"] = s.Color
 	}
-	return &api.Hook{
+	authorizationHeader, err := w.HeaderAuthorization()
-		ID:      w.ID,
+	if err != nil {
-		Type:    w.Type,
+		return nil, err
 		URL:     fmt.Sprintf("%s/settings/hooks/%d", repoLink, w.ID),
 		Active:  w.IsActive,
 		Config:  config,
 		Events:  w.EventsArray(),
 		Updated: w.UpdatedUnix.AsTime(),
 		Created: w.CreatedUnix.AsTime(),
 	}
 	return &api.Hook{
 		ID:                  w.ID,
 		Type:                w.Type,
 		URL:                 fmt.Sprintf("%s/settings/hooks/%d", repoLink, w.ID),
 		Active:              w.IsActive,
 		Config:              config,
 		Events:              w.EventsArray(),
 		AuthorizationHeader: authorizationHeader,
 		Updated:             w.UpdatedUnix.AsTime(),
 		Created:             w.CreatedUnix.AsTime(),
 	}, nil
 }
 // ToGitHook convert git.Hook to api.GitHook
--- a/modules/notification/action/action.go
+++ b/modules/notification/action/action.go
@ -283,6 +283,20 @@ func (*actionNotifier) NotifyMergePullRequest(pr *issues_model.PullRequest, doer
 	}
 }
 func (*actionNotifier) NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	if err := activities_model.NotifyWatchers(&activities_model.Action{
 		ActUserID: doer.ID,
 		ActUser:   doer,
 		OpType:    activities_model.ActionAutoMergePullRequest,
 		Content:   fmt.Sprintf("%d|%s", pr.Issue.Index, pr.Issue.Title),
 		RepoID:    pr.Issue.Repo.ID,
 		Repo:      pr.Issue.Repo,
 		IsPrivate: pr.Issue.Repo.IsPrivate,
 	}); err != nil {
 		log.Error("NotifyWatchers [%d]: %v", pr.ID, err)
 	}
 }
 func (*actionNotifier) NotifyPullRevieweDismiss(doer *user_model.User, review *issues_model.Review, comment *issues_model.Comment) {
 	reviewerName := review.Reviewer.Name
 	if len(review.OriginalAuthor) > 0 {
--- a/modules/notification/base/notifier.go
+++ b/modules/notification/base/notifier.go
@ -34,7 +34,8 @@ type Notifier interface {
 	NotifyIssueChangeLabels(doer *user_model.User, issue *issues_model.Issue,
 		addedLabels, removedLabels []*issues_model.Label)
 	NotifyNewPullRequest(pr *issues_model.PullRequest, mentions []*user_model.User)
-	NotifyMergePullRequest(*issues_model.PullRequest, *user_model.User)
+	NotifyMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User)
 	NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User)
 	NotifyPullRequestSynchronized(doer *user_model.User, pr *issues_model.PullRequest)
 	NotifyPullRequestReview(pr *issues_model.PullRequest, review *issues_model.Review, comment *issues_model.Comment, mentions []*user_model.User)
 	NotifyPullRequestCodeComment(pr *issues_model.PullRequest, comment *issues_model.Comment, mentions []*user_model.User)
--- a/modules/notification/base/null.go
+++ b/modules/notification/base/null.go
@ -54,6 +54,10 @@ func (*NullNotifier) NotifyPullRequestCodeComment(pr *issues_model.PullRequest,
 func (*NullNotifier) NotifyMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 }
 // NotifyAutoMergePullRequest places a place holder function
 func (*NullNotifier) NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 }
 // NotifyPullRequestSynchronized places a place holder function
 func (*NullNotifier) NotifyPullRequestSynchronized(doer *user_model.User, pr *issues_model.PullRequest) {
 }
--- a/modules/notification/mail/mail.go
+++ b/modules/notification/mail/mail.go
@ -153,6 +153,16 @@ func (m *mailNotifier) NotifyMergePullRequest(pr *issues_model.PullRequest, doer
 	}
 }
 func (m *mailNotifier) NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	if err := pr.LoadIssue(); err != nil {
 		log.Error("pr.LoadIssue: %v", err)
 		return
 	}
 	if err := mailer.MailParticipants(pr.Issue, doer, activities_model.ActionAutoMergePullRequest, nil); err != nil {
 		log.Error("MailParticipants: %v", err)
 	}
 }
 func (m *mailNotifier) NotifyPullRequestPushCommits(doer *user_model.User, pr *issues_model.PullRequest, comment *issues_model.Comment) {
 	ctx, _, finished := process.GetManager().AddContext(graceful.GetManager().HammerContext(), fmt.Sprintf("mailNotifier.NotifyPullRequestPushCommits Pull[%d] #%d in [%d]", pr.ID, pr.Index, pr.BaseRepoID))
 	defer finished()
--- a/modules/notification/notification.go
+++ b/modules/notification/notification.go
@ -98,6 +98,13 @@ func NotifyMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User)
 	}
 }
 // NotifyAutoMergePullRequest notifies merge pull request to notifiers
 func NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	for _, notifier := range notifiers {
 		notifier.NotifyAutoMergePullRequest(pr, doer)
 	}
 }
 // NotifyNewPullRequest notifies new pull request to notifiers
 func NotifyNewPullRequest(pr *issues_model.PullRequest, mentions []*user_model.User) {
 	for _, notifier := range notifiers {
--- a/modules/notification/ui/ui.go
+++ b/modules/notification/ui/ui.go
@ -119,6 +119,10 @@ func (ns *notificationService) NotifyMergePullRequest(pr *issues_model.PullReque
 	})
 }
 func (ns *notificationService) NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	ns.NotifyMergePullRequest(pr, doer)
 }
 func (ns *notificationService) NotifyNewPullRequest(pr *issues_model.PullRequest, mentions []*user_model.User) {
 	if err := pr.LoadIssue(); err != nil {
 		log.Error("Unable to load issue: %d for pr: %d: Error: %v", pr.IssueID, pr.ID, err)
--- a/modules/notification/webhook/webhook.go
+++ b/modules/notification/webhook/webhook.go
@ -632,6 +632,11 @@ func (m *webhookNotifier) NotifyPushCommits(pusher *user_model.User, repo *repo_
 	}
 }
 func (m *webhookNotifier) NotifyAutoMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	// just redirect to the NotifyMergePullRequest
 	m.NotifyMergePullRequest(pr, doer)
 }
 func (*webhookNotifier) NotifyMergePullRequest(pr *issues_model.PullRequest, doer *user_model.User) {
 	ctx, _, finished := process.GetManager().AddContext(graceful.GetManager().HammerContext(), fmt.Sprintf("webhook.NotifyMergePullRequest Pull[%d] #%d in [%d]", pr.ID, pr.Index, pr.BaseRepoID))
 	defer finished()
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -1158,6 +1158,8 @@ func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
 	return authorizedPrincipalsAllow, true
 }
 // loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
 // If the secret is loaded from uriKey (file), the file should be non-empty, to guarantee the behavior stable and clear.
 func loadSecret(sec *ini.Section, uriKey, verbatimKey string) string {
 	// don't allow setting both URI and verbatim string
 	uri := sec.Key(uriKey).String()
@ -1181,7 +1183,15 @@ func loadSecret(sec *ini.Section, uriKey, verbatimKey string) string {
 		if err != nil {
 			log.Fatal("Failed to read %s (%s): %v", uriKey, tempURI.RequestURI(), err)
 		}
-		return strings.TrimSpace(string(buf))
+		val := strings.TrimSpace(string(buf))
 		if val == "" {
 			// The file shouldn't be empty, otherwise we can not know whether the user has ever set the KEY or KEY_URI
 			// For example: if INTERNAL_TOKEN_URI=file:///empty-file,
 			// Then if the token is re-generated during installation and saved to INTERNAL_TOKEN
 			// Then INTERNAL_TOKEN and INTERNAL_TOKEN_URI both exist, that's a fatal error (they shouldn't)
 			log.Fatal("Failed to read %s (%s): the file is empty", uriKey, tempURI.RequestURI())
 		}
 		return val
 	// only file URIs are allowed
 	default:
--- a/modules/structs/admin_user.go
+++ b/modules/structs/admin_user.go
@ -10,7 +10,7 @@ type CreateUserOption struct {
 	SourceID  int64  `json:"source_id"`
 	LoginName string `json:"login_name"`
 	// required: true
-	Username string `json:"username" binding:"Required;AlphaDashDot;MaxSize(40)"`
+	Username string `json:"username" binding:"Required;Username;MaxSize(40)"`
 	FullName string `json:"full_name" binding:"MaxSize(100)"`
 	// required: true
 	// swagger:strfmt email
--- a/modules/structs/hook.go
+++ b/modules/structs/hook.go
@ -18,12 +18,13 @@ var ErrInvalidReceiveHook = errors.New("Invalid JSON payload received over webho
 // Hook a hook is a web hook when one repository changed
 type Hook struct {
-	ID     int64             `json:"id"`
+	ID                  int64             `json:"id"`
-	Type   string            `json:"type"`
+	Type                string            `json:"type"`
-	URL    string            `json:"-"`
+	URL                 string            `json:"-"`
-	Config map[string]string `json:"config"`
+	Config              map[string]string `json:"config"`
-	Events []string          `json:"events"`
+	Events              []string          `json:"events"`
-	Active bool              `json:"active"`
+	AuthorizationHeader string            `json:"authorization_header"`
 	Active              bool              `json:"active"`
 	// swagger:strfmt date-time
 	Updated time.Time `json:"updated_at"`
 	// swagger:strfmt date-time
@ -43,19 +44,21 @@ type CreateHookOption struct {
 	// enum: dingtalk,discord,gitea,gogs,msteams,slack,telegram,feishu,wechatwork,packagist
 	Type string `json:"type" binding:"Required"`
 	// required: true
-	Config       CreateHookOptionConfig `json:"config" binding:"Required"`
+	Config              CreateHookOptionConfig `json:"config" binding:"Required"`
-	Events       []string               `json:"events"`
+	Events              []string               `json:"events"`
-	BranchFilter string                 `json:"branch_filter" binding:"GlobPattern"`
+	BranchFilter        string                 `json:"branch_filter" binding:"GlobPattern"`
 	AuthorizationHeader string                 `json:"authorization_header"`
 	// default: false
 	Active bool `json:"active"`
 }
 // EditHookOption options when modify one hook
 type EditHookOption struct {
-	Config       map[string]string `json:"config"`
+	Config              map[string]string `json:"config"`
-	Events       []string          `json:"events"`
+	Events              []string          `json:"events"`
-	BranchFilter string            `json:"branch_filter" binding:"GlobPattern"`
+	BranchFilter        string            `json:"branch_filter" binding:"GlobPattern"`
-	Active       *bool             `json:"active"`
+	AuthorizationHeader string            `json:"authorization_header"`
 	Active              *bool             `json:"active"`
 }
 // Payloader payload is some part of one hook
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@ -905,7 +905,7 @@ func ActionIcon(opType activities_model.ActionType) string {
 		return "git-pull-request"
 	case activities_model.ActionCommentIssue, activities_model.ActionCommentPull:
 		return "comment-discussion"
-	case activities_model.ActionMergePullRequest:
+	case activities_model.ActionMergePullRequest, activities_model.ActionAutoMergePullRequest:
 		return "git-merge"
 	case activities_model.ActionCloseIssue, activities_model.ActionClosePullRequest:
 		return "issue-closed"
--- a/modules/validation/binding.go
+++ b/modules/validation/binding.go
@ -24,6 +24,9 @@ const (
 	// ErrRegexPattern is returned when a regex pattern is invalid
 	ErrRegexPattern = "RegexPattern"
 	// ErrUsername is username error
 	ErrUsername = "UsernameError"
 )
 // AddBindingRules adds additional binding rules
@ -34,6 +37,7 @@ func AddBindingRules() {
 	addGlobPatternRule()
 	addRegexPatternRule()
 	addGlobOrRegexPatternRule()
 	addUsernamePatternRule()
 }
 func addGitRefNameBindingRule() {
@ -148,6 +152,22 @@ func addGlobOrRegexPatternRule() {
 	})
 }
 func addUsernamePatternRule() {
 	binding.AddRule(&binding.Rule{
 		IsMatch: func(rule string) bool {
 			return rule == "Username"
 		},
 		IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
 			str := fmt.Sprintf("%v", val)
 			if !IsValidUsername(str) {
 				errs.Add([]string{name}, ErrUsername, "invalid username")
 				return false, errs
 			}
 			return true, errs
 		},
 	})
 }
 func portOnly(hostport string) string {
 	colon := strings.IndexByte(hostport, ':')
 	if colon == -1 {
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@ -91,3 +91,15 @@ func IsValidExternalTrackerURLFormat(uri string) bool {
 	return true
 }
 var (
 	validUsernamePattern   = regexp.MustCompile(`^[\da-zA-Z][-.\w]*$`)
 	invalidUsernamePattern = regexp.MustCompile(`[-._]{2,}|[-._]$`) // No consecutive or trailing non-alphanumeric chars
 )
 // IsValidUsername checks if username is valid
 func IsValidUsername(name string) bool {
 	// It is difficult to find a single pattern that is both readable and effective,
 	// but it's easier to use positive and negative checks.
 	return validUsernamePattern.MatchString(name) && !invalidUsernamePattern.MatchString(name)
 }
--- a/modules/validation/helpers_test.go
+++ b/modules/validation/helpers_test.go
@ -155,3 +155,34 @@ func Test_IsValidExternalTrackerURLFormat(t *testing.T) {
 		})
 	}
 }
 func TestIsValidUsername(t *testing.T) {
 	tests := []struct {
 		arg  string
 		want bool
 	}{
 		{arg: "a", want: true},
 		{arg: "abc", want: true},
 		{arg: "0.b-c", want: true},
 		{arg: "a.b-c_d", want: true},
 		{arg: "", want: false},
 		{arg: ".abc", want: false},
 		{arg: "abc.", want: false},
 		{arg: "a..bc", want: false},
 		{arg: "a...bc", want: false},
 		{arg: "a.-bc", want: false},
 		{arg: "a._bc", want: false},
 		{arg: "a_-bc", want: false},
 		{arg: "a/bc", want: false},
 		{arg: "☁️", want: false},
 		{arg: "-", want: false},
 		{arg: "--diff", want: false},
 		{arg: "-im-here", want: false},
 		{arg: "a space", want: false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.arg, func(t *testing.T) {
 			assert.Equalf(t, tt.want, IsValidUsername(tt.arg), "IsValidUsername(%v)", tt.arg)
 		})
 	}
 }
--- a/modules/web/middleware/binding.go
+++ b/modules/web/middleware/binding.go
@ -135,6 +135,8 @@ func Validate(errs binding.Errors, data map[string]interface{}, f Form, l transl
 				data["ErrorMsg"] = trName + l.Tr("form.glob_pattern_error", errs[0].Message)
 			case validation.ErrRegexPattern:
 				data["ErrorMsg"] = trName + l.Tr("form.regex_pattern_error", errs[0].Message)
 			case validation.ErrUsername:
 				data["ErrorMsg"] = trName + l.Tr("form.username_error")
 			default:
 				msg := errs[0].Classification
 				if msg != "" && errs[0].Message != "" {
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -463,6 +463,7 @@ url_error = `'%s' is not a valid URL.`
 include_error = ` must contain substring '%s'.`
 glob_pattern_error = ` glob pattern is invalid: %s.`
 regex_pattern_error = ` regex pattern is invalid: %s.`
 username_error = ` can only contain alphanumeric chars ('0-9','a-z','A-Z'), dash ('-'), underscore ('_') and dot ('.'). It cannot begin or end with non-alphanumeric chars, and consecutive non-alphanumeric chars are also forbidden.`
 unknown_error = Unknown error:
 captcha_incorrect = The CAPTCHA code is incorrect.
 password_not_match = The passwords do not match.
@ -2014,6 +2015,8 @@ settings.event_package = Package
 settings.event_package_desc = Package created or deleted in a repository.
 settings.branch_filter = Branch filter
 settings.branch_filter_desc = Branch whitelist for push, branch creation and branch deletion events, specified as glob pattern. If empty or <code>*</code>, events for all branches are reported. See <a href="https://pkg.go.dev/github.com/gobwas/glob#Compile">github.com/gobwas/glob</a> documentation for syntax. Examples: <code>master</code>, <code>{master,release*}</code>.
 settings.authorization_header = Authorization Header
 settings.authorization_header_desc = Will be included as authorization header for requests when present. Examples: %s.
 settings.active = Active
 settings.active_helper = Information about triggered events will be sent to this webhook URL.
 settings.add_hook_success = The webhook has been added.
@ -2128,7 +2131,6 @@ settings.bot_token = Bot Token
 settings.chat_id = Chat ID
 settings.matrix.homeserver_url = Homeserver URL
 settings.matrix.room_id = Room ID
 settings.matrix.access_token = Access Token
 settings.matrix.message_type = Message Type
 settings.archive.button = Archive Repo
 settings.archive.header = Archive This Repo
@ -3005,6 +3007,7 @@ reopen_pull_request = `reopened pull request <a href="%[1]s">%[3]s#%[2]s</a>`
 comment_issue = `commented on issue <a href="%[1]s">%[3]s#%[2]s</a>`
 comment_pull = `commented on pull request <a href="%[1]s">%[3]s#%[2]s</a>`
 merge_pull_request = `merged pull request <a href="%[1]s">%[3]s#%[2]s</a>`
 auto_merge_pull_request = `automatically merged pull request <a href="%[1]s">%[3]s#%[2]s</a>`
 transfer_repo = transferred repository <code>%s</code> to <a href="%s">%s</a>
 push_tag = pushed tag <a href="%[2]s">%[3]s</a> to <a href="%[1]s">%[4]s</a>
 delete_tag = deleted tag %[2]s from <a href="%[1]s">%[3]s</a>
--- a/routers/api/v1/org/hook.go
+++ b/routers/api/v1/org/hook.go
@ -59,7 +59,11 @@ func ListHooks(ctx *context.APIContext) {
 	hooks := make([]*api.Hook, len(orgHooks))
 	for i, hook := range orgHooks {
-		hooks[i] = convert.ToHook(ctx.Org.Organization.AsUser().HomeLink(), hook)
+		hooks[i], err = convert.ToHook(ctx.Org.Organization.AsUser().HomeLink(), hook)
 		if err != nil {
 			ctx.InternalServerError(err)
 			return
 		}
 	}
 	ctx.SetTotalCountHeader(count)
@ -95,7 +99,13 @@ func GetHook(ctx *context.APIContext) {
 	if err != nil {
 		return
 	}
-	ctx.JSON(http.StatusOK, convert.ToHook(org.AsUser().HomeLink(), hook))
+
 	apiHook, err := convert.ToHook(org.AsUser().HomeLink(), hook)
 	if err != nil {
 		ctx.InternalServerError(err)
 		return
 	}
 	ctx.JSON(http.StatusOK, apiHook)
 }
 // CreateHook create a hook for an organization
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@ -69,7 +69,11 @@ func ListHooks(ctx *context.APIContext) {
 	apiHooks := make([]*api.Hook, len(hooks))
 	for i := range hooks {
-		apiHooks[i] = convert.ToHook(ctx.Repo.RepoLink, hooks[i])
+		apiHooks[i], err = convert.ToHook(ctx.Repo.RepoLink, hooks[i])
 		if err != nil {
 			ctx.InternalServerError(err)
 			return
 		}
 	}
 	ctx.SetTotalCountHeader(count)
@ -112,7 +116,12 @@ func GetHook(ctx *context.APIContext) {
 	if err != nil {
 		return
 	}
-	ctx.JSON(http.StatusOK, convert.ToHook(repo.RepoLink, hook))
+	apiHook, err := convert.ToHook(repo.RepoLink, hook)
 	if err != nil {
 		ctx.InternalServerError(err)
 		return
 	}
 	ctx.JSON(http.StatusOK, apiHook)
 }
 // TestHook tests a hook
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@ -839,7 +839,7 @@ func MergePullRequest(ctx *context.APIContext) {
 		}
 	}
-	if err := pull_service.Merge(ctx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message); err != nil {
+	if err := pull_service.Merge(ctx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message, false); err != nil {
 		if models.IsErrInvalidMergeStyle(err) {
 			ctx.Error(http.StatusMethodNotAllowed, "Invalid merge style", fmt.Errorf("%s is not allowed an allowed merge style for this repository", repo_model.MergeStyle(form.Do)))
 		} else if models.IsErrMergeConflicts(err) {
--- a/routers/api/v1/utils/hook.go
+++ b/routers/api/v1/utils/hook.go
@ -72,18 +72,39 @@ func CheckCreateHookOption(ctx *context.APIContext, form *api.CreateHookOption)
 func AddOrgHook(ctx *context.APIContext, form *api.CreateHookOption) {
 	org := ctx.Org.Organization
 	hook, ok := addHook(ctx, form, org.ID, 0)
-	if ok {
+	if !ok {
-		ctx.JSON(http.StatusCreated, convert.ToHook(org.AsUser().HomeLink(), hook))
+		return
 	}
 	apiHook, ok := toAPIHook(ctx, org.AsUser().HomeLink(), hook)
 	if !ok {
 		return
 	}
 	ctx.JSON(http.StatusCreated, apiHook)
 }
 // AddRepoHook add a hook to a repo. Writes to `ctx` accordingly
 func AddRepoHook(ctx *context.APIContext, form *api.CreateHookOption) {
 	repo := ctx.Repo
 	hook, ok := addHook(ctx, form, 0, repo.Repository.ID)
-	if ok {
+	if !ok {
-		ctx.JSON(http.StatusCreated, convert.ToHook(repo.RepoLink, hook))
+		return
 	}
 	apiHook, ok := toAPIHook(ctx, repo.RepoLink, hook)
 	if !ok {
 		return
 	}
 	ctx.JSON(http.StatusCreated, apiHook)
 }
 // toAPIHook converts the hook to its API representation.
 // If there is an error, write to `ctx` accordingly. Return (hook, ok)
 func toAPIHook(ctx *context.APIContext, repoLink string, hook *webhook.Webhook) (*api.Hook, bool) {
 	apiHook, err := convert.ToHook(repoLink, hook)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "ToHook", err)
 		return nil, false
 	}
 	return apiHook, true
 }
 func issuesHook(events []string, event string) bool {
@ -135,6 +156,11 @@ func addHook(ctx *context.APIContext, form *api.CreateHookOption, orgID, repoID
 		IsActive: form.Active,
 		Type:     form.Type,
 	}
 	err := w.SetHeaderAuthorization(form.AuthorizationHeader)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "SetHeaderAuthorization", err)
 		return nil, false
 	}
 	if w.Type == webhook.SLACK {
 		channel, ok := form.Config["channel"]
 		if !ok {
@ -185,7 +211,11 @@ func EditOrgHook(ctx *context.APIContext, form *api.EditHookOption, hookID int64
 	if err != nil {
 		return
 	}
-	ctx.JSON(http.StatusOK, convert.ToHook(org.AsUser().HomeLink(), updated))
+	apiHook, ok := toAPIHook(ctx, org.AsUser().HomeLink(), updated)
 	if !ok {
 		return
 	}
 	ctx.JSON(http.StatusOK, apiHook)
 }
 // EditRepoHook edit webhook `w` according to `form`. Writes to `ctx` accordingly
@ -202,7 +232,11 @@ func EditRepoHook(ctx *context.APIContext, form *api.EditHookOption, hookID int6
 	if err != nil {
 		return
 	}
-	ctx.JSON(http.StatusOK, convert.ToHook(repo.RepoLink, updated))
+	apiHook, ok := toAPIHook(ctx, repo.RepoLink, updated)
 	if !ok {
 		return
 	}
 	ctx.JSON(http.StatusOK, apiHook)
 }
 // editHook edit the webhook `w` according to `form`. If an error occurs, write
@ -254,6 +288,12 @@ func editHook(ctx *context.APIContext, form *api.EditHookOption, w *webhook.Webh
 	w.Release = util.IsStringInSlice(string(webhook.HookEventRelease), form.Events, true)
 	w.BranchFilter = form.BranchFilter
 	err := w.SetHeaderAuthorization(form.AuthorizationHeader)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "SetHeaderAuthorization", err)
 		return false
 	}
 	// Issues
 	w.Issues = issuesHook(form.Events, "issues_only")
 	w.IssueAssign = issuesHook(form.Events, string(webhook.HookEventIssueAssign))
--- a/routers/install/install.go
+++ b/routers/install/install.go
@ -474,12 +474,16 @@ func SubmitInstall(ctx *context.Context) {
 	cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
-	var internalToken string
+	// the internal token could be read from INTERNAL_TOKEN or INTERNAL_TOKEN_URI (the file is guaranteed to be non-empty)
-	if internalToken, err = generate.NewInternalToken(); err != nil {
+	// if there is no InternalToken, generate one and save to security.INTERNAL_TOKEN
-		ctx.RenderWithErr(ctx.Tr("install.internal_token_failed", err), tplInstall, &form)
+	if setting.InternalToken == "" {
-		return
+		var internalToken string
 		if internalToken, err = generate.NewInternalToken(); err != nil {
 			ctx.RenderWithErr(ctx.Tr("install.internal_token_failed", err), tplInstall, &form)
 			return
 		}
 		cfg.Section("security").Key("INTERNAL_TOKEN").SetValue(internalToken)
 	}
 	cfg.Section("security").Key("INTERNAL_TOKEN").SetValue(internalToken)
 	// if there is already a SECRET_KEY, we should not overwrite it, otherwise the encrypted data will not be able to be decrypted
 	if setting.SecretKey == "" {
--- a/routers/web/feed/convert.go
+++ b/routers/web/feed/convert.go
@ -115,6 +115,12 @@ func feedActionsToFeedItems(ctx *context.Context, actions activities_model.Actio
 				link.Href = pullLink
 			}
 			title += ctx.TrHTMLEscapeArgs("action.merge_pull_request", pullLink, act.GetIssueInfos()[0], act.ShortRepoPath())
 		case activities_model.ActionAutoMergePullRequest:
 			pullLink := toPullLink(act)
 			if link.Href == "#" {
 				link.Href = pullLink
 			}
 			title += ctx.TrHTMLEscapeArgs("action.auto_merge_pull_request", pullLink, act.GetIssueInfos()[0], act.ShortRepoPath())
 		case activities_model.ActionCloseIssue:
 			issueLink := toIssueLink(act)
 			if link.Href == "#" {
@ -221,7 +227,7 @@ func feedActionsToFeedItems(ctx *context.Context, actions activities_model.Actio
 				if len(comment) != 0 {
 					desc += "\n\n" + renderMarkdown(ctx, act, comment)
 				}
-			case activities_model.ActionMergePullRequest:
+			case activities_model.ActionMergePullRequest, activities_model.ActionAutoMergePullRequest:
 				desc = act.GetIssueInfos()[1]
 			case activities_model.ActionCloseIssue, activities_model.ActionReopenIssue, activities_model.ActionClosePullRequest, activities_model.ActionReopenPullRequest:
 				desc = act.GetIssueTitle()
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@ -1002,7 +1002,7 @@ func MergePullRequest(ctx *context.Context) {
 		}
 	}
-	if err := pull_service.Merge(ctx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message); err != nil {
+	if err := pull_service.Merge(ctx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message, false); err != nil {
 		if models.IsErrInvalidMergeStyle(err) {
 			ctx.Flash.Error(ctx.Tr("repo.pulls.invalid_merge_option"))
 			ctx.Redirect(issue.Link())
--- a/routers/web/repo/webhook.go
+++ b/routers/web/repo/webhook.go
@ -239,6 +239,11 @@ func createWebhook(ctx *context.Context, params webhookParams) {
 		OrgID:           orCtx.OrgID,
 		IsSystemWebhook: orCtx.IsSystemWebhook,
 	}
 	err = w.SetHeaderAuthorization(params.WebhookForm.AuthorizationHeader)
 	if err != nil {
 		ctx.ServerError("SetHeaderAuthorization", err)
 		return
 	}
 	if err := w.UpdateEvent(); err != nil {
 		ctx.ServerError("UpdateEvent", err)
 		return
@ -285,6 +290,12 @@ func editWebhook(ctx *context.Context, params webhookParams) {
 	w.HTTPMethod = params.HTTPMethod
 	w.Meta = string(meta)
 	err = w.SetHeaderAuthorization(params.WebhookForm.AuthorizationHeader)
 	if err != nil {
 		ctx.ServerError("SetHeaderAuthorization", err)
 		return
 	}
 	if err := w.UpdateEvent(); err != nil {
 		ctx.ServerError("UpdateEvent", err)
 		return
@ -445,7 +456,6 @@ func matrixHookParams(ctx *context.Context) webhookParams {
 		Meta: &webhook_service.MatrixMeta{
 			HomeserverURL: form.HomeserverURL,
 			Room:          form.RoomID,
 			AccessToken:   form.AccessToken,
 			MessageType:   form.MessageType,
 		},
 	}
--- a/services/automerge/automerge.go
+++ b/services/automerge/automerge.go
@ -257,7 +257,7 @@ func handlePull(pullID int64, sha string) {
 		defer baseGitRepo.Close()
 	}
-	if err := pull_service.Merge(ctx, pr, doer, baseGitRepo, scheduledPRM.MergeStyle, "", scheduledPRM.Message); err != nil {
+	if err := pull_service.Merge(ctx, pr, doer, baseGitRepo, scheduledPRM.MergeStyle, "", scheduledPRM.Message, true); err != nil {
 		log.Error("pull_service.Merge: %v", err)
 		return
 	}
--- a/services/forms/admin.go
+++ b/services/forms/admin.go
@ -18,7 +18,7 @@ import (
 type AdminCreateUserForm struct {
 	LoginType          string `binding:"Required"`
 	LoginName          string
-	UserName           string `binding:"Required;AlphaDashDot;MaxSize(40)"`
+	UserName           string `binding:"Required;Username;MaxSize(40)"`
 	Email              string `binding:"Required;Email;MaxSize(254)"`
 	Password           string `binding:"MaxSize(255)"`
 	SendNotify         bool
@ -35,7 +35,7 @@ func (f *AdminCreateUserForm) Validate(req *http.Request, errs binding.Errors) b
 // AdminEditUserForm form for admin to create user
 type AdminEditUserForm struct {
 	LoginType               string `binding:"Required"`
-	UserName                string `binding:"AlphaDashDot;MaxSize(40)"`
+	UserName                string `binding:"Username;MaxSize(40)"`
 	LoginName               string
 	FullName                string `binding:"MaxSize(100)"`
 	Email                   string `binding:"Required;Email;MaxSize(254)"`
--- a/services/forms/org.go
+++ b/services/forms/org.go
@ -24,7 +24,7 @@ import (
 // CreateOrgForm form for creating organization
 type CreateOrgForm struct {
-	OrgName                   string `binding:"Required;AlphaDashDot;MaxSize(40)" locale:"org.org_name_holder"`
+	OrgName                   string `binding:"Required;Username;MaxSize(40)" locale:"org.org_name_holder"`
 	Visibility                structs.VisibleType
 	RepoAdminChangeTeamAccess bool
 }
@ -37,7 +37,7 @@ func (f *CreateOrgForm) Validate(req *http.Request, errs binding.Errors) binding
 // UpdateOrgSettingForm form for updating organization settings
 type UpdateOrgSettingForm struct {
-	Name                      string `binding:"Required;AlphaDashDot;MaxSize(40)" locale:"org.org_name_holder"`
+	Name                      string `binding:"Required;Username;MaxSize(40)" locale:"org.org_name_holder"`
 	FullName                  string `binding:"MaxSize(100)"`
 	Description               string `binding:"MaxSize(255)"`
 	Website                   string `binding:"ValidUrl;MaxSize(255)"`
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@ -247,6 +247,7 @@ type WebhookForm struct {
 	Package              bool
 	Active               bool
 	BranchFilter         string `binding:"GlobPattern"`
 	AuthorizationHeader  string
 }
 // PushOnly if the hook will be triggered when push
@ -359,7 +360,6 @@ func (f *NewTelegramHookForm) Validate(req *http.Request, errs binding.Errors) b
 type NewMatrixHookForm struct {
 	HomeserverURL string `binding:"Required;ValidUrl"`
 	RoomID        string `binding:"Required"`
 	AccessToken   string `binding:"Required"`
 	MessageType   int
 	WebhookForm
 }
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@ -65,7 +65,7 @@ type InstallForm struct {
 	PasswordAlgorithm string
-	AdminName          string `binding:"OmitEmpty;AlphaDashDot;MaxSize(30)" locale:"install.admin_name"`
+	AdminName          string `binding:"OmitEmpty;Username;MaxSize(30)" locale:"install.admin_name"`
 	AdminPasswd        string `binding:"OmitEmpty;MaxSize(255)" locale:"install.admin_password"`
 	AdminConfirmPasswd string
 	AdminEmail         string `binding:"OmitEmpty;MinSize(3);MaxSize(254);Include(@)" locale:"install.admin_email"`
@ -91,7 +91,7 @@ func (f *InstallForm) Validate(req *http.Request, errs binding.Errors) binding.E
 // RegisterForm form for registering
 type RegisterForm struct {
-	UserName           string `binding:"Required;AlphaDashDot;MaxSize(40)"`
+	UserName           string `binding:"Required;Username;MaxSize(40)"`
 	Email              string `binding:"Required;MaxSize(254)"`
 	Password           string `binding:"MaxSize(255)"`
 	Retype             string
@ -243,7 +243,7 @@ func (f *IntrospectTokenForm) Validate(req *http.Request, errs binding.Errors) b
 // UpdateProfileForm form for updating profile
 type UpdateProfileForm struct {
-	Name                string `binding:"AlphaDashDot;MaxSize(40)"`
+	Name                string `binding:"Username;MaxSize(40)"`
 	FullName            string `binding:"MaxSize(100)"`
 	KeepEmailPrivate    bool
 	Website             string `binding:"ValidSiteUrl;MaxSize(255)"`
--- a/services/forms/user_form_auth_openid.go
+++ b/services/forms/user_form_auth_openid.go
@ -27,7 +27,7 @@ func (f *SignInOpenIDForm) Validate(req *http.Request, errs binding.Errors) bind
 // SignUpOpenIDForm form for signin up with OpenID
 type SignUpOpenIDForm struct {
-	UserName           string `binding:"Required;AlphaDashDot;MaxSize(40)"`
+	UserName           string `binding:"Required;Username;MaxSize(40)"`
 	Email              string `binding:"Required;Email;MaxSize(254)"`
 	GRecaptchaResponse string `form:"g-recaptcha-response"`
 	HcaptchaResponse   string `form:"h-captcha-response"`
--- a/services/mailer/mail.go
+++ b/services/mailer/mail.go
@ -340,7 +340,7 @@ func createReference(issue *issues_model.Issue, comment *issues_model.Comment, a
 			extra = fmt.Sprintf("/close/%d", time.Now().UnixNano()/1e6)
 		case activities_model.ActionReopenIssue, activities_model.ActionReopenPullRequest:
 			extra = fmt.Sprintf("/reopen/%d", time.Now().UnixNano()/1e6)
-		case activities_model.ActionMergePullRequest:
+		case activities_model.ActionMergePullRequest, activities_model.ActionAutoMergePullRequest:
 			extra = fmt.Sprintf("/merge/%d", time.Now().UnixNano()/1e6)
 		case activities_model.ActionPullRequestReadyForReview:
 			extra = fmt.Sprintf("/ready/%d", time.Now().UnixNano()/1e6)
@ -451,7 +451,7 @@ func actionToTemplate(issue *issues_model.Issue, actionType activities_model.Act
 		name = "close"
 	case activities_model.ActionReopenIssue, activities_model.ActionReopenPullRequest:
 		name = "reopen"
-	case activities_model.ActionMergePullRequest:
+	case activities_model.ActionMergePullRequest, activities_model.ActionAutoMergePullRequest:
 		name = "merge"
 	case activities_model.ActionPullReviewDismissed:
 		name = "review_dismissed"
--- a/services/mailer/mail_issue.go
+++ b/services/mailer/mail_issue.go
@ -25,11 +25,12 @@ func fallbackMailSubject(issue *issues_model.Issue) string {
 type mailCommentContext struct {
 	context.Context
-	Issue      *issues_model.Issue
+	Issue                 *issues_model.Issue
-	Doer       *user_model.User
+	Doer                  *user_model.User
-	ActionType activities_model.ActionType
+	ActionType            activities_model.ActionType
-	Content    string
+	Content               string
-	Comment    *issues_model.Comment
+	Comment               *issues_model.Comment
 	ForceDoerNotification bool
 }
 const (
@ -93,7 +94,7 @@ func mailIssueCommentToParticipants(ctx *mailCommentContext, mentions []*user_mo
 	visited := make(container.Set[int64], len(unfiltered)+len(mentions)+1)
 	// Avoid mailing the doer
-	if ctx.Doer.EmailNotificationsPreference != user_model.EmailNotificationsAndYourOwn {
+	if ctx.Doer.EmailNotificationsPreference != user_model.EmailNotificationsAndYourOwn && !ctx.ForceDoerNotification {
 		visited.Add(ctx.Doer.ID)
 	}
@ -181,17 +182,19 @@ func MailParticipants(issue *issues_model.Issue, doer *user_model.User, opType a
 	content := issue.Content
 	if opType == activities_model.ActionCloseIssue || opType == activities_model.ActionClosePullRequest ||
 		opType == activities_model.ActionReopenIssue || opType == activities_model.ActionReopenPullRequest ||
-		opType == activities_model.ActionMergePullRequest {
+		opType == activities_model.ActionMergePullRequest || opType == activities_model.ActionAutoMergePullRequest {
 		content = ""
 	}
 	forceDoerNotification := opType == activities_model.ActionAutoMergePullRequest
 	if err := mailIssueCommentToParticipants(
 		&mailCommentContext{
-			Context:    context.TODO(), // TODO: use a correct context
+			Context:               context.TODO(), // TODO: use a correct context
-			Issue:      issue,
+			Issue:                 issue,
-			Doer:       doer,
+			Doer:                  doer,
-			ActionType: opType,
+			ActionType:            opType,
-			Content:    content,
+			Content:               content,
-			Comment:    nil,
+			Comment:               nil,
 			ForceDoerNotification: forceDoerNotification,
 		}, mentions); err != nil {
 		log.Error("mailIssueCommentToParticipants: %v", err)
 	}
--- a/services/pull/merge.go
+++ b/services/pull/merge.go
@ -133,7 +133,7 @@ func GetDefaultMergeMessage(baseGitRepo *git.Repository, pr *issues_model.PullRe
 // Merge merges pull request to base repository.
 // Caller should check PR is ready to be merged (review and status checks)
-func Merge(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.User, baseGitRepo *git.Repository, mergeStyle repo_model.MergeStyle, expectedHeadCommitID, message string) error {
+func Merge(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.User, baseGitRepo *git.Repository, mergeStyle repo_model.MergeStyle, expectedHeadCommitID, message string, wasAutoMerged bool) error {
 	if err := pr.LoadHeadRepo(); err != nil {
 		log.Error("LoadHeadRepo: %v", err)
 		return fmt.Errorf("LoadHeadRepo: %w", err)
@ -193,7 +193,11 @@ func Merge(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.U
 		log.Error("GetOwner for issue repo [%d]: %v", pr.ID, err)
 	}
-	notification.NotifyMergePullRequest(pr, doer)
+	if wasAutoMerged {
 		notification.NotifyAutoMergePullRequest(pr, doer)
 	} else {
 		notification.NotifyMergePullRequest(pr, doer)
 	}
 	// Reset cached commit count
 	cache.Remove(pr.Issue.Repo.GetCommitsCountCacheKey(pr.BaseBranch, true))
--- a/services/webhook/deliver.go
+++ b/services/webhook/deliver.go
@ -90,7 +90,12 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error {
 	case http.MethodPut:
 		switch w.Type {
 		case webhook_model.MATRIX:
-			req, err = getMatrixHookRequest(w, t)
+			txnID, err := getMatrixTxnID([]byte(t.PayloadContent))
 			if err != nil {
 				return err
 			}
 			url := fmt.Sprintf("%s/%s", w.URL, url.PathEscape(txnID))
 			req, err = http.NewRequest("PUT", url, strings.NewReader(t.PayloadContent))
 			if err != nil {
 				return err
 			}
@ -130,6 +135,16 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error {
 	req.Header["X-GitHub-Event"] = []string{event}
 	req.Header["X-GitHub-Event-Type"] = []string{eventType}
 	// Add Authorization Header
 	authorization, err := w.HeaderAuthorization()
 	if err != nil {
 		log.Error("Webhook could not get Authorization header [%d]: %v", w.ID, err)
 		return err
 	}
 	if authorization != "" {
 		req.Header["Authorization"] = []string{authorization}
 	}
 	// Record delivery information.
 	t.RequestInfo = &webhook_model.HookRequest{
 		URL:        req.URL.String(),
--- a/services/webhook/deliver_test.go
+++ b/services/webhook/deliver_test.go
@ -5,10 +5,16 @@
 package webhook
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
 	webhook_model "code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
@ -38,3 +44,38 @@ func TestWebhookProxy(t *testing.T) {
 		}
 	}
 }
 func TestWebhookDeliverAuthorizationHeader(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	done := make(chan struct{}, 1)
 	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		assert.Equal(t, "/webhook", r.URL.Path)
 		assert.Equal(t, "Bearer s3cr3t-t0ken", r.Header.Get("Authorization"))
 		w.WriteHeader(200)
 		done <- struct{}{}
 	}))
 	t.Cleanup(s.Close)
 	hook := &webhook_model.Webhook{
 		RepoID:      3,
 		URL:         s.URL + "/webhook",
 		ContentType: webhook_model.ContentTypeJSON,
 		IsActive:    true,
 		Type:        webhook_model.GITEA,
 	}
 	err := hook.SetHeaderAuthorization("Bearer s3cr3t-t0ken")
 	assert.NoError(t, err)
 	assert.NoError(t, webhook_model.CreateWebhook(db.DefaultContext, hook))
 	hookTask := &webhook_model.HookTask{HookID: hook.ID, EventType: webhook_model.HookEventPush}
 	assert.NoError(t, Deliver(context.Background(), hookTask))
 	select {
 	case <-done:
 	case <-time.After(5 * time.Second):
 		t.Fatal("waited to long for request to happen")
 	}
 	assert.True(t, hookTask.IsSucceed)
 }
--- a/services/webhook/main_test.go
+++ b/services/webhook/main_test.go
@ -9,6 +9,7 @@ import (
 	"testing"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/hostmatcher"
 	"code.gitea.io/gitea/modules/setting"
 	_ "code.gitea.io/gitea/models"
@ -17,6 +18,9 @@ import (
 func TestMain(m *testing.M) {
 	setting.LoadForTest()
 	setting.NewQueueService()
 	// for tests, allow only loopback IPs
 	setting.Webhook.AllowedHostList = hostmatcher.MatchBuiltinLoopback
 	unittest.MainTest(m, &unittest.TestOptions{
 		GiteaRootPath: filepath.Join("..", ".."),
 		SetUp:         Init,
--- a/services/webhook/matrix.go
+++ b/services/webhook/matrix.go
@ -6,10 +6,10 @@ package webhook
 import (
 	"crypto/sha1"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"html"
 	"net/http"
 	"net/url"
 	"regexp"
 	"strings"
@ -29,7 +29,6 @@ const matrixPayloadSizeLimit = 1024 * 64
 type MatrixMeta struct {
 	HomeserverURL string `json:"homeserver_url"`
 	Room          string `json:"room_id"`
 	AccessToken   string `json:"access_token"`
 	MessageType   int    `json:"message_type"`
 }
@ -47,27 +46,10 @@ func GetMatrixHook(w *webhook_model.Webhook) *MatrixMeta {
 	return s
 }
-// MatrixPayloadUnsafe contains the (unsafe) payload for a Matrix room
+var _ PayloadConvertor = &MatrixPayload{}
 type MatrixPayloadUnsafe struct {
 	MatrixPayloadSafe
 	AccessToken string `json:"access_token"`
 }
-var _ PayloadConvertor = &MatrixPayloadUnsafe{}
+// MatrixPayload contains payload for a Matrix room
-
+type MatrixPayload struct {
 // safePayload "converts" a unsafe payload to a safe payload
 func (m *MatrixPayloadUnsafe) safePayload() *MatrixPayloadSafe {
 	return &MatrixPayloadSafe{
 		Body:          m.Body,
 		MsgType:       m.MsgType,
 		Format:        m.Format,
 		FormattedBody: m.FormattedBody,
 		Commits:       m.Commits,
 	}
 }
 // MatrixPayloadSafe contains (safe) payload for a Matrix room
 type MatrixPayloadSafe struct {
 	Body          string               `json:"body"`
 	MsgType       string               `json:"msgtype"`
 	Format        string               `json:"format"`
@ -75,8 +57,8 @@ type MatrixPayloadSafe struct {
 	Commits       []*api.PayloadCommit `json:"io.gitea.commits,omitempty"`
 }
-// JSONPayload Marshals the MatrixPayloadUnsafe to json
+// JSONPayload Marshals the MatrixPayload to json
-func (m *MatrixPayloadUnsafe) JSONPayload() ([]byte, error) {
+func (m *MatrixPayload) JSONPayload() ([]byte, error) {
 	data, err := json.MarshalIndent(m, "", "  ")
 	if err != nil {
 		return []byte{}, err
@ -103,62 +85,62 @@ func MatrixLinkToRef(repoURL, ref string) string {
 }
 // Create implements PayloadConvertor Create method
-func (m *MatrixPayloadUnsafe) Create(p *api.CreatePayload) (api.Payloader, error) {
+func (m *MatrixPayload) Create(p *api.CreatePayload) (api.Payloader, error) {
 	repoLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
 	refLink := MatrixLinkToRef(p.Repo.HTMLURL, p.Ref)
 	text := fmt.Sprintf("[%s:%s] %s created by %s", repoLink, refLink, p.RefType, p.Sender.UserName)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Delete composes Matrix payload for delete a branch or tag.
-func (m *MatrixPayloadUnsafe) Delete(p *api.DeletePayload) (api.Payloader, error) {
+func (m *MatrixPayload) Delete(p *api.DeletePayload) (api.Payloader, error) {
 	refName := git.RefEndName(p.Ref)
 	repoLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
 	text := fmt.Sprintf("[%s:%s] %s deleted by %s", repoLink, refName, p.RefType, p.Sender.UserName)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Fork composes Matrix payload for forked by a repository.
-func (m *MatrixPayloadUnsafe) Fork(p *api.ForkPayload) (api.Payloader, error) {
+func (m *MatrixPayload) Fork(p *api.ForkPayload) (api.Payloader, error) {
 	baseLink := MatrixLinkFormatter(p.Forkee.HTMLURL, p.Forkee.FullName)
 	forkLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
 	text := fmt.Sprintf("%s is forked to %s", baseLink, forkLink)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Issue implements PayloadConvertor Issue method
-func (m *MatrixPayloadUnsafe) Issue(p *api.IssuePayload) (api.Payloader, error) {
+func (m *MatrixPayload) Issue(p *api.IssuePayload) (api.Payloader, error) {
 	text, _, _, _ := getIssuesPayloadInfo(p, MatrixLinkFormatter, true)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // IssueComment implements PayloadConvertor IssueComment method
-func (m *MatrixPayloadUnsafe) IssueComment(p *api.IssueCommentPayload) (api.Payloader, error) {
+func (m *MatrixPayload) IssueComment(p *api.IssueCommentPayload) (api.Payloader, error) {
 	text, _, _ := getIssueCommentPayloadInfo(p, MatrixLinkFormatter, true)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Wiki implements PayloadConvertor Wiki method
-func (m *MatrixPayloadUnsafe) Wiki(p *api.WikiPayload) (api.Payloader, error) {
+func (m *MatrixPayload) Wiki(p *api.WikiPayload) (api.Payloader, error) {
 	text, _, _ := getWikiPayloadInfo(p, MatrixLinkFormatter, true)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Release implements PayloadConvertor Release method
-func (m *MatrixPayloadUnsafe) Release(p *api.ReleasePayload) (api.Payloader, error) {
+func (m *MatrixPayload) Release(p *api.ReleasePayload) (api.Payloader, error) {
 	text, _ := getReleasePayloadInfo(p, MatrixLinkFormatter, true)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Push implements PayloadConvertor Push method
-func (m *MatrixPayloadUnsafe) Push(p *api.PushPayload) (api.Payloader, error) {
+func (m *MatrixPayload) Push(p *api.PushPayload) (api.Payloader, error) {
 	var commitDesc string
 	if p.TotalCommits == 1 {
@ -181,18 +163,18 @@ func (m *MatrixPayloadUnsafe) Push(p *api.PushPayload) (api.Payloader, error) {
 	}
-	return getMatrixPayloadUnsafe(text, p.Commits, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, p.Commits, m.MsgType), nil
 }
 // PullRequest implements PayloadConvertor PullRequest method
-func (m *MatrixPayloadUnsafe) PullRequest(p *api.PullRequestPayload) (api.Payloader, error) {
+func (m *MatrixPayload) PullRequest(p *api.PullRequestPayload) (api.Payloader, error) {
 	text, _, _, _ := getPullRequestPayloadInfo(p, MatrixLinkFormatter, true)
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Review implements PayloadConvertor Review method
-func (m *MatrixPayloadUnsafe) Review(p *api.PullRequestPayload, event webhook_model.HookEventType) (api.Payloader, error) {
+func (m *MatrixPayload) Review(p *api.PullRequestPayload, event webhook_model.HookEventType) (api.Payloader, error) {
 	senderLink := MatrixLinkFormatter(setting.AppURL+url.PathEscape(p.Sender.UserName), p.Sender.UserName)
 	title := fmt.Sprintf("#%d %s", p.Index, p.PullRequest.Title)
 	titleLink := MatrixLinkFormatter(p.PullRequest.URL, title)
@ -209,11 +191,11 @@ func (m *MatrixPayloadUnsafe) Review(p *api.PullRequestPayload, event webhook_mo
 		text = fmt.Sprintf("[%s] Pull request review %s: %s by %s", repoLink, action, titleLink, senderLink)
 	}
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
 // Repository implements PayloadConvertor Repository method
-func (m *MatrixPayloadUnsafe) Repository(p *api.RepositoryPayload) (api.Payloader, error) {
+func (m *MatrixPayload) Repository(p *api.RepositoryPayload) (api.Payloader, error) {
 	senderLink := MatrixLinkFormatter(setting.AppURL+p.Sender.UserName, p.Sender.UserName)
 	repoLink := MatrixLinkFormatter(p.Repository.HTMLURL, p.Repository.FullName)
 	var text string
@ -225,27 +207,25 @@ func (m *MatrixPayloadUnsafe) Repository(p *api.RepositoryPayload) (api.Payloade
 		text = fmt.Sprintf("[%s] Repository deleted by %s", repoLink, senderLink)
 	}
-	return getMatrixPayloadUnsafe(text, nil, m.AccessToken, m.MsgType), nil
+	return getMatrixPayload(text, nil, m.MsgType), nil
 }
-// GetMatrixPayload converts a Matrix webhook into a MatrixPayloadUnsafe
+// GetMatrixPayload converts a Matrix webhook into a MatrixPayload
 func GetMatrixPayload(p api.Payloader, event webhook_model.HookEventType, meta string) (api.Payloader, error) {
-	s := new(MatrixPayloadUnsafe)
+	s := new(MatrixPayload)
 	matrix := &MatrixMeta{}
 	if err := json.Unmarshal([]byte(meta), &matrix); err != nil {
 		return s, errors.New("GetMatrixPayload meta json:" + err.Error())
 	}
 	s.AccessToken = matrix.AccessToken
 	s.MsgType = messageTypeText[matrix.MessageType]
 	return convertPayloader(s, p, event)
 }
-func getMatrixPayloadUnsafe(text string, commits []*api.PayloadCommit, accessToken, msgType string) *MatrixPayloadUnsafe {
+func getMatrixPayload(text string, commits []*api.PayloadCommit, msgType string) *MatrixPayload {
-	p := MatrixPayloadUnsafe{}
+	p := MatrixPayload{}
 	p.AccessToken = accessToken
 	p.FormattedBody = text
 	p.Body = getMessageBody(text)
 	p.Format = "org.matrix.custom.html"
@ -262,52 +242,17 @@ func getMessageBody(htmlText string) string {
 	return htmlText
 }
-// getMatrixHookRequest creates a new request which contains an Authorization header.
+// getMatrixTxnID computes the transaction ID to ensure idempotency
 // The access_token is removed from t.PayloadContent
 func getMatrixHookRequest(w *webhook_model.Webhook, t *webhook_model.HookTask) (*http.Request, error) {
 	payloadunsafe := MatrixPayloadUnsafe{}
 	if err := json.Unmarshal([]byte(t.PayloadContent), &payloadunsafe); err != nil {
 		log.Error("Matrix Hook delivery failed: %v", err)
 		return nil, err
 	}
 	payloadsafe := payloadunsafe.safePayload()
 	var payload []byte
 	var err error
 	if payload, err = json.MarshalIndent(payloadsafe, "", "  "); err != nil {
 		return nil, err
 	}
 	if len(payload) >= matrixPayloadSizeLimit {
 		return nil, fmt.Errorf("getMatrixHookRequest: payload size %d > %d", len(payload), matrixPayloadSizeLimit)
 	}
 	t.PayloadContent = string(payload)
 	txnID, err := getMatrixTxnID(payload)
 	if err != nil {
 		return nil, fmt.Errorf("getMatrixHookRequest: unable to hash payload: %+v", err)
 	}
 	url := fmt.Sprintf("%s/%s", w.URL, url.PathEscape(txnID))
 	req, err := http.NewRequest(w.HTTPMethod, url, strings.NewReader(string(payload)))
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Add("Authorization", "Bearer "+payloadunsafe.AccessToken)
 	return req, nil
 }
 // getMatrixTxnID creates a txnID based on the payload to ensure idempotency
 func getMatrixTxnID(payload []byte) (string, error) {
 	if len(payload) >= matrixPayloadSizeLimit {
 		return "", fmt.Errorf("getMatrixTxnID: payload size %d > %d", len(payload), matrixPayloadSizeLimit)
 	}
 	h := sha1.New()
 	_, err := h.Write(payload)
 	if err != nil {
 		return "", err
 	}
-	return fmt.Sprintf("%x", h.Sum(nil)), nil
+	return hex.EncodeToString(h.Sum(nil)), nil
 }
--- a/services/webhook/matrix_test.go
+++ b/services/webhook/matrix_test.go
@ -18,275 +18,203 @@ func TestMatrixPayload(t *testing.T) {
 	t.Run("Create", func(t *testing.T) {
 		p := createTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Create(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo):[test](http://localhost:3000/test/repo/src/branch/test)] branch created by user1", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo):[test](http://localhost:3000/test/repo/src/branch/test)] branch created by user1", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>:<a href="http://localhost:3000/test/repo/src/branch/test">test</a>] branch created by user1`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>:<a href="http://localhost:3000/test/repo/src/branch/test">test</a>] branch created by user1`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Delete", func(t *testing.T) {
 		p := deleteTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Delete(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo):test] branch deleted by user1", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo):test] branch deleted by user1", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>:test] branch deleted by user1`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>:test] branch deleted by user1`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Fork", func(t *testing.T) {
 		p := forkTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Fork(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[test/repo2](http://localhost:3000/test/repo2) is forked to [test/repo](http://localhost:3000/test/repo)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[test/repo2](http://localhost:3000/test/repo2) is forked to [test/repo](http://localhost:3000/test/repo)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `<a href="http://localhost:3000/test/repo2">test/repo2</a> is forked to <a href="http://localhost:3000/test/repo">test/repo</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `<a href="http://localhost:3000/test/repo2">test/repo2</a> is forked to <a href="http://localhost:3000/test/repo">test/repo</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Push", func(t *testing.T) {
 		p := pushTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Push(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] user1 pushed 2 commits to [test](http://localhost:3000/test/repo/src/branch/test):\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778): commit message - user1\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778): commit message - user1", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] user1 pushed 2 commits to [test](http://localhost:3000/test/repo/src/branch/test):\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778): commit message - user1\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778): commit message - user1", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] user1 pushed 2 commits to <a href="http://localhost:3000/test/repo/src/branch/test">test</a>:<br><a href="http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778">2020558</a>: commit message - user1<br><a href="http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778">2020558</a>: commit message - user1`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] user1 pushed 2 commits to <a href="http://localhost:3000/test/repo/src/branch/test">test</a>:<br><a href="http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778">2020558</a>: commit message - user1<br><a href="http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778">2020558</a>: commit message - user1`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Issue", func(t *testing.T) {
 		p := issueTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		p.Action = api.HookIssueOpened
 		pl, err := d.Issue(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Issue opened: [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Issue opened: [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Issue opened: <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Issue opened: <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 		p.Action = api.HookIssueClosed
 		pl, err = d.Issue(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Issue closed: [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Issue closed: [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Issue closed: <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Issue closed: <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("IssueComment", func(t *testing.T) {
 		p := issueCommentTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.IssueComment(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New comment on issue [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New comment on issue [#2 crash](http://localhost:3000/test/repo/issues/2) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New comment on issue <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New comment on issue <a href="http://localhost:3000/test/repo/issues/2">#2 crash</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("PullRequest", func(t *testing.T) {
 		p := pullRequestTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.PullRequest(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Pull request opened: [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Pull request opened: [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Pull request opened: <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Pull request opened: <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("PullRequestComment", func(t *testing.T) {
 		p := pullRequestCommentTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.IssueComment(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New comment on pull request [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New comment on pull request [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New comment on pull request <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New comment on pull request <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Review", func(t *testing.T) {
 		p := pullRequestTestPayload()
 		p.Action = api.HookIssueReviewed
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Review(p, webhook_model.HookEventPullRequestReviewApproved)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Pull request review approved: [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Pull request review approved: [#12 Fix bug](http://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Pull request review approved: <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Pull request review approved: <a href="http://localhost:3000/test/repo/pulls/12">#12 Fix bug</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Repository", func(t *testing.T) {
 		p := repositoryTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Repository(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, `[[test/repo](http://localhost:3000/test/repo)] Repository created by [user1](https://try.gitea.io/user1)`, pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, `[[test/repo](http://localhost:3000/test/repo)] Repository created by [user1](https://try.gitea.io/user1)`, pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Repository created by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Repository created by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Wiki", func(t *testing.T) {
 		p := wikiTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		p.Action = api.HookWikiCreated
 		pl, err := d.Wiki(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New wiki page '[index](http://localhost:3000/test/repo/wiki/index)' (Wiki change comment) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] New wiki page '[index](http://localhost:3000/test/repo/wiki/index)' (Wiki change comment) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' (Wiki change comment) by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] New wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' (Wiki change comment) by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 		p.Action = api.HookWikiEdited
 		pl, err = d.Wiki(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Wiki page '[index](http://localhost:3000/test/repo/wiki/index)' edited (Wiki change comment) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Wiki page '[index](http://localhost:3000/test/repo/wiki/index)' edited (Wiki change comment) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' edited (Wiki change comment) by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' edited (Wiki change comment) by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 		p.Action = api.HookWikiDeleted
 		pl, err = d.Wiki(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Wiki page '[index](http://localhost:3000/test/repo/wiki/index)' deleted by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Wiki page '[index](http://localhost:3000/test/repo/wiki/index)' deleted by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' deleted by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Wiki page '<a href="http://localhost:3000/test/repo/wiki/index">index</a>' deleted by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 	t.Run("Release", func(t *testing.T) {
 		p := pullReleaseTestPayload()
-		d := new(MatrixPayloadUnsafe)
+		d := new(MatrixPayload)
 		pl, err := d.Release(p)
 		require.NoError(t, err)
 		require.NotNil(t, pl)
-		require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+		require.IsType(t, &MatrixPayload{}, pl)
-		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Release created: [v1.0](http://localhost:3000/test/repo/releases/tag/v1.0) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayloadUnsafe).Body)
+		assert.Equal(t, "[[test/repo](http://localhost:3000/test/repo)] Release created: [v1.0](http://localhost:3000/test/repo/releases/tag/v1.0) by [user1](https://try.gitea.io/user1)", pl.(*MatrixPayload).Body)
-		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Release created: <a href="http://localhost:3000/test/repo/releases/tag/v1.0">v1.0</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayloadUnsafe).FormattedBody)
+		assert.Equal(t, `[<a href="http://localhost:3000/test/repo">test/repo</a>] Release created: <a href="http://localhost:3000/test/repo/releases/tag/v1.0">v1.0</a> by <a href="https://try.gitea.io/user1">user1</a>`, pl.(*MatrixPayload).FormattedBody)
 	})
 }
 func TestMatrixJSONPayload(t *testing.T) {
 	p := pushTestPayload()
-	pl, err := new(MatrixPayloadUnsafe).Push(p)
+	pl, err := new(MatrixPayload).Push(p)
 	require.NoError(t, err)
 	require.NotNil(t, pl)
-	require.IsType(t, &MatrixPayloadUnsafe{}, pl)
+	require.IsType(t, &MatrixPayload{}, pl)
 	json, err := pl.JSONPayload()
 	require.NoError(t, err)
 	assert.NotEmpty(t, json)
 }
 func TestMatrixHookRequest(t *testing.T) {
 	w := &webhook_model.Webhook{}
 	h := &webhook_model.HookTask{
 		PayloadContent: `{
  "body": "[[user1/test](http://localhost:3000/user1/test)] user1 pushed 1 commit to [master](http://localhost:3000/user1/test/src/branch/master):\n[5175ef2](http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee): Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n - user1",
  "msgtype": "m.notice",
  "format": "org.matrix.custom.html",
  "formatted_body": "[\u003ca href=\"http://localhost:3000/user1/test\"\u003euser1/test\u003c/a\u003e] user1 pushed 1 commit to \u003ca href=\"http://localhost:3000/user1/test/src/branch/master\"\u003emaster\u003c/a\u003e:\u003cbr\u003e\u003ca href=\"http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee\"\u003e5175ef2\u003c/a\u003e: Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n - user1",
  "io.gitea.commits": [
    {
      "id": "5175ef26201c58b035a3404b3fe02b4e8d436eee",
      "message": "Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n",
      "url": "http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee",
      "author": {
        "name": "user1",
        "email": "user@mail.com",
        "username": ""
      },
      "committer": {
        "name": "user1",
        "email": "user@mail.com",
        "username": ""
      },
      "verification": null,
      "timestamp": "0001-01-01T00:00:00Z",
      "added": null,
      "removed": null,
      "modified": null
    }
  ],
  "access_token": "dummy_access_token"
 }`,
 	}
 	wantPayloadContent := `{
  "body": "[[user1/test](http://localhost:3000/user1/test)] user1 pushed 1 commit to [master](http://localhost:3000/user1/test/src/branch/master):\n[5175ef2](http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee): Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n - user1",
  "msgtype": "m.notice",
  "format": "org.matrix.custom.html",
  "formatted_body": "[\u003ca href=\"http://localhost:3000/user1/test\"\u003euser1/test\u003c/a\u003e] user1 pushed 1 commit to \u003ca href=\"http://localhost:3000/user1/test/src/branch/master\"\u003emaster\u003c/a\u003e:\u003cbr\u003e\u003ca href=\"http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee\"\u003e5175ef2\u003c/a\u003e: Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n - user1",
  "io.gitea.commits": [
    {
      "id": "5175ef26201c58b035a3404b3fe02b4e8d436eee",
      "message": "Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http://localhost:3000/user1/test/pulls/2\n",
      "url": "http://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee",
      "author": {
        "name": "user1",
        "email": "user@mail.com",
        "username": ""
      },
      "committer": {
        "name": "user1",
        "email": "user@mail.com",
        "username": ""
      },
      "verification": null,
      "timestamp": "0001-01-01T00:00:00Z",
      "added": null,
      "removed": null,
      "modified": null
    }
  ]
 }`
 	req, err := getMatrixHookRequest(w, h)
 	require.NoError(t, err)
 	require.NotNil(t, req)
 	assert.Equal(t, "Bearer dummy_access_token", req.Header.Get("Authorization"))
 	assert.Equal(t, wantPayloadContent, h.PayloadContent)
 }
 func Test_getTxnID(t *testing.T) {
 	type args struct {
 		payload []byte
--- a/templates/install.tmpl
+++ b/templates/install.tmpl
@ -163,8 +163,8 @@
 						<span class="help">{{.locale.Tr "install.log_root_path_helper"}}</span>
 					</div>
 					<div class="inline field">
 						<label for="enable_update_checker">{{.locale.Tr "install.enable_update_checker"}}</label>
 						<div class="ui checkbox">
 							<label for="enable_update_checker">{{.locale.Tr "install.enable_update_checker"}}</label>
 							<input name="enable_update_checker" type="checkbox">
 						</div>
 						<span class="help">{{.locale.Tr "install.enable_update_checker_helper"}}</span>
@ -202,13 +202,13 @@
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label><strong>{{.locale.Tr "install.register_confirm"}}</strong></label>
+								<label>{{.locale.Tr "install.register_confirm"}}</label>
 								<input name="register_confirm" type="checkbox" {{if .register_confirm}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label><strong>{{.locale.Tr "install.mail_notify"}}</strong></label>
+								<label>{{.locale.Tr "install.mail_notify"}}</label>
 								<input name="mail_notify" type="checkbox" {{if .mail_notify}}checked{{end}}>
 							</div>
 						</div>
@ -221,73 +221,73 @@
 						</summary>
 						<div class="inline field">
 							<div class="ui checkbox" id="offline-mode">
-								<label class="tooltip" data-content="{{.locale.Tr "install.offline_mode_popup"}}"><strong>{{.locale.Tr "install.offline_mode"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.offline_mode_popup"}}">{{.locale.Tr "install.offline_mode"}}</label>
 								<input name="offline_mode" type="checkbox" {{if .offline_mode}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="disable-gravatar">
-								<label class="tooltip" data-content="{{.locale.Tr "install.disable_gravatar_popup"}}"><strong>{{.locale.Tr "install.disable_gravatar"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.disable_gravatar_popup"}}">{{.locale.Tr "install.disable_gravatar"}}</label>
 								<input name="disable_gravatar" type="checkbox" {{if .disable_gravatar}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="federated-avatar-lookup">
-								<label class="tooltip" data-content="{{.locale.Tr "install.federated_avatar_lookup_popup"}}"><strong>{{.locale.Tr "install.federated_avatar_lookup"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.federated_avatar_lookup_popup"}}">{{.locale.Tr "install.federated_avatar_lookup"}}</label>
 								<input name="enable_federated_avatar" type="checkbox" {{if .enable_federated_avatar}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="enable-openid-signin">
-								<label class="tooltip" data-content="{{.locale.Tr "install.openid_signin_popup"}}"><strong>{{.locale.Tr "install.openid_signin"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.openid_signin_popup"}}">{{.locale.Tr "install.openid_signin"}}</label>
 								<input name="enable_open_id_sign_in" type="checkbox" {{if .enable_open_id_sign_in}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="disable-registration">
-								<label class="tooltip" data-content="{{.locale.Tr "install.disable_registration_popup"}}"><strong>{{.locale.Tr "install.disable_registration"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.disable_registration_popup"}}">{{.locale.Tr "install.disable_registration"}}</label>
 								<input name="disable_registration" type="checkbox" {{if .disable_registration}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="allow-only-external-registration">
-								<label class="tooltip" data-content="{{.locale.Tr "install.allow_only_external_registration_popup"}}"><strong>{{.locale.Tr "install.allow_only_external_registration_popup"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.allow_only_external_registration_popup"}}">{{.locale.Tr "install.allow_only_external_registration_popup"}}</label>
 								<input name="allow_only_external_registration" type="checkbox" {{if .allow_only_external_registration}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="enable-openid-signup">
-								<label class="tooltip" data-content="{{.locale.Tr "install.openid_signup_popup"}}"><strong>{{.locale.Tr "install.openid_signup"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.openid_signup_popup"}}">{{.locale.Tr "install.openid_signup"}}</label>
 								<input name="enable_open_id_sign_up" type="checkbox" {{if .enable_open_id_sign_up}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox" id="enable-captcha">
-								<label class="tooltip" data-content="{{.locale.Tr "install.enable_captcha_popup"}}"><strong>{{.locale.Tr "install.enable_captcha"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.enable_captcha_popup"}}">{{.locale.Tr "install.enable_captcha"}}</label>
 								<input name="enable_captcha" type="checkbox" {{if .enable_captcha}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label class="tooltip" data-content="{{.locale.Tr "install.require_sign_in_view_popup"}}"><strong>{{.locale.Tr "install.require_sign_in_view"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.require_sign_in_view_popup"}}">{{.locale.Tr "install.require_sign_in_view"}}</label>
 								<input name="require_sign_in_view" type="checkbox" {{if .require_sign_in_view}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label class="tooltip" data-content="{{.locale.Tr "install.default_keep_email_private_popup"}}"><strong>{{.locale.Tr "install.default_keep_email_private"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.default_keep_email_private_popup"}}">{{.locale.Tr "install.default_keep_email_private"}}</label>
 								<input name="default_keep_email_private" type="checkbox" {{if .default_keep_email_private}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label class="tooltip" data-content="{{.locale.Tr "install.default_allow_create_organization_popup"}}"><strong>{{.locale.Tr "install.default_allow_create_organization"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.default_allow_create_organization_popup"}}">{{.locale.Tr "install.default_allow_create_organization"}}</label>
 								<input name="default_allow_create_organization" type="checkbox" {{if .default_allow_create_organization}}checked{{end}}>
 							</div>
 						</div>
 						<div class="inline field">
 							<div class="ui checkbox">
-								<label class="tooltip" data-content="{{.locale.Tr "install.default_enable_timetracking_popup"}}"><strong>{{.locale.Tr "install.default_enable_timetracking"}}</strong></label>
+								<label class="tooltip" data-content="{{.locale.Tr "install.default_enable_timetracking_popup"}}">{{.locale.Tr "install.default_enable_timetracking"}}</label>
 								<input name="default_enable_timetracking" type="checkbox" {{if .default_enable_timetracking}}checked{{end}}>
 							</div>
 						</div>
--- a/templates/repo/settings/webhook/matrix.tmpl
+++ b/templates/repo/settings/webhook/matrix.tmpl
@ -10,10 +10,6 @@
 			<label for="room_id">{{.locale.Tr "repo.settings.matrix.room_id"}}</label>
 			<input id="room_id" name="room_id" type="text" value="{{.MatrixHook.Room}}" required>
 		</div>
 		<div class="required field {{if .Err_AccessToken}}error{{end}}">
 			<label for="access_token">{{.locale.Tr "repo.settings.matrix.access_token"}}</label>
 			<input id="access_token" name="access_token" type="text" value="{{.MatrixHook.AccessToken}}" required>
 		</div>
 		<div class="field">
 			<label>{{.locale.Tr "repo.settings.matrix.message_type"}}</label>
 				<div class="ui selection dropdown">
--- a/templates/repo/settings/webhook/settings.tmpl
+++ b/templates/repo/settings/webhook/settings.tmpl
@ -248,6 +248,15 @@
 	<span class="help">{{.locale.Tr "repo.settings.branch_filter_desc" | Str2html}}</span>
 </div>
 <!-- Authorization Header -->
 <div class="field{{if eq .HookType "matrix"}} required{{end}}">
 	<label for="authorization_header">{{.locale.Tr "repo.settings.authorization_header"}}</label>
 	<input id="authorization_header" name="authorization_header" type="text" value="{{.Webhook.HeaderAuthorization}}"{{if eq .HookType "matrix"}} placeholder="Bearer $access_token" required{{end}}>
 	{{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}}
 		<span class="help">{{.locale.Tr "repo.settings.authorization_header_desc" "<code>Bearer token123456</code>, <code>Basic YWxhZGRpbjpvcGVuc2VzYW1l</code>" | Str2html}}</span>
 	{{end}}
 </div>
 <div class="ui divider"></div>
 <div class="inline field">
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -14448,6 +14448,10 @@
          "default": false,
          "x-go-name": "Active"
        },
        "authorization_header": {
          "type": "string",
          "x-go-name": "AuthorizationHeader"
        },
        "branch_filter": {
          "type": "string",
          "x-go-name": "BranchFilter"
@ -15437,6 +15441,10 @@
          "type": "boolean",
          "x-go-name": "Active"
        },
        "authorization_header": {
          "type": "string",
          "x-go-name": "AuthorizationHeader"
        },
        "branch_filter": {
          "type": "string",
          "x-go-name": "BranchFilter"
@ -16544,6 +16552,10 @@
          "type": "boolean",
          "x-go-name": "Active"
        },
        "authorization_header": {
          "type": "string",
          "x-go-name": "AuthorizationHeader"
        },
        "config": {
          "type": "object",
          "additionalProperties": {
--- a/tests/integration/api_repo_hook_test.go
+++ b/tests/integration/api_repo_hook_test.go
@ -0,0 +1,47 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package integration
 import (
 	"fmt"
 	"net/http"
 	"testing"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
 	"github.com/stretchr/testify/assert"
 )
 func TestAPICreateHook(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 37})
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 	// user1 is an admin user
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session)
 	completeURL := func(lastSegment string) string {
 		return fmt.Sprintf("/api/v1/repos/%s/%s/%s?token=%s", owner.Name, repo.Name, lastSegment, token)
 	}
 	req := NewRequestWithJSON(t, "POST", completeURL("hooks"), api.CreateHookOption{
 		Type: "gitea",
 		Config: api.CreateHookOptionConfig{
 			"content_type": "json",
 			"url":          "http://example.com/",
 		},
 		AuthorizationHeader: "Bearer s3cr3t",
 	})
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiHook *api.Hook
 	DecodeJSON(t, resp, &apiHook)
 	assert.Equal(t, "http://example.com/", apiHook.Config["url"])
 	assert.Equal(t, "Bearer s3cr3t", apiHook.AuthorizationHeader)
 }
--- a/tests/integration/pull_merge_test.go
+++ b/tests/integration/pull_merge_test.go
@ -245,11 +245,11 @@ func TestCantMergeConflict(t *testing.T) {
 		gitRepo, err := git.OpenRepository(git.DefaultContext, repo_model.RepoPath(user1.Name, repo1.Name))
 		assert.NoError(t, err)
-		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "CONFLICT")
+		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "CONFLICT", false)
 		assert.Error(t, err, "Merge should return an error due to conflict")
 		assert.True(t, models.IsErrMergeConflicts(err), "Merge error is not a conflict error")
-		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleRebase, "", "CONFLICT")
+		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleRebase, "", "CONFLICT", false)
 		assert.Error(t, err, "Merge should return an error due to conflict")
 		assert.True(t, models.IsErrRebaseConflicts(err), "Merge error is not a conflict error")
 		gitRepo.Close()
@ -344,7 +344,7 @@ func TestCantMergeUnrelated(t *testing.T) {
 			BaseBranch: "base",
 		})
-		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "UNRELATED")
+		err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "UNRELATED", false)
 		assert.Error(t, err, "Merge should return an error due to unrelated")
 		assert.True(t, models.IsErrMergeUnrelatedHistories(err), "Merge error is not a unrelated histories error")
 		gitRepo.Close()
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@ -53,6 +53,22 @@ func TestRenameInvalidUsername(t *testing.T) {
 		"%00",
 		"thisHas ASpace",
 		"p<A>tho>lo<gical",
 		".",
 		"..",
 		".well-known",
 		".abc",
 		"abc.",
 		"a..bc",
 		"a...bc",
 		"a.-bc",
 		"a._bc",
 		"a_-bc",
 		"a/bc",
 		"☁️",
 		"-",
 		"--diff",
 		"-im-here",
 		"a space",
 	}
 	session := loginUser(t, "user2")
@ -68,7 +84,7 @@ func TestRenameInvalidUsername(t *testing.T) {
 		htmlDoc := NewHTMLParser(t, resp.Body)
 		assert.Contains(t,
 			htmlDoc.doc.Find(".ui.negative.message").Text(),
-			translation.NewLocale("en-US").Tr("form.alpha_dash_dot_error"),
+			translation.NewLocale("en-US").Tr("form.username_error"),
 		)
 		unittest.AssertNotExistsBean(t, &user_model.User{Name: invalidUsername})
@ -79,9 +95,7 @@ func TestRenameReservedUsername(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	reservedUsernames := []string{
-		".",
+		// ".", "..", ".well-known", // The names are not only reserved but also invalid
 		"..",
 		".well-known",
 		"admin",
 		"api",
 		"assets",
--- a/web_src/less/_install.less
+++ b/web_src/less/_install.less
@ -1,36 +1,57 @@
 .page-content.install {
  padding-top: 45px;
-  form {
+  form.ui.form {
-    @input-padding: 320px !important;
+    @input-padding: 30%;
-    .inline.field label {
+    .inline.field > label {
      text-align: right;
      width: @input-padding;
      padding-right: 10px;
      margin-right: 0;
    }
    .inline.field > .ui.checkbox:first-child {
      margin-left: @input-padding;
      padding-left: 5px;
      label {
        width: auto;
      }
    }
    .title {
      margin-left: @input-padding;
      padding-left: 5px;
    }
    input {
-      width: 35% !important;
+      width: 60%;
    }
    details.optional.field {
      &[open] {
        border-bottom: 1px solid var(--color-secondary);
        padding-bottom: 10px;
        summary {
          margin-bottom: 10px;
        }
      }
      * {
        box-sizing: border-box;
      }
    }
    .field {
      text-align: left;
      .help {
-        margin-left: @input-padding+15px;
+        margin-left: @input-padding;
        padding-left: 5px;
        width: 60%;
      }
      &.optional {
        .title {
          margin-left: 38%;
        }
        .checkbox {
          margin-left: 40% !important;
          label {
            width: auto !important;
          }
        }
      }
    }
  }