fix yaml indentation

enable sqlite testing
[DOCS] document the forgejo-federation feature branch
2022-12-03 15:42:21 +01:00 · 2022-12-03 15:40:57 +01:00 · 2022-12-03 12:55:11 +01:00 · 2022-12-03 12:55:11 +01:00 · 2022-12-03 12:55:11 +01:00 · 2022-12-03 12:55:11 +01:00
3122 changed files with 71904 additions and 44597 deletions
--- a/.air.toml
+++ b/.air.toml
@ -7,4 +7,4 @@ bin = "gitea"
 include_ext = ["go", "tmpl"]
 exclude_dir = ["modules/git/tests", "services/gitdiff/testdata", "modules/avatar/testdata"]
 include_dir = ["cmd", "models", "modules", "options", "routers", "services", "templates"]
-exclude_regex = ["_test.go$"]
+exclude_regex = ["_test.go$", "_gen.go$"]
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,114 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# IntelliJ
+.idea
+# Goland's output filename can not be set manually
+/go_build_*
+
+# MS VSCode
+.vscode
+__debug_bin
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*coverage.out
+coverage.all
+cpu.out
+
+/modules/migration/bindata.go
+/modules/migration/bindata.go.hash
+/modules/options/bindata.go
+/modules/options/bindata.go.hash
+/modules/public/bindata.go
+/modules/public/bindata.go.hash
+/modules/templates/bindata.go
+/modules/templates/bindata.go.hash
+
+*.db
+*.log
+
+/gitea
+/gitea-vet
+/debug
+/integrations.test
+
+/bin
+/dist
+/custom/*
+!/custom/conf
+/custom/conf/*
+!/custom/conf/app.example.ini
+/data
+/indexers
+/log
+/public/img/avatar
+/tests/integration/gitea-integration-*
+/tests/integration/indexers-*
+/tests/e2e/gitea-e2e-*
+/tests/e2e/indexers-*
+/tests/e2e/reports
+/tests/e2e/test-artifacts
+/tests/e2e/test-snapshots
+/tests/*.ini
+/node_modules
+/yarn.lock
+/yarn-error.log
+/npm-debug.log*
+/public/js
+/public/serviceworker.js
+/public/css
+/public/fonts
+/public/img/webpack
+/vendor
+/web_src/fomantic/node_modules
+/web_src/fomantic/build/*
+!/web_src/fomantic/build/semantic.js
+!/web_src/fomantic/build/semantic.css
+!/web_src/fomantic/build/themes
+/web_src/fomantic/build/themes/*
+!/web_src/fomantic/build/themes/default
+/web_src/fomantic/build/themes/default/assets/*
+!/web_src/fomantic/build/themes/default/assets/fonts
+/web_src/fomantic/build/themes/default/assets/fonts/*
+!/web_src/fomantic/build/themes/default/assets/fonts/icons.woff2
+!/web_src/fomantic/build/themes/default/assets/fonts/outline-icons.woff2
+/VERSION
+/.air
+/.go-licenses
+
+# Snapcraft
+snap/.snapcraft/
+parts/
+stage/
+prime/
+*.snap
+*.snap-build
+*_source.tar.bz2
+.DS_Store
+
+# Make evidence files
+/.make_evidence
+
+# Manpage
+/man
--- a/.drone.yml
+++ b/.drone.yml
@ -19,13 +19,13 @@ volumes:

 steps:
  - name: deps-frontend
-    image: node:16
+    image: node:18
    pull: always
    commands:
      - make deps-frontend

  - name: deps-backend
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - make deps-backend
@ -34,7 +34,7 @@ steps:
        path: /go

  - name: lint-frontend
-    image: node:16
+    image: node:18
    commands:
      - make lint-frontend
    depends_on: [deps-frontend]
@ -82,31 +82,31 @@ steps:
        path: /go

  - name: checks-frontend
-    image: node:16
+    image: node:18
    commands:
      - make checks-frontend
    depends_on: [deps-frontend]

  - name: checks-backend
-    image: golang:1.18
+    image: golang:1.19
    commands:
-      - make checks-backend
+      - make --always-make checks-backend # ensure the 'go-licenses' make target runs
    depends_on: [deps-backend]
    volumes:
      - name: deps
        path: /go

  - name: test-frontend
-    image: node:16
+    image: node:18
    commands:
      - make test-frontend
    depends_on: [lint-frontend]

  - name: build-frontend
-    image: node:16
+    image: node:18
    commands:
      - make frontend
-    depends_on: [test-frontend]
+    depends_on: [deps-frontend]

  - name: build-backend-no-gcc
    image: golang:1.18 # this step is kept as the lowest version of golang that we support
@ -122,7 +122,7 @@ steps:
        path: /go

  - name: build-backend-arm64
-    image: golang:1.18
+    image: golang:1.19
    environment:
      GO111MODULE: on
      GOPROXY: https://goproxy.io
@ -138,7 +138,7 @@ steps:
        path: /go

  - name: build-backend-windows
-    image: golang:1.18
+    image: golang:1.19
    environment:
      GO111MODULE: on
      GOPROXY: https://goproxy.io
@ -153,7 +153,7 @@ steps:
        path: /go

  - name: build-backend-386
-    image: golang:1.18
+    image: golang:1.19
    environment:
      GO111MODULE: on
      GOPROXY: https://goproxy.io
@ -243,7 +243,7 @@ steps:
          - pull_request

  - name: deps-backend
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - make deps-backend
@ -360,7 +360,7 @@ steps:
        path: /go

  - name: generate-coverage
-    image: golang:1.18
+    image: golang:1.19
    commands:
      - make coverage
    environment:
@ -436,7 +436,7 @@ steps:
          - pull_request

  - name: deps-backend
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - make deps-backend
@ -498,6 +498,78 @@ steps:
      - name: deps
        path: /go

+---
+kind: pipeline
+type: docker
+name: testing-e2e
+
+platform:
+  os: linux
+  arch: amd64
+
+depends_on:
+  - compliance
+
+trigger:
+  event:
+    - pull_request
+
+volumes:
+  - name: deps
+    temp: {}
+
+services:
+  - name: pgsql
+    pull: default
+    image: postgres:10
+    environment:
+      POSTGRES_DB: testgitea-e2e
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_INITDB_ARGS: --encoding=UTF8 --lc-collate='en_US.UTF-8' --lc-ctype='en_US.UTF-8'
+
+steps:
+  - name: deps-frontend
+    image: node:18
+    pull: always
+    commands:
+      - make deps-frontend
+
+  - name: build-frontend
+    image: node:18
+    commands:
+      - make frontend
+    depends_on: [deps-frontend]
+
+  - name: deps-backend
+    image: golang:1.18
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
+  # TODO: We should probably build all dependencies into a test image
+  - name: test-e2e
+    image: mcr.microsoft.com/playwright:v1.28.0-focal
+    commands:
+      - curl -sLO https://go.dev/dl/go1.19.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
+      - groupadd --gid 1001 gitea && useradd -m --gid 1001 --uid 1001 gitea
+      - apt-get -qq update && apt-get -qqy install build-essential
+      - export TEST_PGSQL_SCHEMA=''
+      - ./build/test-env-prepare.sh
+      - su gitea bash -c "export PATH=$PATH:/usr/local/go/bin && timeout -s ABRT 40m make test-e2e-pgsql"
+    environment:
+      GOPROXY: https://goproxy.io
+      GOSUMDB: sum.golang.org
+      USE_REPO_TEST_DIR: 1
+      TEST_PGSQL_DBNAME: 'testgitea-e2e'
+      DEBIAN_FRONTEND: noninteractive
+    depends_on: [build-frontend, deps-backend]
+    volumes:
+      - name: deps
+        path: /go
+
 ---
 kind: pipeline
 name: update_translations
@ -528,7 +600,7 @@ steps:
        from_secret: crowdin_key

  - name: update
-    image: alpine:3.13
+    image: alpine:3.17
    pull: always
    commands:
      - ./build/update-locales.sh
@ -544,6 +616,8 @@ steps:
      commit_message: "[skip ci] Updated translations via Crowdin"
      remote: "git@github.com:go-gitea/gitea.git"
    environment:
+      DRONE_COMMIT_AUTHOR_EMAIL: "teabot@gitea.io"
+      DRONE_COMMIT_AUTHOR: GiteaBot
      GIT_PUSH_SSH_KEY:
        from_secret: git_push_ssh_key

@ -578,7 +652,7 @@ trigger:

 steps:
  - name: download
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - timeout -s ABRT 40m make generate-license generate-gitignore
@ -588,12 +662,14 @@ steps:
    pull: always
    settings:
      author_email: "teabot@gitea.io"
-      author_name: GiteaBot
+      author_name: "GiteaBot"
      branch: main
      commit: true
-      commit_message: "[skip ci] Updated licenses and gitignores "
+      commit_message: "[skip ci] Updated licenses and gitignores"
      remote: "git@github.com:go-gitea/gitea.git"
    environment:
+      DRONE_COMMIT_AUTHOR_EMAIL: "teabot@gitea.io"
+      DRONE_COMMIT_AUTHOR: "GiteaBot"
      GIT_PUSH_SSH_KEY:
        from_secret: git_push_ssh_key

@ -634,13 +710,13 @@ steps:
      - git fetch --tags --force

  - name: deps-frontend
-    image: node:16
+    image: node:18
    pull: always
    commands:
      - make deps-frontend

  - name: deps-backend
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - make deps-backend
@ -649,15 +725,17 @@ steps:
        path: /go

  - name: static
-    image: techknowlogick/xgo:go-1.18.x
+    image: techknowlogick/xgo:go-1.19.x
    pull: always
    commands:
-      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
+      # Upgrade to node 18 once https://github.com/techknowlogick/xgo/issues/163 is resolved
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get -qqy install nodejs
      - export PATH=$PATH:$GOPATH/bin
      - make release
    environment:
      GOPROXY: https://goproxy.io # proxy.golang.org is blocked in China, this proxy is not
      TAGS: bindata sqlite sqlite_unlock_notify
+      DEBIAN_FRONTEND: noninteractive
    volumes:
      - name: deps
        path: /go
@ -753,13 +831,13 @@ steps:
      - git fetch --tags --force

  - name: deps-frontend
-    image: node:16
+    image: node:18
    pull: always
    commands:
      - make deps-frontend

  - name: deps-backend
-    image: golang:1.18
+    image: golang:1.19
    pull: always
    commands:
      - make deps-backend
@ -768,15 +846,17 @@ steps:
        path: /go

  - name: static
-    image: techknowlogick/xgo:go-1.18.x
+    image: techknowlogick/xgo:go-1.19.x
    pull: always
    commands:
-      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
+      # Upgrade to node 18 once https://github.com/techknowlogick/xgo/issues/163 is resolved
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get -qqy install nodejs
      - export PATH=$PATH:$GOPATH/bin
      - make release
    environment:
      GOPROXY: https://goproxy.io # proxy.golang.org is blocked in China, this proxy is not
      TAGS: bindata sqlite sqlite_unlock_notify
+      DEBIAN_FRONTEND: noninteractive
    depends_on: [fetch-tags]
    volumes:
      - name: deps
--- a/.editorconfig
+++ b/.editorconfig
@ -26,6 +26,3 @@ indent_style = tab

 [*.svg]
 insert_final_newline = false
-
-[*.md]
-trim_trailing_whitespace = false
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -11,12 +11,8 @@ parserOptions:
 plugins:
  - eslint-plugin-unicorn
  - eslint-plugin-import
-  - eslint-plugin-vue
-  - eslint-plugin-html
  - eslint-plugin-jquery
-
-extends:
-  - plugin:vue/recommended
+  - eslint-plugin-sonarjs

 env:
  es2022: true
@ -25,30 +21,20 @@ env:
 globals:
  __webpack_public_path__: true

-settings:
-  html/html-extensions: [".tmpl"]
-
 overrides:
-  - files: ["web_src/**/*.js", "web_src/**/*.vue", "templates/**/*.tmpl"]
+  - files: ["web_src/**/*.js", "docs/**/*.js"]
    env:
      browser: true
      node: false
-  - files: ["templates/**/*.tmpl"]
-    rules:
-      no-tabs: [0]
-      indent: [2, tab, {SwitchCase: 1}]
  - files: ["web_src/**/*worker.js"]
    env:
      worker: true
    rules:
-      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
+      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
  - files: ["build/generate-images.js"]
    rules:
      import/no-unresolved: [0]
      import/no-extraneous-dependencies: [0]
-  - files: ["*.test.js"]
-    env:
-      jest: true
  - files: ["*.config.js"]
    rules:
      import/no-unused-modules: [0]
@ -57,7 +43,7 @@ rules:
  accessor-pairs: [2]
  array-bracket-newline: [0]
  array-bracket-spacing: [2, never]
-  array-callback-return: [0]
+  array-callback-return: [2, {checkForEach: true}]
  array-element-newline: [0]
  arrow-body-style: [0]
  arrow-parens: [2, always]
@ -120,7 +106,7 @@ rules:
  import/no-extraneous-dependencies: [2]
  import/no-import-module-exports: [0]
  import/no-internal-modules: [0]
-  import/no-mutable-exports: [2]
+  import/no-mutable-exports: [0]
  import/no-named-as-default-member: [0]
  import/no-named-as-default: [2]
  import/no-named-default: [0]
@ -132,7 +118,7 @@ rules:
  import/no-restricted-paths: [0]
  import/no-self-import: [2]
  import/no-unassigned-import: [0]
-  import/no-unresolved: [2, {commonjs: true}]
+  import/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$"]}]
  import/no-unused-modules: [2, {unusedExports: true}]
  import/no-useless-path-segments: [2, {commonjs: true}]
  import/no-webpack-loader-syntax: [2]
@ -196,6 +182,7 @@ rules:
  linebreak-style: [2, unix]
  lines-around-comment: [0]
  lines-between-class-members: [0]
+  logical-assignment-operators: [0]
  max-classes-per-file: [0]
  max-depth: [0]
  max-len: [0]
@ -212,7 +199,7 @@ rules:
  newline-per-chained-call: [0]
  no-alert: [0]
  no-array-constructor: [2]
-  no-async-promise-executor: [2]
+  no-async-promise-executor: [0]
  no-await-in-loop: [0]
  no-bitwise: [0]
  no-buffer-constructor: [0]
@ -222,7 +209,7 @@ rules:
  no-compare-neg-zero: [2]
  no-cond-assign: [2, except-parens]
  no-confusing-arrow: [0]
-  no-console: [1, {allow: [info, warn, error]}]
+  no-console: [1, {allow: [debug, info, warn, error]}]
  no-const-assign: [2]
  no-constant-binary-expression: [2]
  no-constant-condition: [0]
@ -242,6 +229,7 @@ rules:
  no-empty-character-class: [2]
  no-empty-function: [0]
  no-empty-pattern: [2]
+  no-empty-static-block: [2]
  no-empty: [2, {allowEmptyCatch: true}]
  no-eq-null: [2]
  no-eval: [2]
@ -256,7 +244,7 @@ rules:
  no-floating-decimal: [0]
  no-func-assign: [2]
  no-global-assign: [2]
-  no-implicit-coercion: [0]
+  no-implicit-coercion: [2]
  no-implicit-globals: [0]
  no-implied-eval: [2]
  no-import-assign: [2]
@ -267,7 +255,7 @@ rules:
  no-irregular-whitespace: [2]
  no-iterator: [2]
  no-label-var: [2]
-  no-labels: [2]
+  no-labels: [0]
  no-lone-blocks: [2]
  no-lonely-if: [0]
  no-loop-func: [0]
@ -282,6 +270,7 @@ rules:
  no-negated-condition: [0]
  no-nested-ternary: [0]
  no-new-func: [2]
+  no-new-native-nonconstructor: [2]
  no-new-object: [2]
  no-new-symbol: [2]
  no-new-wrappers: [2]
@ -298,7 +287,7 @@ rules:
  no-redeclare: [2]
  no-regex-spaces: [2]
  no-restricted-exports: [0]
-  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top]
+  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top, __dirname, __filename]
  no-restricted-imports: [0]
  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement]
  no-return-assign: [0]
@ -332,8 +321,8 @@ rules:
  no-unused-labels: [2]
  no-unused-private-class-members: [2]
  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, caughtErrorsIgnorePattern: ^_, destructuredArrayIgnorePattern: ^_, ignoreRestSiblings: false}]
-  no-use-before-define: [2, nofunc]
-  no-useless-backreference: [0]
+  no-use-before-define: [2, {functions: false, classes: true, variables: true, allowNamedExports: true}]
+  no-useless-backreference: [2]
  no-useless-call: [2]
  no-useless-catch: [2]
  no-useless-computed-key: [2]
@ -346,7 +335,7 @@ rules:
  no-void: [2]
  no-warning-comments: [0]
  no-whitespace-before-property: [2]
-  no-with: [2]
+  no-with: [0]
  nonblock-statement-body-position: [2]
  object-curly-newline: [0]
  object-curly-spacing: [2, never]
@ -358,13 +347,13 @@ rules:
  padded-blocks: [2, never]
  padding-line-between-statements: [0]
  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
-  prefer-const: [2, {destructuring: all}]
+  prefer-const: [2, {destructuring: all, ignoreReadBeforeAssign: true}]
  prefer-destructuring: [0]
  prefer-exponentiation-operator: [2]
  prefer-named-capture-group: [0]
  prefer-numeric-literals: [2]
  prefer-object-has-own: [0]
-  prefer-object-spread: [0]
+  prefer-object-spread: [2]
  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
  prefer-regex-literals: [2]
  prefer-rest-params: [2]
@ -381,6 +370,38 @@ rules:
  semi-spacing: [2, {before: false, after: true}]
  semi-style: [2, last]
  semi: [2, always, {omitLastInOneLineBlock: true}]
+  sonarjs/cognitive-complexity: [0]
+  sonarjs/elseif-without-else: [0]
+  sonarjs/max-switch-cases: [0]
+  sonarjs/no-all-duplicated-branches: [2]
+  sonarjs/no-collapsible-if: [0]
+  sonarjs/no-collection-size-mischeck: [2]
+  sonarjs/no-duplicate-string: [0]
+  sonarjs/no-duplicated-branches: [0]
+  sonarjs/no-element-overwrite: [2]
+  sonarjs/no-empty-collection: [2]
+  sonarjs/no-extra-arguments: [2]
+  sonarjs/no-gratuitous-expressions: [2]
+  sonarjs/no-identical-conditions: [2]
+  sonarjs/no-identical-expressions: [2]
+  sonarjs/no-identical-functions: [2, 5]
+  sonarjs/no-ignored-return: [2]
+  sonarjs/no-inverted-boolean-check: [2]
+  sonarjs/no-nested-switch: [0]
+  sonarjs/no-nested-template-literals: [0]
+  sonarjs/no-one-iteration-loop: [2]
+  sonarjs/no-redundant-boolean: [2]
+  sonarjs/no-redundant-jump: [0]
+  sonarjs/no-same-line-conditional: [2]
+  sonarjs/no-small-switch: [0]
+  sonarjs/no-unused-collection: [2]
+  sonarjs/no-use-of-empty-return-value: [2]
+  sonarjs/no-useless-catch: [2]
+  sonarjs/non-existent-operator: [2]
+  sonarjs/prefer-immediate-return: [0]
+  sonarjs/prefer-object-literal: [0]
+  sonarjs/prefer-single-boolean-return: [0]
+  sonarjs/prefer-while: [2]
  sort-imports: [0]
  sort-keys: [0]
  sort-vars: [0]
@ -424,16 +445,19 @@ rules:
  unicorn/no-invalid-remove-event-listener: [2]
  unicorn/no-keyword-prefix: [0]
  unicorn/no-lonely-if: [2]
+  unicorn/no-negated-condition: [0]
  unicorn/no-nested-ternary: [0]
  unicorn/no-new-array: [0]
  unicorn/no-new-buffer: [0]
  unicorn/no-null: [0]
-  unicorn/no-object-as-default-parameter: [2]
+  unicorn/no-object-as-default-parameter: [0]
  unicorn/no-process-exit: [0]
  unicorn/no-reduce: [2]
  unicorn/no-static-only-class: [2]
  unicorn/no-thenable: [2]
  unicorn/no-this-assignment: [2]
+  unicorn/no-typeof-undefined: [2]
+  unicorn/no-unnecessary-await: [2]
  unicorn/no-unreadable-array-destructuring: [0]
  unicorn/no-unreadable-iife: [2]
  unicorn/no-unsafe-regex: [0]
@ -454,14 +478,16 @@ rules:
  unicorn/prefer-array-index-of: [2]
  unicorn/prefer-array-some: [2]
  unicorn/prefer-at: [0]
-  unicorn/prefer-code-point: [2]
+  unicorn/prefer-code-point: [0]
  unicorn/prefer-dataset: [2]
  unicorn/prefer-date-now: [2]
  unicorn/prefer-default-parameters: [0]
  unicorn/prefer-event-key: [2]
+  unicorn/prefer-event-target: [2]
  unicorn/prefer-export-from: [2]
  unicorn/prefer-includes: [2]
  unicorn/prefer-json-parse-buffer: [0]
+  unicorn/prefer-logical-operator-over-ternary: [2]
  unicorn/prefer-math-trunc: [2]
  unicorn/prefer-modern-dom-apis: [0]
  unicorn/prefer-modern-math-apis: [2]
@ -481,6 +507,7 @@ rules:
  unicorn/prefer-regexp-test: [2]
  unicorn/prefer-replace-all: [0]
  unicorn/prefer-set-has: [0]
+  unicorn/prefer-set-size: [2]
  unicorn/prefer-spread: [0]
  unicorn/prefer-starts-ends-with: [2]
  unicorn/prefer-string-slice: [0]
@ -496,17 +523,13 @@ rules:
  unicorn/require-number-to-fixed-digits-argument: [2]
  unicorn/require-post-message-target-origin: [0]
  unicorn/string-content: [0]
+  unicorn/switch-case-braces: [0]
  unicorn/template-indent: [2]
  unicorn/text-encoding-identifier-case: [0]
  unicorn/throw-new-error: [2]
  use-isnan: [2]
  valid-typeof: [2, {requireStringLiterals: true}]
  vars-on-top: [0]
-  vue/attributes-order: [0]
-  vue/component-definition-name-casing: [0]
-  vue/html-closing-bracket-spacing: [0]
-  vue/max-attributes-per-line: [0]
-  vue/one-component-per-file: [0]
  wrap-iife: [2, inside]
  wrap-regex: [0]
  yield-star-spacing: [2, after]
--- a/.gitattributes
+++ b/.gitattributes
@ -1,7 +1,6 @@
 * text=auto eol=lf
 *.tmpl linguist-language=Handlebars
-/.eslintrc linguist-language=YAML
-/.stylelintrc linguist-language=YAML
+/assets/*.json linguist-generated
 /public/vendor/** -text -eol linguist-vendored
 /vendor/** -text -eol linguist-vendored
 /web_src/fomantic/build/** linguist-generated
--- a/.gitea/ISSUE_TEMPLATE/bug-report.md
+++ b/.gitea/ISSUE_TEMPLATE/bug-report.md
@ -0,0 +1,53 @@
+---
+name: "Bug Report"
+about: "Found something you weren't expecting? Report it here!"
+title: "[BUG] "
+---
+<!--
+NOTE: If your issue is a security concern, please email security@forgejo.org (GPG: A4676E79) instead of opening a public issue.
+
+1. Please speak English, as this is the language all maintainers can
+   speak and write.
+
+2. Please ask questions or troubleshoot configuration/deploy problems
+   in our Matrix space (https://matrix.to/#/#forgejo:matrix.org).
+
+3. Please make sure you are using the latest release of Forgejo and
+   take a moment to check that your issue hasn't been reported before.
+
+4. Please give all relevant information below for bug reports, because
+   incomplete details will be handled as an invalid report.
+
+5. If you are using a proxy or a CDN (e.g. CloudFlare) in front of
+   Forgejo, please disable the proxy/CDN fully and connect to Forgejo
+   directly to confirm the issue still persists without those services.
+-->
+
+- Forgejo version (or commit ref):
+- Git version:
+- Operating system:
+- Database (use `[x]`):
+  - [ ] PostgreSQL
+  - [ ] MySQL
+  - [ ] MSSQL
+  - [ ] SQLite
+- How are you running Forgejo?
+<!--
+Please include information on whether you built Forgejo yourself, used one of our downloads, or are using some other package.
+Please also tell us how you are running Forgejo, e.g. if it is being run from docker, a command-line, systemd etc.
+If you are using a package or systemd tell us what distribution you are using.
+-->
+
+## Description
+<!-- Please describe the issue you are having as clearly and succinctly as possible. -->
+
+## Logs
+<!--
+It is really important to provide pertinent logs. We need DEBUG level logs.
+Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
+In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of `app.ini`.
+Please copy and paste your logs here, with any sensitive information (e.g. API keys) removed/hidden.
+-->
+
+## Screenshots
+<!-- If this issue involves the Web Interface, please provide one or more screenshots -->
--- a/.gitea/ISSUE_TEMPLATE/feature-request.md
+++ b/.gitea/ISSUE_TEMPLATE/feature-request.md
@ -0,0 +1,21 @@
+---
+name: "Feature Request"
+about: "Got an idea for a feature that Forgejo doesn't have yet? Submit it here!"
+title: "[FEAT] "
+---
+<!--
+1. Please speak English, as this is the language all maintainers can
+   speak and write.
+
+2. Please ask questions or troubleshoot configuration/deploy problems
+   in our Matrix space (https://matrix.to/#/#forgejo:matrix.org).
+
+3. Please make sure you are using the latest release of Forgejo and
+   take a moment to check that your feature hasn't already been suggested.
+-->
+
+## Feature Description
+<!-- Please describe the feature you would like to see added as clearly and succinctly as possible. -->
+
+## Screenshots
+<!-- If you can, provide screenshots of an implementation on another site, e.g. GitHub. -->
--- a/.gitea/issue_template.md
+++ b/.gitea/issue_template.md
@ -1,42 +0,0 @@
-<!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue -->
-
-<!--
-    1. Please speak English, this is the language all maintainers can speak and write.
-    2. Please ask questions or configuration/deploy problems on our Discord
-       server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-    3. Please take a moment to check that your issue doesn't already exist.
-    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
-    5. Please give all relevant information below for bug reports, because
-       incomplete details will be handled as an invalid report.
-->
-
- Gitea version (or commit ref):
- Git version:
- Operating system:
-  <!-- Please include information on whether you built gitea yourself, used one of our downloads or are using some other package -->
-  <!-- Please also tell us how you are running gitea, e.g. if it is being run from docker, a command-line, systemd etc. --->
-  <!-- If you are using a package or systemd tell us what distribution you are using -->
- Database (use `[x]`):
-  - [ ] PostgreSQL
-  - [ ] MySQL
-  - [ ] MSSQL
-  - [ ] SQLite
- Can you reproduce the bug at https://try.gitea.io:
-  - [ ] Yes (provide example URL)
-  - [ ] No
- Log gist:
-<!-- It really is important to provide pertinent logs -->
-<!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems -->
-<!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini -->
-
-## Description
-<!-- If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please
-     disable the proxy/CDN fully and connect to gitea directly to confirm
-     the issue still persists without those services. -->
-
-...
-
-
-## Screenshots
-
-<!-- **If this issue involves the Web Interface, please include a screenshot** -->
--- a/.gitea/pull_request_template.md
+++ b/.gitea/pull_request_template.md
@ -0,0 +1,4 @@
+<!--
+Before submitting a PR, please read the contributing guidelines:
+https://codeberg.org/forgejo/forgejo/src/branch/main/CONTRIBUTING.md
+-->
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,2 +0,0 @@
-open_collective: gitea
-custom: https://www.bountysource.com/teams/gitea
--- a/.github/ISSUE_TEMPLATE/bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yaml
@ -1,94 +0,0 @@
-name: Bug Report
-description: Found something you weren't expecting? Report it here!
-labels: kind/bug
-body:
- type: markdown
-  attributes:
-    value: |
-      NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
- type: markdown
-  attributes:
-    value: |
-      1. Please speak English, this is the language all maintainers can speak and write.
-      2. Please ask questions or configuration/deploy problems on our Discord
-         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-      3. Make sure you are using the latest release and
-         take a moment to check that your issue hasn't been reported before.
-      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
-      5. Please give all relevant information below for bug reports, because
-         incomplete details will be handled as an invalid report.
-      6. In particular it's really important to provide pertinent logs. You must give us DEBUG level logs.
-         Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
-         In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
- type: textarea
-  id: description
-  attributes:
-    label: Description
-    description: |
-      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-      If you are using a proxy or a CDN (e.g. Cloudflare) in front of Gitea, please disable the proxy/CDN fully and access Gitea directly to confirm the issue still persists without those services.
- type: input
-  id: gitea-ver
-  attributes:
-    label: Gitea Version
-    description: Gitea version (or commit reference) of your instance
-  validations:
-    required: true
- type: dropdown
-  id: can-reproduce
-  attributes:
-    label: Can you reproduce the bug on the Gitea demo site?
-    description: |
-      If so, please provide a URL in the Description field
-      URL of Gitea demo: https://try.gitea.io
-    options:
-    - "Yes"
-    - "No"
-  validations:
-    required: true
- type: markdown
-  attributes:
-    value: |
-      It's really important to provide pertinent logs
-      Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
-      In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
- type: input
-  id: logs
-  attributes:
-    label: Log Gist
-    description: Please provide a gist URL of your logs, with any sensitive information (e.g. API keys) removed/hidden
- type: textarea
-  id: screenshots
-  attributes:
-    label: Screenshots
-    description: If this issue involves the Web Interface, please provide one or more screenshots
- type: input
-  id: git-ver
-  attributes:
-    label: Git Version
-    description: The version of git running on the server
- type: input
-  id: os-ver
-  attributes:
-    label: Operating System
-    description: The operating system you are using to run Gitea
- type: textarea
-  id: run-info
-  attributes:
-    label: How are you running Gitea?
-    description: |
-      Please include information on whether you built Gitea yourself, used one of our downloads, are using https://try.gitea.io or are using some other package
-      Please also tell us how you are running Gitea, e.g. if it is being run from docker, a command-line, systemd etc.
-      If you are using a package or systemd tell us what distribution you are using
-  validations:
-    required: true
- type: dropdown
-  id: database
-  attributes:
-    label: Database
-    description: What database system are you running?
-    options:
-    - PostgreSQL
-    - MySQL
-    - MSSQL
-    - SQLite
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,17 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Security Concern
-    url: https://tinyurl.com/security-gitea
-    about: For security concerns, please send a mail to security@gitea.io instead of opening a public issue.
-  - name: Discord Server
-    url: https://discord.gg/Gitea
-    about: Please ask questions and discuss configuration or deployment problems here.
-  - name: Discourse Forum
-    url: https://discourse.gitea.io
-    about: Questions and configuration or deployment problems can also be discussed on our forum.    
-  - name: Frequently Asked Questions
-    url: https://docs.gitea.io/en-us/faq
-    about: Please check if your question isn't mentioned here.
-  - name: Crowdin Translations
-    url: https://crowdin.com/project/gitea
-    about: Translations are managed here.
--- a/.github/ISSUE_TEMPLATE/feature-request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yaml
@ -1,24 +0,0 @@
-name: Feature Request
-description: Got an idea for a feature that Gitea doesn't have currently?  Submit your idea here!
-labels: ["kind/feature", "kind/proposal"]
-body:
- type: markdown
-  attributes:
-    value: |
-      1. Please speak English, this is the language all maintainers can speak and write.
-      2. Please ask questions or configuration/deploy problems on our Discord
-         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-      3. Please take a moment to check that your feature hasn't already been suggested.
- type: textarea
-  id: description
-  attributes:
-    label: Feature Description
-    placeholder: |
-      I think it would be great if Gitea had...
-  validations:
-    required: true
- type: textarea
-  id: screenshots
-  attributes:
-    label: Screenshots
-    description: If you can, provide screenshots of an implementation on another site e.g. GitHub
--- a/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
@ -1,66 +0,0 @@
-name: Web Interface Bug Report
-description: Something doesn't look quite as it should?  Report it here!
-labels: ["kind/bug", "kind/ui"]
-body:
- type: markdown
-  attributes:
-    value: |
-      NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
- type: markdown
-  attributes:
-    value: |
-      1. Please speak English, this is the language all maintainers can speak and write.
-      2. Please ask questions or configuration/deploy problems on our Discord
-         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-      3. Please take a moment to check that your issue doesn't already exist.
-      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
-      5. Please give all relevant information below for bug reports, because
-         incomplete details will be handled as an invalid report.
-      6. In particular it's really important to provide pertinent logs. If you are certain that this is a javascript
-         error, show us the javascript console. If the error appears to relate to Gitea the server you must also give us
-         DEBUG level logs. (See https://docs.gitea.io/en-us/logging-configuration/#debugging-problems)
- type: textarea
-  id: description
-  attributes:
-    label: Description
-    description: |
-      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-      If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services.
- type: textarea
-  id: screenshots
-  attributes:
-    label: Screenshots
-    description: Please provide at least 1 screenshot showing the issue.
-  validations:
-    required: true
- type: input
-  id: gitea-ver
-  attributes:
-    label: Gitea Version
-    description: Gitea version (or commit reference) your instance is running
-  validations:
-    required: true
- type: dropdown
-  id: can-reproduce
-  attributes:
-    label: Can you reproduce the bug on the Gitea demo site?
-    description: |
-      If so, please provide a URL in the Description field
-      URL of Gitea demo: https://try.gitea.io
-    options:
-    - "Yes"
-    - "No"
-  validations:
-    required: true
- type: input
-  id: os-ver
-  attributes:
-    label: Operating System
-    description: The operating system you are using to access Gitea
- type: input
-  id: browser-ver
-  attributes:
-    label: Browser Version
-    description: The browser and version that you are using to access Gitea
-  validations:
-    required: true
--- a/.github/lock.yml
+++ b/.github/lock.yml
@ -1,23 +0,0 @@
-# Configuration for Lock Threads - https://github.com/dessant/lock-threads-app
-
-# Number of days of inactivity before a closed issue or pull request is locked
-daysUntilLock: 60
-
-# Skip issues and pull requests created before a given timestamp. Timestamp must
-# follow ISO 8601 (`YYYY-MM-DD`). `false` is disabled
-skipCreatedBefore: false
-
-# Issues and pull requests with these labels will be ignored.
-exemptLabels: []
-
-# Label to add before locking, such as `outdated`. `false` is disabled
-lockLabel: false
-
-# Comment to post before locking.
-lockComment: >
-  This thread has been automatically locked since there has not been
-  any recent activity after it was closed. Please open a new issue for
-  related bugs and link to relevant comments in this thread.
-
-# Assign `resolved` as the reason for locking. Set to `false` to disable
-setLockReason: true
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,9 +0,0 @@
-<!--
-
-Please check the following:
-
-1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
-2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
-3. Describe what your pull request does and which issue you're targeting (if any)
-
-->  
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -1,54 +0,0 @@
-# Configuration for probot-stale - https://github.com/probot/stale
-
-# Number of days of inactivity before an Issue or Pull Request becomes stale
-daysUntilStale: 60
-
-# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
-# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
-daysUntilClose: 14
-
-# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
-exemptLabels:
-  - status/blocked 
-  - kind/security 
-  - lgtm/done
-  - reviewed/confirmed
-  - priority/critical
-  - kind/proposal
-
-# Set to true to ignore issues in a project (defaults to false)
-exemptProjects: false
-
-# Set to true to ignore issues in a milestone (defaults to false)
-exemptMilestones: false
-
-# Label to use when marking as stale
-staleLabel: stale
-
-# Comment to post when marking as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had recent activity. 
-  I am here to help clear issues left open even if solved or waiting for more insight.
-  This issue will be closed if no further activity occurs during the next 2 weeks.
-  If the issue is still valid just add a comment to keep it alive.
-  Thank you for your contributions.
-
-# Comment to post when closing a stale Issue or Pull Request.
-closeComment: >
-  This issue has been automatically closed because of inactivity.
-  You can re-open it if needed.
-
-# Limit the number of actions per hour, from 1-30. Default is 30
-limitPerRun: 1
-
-# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
-pulls:
-  daysUntilStale: 60
-  daysUntilClose: 60
-  markComment: >
-    This pull request has been automatically marked as stale because it has not had
-    recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you
-    for your contributions.
-  closeComment: >
-    This pull request has been automatically closed because of inactivity.
-    You can re-open it if needed.
--- a/.gitignore
+++ b/.gitignore
@ -63,21 +63,14 @@ cpu.out
 /indexers
 /log
 /public/img/avatar
-/integrations/gitea-integration-mysql
-/integrations/gitea-integration-mysql8
-/integrations/gitea-integration-pgsql
-/integrations/gitea-integration-sqlite
-/integrations/gitea-integration-mssql
-/integrations/indexers-mysql
-/integrations/indexers-mysql8
-/integrations/indexers-pgsql
-/integrations/indexers-sqlite
-/integrations/indexers-mssql
-/integrations/sqlite.ini
-/integrations/mysql.ini
-/integrations/mysql8.ini
-/integrations/pgsql.ini
-/integrations/mssql.ini
+/tests/integration/gitea-integration-*
+/tests/integration/indexers-*
+/tests/e2e/gitea-e2e-*
+/tests/e2e/indexers-*
+/tests/e2e/reports
+/tests/e2e/test-artifacts
+/tests/e2e/test-snapshots
+/tests/*.ini
 /node_modules
 /yarn.lock
 /yarn-error.log
@ -102,6 +95,7 @@ cpu.out
 !/web_src/fomantic/build/themes/default/assets/fonts/outline-icons.woff2
 /VERSION
 /.air
+/.go-licenses

 # Snapcraft
 snap/.snapcraft/
--- a/.gitpod.yml
+++ b/.gitpod.yml
@ -0,0 +1,42 @@
+tasks:
+  - name: Setup
+    init: |
+      cp -r contrib/ide/vscode .vscode
+      make deps
+      make build
+    command: |
+      gp sync-done setup
+      exit 0
+  - name: Run frontend
+    command: |
+      gp sync-await setup
+      make watch-frontend
+  - name: Run backend
+    command: |
+      gp sync-await setup
+      mkdir -p custom/conf/
+      echo -e "[server]\nROOT_URL=$(gp url 3000)/" > custom/conf/app.ini
+      echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
+      export TAGS="sqlite sqlite_unlock_notify"
+      make watch-backend
+  - name: Run docs
+    before: sudo bash -c "$(grep 'https://github.com/gohugoio/hugo/releases/download' Makefile | tr -d '\')" # install hugo
+    command: cd docs && make clean update && hugo server -D -F --baseUrl $(gp url 1313) --liveReloadPort=443 --appendPort=false --bind=0.0.0.0
+
+vscode:
+  extensions:
+    - editorconfig.editorconfig
+    - dbaeumer.vscode-eslint
+    - golang.go
+    - stylelint.vscode-stylelint
+    - DavidAnson.vscode-markdownlint
+    - johnsoncodehk.volar
+    - ms-azuretools.vscode-docker
+    - zixuanchen.vitest-explorer
+    - alexcvzz.vscode-sqlite
+
+ports:
+  - name: Gitea
+    port: 3000
+  - name: Docs
+    port: 1313
--- a/.golangci.yml
+++ b/.golangci.yml
@ -12,19 +12,23 @@ linters:
    - dupl
    #- gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
    - gofmt
-    - misspell
    - gocritic
    - bidichk
    - ineffassign
    - revive
    - gofumpt
    - depguard
+    - nakedret
+    - unconvert
+    - wastedassign
+    - nolintlint
+    - stylecheck
  enable-all: false
  disable-all: true
  fast: false

 run:
-  go: 1.18
+  go: 1.19
  timeout: 10m
  skip-dirs:
    - node_modules
@ -32,6 +36,10 @@ run:
    - web_src

 linters-settings:
+  stylecheck:
+    checks: ["all", "-ST1005", "-ST1003"]
+  nakedret:
+    max-func-lines: 0
  gocritic:
    disabled-checks:
      - ifElseChain
@ -66,7 +74,7 @@ linters-settings:
      - name: modifies-value-receiver
  gofumpt:
    extra-rules: true
-    lang-version: "1.18"
+    lang-version: "1.19"
  depguard:
    # TODO: use depguard to replace import checks in gitea-vet
    list-type: denylist
@ -77,6 +85,8 @@ linters-settings:
      - github.com/unknwon/com: "use gitea's util and replacements"

 issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
  exclude-rules:
    # Exclude some linters from running on tests files.
    - path: _test\.go
@ -137,9 +147,6 @@ issues:
    - path: models/issue_comment_list.go
      linters:
        - dupl
-    - linters:
-        - misspell
-      text: '`Unknwon` is a misspelling of `Unknown`'
    - path: models/update.go
      linters:
        - unused
@ -162,3 +169,7 @@ issues:
    - path: models/user/openid.go
      linters:
        - golint
+    - path: models/user/badge.go
+      linters:
+        - revive
+      text: "exported: type name will be used as user.UserBadge by other packages, and that stutters; consider calling this Badge"
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -0,0 +1,18 @@
+commands-show-output: false
+fenced-code-language: false
+first-line-h1: false
+header-increment: false
+line-length: {code_blocks: false, tables: false, stern: true, line_length: -1}
+no-alt-text: false
+no-bare-urls: false
+no-blanks-blockquote: false
+no-duplicate-header: {allow_different_nesting: true}
+no-emphasis-as-header: false
+no-empty-links: false
+no-hard-tabs: {code_blocks: false}
+no-inline-html: false
+no-space-in-code: false
+no-space-in-emphasis: false
+no-trailing-punctuation: false
+no-trailing-spaces: {br_spaces: 0}
+single-h1: false
--- a/.spectral.yaml
+++ b/.spectral.yaml
@ -0,0 +1,12 @@
+extends: [[spectral:oas, all]]
+
+rules:
+  info-contact: off
+  oas2-api-host: off
+  oas2-parameter-description: off
+  oas2-schema: off
+  oas2-valid-schema-example: off
+  openapi-tags: off
+  operation-description: off
+  operation-singular-tag: off
+  operation-tag-defined: off
--- a/.stylelintrc.yaml
+++ b/.stylelintrc.yaml
@ -1,8 +1,19 @@
 extends: stylelint-config-standard

+plugins:
+  - stylelint-declaration-strict-value
+
 overrides:
  - files: ["**/*.less"]
    customSyntax: postcss-less
+  - files: ["**/*.less"]
+    rules:
+      scale-unlimited/declaration-strict-value: [color, {
+        ignoreValues: /^(inherit|transparent|unset|initial)$/
+      }]
+  - files: ["**/chroma/*", "**/codemirror/*", "**/standalone/*", "**/console/*"]
+    rules:
+      scale-unlimited/declaration-strict-value: null

 rules:
  alpha-value-notation: null
@ -16,6 +27,7 @@ rules:
  declaration-empty-line-before: null
  function-no-unknown: null
  hue-degree-notation: null
+  import-notation: string
  indentation: 2
  max-line-length: null
  no-descending-specificity: null
--- a/.woodpecker/compliance.yml
+++ b/.woodpecker/compliance.yml
@ -0,0 +1,32 @@
+platform: linux/amd64
+
+workspace:
+  base: /go
+  path: src/codeberg/gitea
+
+pipeline:
+  deps-backend:
+    image: golang:1.19
+    pull: true
+    commands:
+    - make deps-backend
+
+  security-check:
+    image: golang:1.19
+    pull: true
+    commands:
+    - make security-check
+
+  lint-backend:
+    image: gitea/test_env:linux-amd64
+    pull: true
+    environment:
+    - TAGS=bindata sqlite sqlite_unlock_notify
+    - GOSUMDB=sum.golang.org
+    commands:
+    - make lint-backend
+
+  checks-backend:
+    image: golang:1.19
+    commands:
+    - make --always-make checks-backend
--- a/.woodpecker/docker-linux-amd64-release-version.yml
+++ b/.woodpecker/docker-linux-amd64-release-version.yml
@ -0,0 +1,28 @@
+platform: linux/amd64
+
+depends_on:
+- testing-amd64
+
+pipeline:
+  fetch-tags:
+    image: docker:git
+    pull: true
+    commands:
+     - git config --add safe.directory '*'
+     - git fetch --tags --force
+
+  publish:
+    image: woodpeckerci/plugin-docker-buildx
+    pull: true
+    settings:
+      platforms: linux/amd64
+      registry:
+        from_secret: domain
+      tag: ${CI_COMMIT_TAG##v}
+      repo: ${CI_REPO_LINK##https://}
+      password:
+        from_secret: releaseteamtoken
+      username:
+        from_secret: releaseteamuser
+    when:
+      event: tag
--- a/.woodpecker/release-version.yml
+++ b/.woodpecker/release-version.yml
@ -0,0 +1,65 @@
+platform: linux/amd64
+
+depends_on:
+- testing-amd64
+
+workspace:
+  base: /source
+  path: /
+
+pipeline:
+  fetch-tags:
+    image: docker:git
+    pull: true
+    commands:
+     - git config --add safe.directory '*'
+     - git fetch --tags --force
+
+  deps-frontend:
+    image: node:18
+    pull: true
+    commands:
+      - make deps-frontend
+
+  deps-backend:
+    image: golang:1.19
+    pull: true
+    commands:
+     - make deps-backend
+
+  static:
+    image: techknowlogick/xgo:go-1.19.x
+    pull: true
+    commands:
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get -qqy install nodejs
+      - export PATH=$PATH:$GOPATH/bin
+      - make CI=true LINUX_ARCHS=linux/amd64,linux/arm64 release
+    environment:
+      TAGS: bindata sqlite sqlite_unlock_notify
+      DEBIAN_FRONTEND: noninteractive
+
+  gpg-sign:
+    image: plugins/gpgsign:1
+    pull: true
+    settings:
+      detach_sign: true
+      excludes:
+        - "dist/release/*.sha256"
+      files:
+        - "dist/release/*"
+      key:
+        from_secret: releaseteamgpg
+
+  release:
+    image: golang:1.19
+    commands:
+    - curl -sL https://dl.gitea.io/tea/0.9.0/tea-0.9.0-linux-amd64 > /bin/tea && chmod +x /bin/tea
+    - REMOTE=$(echo $CI_REPO_LINK | sed -e 's|.*://||' -e 's|/.*||')
+    - GITEA_SERVER_URL=$CI_REPO_LINK GITEA_SERVER_TOKEN=$RELEASETEAMTOKEN tea login add --name $RELEASETEAMUSER --url $REMOTE
+    - ASSETS=$(ls dist/release/* | sed -e 's/^/-a /')
+    - tea release create $ASSETS --tag $CI_COMMIT_TAG --title $CI_COMMIT_TAG
+    when:
+      event: tag
+    secrets:
+      - releaseteamtoken
+      - releaseteamuser
--- a/.woodpecker/testing-amd64.yml
+++ b/.woodpecker/testing-amd64.yml
@ -0,0 +1,63 @@
+platform: linux/amd64
+
+depends_on:
+- compliance
+
+workspace:
+  base: /go
+  path: src/codeberg/gitea
+
+pipeline:
+  fetch-tags:
+    image: docker:git
+    pull: true
+    commands:
+    - git config --add safe.directory '*'
+    - git fetch --tags --force
+
+  deps-backend:
+    image: golang:1.19
+    pull: true
+    commands:
+    - make deps-backend
+
+  tag-pre-condition:
+    image: drone/git
+    pull: true
+    commands:
+    - git update-ref refs/heads/tag_test ${CI_COMMIT_SHA}
+
+  prepare-test-env:
+    image: gitea/test_env:linux-amd64
+    pull: true
+    commands:
+    - ./build/test-env-prepare.sh
+
+  build:
+    image: gitea/test_env:linux-amd64
+    environment:
+    - GOSUMDB=sum.golang.org
+    - TAGS=bindata sqlite sqlite_unlock_notify
+    commands:
+    - su gitea -c './build/test-env-check.sh'
+    - su gitea -c 'make backend'
+
+  unit-test:
+    image: gitea/test_env:linux-amd64
+    environment:
+    - TAGS=bindata sqlite sqlite_unlock_notify
+    - RACE_ENABLED=true
+    secrets:
+    - github_read_token
+    commands:
+    - su gitea -c 'make unit-test-coverage test-check'
+
+  test-sqlite:
+    image: gitea/test_env:linux-amd64
+    environment:
+    - USE_REPO_TEST_DIR=1
+    - GOPROXY=off
+    - TAGS=bindata gogit sqlite sqlite_unlock_notify
+    - TEST_TAGS=bindata gogit sqlite sqlite_unlock_notify
+    commands:
+    - su gitea -c 'timeout -s ABRT 120m make test-sqlite-migration test-sqlite'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,458 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

+## [1.17.3](https://github.com/go-gitea/gitea/releases/tag/v1.17.3) - 2022-10-15
+
+* SECURITY
+  * Sanitize and Escape refs in git backend (#21464) (#21463)
+  * Bump `golang.org/x/text` (#21412) (#21413)
+  * Update bluemonday (#21281) (#21287)
+* ENHANCEMENTS
+  * Fix empty container layer history and UI (#21251) (#21278)
+  * Use en-US as fallback when using other default language (#21200) (#21256)
+  * Make the vscode clone link respect transport protocol (#20557) (#21128)
+* BUGFIXES
+  * Do DB update after merge in hammer context (#21401) (#21416)
+  * Add Num{Issues,Pulls} stats checks (#21404) (#21414)
+  * Stop logging CheckPath returns error: context canceled (#21064) (#21405)
+  * Parse OAuth Authorization header when request omits client secret (#21351) (#21374)
+  * Ignore port for loopback redirect URIs (#21293) (#21373)
+  * Set SemverCompatible to false for Conan packages (#21275) (#21366)
+  * Tag list should include draft releases with existing tags (#21263) (#21365)
+  * Fix linked account translation (#21331) (#21334)
+  * Make NuGet service index publicly accessible (#21242) (#21277)
+  * Foreign ID conflicts if ID is 0 for each item (#21271) (#21272)
+  * Use absolute links in feeds (#21229) (#21265)
+  * Prevent invalid behavior for file reviewing when loading more files (#21230) (#21234)
+  * Respect `REQUIRE_SIGNIN_VIEW` for packages (#20873) (#21232)
+  * Treat git object mode 40755 as directory (#21195) (#21218)
+  * Allow uppercase ASCII alphabet in PyPI package names (#21095) (#21217)
+  * Fix limited user cannot view himself's profile (#21212)
+  * Fix template bug of admin monitor (#21209)
+  * Fix reaction of issues (#21185) (#21196)
+  * Fix CSV diff for added/deleted files (#21189) (#21193)
+  * Fix pagination limit parameter problem (#21111)
+* TESTING
+  * Fix missing m.Run() in TestMain (#21341)
+* BUILD
+  * Use Go 1.19 fmt for Gitea 1.17, sync emoji data (#21239)
+
+## [1.17.2](https://github.com/go-gitea/gitea/releases/tag/v1.17.2) - 2022-09-06
+
+* SECURITY
+  * Double check CloneURL is acceptable (#20869) (#20892)
+  * Add more checks in migration code (#21011) (#21050)
+* ENHANCEMENTS
+  * Fix hard-coded timeout and error panic in API archive download endpoint (#20925) (#21051)
+  * Improve arc-green code theme (#21039) (#21042)
+  * Enable contenthash in filename for dynamic assets (#20813) (#20932)
+  * Don't open new page for ext wiki on same repository (#20725) (#20910)
+  * Disable doctor logging on panic (#20847) (#20898)
+  * Remove calls to load Mirrors in user.Dashboard (#20855) (#20897)
+  * Update codemirror to 5.65.8 (#20875)
+  * Rework repo buttons (#20602, #20718) (#20719)
+* BUGFIXES
+  * Ensure delete user deletes all comments (#21067) (#21068)
+  * Delete unreferenced packages when deleting a package version (#20977) (#21060)
+  * Redirect if user does not exist on admin pages (#20981) (#21059)
+  * Set uploadpack.allowFilter etc on gitea serv to enable partial clones with ssh (#20902) (#21058)
+  * Fix 500 on time in timeline API (#21052) (#21057)
+  * Fill the specified ref in webhook test payload (#20961) (#21055)
+  * Add another index for Action table on postgres (#21033) (#21054)
+  * Fix broken insecureskipverify handling in redis connection uris (#20967) (#21053)
+  * Add Dev, Peer and Optional dependencies to npm PackageMetadataVersion (#21017) (#21044)
+  * Do not add links to Posters or Assignees with ID < 0 (#20577) (#21037)
+  * Fix modified due date message (#20388) (#21032)
+  * Fix missed sort bug (#21006)
+  * Fix input.value attr for RequiredClaimName/Value (#20946) (#21001)
+  * Change review buttons to icons to make space for text (#20934) (#20978)
+  * Fix download archiver of a commit (#20962) (#20971)
+  * Return 404 NotFound if requested attachment does not exist (#20886) (#20941)
+  * Set no-tags in git fetch on compare (#20893) (#20936)
+  * Allow multiple metadata files for Maven packages (#20674) (#20916)
+  * Increase Content field size of gpg_key and public_key to MEDIUMTEXT (#20896) (#20911)
+  * Fix mirror address setting not working (#20850) (#20904)
+  * Fix push mirror address backend get error Address cause setting page display error (#20593) (#20901)
+  * Fix panic when an invalid oauth2 name is passed (#20820) (#20900)
+  * In PushMirrorsIterate and MirrorsIterate if limit is negative do not set it (#20837) (#20899)
+  * Ensure that graceful start-up is informed of unused SSH listener (#20877) (#20888)
+  * Pad GPG Key ID with preceding zeroes (#20878) (#20885)
+  * Fix SQL Query for `SearchTeam` (#20844) (#20872)
+  * Fix the mode of custom dir to 0700 in docker-rootless (#20861) (#20867)
+  * Fix UI mis-align for PR commit history (#20845) (#20859)
+
+## [1.17.1](https://github.com/go-gitea/gitea/releases/tag/1.17.1) - 2022-08-17
+
+* SECURITY
+  * Correctly escape within tribute.js (#20831) (#20832)
+* ENHANCEMENTS
+  * Add support for NuGet API keys (#20721) (#20734)
+  * Display project in issue list (#20583)
+  * Add disable download source configuration (#20548) (#20579)
+  * Add username check to doctor (#20140) (#20671)
+  * Enable Wire 2 for Internal SSH Server (#20616) (#20617)
+* BUGFIXES
+  * Use the total issue count for UI (#20785) (#20827)
+  * Add proxy host into allow list (#20798) (#20819)
+  * Add missing translation for queue flush workers (#20791) (#20792)
+  * Improve comment header for mobile (#20781) (#20789)
+  * Fix git.Init for doctor sub-command (#20782) (#20783)
+  * Check webhooks slice length before calling xorm (#20642) (#20768)
+  * Remove manual rollback for failed generated repositories (#20639) (#20762)
+  * Use correct field name in npm template (#20675) (#20760)
+  * Keep download count on Container tag overwrite (#20728) (#20735)
+  * Fix v220 migration to be compatible for MSSQL 2008 r2 (#20702) (#20707)
+  * Use request timeout for git service rpc (#20689) (#20693)
+  * Send correct NuGet status codes (#20647) (#20677)
+  * Use correct context to get package content (#20673) (#20676)
+  * Fix the JS error "EventSource is not defined" caused by some non-standard browsers (#20584) (#20663)
+  * Add default commit messages to PR for squash merge (#20618) (#20645)
+  * Fix package upload for files >32mb (#20622) (#20635)
+  * Fix the new-line copy-paste for rendered code (#20612)
+  * Clean up and fix clone button script (#20415 & #20600) (#20599)
+  * Fix default merge style (#20564) (#20565)
+  * Add repository condition for issue count (#20454) (#20496)
+  * Make branch icon stand out more (#20726) (#20774)
+  * Fix loading button with invalid form (#20754) (#20759)
+  * Fix SecToTime edge-cases (#20610) (#20611)
+  * Executable check always returns true for windows (#20637) (#20835)
+  * Check issue labels slice length before calling xorm Insert (#20655) (#20836)
+  * Fix owners cannot create organization repos bug (#20841) (#20854)
+  * Prevent 500 is head repo does not have PullRequest unit in IsUserAllowedToUpdate (#20839) (#20848)
+
+## [1.17.0](https://github.com/go-gitea/gitea/releases/tag/v1.17.0) - 2022-07-30
+
+* BREAKING
+  * Require go1.18 for Gitea 1.17 (#19918)
+  * Make AppDataPath absolute against the AppWorkPath if it is not (#19815)
+  * Nuke the incorrect permission report on /api/v1/notifications (#19761)
+  * Refactor git module, make Gitea use internal git config (#19732)
+  * Remove `RequireHighlightJS` field, update plantuml example. (#19615)
+  * Increase minimal required git version to 2.0 (#19577)
+  * Add a directory prefix `gitea-src-VERSION` to release-tar-file (#19396)
+  * Use "main" as default branch name (#19354)
+  * Make cron task no notice on success (#19221)
+  * Add pam account authorization check (#19040)
+  * Show messages for users if the ROOT_URL is wrong, show JavaScript errors (#18971)
+  * Refactor mirror code & fix StartToMirror (#18904)
+  * Remove deprecated SSH ciphers from default (#18697)
+  * Add the possibility to allow the user to have a favicon which differs from the main logo (#18542)
+  * Update reserved usernames list (#18438)
+  * Support custom ACME provider (#18340)
+  * Change initial TrustModel to committer (#18335)
+  * Update HTTP status codes (#18063)
+  * Upgrade Alpine from 3.13 to 3.15 (#18050)
+  * Restrict email address validation (#17688)
+  * Refactor Router Logger (#17308)
+* SECURITY
+  * Use git.HOME_PATH for Git HOME directory (#20114) (#20293)
+  * Add write check for creating Commit Statuses (#20332) (#20333)
+  * Remove deprecated SSH ciphers from default (#18697)
+* FEDERATION
+  * Return statistic information for nodeinfo (#19561)
+  * Add Webfinger endpoint (#19462)
+  * Store the foreign ID of issues during migration (#18446)
+* FEATURES
+  * Automatically render wiki TOC (#19873)
+  * Adding button to link accounts from user settings (#19792)
+  * Allow set default merge style while creating repo (#19751)
+  * Auto merge pull requests when all checks succeeded (#9307 & #19648)
+  * Improve reviewing PR UX (#19612)
+  * Add support for rendering console output with colors (#19497)
+  * Add Helm Chart registry (#19406)
+  * Add Goroutine stack inspector to admin/monitor (#19207)
+  * RSS/Atom support for Orgs & Repos (#17714 & #19055)
+  * Add button for issue deletion (#19032)
+  * Allow to mark files in a PR as viewed (#19007)
+  * Add Index to comment for migrations and mirroring (#18806)
+  * Add health check endpoint (#18465)
+  * Add packagist webhook (#18224)
+  * Add "Allow edits from maintainer" feature (#18002)
+  * Add apply-patch, basic revert and cherry-pick functionality (#17902)
+  * Add Package Registry (#16510)
+  * Add LDAP group sync to Teams (#16299)
+  * Pause queues (#15928)
+  * Added auto-save whitespace behavior if it changed manually (#15566)
+  * Find files in repo (#15028)
+  * Provide configuration to allow camo-media proxying (#12802)
+* API
+  * Add endpoint to serve blob or LFS file content (#19689)
+  * Add endpoint to check if team has repo access (#19540)
+  * More commit info (#19252)
+  * Allow to create file on empty repo (#19224)
+  * Allow removing issues (#18879)
+  * Add endpoint to query collaborators permission for a repository (#18761)
+  * Return primary language and repository language stats API URL (#18396)
+  * Implement http signatures support for the API (#17565)
+* ENHANCEMENTS
+  * Make notification bell more prominent on mobile (#20108, #20236, #20251) (#20269)
+  * Adjust max-widths for the repository file table (#20243) (#20247)
+  * Display full name (#20171) (#20246)
+  * Add dbconsistency checks for Stopwatches (#20010)
+  * Add fetch.writeCommitGraph to gitconfig (#20006)
+  * Add fgprof pprof profiler (#20005)
+  * Move agit dependency (#19998)
+  * Empty log queue on flush and close (#19994)
+  * Remove tab/TabName usage where it's not needed (#19973)
+  * Improve file header on mobile (#19945)
+  * Move issues related files into models/issues (#19931)
+  * Add breaking email restrictions checker in doctor (#19903)
+  * Improve UX on modal for deleting an access token (#19894)
+  * Add alt text to logo (#19892)
+  * Move some code into models/git (#19879)
+  * Remove customized (unmaintained) dropdown, improve aria a11y for dropdown (#19861)
+  * Make user profile image show full image on mobile (#19840)
+  * Replace blue button and label classes with primary (#19763)
+  * Remove fomantic progress module (#19760)
+  * Allows repo search to match against "owner/repo" pattern strings (#19754)
+  * Move org functions (#19753)
+  * Move almost all functions' parameter db.Engine to context.Context (#19748)
+  * Show source/target branches on PR's list (#19747)
+  * Use http.StatusTemporaryRedirect(307) when serve avatar directly (#19739)
+  * Add doctor orphan check for orphaned pull requests without an existing base repo  (#19731)
+  * Make Ctrl+Enter (quick submit) work for issue comment and wiki editor (#19729)
+  * Update go-chi/cache to utilize Ping() (#19719)
+  * Improve commit list/view on mobile (#19712)
+  * Move some repository related code into sub package (#19711)
+  * Use a better OlderThan for DeleteInactiveUsers (#19693)
+  * Introduce eslint-plugin-jquery (#19690)
+  * Tidy up `<head>` template (#19678)
+  * Calculate filename hash only once (#19654)
+  * Simplify `IsVendor` (#19626)
+  * Add "Reference" section to Issue view sidebar (#19609)
+  * Only set CanColorStdout / CanColorStderr to true if the stdout/stderr is a terminal (#19581)
+  * Use for a repo action one database transaction (#19576)
+  * Simplify loops to copy (#19569)
+  * Added X-Mailer header to outgoing emails (#19562)
+  * use middleware to open gitRepo (#19559)
+  * Mute link in diff header (#19556)
+  * Improve UI on mobile (#19546)
+  * Fix Pull Request comment filename word breaks (#19535)
+  * Permalink files In PR diff (#19534)
+  * PullService lock via pullID (#19520)
+  * Make repository file list useable on mobile (#19515)
+  * more context for models  (#19511)
+  * Refactor readme file renderer (#19502)
+  * By default force vertical tabs on mobile (#19486)
+  * Github style following followers (#19482)
+  * Improve action table indices (#19472)
+  * Use horizontal tabs for repo header on mobile (#19468)
+  * pass gitRepo down since its used for main repo and wiki (#19461)
+  * Admin should not delete himself (#19423)
+  * Use queue instead of memory queue in webhook send service (#19390)
+  * Simplify the code to get issue count (#19380)
+  * Add commit status popup to issuelist (#19375)
+  * Add RSS Feed buttons to Repo, User and Org pages (#19370)
+  * Add logic to switch between source/rendered on Markdown (#19356)
+  * Move some helper files out of models (#19355)
+  * Move access and repo permission to models/perm/access (#19350)
+  * Disallow selecting the text of buttons (#19330)
+  * Allow custom redirect for landing page (#19324)
+  * Remove dependent on session auth for api/v1 routers (#19321)
+  * Never use /api/v1 from Gitea UI Pages (#19318)
+  * Remove legacy unmaintained packages, refactor to support change default locale (#19308)
+  * Move milestone to models/issues/ (#19278)
+  * Configure OpenSSH log level via Environment in Docker (#19274)
+  * Move reaction to models/issues/ (#19264)
+  * Make git.OpenRepository accept Context (#19260)
+  * Move some issue methods as functions (#19255)
+  * Show last cron messages on monitor page (#19223)
+  * New cron task: delete old system notices (#19219)
+  * Add Redis Sentinel Authentication Support (#19213)
+  * Add auto logging of goroutine pid label (#19212)
+  * Set OpenGraph title to DisplayName in profile pages  (#19206)
+  * Add pprof labels in processes and for lifecycles (#19202)
+  * Let web and API routes have different auth methods group (#19168)
+  * Move init repository related functions to modules (#19159)
+  * Feeds: render markdown to html (#19058)
+  * Allow users to self-request a PR review (#19030)
+  * Allow render HTML with css/js external links (#19017)
+  * Fix script compatiable with OpenWrt (#19000)
+  * Support ignore all santize for external renderer (#18984)
+  * Add note to GPG key response if user has no keys (#18961)
+  * Improve Stopwatch behavior (#18930)
+  * Improve mirror iterator (#18928)
+  * Uncapitalize errors (#18915)
+  * Prevent Stats Indexer reporting error if repo dir missing (#18870)
+  * Refactor SecToTime() function (#18863)
+  * Replace deprecated String.prototype.substr() with String.prototype.slice() (#18796)
+  * Move deletebeans into models/db (#18781)
+  * Fix display time of milestones (#18753)
+  * Add config option to disable "Update branch by rebase" (#18745)
+  * Display template path of current page in dev mode (#18717)
+  * Add number in queue status to monitor page (#18712)
+  * Change git.cmd to RunWithContext (#18693)
+  * Refactor i18n, use Locale to provide i18n/translation related functions (#18648)
+  * Delete old git.NewCommand() and use it as git.NewCommandContext() (#18552)
+  * Move organization related structs into sub package (#18518)
+  * Warn at startup if the provided `SCRIPT_TYPE` is not on the PATH (#18467)
+  * Use `CryptoRandomBytes` instead of `CryptoRandomString` (#18439)
+  * Use explicit jQuery import, remove unused eslint globals (#18435)
+  * Allow to filter repositories by language in explore, user and organization repositories lists (#18430)
+  * Use base32 for 2FA scratch token (#18384)
+  * Unexport var git.GlobalCommandArgs (#18376)
+  * Don't underline commit status icon on hover (#18372)
+  * Always use git command but not os.Command (#18363)
+  * Switch to non-deprecation setting (#18358)
+  * Set the LastModified header for raw files (#18356)
+  * Refactor jwt.StandardClaims to RegisteredClaims (#18344)
+  * Enable deprecation error for v1.17.0 (#18341)
+  * Refactor httplib (#18338)
+  * Limit max-height of CodeMirror editors for issue comment and wiki (#18271)
+  * Validate migration files (#18203)
+  * Format with gofumpt (#18184)
+  * Allow custom default merge message with .gitea/default_merge_message/<merge_style>_TEMPLATE.md (#18177)
+  * Prettify number of issues (#17760)
+  * Add a "admin user generate-access-token" subcommand (#17722)
+  * Custom regexp external issues (#17624)
+  * Add smtp password to install page (#17564)
+  * Add config options to hide issue events (#17414)
+  * Prevent double click new issue/pull/comment button (#16157)
+  * Show issue assignee on project board (#15232)
+* BUGFIXES
+  * WebAuthn CredentialID field needs to be increased in size (#20530) (#20555)
+  * Ensure that all unmerged files are merged when conflict checking (#20528) (#20536)
+  * Stop logging EOFs and exit(1)s in ssh handler (#20476) (#20529)
+  * Add labels to two buttons that were missing them (#20419) (#20524)
+  * Fix ROOT_URL detection for URLs without trailing slash (#20502) (#20503)
+  * Dismiss prior pull reviews if done via web in review dismiss (#20197) (#20407)
+  * Allow RSA 2047 bit keys (#20272) (#20396)
+  * Add missing return for when topic isn't found (#20351) (#20395)
+  * Fix commit status icon when in subdirectory (#20285) (#20385)
+  * Initialize cron last (#20373) (#20384)
+  * Set target on create release with existing tag (#20381) (#20382)
+  * Update xorm.io/xorm to fix a interpreting db column sizes issue on 32bit systems (#20371) (#20372)
+  * Make sure `repo_dir` is an empty directory or doesn't exist before 'dump-repo' (#20205) (#20370)
+  * Prevent context deadline error propagation in GetCommitsInfo (#20346) (#20361)
+  * Correctly handle draft releases without a tag (#20314) (#20335)
+  * Prevent "empty" scrollbars on Firefox (#20294) (#20308)
+  * Refactor SSH init code, fix directory creation for TrustedUserCAKeys file (#20299) (#20306)
+  * Bump goldmark to v1.4.13 (#20300) (#20301)
+  * Do not create empty ".ssh" directory when loading config (#20289) (#20298)
+  * Fix NPE when using non-numeric (#20277) (#20278)
+  * Store read access in access for team repositories (#20275) (#20276)
+  * EscapeFilter the group dn membership (#20200) (#20254)
+  * Only show Followers that current user can access (#20220) (#20252)
+  * Update Bluemonday to v1.0.19 (#20199) (#20209)
+  * Refix indices on actions table (#20158) (#20198)
+  * Check if project has the same repository id with issue when assign project to issue (#20133) (#20188)
+  * Fix remove file on initial comment (#20127) (#20128)
+  * Catch the error before the response is processed by goth (#20000) (#20102)
+  * Dashboard feed respect setting.UI.FeedPagingNum again (#20094) (#20099)
+  * Alter hook_task TEXT fields to LONGTEXT (#20038) (#20041)
+  * Respond with a 401 on git push when password isn't changed yet (#20026) (#20027)
+  * Return 404 when tag is broken (#20017) (#20024)
+  * Alter hook_task TEXT fields to LONGTEXT (#20038) (#20041)
+  * Respond with a 401 on git push when password isn't changed yet (#20026) (#20027)
+  * Return 404 when tag is broken (#20017) (#20024)
+  * Write Commit-Graphs in RepositoryDumper (#20004)
+  * Use DisplayName() instead of FullName in Oauth Provider (#19991)
+  * Don't buffer doctor logger (#19982)
+  * Always try to fetch repo for mirrors (#19975)
+  * Uppercase first languages letters (#19965)
+  * Fix cli command restore-repo: "units" should be parsed as StringSlice (#19953)
+  * Ensure minimum mirror interval is reported on settings page (#19895)
+  * Exclude Archived repos from Dashboard Milestones (#19882)
+  * gitconfig: set safe.directory = * (#19870)
+  * Prevent NPE on update mirror settings (#19864)
+  * Only return valid stopwatches to the EventSource (#19863)
+  * Prevent NPE whilst migrating if there is a team request review (#19855)
+  * Fix inconsistency in doctor output (#19836)
+  * Fix release tag for webhook (#19830)
+  * Add title attribute to dependencies in sidebar (#19807)
+  * Estimate Action Count in Statistics (#19775)
+  * Do not update user stars numbers unless fix is specified (#19750)
+  * Improved ref comment link when origin is body/title (#19741)
+  * Fix nodeinfo caching and prevent NPE if cache non-existent (#19721)
+  * Fix duplicate entry error when add team member (#19702)
+  * Fix sending empty notifications (#19589)
+  * Update image URL for Discord webhook (#19536)
+  * Don't let repo clone URL overflow (#19517)
+  * Allow commit status popup on /pulls page (#19507)
+  * Fix two UI bugs: JS error in imagediff.js, 500 error in diff/compare.tmpl (#19494)
+  * Fix logging of Transfer API (#19456)
+  * Fix panic in teams API when requesting members (#19360)
+  * Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337)
+  * An attempt to sync a non-mirror repo must give 400 (Bad Request) (#19300)
+  * Move checks for pulls before merge into own function (#19271)
+  * Fix `contrib/upgrade.sh` (#19222)
+  * Set the default branch for repositories generated from templates (#19136)
+  * Fix EasyMDE error when input Enter (#19004)
+  * Don't clean up hardcoded `tmp` (#18983)
+  * Delete related notifications on issue deletion too (#18953)
+  * Fix trace log to show value instead of pointers (#18926)
+  * Fix behavior or checkbox submission. (#18851)
+  * Add `ContextUser` (#18798)
+  * Fix some mirror bugs (#18649)
+  * Quote MAKE to prevent path expansion with space error (#18622)
+  * Preserve users if restoring a repository on the same Gitea instance (#18604)
+  * Fix non-ASCII search on database  (#18437)
+  * Automatically pause queue if index service is unavailable (#15066)
+* TESTING
+  * Allow postgres integration tests to run over unix pipe (#19875)
+  * Prevent intermittent NPE in queue tests (#19301)
+  * Add test for importing pull requests in gitea uploader for migrations (#18752)
+  * Remove redundant comparison in repo dump/restore (#18660)
+  * More repo dump/restore tests, including pull requests  (#18621)
+  * Add test coverage for original author conversion during migrations (#18506)
+* TRANSLATION
+  * Update issue_no_dependencies description (#19112)
+  * Refactor webhooks i18n (#18380)
+* BUILD
+  * Use alpine 3.16 (#19797)
+  * Require node 14.0 (#19451)
+* DOCS
+  * Update documents (git/fomantic/db, etc) (#19868)
+  * Update the ROOT documentation and error messages (#19832)
+  * Update document to use FHS `/usr/local/bin/gitea` instead of `/app/...` for Docker (#19794)
+  * Update documentation to disable duration settings with -1 instead of 0 (#19647)
+  * Add warning to set SENDMAIL_ARGS to --  (#19102)
+  * Update nginx reverse proxy docs (#18922)
+  * Add example to render html files (#18736)
+  * Make SSH passtrough documentation better (#18687)
+  * Changelog 1.16.0 & 1.15.11 (#18468 & #18455)  (#18470)
+  * Update the SSH passthrough documentation (#18366)
+  * Add `contrib/upgrade.sh` (#18286)
+* MISC
+  * Fix aria for logo (#19955)
+  * In code search, get code unit accessible repos in one (main) query (#19764)
+  * Add tooltip to pending PR comments (#19662)
+  * Improve sync performance for pull-mirrors (#19125)
+  * Improve dashboard's repo list performance (#18963)
+  * Avoid database lookups for `DescriptionHTML` (#18924)
+  * Remove CodeMirror dependencies (#18911)
+  * Disable unnecessary mirroring elements (#18527)
+  * Disable unnecessary OpenID/OAuth2 elements (#18491)
+  * Disable unnecessary GitHooks elements (#18485)
+  * Change some logging levels (#18421)
+  * Prevent showing webauthn error for every time visiting `/user/settings/security` (#18385)
+  * Use correct translation key for errors (#18342)
+
+## [1.16.9](https://github.com/go-gitea/gitea/releases/tag/v1.16.9) - 2022-07-12
+
+* SECURITY
+  * Add write check for creating Commit status (#20332) (#20334)
+  * Check for permission when fetching user controlled issues (#20133) (#20196)
+* BUGFIXES
+  * Hide notify mail setting ui if not enabled (#20138) (#20337)
+  * Add write check for creating Commit status (#20332) (#20334)
+  * Only show Followers that current user can access (#20220) (#20253)
+  * Release page show all tags in compare dropdown (#20070) (#20071)
+  * Fix permission check for delete tag (#19985) (#20001)
+  * Only log non ErrNotExist errors in git.GetNote  (#19884) (#19905)
+  * Use exact search instead of fuzzy search for branch filter dropdown (#19885) (#19893)
+  * Set Setpgid on child git processes (#19865) (#19881)
+  * Import git from alpine 3.16 repository as 2.30.4 is needed for `safe.directory = '*'` to work but alpine 3.13 has 2.30.3 (#19876)
+  * Ensure responses are context.ResponseWriters (#19843) (#19859)
+  * Fix incorrect usage of `Count` function (#19850)
+  * Fix raw endpoint PDF file headers (#19825) (#19826)
+  * Make WIP prefixes case insensitive, e.g. allow `Draft` as a WIP prefix (#19780) (#19811)
+  * Don't return 500 on NotificationUnreadCount (#19802)
+  * Prevent NPE when cache service is disabled (#19703) (#19783)
+  * Detect truncated utf-8 characters at the end of content as still representing utf-8 (#19773) (#19774)
+  * Fix doctor pq: syntax error at or near "." quote user table name (#19765) (#19770)
+  * Fix bug with assigneees (#19757)
+
 ## [1.16.8](https://github.com/go-gitea/gitea/releases/tag/v1.16.8) - 2022-05-16

 * ENHANCEMENTS
@ -130,12 +582,12 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Don't show context cancelled errors in attribute reader (#19006) (#19027)
  * Fix update hint bug (#18996) (#19002)
 * MISC
-  *  Fix potential assignee query for repo (#18994) (#18999)
+  * Fix potential assignee query for repo (#18994) (#18999)

 ## [1.16.3](https://github.com/go-gitea/gitea/releases/tag/v1.16.3) - 2022-03-02

 * SECURITY
- * Git backend ignore replace objects (#18979) (#18980) 
+  * Git backend ignore replace objects (#18979) (#18980)
 * ENHANCEMENTS
  * Adjust error for already locked db and prevent level db lock on malformed connstr (#18923) (#18938)
 * BUGFIXES
@ -168,7 +620,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Immediately Hammer if second kill is sent (#18823) (#18826)
  * Allow mermaid render error to wrap (#18791)
 * BUGFIXES
-  * Fix ldap user sync missed email in email_address table (#18786) (#18876) 
+  * Fix ldap user sync missed email in email_address table (#18786) (#18876)
  * Update assignees check to include any writing team and change org sidebar (#18680) (#18873)
  * Don't report signal: killed errors in serviceRPC (#18850) (#18865)
  * Fix bug where certain LDAP settings were reverted (#18859)
@ -667,6 +1119,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Fix SVG side by side comparison link (#17375) (#17391)

 ## [1.15.4](https://github.com/go-gitea/gitea/releases/tag/v1.15.4) - 2021-10-08
+
 * BUGFIXES
  * Raw file API: don't try to interpret 40char filenames as commit SHA (#17185) (#17272)
  * Don't allow merged PRs to be reopened (#17192) (#17271)
@ -1313,7 +1766,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Add size to Save function (#15264) (#15270)
  * Monaco improvements (#15333) (#15345)
  * Support .mailmap in code activity stats (#15009)
-  * Sort release attachments by name (#15008)  
+  * Sort release attachments by name (#15008)
  * Add ui.explore settings to control view of explore pages (#14094)
  * Make internal SSH server host key path configurable (#14918)
  * Hide resync all ssh principals when using internal ssh server (#14904)
@ -1608,6 +2061,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Return original URL of Repositories (#13885) (#13886)

 ## [1.13.0](https://github.com/go-gitea/gitea/releases/tag/v1.13.0) - 2020-12-01
+
 * SECURITY
  * Add Allow-/Block-List for Migrate & Mirrors (#13610) (#13776)
  * Prevent git operations for inactive users (#13527) (#13536)
@ -2521,6 +2975,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Blacklist manifest.json & milestones user (#10292) (#10293)

 ## [1.11.0](https://github.com/go-gitea/gitea/releases/tag/v1.11.0) - 2020-02-10
+
 * BREAKING
  * Fix followers and following tabs in profile (#10202) (#10203)
  * Make CertFile and KeyFile relative to CustomPath (#9868) (#9874)
@ -2973,7 +3428,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).

 This is a re-tag version of v1.10.5 and also explicitly built with Go 1.13.

-WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be used.
+WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should __not__ be used.

 ## [1.10.5](https://github.com/go-gitea/gitea/releases/tag/v1.10.5) - 2020-03-06

@ -2994,6 +3449,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Ensure that 2fa is checked on reset-password (#9857) (#9877)

 ## [1.10.3](https://github.com/go-gitea/gitea/releases/tag/v1.10.3) - 2020-01-17
+
 * SECURITY
  * Hide credentials when submitting migration (#9102) (#9704)
  * Never allow an empty password to validate (#9682) (#9684)
@ -3012,6 +3468,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Branches not at ref commit ID should not be listed as Merged (#9614) (#9639)

 ## [1.10.2](https://github.com/go-gitea/gitea/releases/tag/v1.10.2) - 2020-01-02
+
 * BUGFIXES
  * Allow only specific Columns to be updated on Issue via API (#9539) (#9580)
  * Add ErrReactionAlreadyExist error (#9550) (#9564)
@ -3032,6 +3489,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix File Edit: Author/Committer interchanged (#9297) (#9300)

 ## [1.10.1](https://github.com/go-gitea/gitea/releases/tag/v1.10.1) - 2019-12-05
+
 * BUGFIXES
  * Fix max length check and limit in multiple repo forms (#9148) (#9204)
  * Properly fix displaying virtual session provider in admin panel (#9137) (#9203)
@ -3053,6 +3511,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Shadow password correctly for session config (#8984) (#9002)

 ## [1.10.0](https://github.com/go-gitea/gitea/releases/tag/v1.10.0) - 2019-11-13
+
 * BREAKING
  * Fix deadline on update issue or PR via API (#8698)
  * Hide some user information via API if user doesn't have enough permission (#8655) (#8657)
@ -3350,6 +3809,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix Statuses API only shows first 10 statuses: Add paging and extend API GetCommitStatuses (#7141)

 ## [1.9.6](https://github.com/go-gitea/gitea/releases/tag/v1.9.6) - 2019-11-13
+
 * BUGFIXES
  * Allow to merge if file path contains " or \ (#8629) (#8772)
  * Fix 500 when edit hook (#8782) (#8790)
@ -3358,6 +3818,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Add Close() method to gogitRepository (#8901) (#8958)

 ## [1.9.5](https://github.com/go-gitea/gitea/releases/tag/v1.9.5) - 2019-10-30
+
 * BREAKING
  * Hide some user information via API if user doesn't have enough permission (#8655) (#8658)
 * BUGFIXES
@ -3382,6 +3843,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Update heatmap fixtures to restore tests (#8615) (#8617)

 ## [1.9.4](https://github.com/go-gitea/gitea/releases/tag/v1.9.4) - 2019-10-08
+
 * BUGFIXES
  * Highlight issue references (#8101) (#8404)
  * Fix bug when migrating a private repository #7917 (#8403)
@ -3408,6 +3870,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Make show private icon when repo avatar set (#8144) (#8175)

 ## [1.9.3](https://github.com/go-gitea/gitea/releases/tag/v1.9.3) - 2019-09-06
+
 * BUGFIXES
  * Fix go get from a private repository with Go 1.13 (#8100)
  * Strict name matching for Repository.GetTagID() (#8082)
@ -3423,6 +3886,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Keep blame view buttons sequence consistent with normal view when viewing a file (#8007) (#8009)

 ## [1.9.2](https://github.com/go-gitea/gitea/releases/tag/v1.9.2) - 2019-08-22
+
 * BUGFIXES
  * Fix wrong sender when send slack webhook (#7918) (#7924)
  * Upload support text/plain; charset=utf8 (#7899)
@ -3437,6 +3901,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Drone/docker: prepare multi-arch release + provide arm64 image (#7571) (#7884)

 ## [1.9.1](https://github.com/go-gitea/gitea/releases/tag/v1.9.1) - 2019-08-14
+
 * BREAKING
  * Add pagination for admin api get orgs and fix only list public orgs bug (#7742) (#7752)
 * SECURITY
@ -3464,6 +3929,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Correct wrong datetime format for git (#7689) (#7690)

 ## [1.9.0](https://github.com/go-gitea/gitea/releases/tag/v1.9.0) - 2019-07-30
+
 * BREAKING
  * Better logging (#6038) (#6095)
 * SECURITY
@ -3820,6 +4286,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Added docker example for backup (#5846)

 ## [1.8.3](https://github.com/go-gitea/gitea/releases/tag/v1.8.3) - 2019-06-17
+
 * BUGFIXES
  * Always set userID on LFS authentication (#7224) (Part of #6993)
  * Fix LFS Locks over SSH (#6999) (#7223)
@ -3830,6 +4297,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix GCArgs load from ini (#7156) (#7157)

 ## [1.8.2](https://github.com/go-gitea/gitea/releases/tag/v1.8.2) - 2019-05-29
+
 * BUGFIXES
  * Fix possbile mysql invalid connnection error (#7051) (#7071)
  * Handle invalid administrator username on install page (#7060) (#7063)
@ -3845,6 +4313,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix wrong init dependency on markup extensions (#7038) (#7074)

 ## [1.8.1](https://github.com/go-gitea/gitea/releases/tag/v1.8.1) - 2019-05-08
+
 * BUGFIXES
  * Fix 404 when sending pull requests in some situations (#6871) (#6873)
  * Enforce osusergo build tag for releases (#6862) (#6869)
@ -3871,6 +4340,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix config ui error about cache ttl (#6861) (#6865)

 ## [1.8.0](https://github.com/go-gitea/gitea/releases/tag/v1.8.0) - 2019-04-20
+
 * SECURITY
  * Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6594)
  * Resolve 2FA bypass on API (#6676) (#6674)
@ -4105,18 +4575,21 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Migrate database if app.ini found (#5290)

 ## [1.7.6](https://github.com/go-gitea/gitea/releases/tag/v1.7.6) - 2019-04-12
+
 * SECURITY
  * Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6595)
 * BUGFIXES
  * Allow resend of confirmation email when logged in (#6482) (#6487)

 ## [1.7.5](https://github.com/go-gitea/gitea/releases/tag/v1.7.5) - 2019-03-27
+
 * BUGFIXES
  * Fix unitTypeCode not being used in accessLevelUnit (#6419) (#6423)
  * Fix bug where manifest.json was being requested without cookies and continuously creating new sessions (#6372) (#6383)
  * Fix ParsePatch function to work with quoted diff --git strings (#6323) (#6332)

 ## [1.7.4](https://github.com/go-gitea/gitea/releases/tag/v1.7.4) - 2019-03-12
+
 * SECURITY
  * Fix potential XSS vulnerability in repository description. (#6306) (#6308)
 * BUGFIXES
@ -4126,6 +4599,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix displaying dashboard even if required to change password (#6214) (#6215)

 ## [1.7.3](https://github.com/go-gitea/gitea/releases/tag/v1.7.3) - 2019-02-27
+
 * BUGFIXES
  * Fix server 500 when trying to migrate to an already existing repository (#6188) (#6197)
  * Load Issue attributes for API /repos/{owner}/{repo}/issues/{index} (#6122) (#6185)
@ -4140,6 +4614,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Recover panic in orgmode.Render if bad orgfile (#4982) (#5903) (#6097)

 ## [1.7.2](https://github.com/go-gitea/gitea/releases/tag/v1.7.2) - 2019-02-14
+
 * BUGFIXES
  * Remove all CommitStatus when a repo is deleted (#5940) (#5941)
  * Fix notifications on pushing with deploy keys by setting hook environment variables (#5935) (#5944)
@ -4156,6 +4631,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * In basic auth check for tokens before call UserSignIn (#5725) (#6083)

 ## [1.7.1](https://github.com/go-gitea/gitea/releases/tag/v1.7.1) - 2019-01-31
+
 * SECURITY
  * Disable redirect for i18n (#5910) (#5916)
  * Only allow local login if password is non-empty (#5906) (#5908)
@ -4177,6 +4653,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Include Go toolchain to --version (#5832) (#5830)

 ## [1.7.0](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-22
+
 * SECURITY
  * Do not display the raw OpenID error in the UI (#5705) (#5712)
  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5679)
@ -4333,18 +4810,21 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Only chown directories during docker setup if necessary. Fix #4425 (#5064)

 ## [1.6.4](https://github.com/go-gitea/gitea/releases/tag/v1.6.4) - 2019-01-15
+
 * BUGFIX
  * Fix SSH key now can be reused as public key after deleting as deploy key (#5671) (#5685)
  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5703)
  * Fix to use correct value for "MSpan Structures Obtained" (#5706) (#5715)

 ## [1.6.3](https://github.com/go-gitea/gitea/releases/tag/v1.6.3) - 2019-01-04
+
 * SECURITY
  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
 * BUGFIX
  * Fix wrong text getting saved on editing second comment on an issue (#5608)

 ## [1.6.2](https://github.com/go-gitea/gitea/releases/tag/v1.6.2) - 2018-12-21
+
 * SECURITY
  * Sanitize uploaded file names (#5571) (#5573)
  * HTMLEncode user added text (#5570) (#5575)
@ -4359,6 +4839,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix empty wiki (#5504) (#5508)

 ## [1.6.1](https://github.com/go-gitea/gitea/releases/tag/v1.6.1) - 2018-12-08
+
 * BUGFIXES
  * Fix dependent issue searching when gitea is run in subpath (#5392) (#5400)
  * API: '/orgs/:org/repos': return private repos with read access (#5393)
@ -4369,6 +4850,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix topic name length on database (#5493) (#5495)

 ## [1.6.0](https://github.com/go-gitea/gitea/releases/tag/v1.6.0) - 2018-11-22
+
 * BREAKING
  * Respect email privacy option in user search via API (#4512)
  * Simply remove tidb and deps (#3993)
@ -4522,10 +5004,12 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix translation (#4355)

 ## [1.5.3](https://github.com/go-gitea/gitea/releases/tag/v1.5.3) - 2018-10-31
+
 * SECURITY
  * Fix remote command execution vulnerability in upstream library (#5177) (#5196)

 ## [1.5.2](https://github.com/go-gitea/gitea/releases/tag/v1.5.2) - 2018-10-09
+
 * SECURITY
  * Enforce token on api routes (#4840) (#4905)
 * BUGFIXES
@ -4542,6 +5026,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix trimming of markup section names (#4864)

 ## [1.5.1](https://github.com/go-gitea/gitea/releases/tag/v1.5.1) - 2018-09-03
+
 * SECURITY
  * Don't disclose emails of all users when sending out emails (#4784)
  * Improve URL validation for external wiki and external issues (#4710) (#4740)
@ -4556,6 +5041,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix incorrect caption of webhook setting (#4701) (#4718)

 ## [1.5.0](https://github.com/go-gitea/gitea/releases/tag/v1.5.0) - 2018-08-10
+
 * SECURITY
  * Check that repositories can only be migrated to own user or organizations (#4366) (#4370)
  * Limit uploaded avatar image-size to 4096px x 3072px by default (#4353)
@ -4619,6 +5105,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Sign release binaries (#4188)

 ## [1.4.3](https://github.com/go-gitea/gitea/releases/tag/v1.4.3) - 2018-06-26
+
 * SECURITY
  * HTML-escape plain-text READMEs (#4192) (#4214)
  * Fix open redirect vulnerability on login screen (#4312) (#4312)
@ -4631,6 +5118,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix webhook type conflation (#4285) (#4285)

 ## [1.4.2](https://github.com/go-gitea/gitea/releases/tag/v1.4.2) - 2018-06-04
+
 * BUGFIXES
  * Adjust z-index for floating labels (#3939) (#3950)
  * Add missing token validation on application settings page (#3976) #3978
@ -4646,6 +5134,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Respository's home page not updated after first push (#4075)

 ## [1.4.1](https://github.com/go-gitea/gitea/releases/tag/v1.4.1) - 2018-05-03
+
 * BREAKING
  * Add "error" as reserved username (#3882) (#3886)
 * SECURITY
@ -4663,6 +5152,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Show clipboard button if disable HTTP of git protocol (#3773) (#3774)

 ## [1.4.0](https://github.com/go-gitea/gitea/releases/tag/v1.4.0) - 2018-03-25
+
 * BREAKING
  * Drop deprecated GOGS\_WORK\_DIR use (#2946)
  * Fix API status code for hook creation (#2814)
@ -4782,6 +5272,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Add owner to delete repo message (#2886)

 ## [1.3.1](https://github.com/go-gitea/gitea/releases/tag/v1.3.1) - 2017-12-08
+
 * BUGFIXES
  * Sanitize logs for mirror sync (#3057, #3082) (#3078)
  * Fix missing branch in release bug (#3108) (#3117)
@ -4792,6 +5283,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix missing password length check when change password (#3039) (#3071)

 ## [1.3.0](https://github.com/go-gitea/gitea/releases/tag/v1.3.0) - 2017-11-29
+
 * BREAKING
  * Make URL scheme unambiguous (#2408)
 * FEATURES
@ -5019,11 +5511,13 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Added vendor dir for js/css libs; Documented sources (#1484) (#2241)

 ## [1.2.3](https://github.com/go-gitea/gitea/releases/tag/v1.2.3) - 2017-11-03
+
 * BUGFIXES
  * Only require one email when validating GPG key (#2266, #2467, #2663) (#2788)
  * Fix order of comments (#2835) (#2839)

 ## [1.2.2](https://github.com/go-gitea/gitea/releases/tag/v1.2.2) - 2017-10-26
+
 * BUGFIXES
  * Add checks for commits with missing author and time (#2771) (#2785)
  * Fix sending mail with a non-latin display name (#2559) (#2783)
@ -5032,6 +5526,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix emojify image URL (#2769) (#2773)

 ## [1.2.1](https://github.com/go-gitea/gitea/releases/tag/v1.2.1) - 2017-10-16
+
 * BUGFIXES
  * Fix PR, milestone and label functionality if issue unit is disabled (#2710) (#2714)
  * Fix plain readme didn't render correctly on repo home page (#2705) (#2712)
@ -5040,6 +5535,7 @@ WARNING: v1.10.5 is incorrectly tagged targeting 1.12-dev and should **not** be
  * Fix slice out of bounds error in mailer (#2479) (#2696)

 ## [1.2.0](https://github.com/go-gitea/gitea/releases/tag/v1.2.0) - 2017-10-10
+
 * SECURITY
  * Sanitation fix from Gogs (#1461)
 * BREAKING
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,443 +1,23 @@
-# Contribution Guidelines
+# Forgejo Contributor Guide

-## Table of Contents
+The Forgejo project is run by a community of people who are expected to follow this guide when cooperating on a simple bug fix as well as when changing the governance. For more information about the project, take a look at [the documentation explaining what Forgejo provides](README.md).

- [Contribution Guidelines](#contribution-guidelines)
-  - [Table of Contents](#table-of-contents)
-  - [Introduction](#introduction)
-  - [Bug reports](#bug-reports)
-  - [Discuss your design](#discuss-your-design)
-  - [Testing redux](#testing-redux)
-  - [Vendoring](#vendoring)
-  - [Translation](#translation)
-  - [Building Gitea](#building-gitea)
-  - [Code review](#code-review)
-  - [Styleguide](#styleguide)
-  - [Design guideline](#design-guideline)
-  - [API v1](#api-v1)
-  - [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco)
-  - [Release Cycle](#release-cycle)
-  - [Maintainers](#maintainers)
-  - [Owners](#owners)
-  - [Versions](#versions)
-  - [Releasing Gitea](#releasing-gitea)
-  - [Copyright](#copyright)
+Sensitive security-related issues should be reported to [security@forgejo.org](mailto:security@forgejo.org) using [encryption](https://keyoxide.org/security@forgejo.org).

-## Introduction
+## For everyone involved

-This document explains how to contribute changes to the Gitea project.
-It assumes you have followed the
-[installation instructions](https://docs.gitea.io/en-us/).
-Sensitive security-related issues should be reported to
-[security@gitea.io](mailto:security@gitea.io).
+- [Code of Conduct](CONTRIBUTING/COC.md)
+- [Bugs, features, security and others discussions](CONTRIBUTING/DISCUSSIONS.md)
+- [Governance](CONTRIBUTING/GOVERNANCE.md)
+- [Funding](CONTRIBUTING/FUNDING.md)

-For configuring IDE or code editor to develop Gitea see [IDE and code editor configuration](contrib/ide/)
+## For contributors

-## Bug reports
+- [Developer Certificate of Origin (DCO)](CONTRIBUTING/DCO.md)
+- [Development workflow](CONTRIBUTING/WORKFLOW.md)

-Please search the issues on the issue tracker with a variety of keywords
-to ensure your bug is not already reported.
+## For maintainers

-If unique, [open an issue](https://github.com/go-gitea/gitea/issues/new)
-and answer the questions so we can understand and reproduce the
-problematic behavior.
+- [Release management](CONTRIBUTING/RELEASE.md)
+- [Secrets](CONTRIBUTING/SECRETS.md)

-To show us that the issue you are having is in Gitea itself, please
-write clear, concise instructions so we can reproduce the behavior—
-even if it seems obvious. The more detailed and specific you are,
-the faster we can fix the issue. Check out [How to Report Bugs
-Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html).
-
-Please be kind, remember that Gitea comes at no cost to you, and you're
-getting free help.
-
-## Discuss your design
-
-The project welcomes submissions. If you want to change or add something,
-please let everyone know what you're working on—[file an issue](https://github.com/go-gitea/gitea/issues/new)!
-Significant changes must go through the change proposal process
-before they can be accepted. To create a proposal, file an issue with
-your proposed changes documented, and make sure to note in the title
-of the issue that it is a proposal.
-
-This process gives everyone a chance to validate the design, helps
-prevent duplication of effort, and ensures that the idea fits inside
-the goals for the project and tools. It also checks that the design is
-sound before code is written; the code review tool is not the place for
-high-level discussions.
-
-## Testing redux
-
-Before submitting a pull request, run all the tests for the whole tree
-to make sure your changes don't cause regression elsewhere.
-
-Here's how to run the test suite:
-
- code lint
-
-|                       |                                                                   |
-| :-------------------- | :---------------------------------------------------------------- |
-|``make lint``          | lint everything (not suggest if you only change one type code)    |
-|``make lint-frontend`` | lint frontend files  |
-|``make lint-backend``  | lint backend files   |
-
- run test code (Suggest run in Linux)  
-
-|                                        |                                                  |
-| :------------------------------------- | :----------------------------------------------- |
-|``make test[\#TestSpecificName]``       |  run unit test  |
-|``make test-sqlite[\#TestSpecificName]``|  run [integration](integrations) test for SQLite |  
-|[More details about integrations](integrations/README.md)  |
-
-## Vendoring
-
-We manage dependencies via [Go Modules](https://golang.org/cmd/go/#hdr-Module_maintenance), more details: [go mod](https://go.dev/ref/mod).
-
-Pull requests should only include `go.mod`, `go.sum` updates if they are part of
-the same change, be it a bugfix or a feature addition.
-
-The `go.mod`, `go.sum` update needs to be justified as part of the PR description,
-and must be verified by the reviewers and/or merger to always reference
-an existing upstream commit.
-
-You can find more information on how to get started with it on the [Modules Wiki](https://github.com/golang/go/wiki/Modules).
-
-## Translation
-
-We do all translation work inside [Crowdin](https://crowdin.com/project/gitea).
-The only translation that is maintained in this Git repository is
-[`en_US.ini`](https://github.com/go-gitea/gitea/blob/master/options/locale/locale_en-US.ini)
-and is synced regularly to Crowdin. Once a translation has reached
-A SATISFACTORY PERCENTAGE it will be synced back into this repo and
-included in the next released version.
-
-## Building Gitea
-
-See the [hacking instructions](https://docs.gitea.io/en-us/hacking-on-gitea/).
-
-## Code review
-
-Changes to Gitea must be reviewed before they are accepted—no matter who
-makes the change, even if they are an owner or a maintainer. We use GitHub's
-pull request workflow to do that. And, we also use [LGTM](http://lgtm.co)
-to ensure every PR is reviewed by at least 2 maintainers.
-
-Please try to make your pull request easy to review for us. And, please read
-the *[How to get faster PR reviews](https://github.com/kubernetes/community/blob/261cb0fd089b64002c91e8eddceebf032462ccd6/contributors/guide/pull-requests.md#best-practices-for-faster-reviews)* guide;
-it has lots of useful tips for any project you may want to contribute.
-Some of the key points:
-
-* Make small pull requests. The smaller, the faster to review and the
-  more likely it will be merged soon.
-* Don't make changes unrelated to your PR. Maybe there are typos on
-  some comments, maybe refactoring would be welcome on a function... but
-  if that is not related to your PR, please make *another* PR for that.
-* Split big pull requests into multiple small ones. An incremental change
-  will be faster to review than a huge PR.
-* Use the first comment as a summary explainer of your PR and you should keep this up-to-date as the PR evolves.
-
-If your PR could cause a breaking change you must add a BREAKING section to this comment e.g.:
-
-```
-## :warning: BREAKING :warning:
-```
-
-To explain how this could affect users and how to mitigate these changes.
-
-## Styleguide
-
-For imports you should use the following format (_without_ the comments)
-```go
-import (
-  // stdlib
-  "fmt"
-  "math"
-
-  // local packages
-  "code.gitea.io/gitea/models"
-  "code.gitea.io/sdk/gitea"
-
-  // external packages
-  "github.com/foo/bar"
-  "gopkg.io/baz.v1"
-)
-```
-
-## Design guideline
-
-To maintain understandable code and avoid circular dependencies it is important to have a good structure of the code. The Gitea code is divided into the following parts:
-
- **integration:** Integrations tests
- **models:** Contains the data structures used by xorm to construct database tables. It also contains supporting functions to query and update the database. Dependencies to other code in Gitea should be avoided although some modules might be needed (for example for logging).
- **models/fixtures:** Sample model data used in integration tests.
- **models/migrations:** Handling of database migrations between versions. PRs that changes a database structure shall also have a migration step.
- **modules:** Different modules to handle specific functionality in Gitea.
- **public:** Frontend files (javascript, images, css, etc.)
- **routers:** Handling of server requests. As it uses other Gitea packages to serve the request, other packages (models, modules or services) shall not depend on routers
- **services:** Support functions for common routing operations. Uses models and modules to handle the request.
- **templates:** Golang templates for generating the html output.
- **vendor:** External code that Gitea depends on.
-
-## API v1
-
-The API is documented by [swagger](http://try.gitea.io/api/swagger) and is based on [GitHub API v3](https://developer.github.com/v3/).
-Thus, Gitea´s API should use the same endpoints and fields as GitHub´s API as far as possible, unless there are good reasons to deviate.  
-If Gitea provides functionality that GitHub does not, a new endpoint can be created.  
-If information is provided by Gitea that is not provided by the GitHub API, a new field can be used that doesn't collide with any GitHub fields.
-
-Updating an existing API should not remove existing fields unless there is a really good reason to do so.
-The same applies to status responses. If you notice a problem, feel free to leave a comment in the code for future refactoring to APIv2 (which is currently not planned).
-
-All expected results (errors, success, fail messages) should be documented
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)).
-
-All JSON input types must be defined as a struct in [modules/structs/](modules/structs/)
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91))
-and referenced in
-[routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go).  
-They can then be used like the following:
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318)).
-
-All JSON responses must be defined as a struct in [modules/structs/](modules/structs/)
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68))
-and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/)
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16))  
-They can be used like the following:
-([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279))
-
-In general, HTTP methods are chosen as follows:
- * **GET** endpoints return requested object and status **OK (200)**
- * **DELETE** endpoints return status **No Content (204)**
- * **POST** endpoints return status **Created (201)**, used to **create** new objects (e.g. a User)
- * **PUT** endpoints return status **No Content (204)**, used to **add/assign** existing Objects (e.g. User) to something (e.g. Org-Team)
- * **PATCH** endpoints return changed object and status **OK (200)**, used to **edit/change** an existing object
-
-An endpoint which changes/edits an object expects all fields to be optional (except ones to identify the object, which are required).
-### Endpoints returning lists should
- * support pagination (`page` & `limit` options in query)
- * set `X-Total-Count` header via **SetTotalCountHeader** ([example](https://github.com/go-gitea/gitea/blob/7aae98cc5d4113f1e9918b7ee7dd09f67c189e3e/routers/api/v1/repo/issue.go#L444))
-
-## Large Character Comments
-
-Throughout the codebase there are large-text comments for sections of code, e.g.:
-
-```go
-// __________            .__               
-// \______   \ _______  _|__| ______  _  __
-//  |       _// __ \  \/ /  |/ __ \ \/ \/ /
-//  |    |   \  ___/\   /|  \  ___/\     / 
-//  |____|_  /\___  >\_/ |__|\___  >\/\_/  
-//         \/     \/             \/        
-```
-
-These were created using the `figlet` tool with the `graffiti` font.
-
-A simple way of creating these is to use the following:
-
-```bash
-figlet -f graffiti Review | sed  -e's+^+// +' - | xclip -sel clip -in
-```
-
-## Backports and Frontports
-
-Occasionally backports of PRs are required.
-
-The backported PR title should be:
-
-```
-Title of backported PR (#ORIGINAL_PR_NUMBER)
-```
-
-The first two lines of the summary of the backporting PR should be:
-
-```
-Backport #ORIGINAL_PR_NUMBER
-
-```
-
-with the rest of the summary matching the original PR. Similarly for frontports
-
---
-
-The below is a script that may be helpful in creating backports. YMMV.
-
-```bash
-#!/bin/sh
-PR="$1"
-SHA="$2"
-VERSION="$3"
-
-if [ -z "$SHA" ]; then
-    SHA=$(gh api /repos/go-gitea/gitea/pulls/$PR -q '.merge_commit_sha')
-fi
-
-if [ -z "$VERSION" ]; then
-    VERSION="v1.16"
-fi
-
-echo git checkout origin/release/"$VERSION" -b backport-$PR-$VERSION
-git checkout origin/release/"$VERSION" -b backport-$PR-$VERSION
-git cherry-pick $SHA && git commit --amend && git push zeripath backport-$PR-$VERSION && xdg-open https://github.com/go-gitea/gitea/compare/release/"$VERSION"...zeripath:backport-$PR-$VERSION
-
-```
-
-## Developer Certificate of Origin (DCO)
-
-We consider the act of contributing to the code by submitting a Pull
-Request as the "Sign off" or agreement to the certifications and terms
-of the [DCO](DCO) and [MIT license](LICENSE). No further action is required.
-Additionally you could add a line at the end of your commit message.
-
-```
-Signed-off-by: Joe Smith <joe.smith@email.com>
-```
-
-If you set your `user.name` and `user.email` Git configs, you can add the
-line to the end of your commit automatically with `git commit -s`.
-
-We assume in good faith that the information you provide is legally binding.
-
-## Release Cycle
-
-We adopted a release schedule to streamline the process of working
-on, finishing, and issuing releases. The overall goal is to make a
-minor release every three or four months, which breaks down into two or three months of
-general development followed by one month of testing and polishing
-known as the release freeze. All the feature pull requests should be
-merged before feature freeze. And, during the frozen period, a corresponding
-release branch is open for fixes backported from main branch. Release candidates
-are made during this period for user testing to
-obtain a final version that is maintained in this branch. A release is
-maintained by issuing patch releases to only correct critical problems
-such as crashes or security issues.
-
-Major release cycles are seasonal. They always begin on the 25th and end on
-the 24th (i.e., the 25th of December to March 24th).
-
-During a development cycle, we may also publish any necessary minor releases
-for the previous version. For example, if the latest, published release is
-v1.2, then minor changes for the previous release—e.g., v1.1.0 -> v1.1.1—are
-still possible.
-
-## Maintainers
-
-To make sure every PR is checked, we have [team
-maintainers](MAINTAINERS). Every PR **MUST** be reviewed by at least
-two maintainers (or owners) before it can get merged. A maintainer
-should be a contributor of Gitea (or Gogs) and contributed at least
-4 accepted PRs. A contributor should apply as a maintainer in the
-[Discord](https://discord.gg/NsatcWJ) #develop channel. The owners
-or the team maintainers may invite the contributor. A maintainer
-should spend some time on code reviews. If a maintainer has no
-time to do that, they should apply to leave the maintainers team
-and we will give them the honor of being a member of the [advisors
-team](https://github.com/orgs/go-gitea/teams/advisors). Of course, if
-an advisor has time to code review, we will gladly welcome them back
-to the maintainers team. If a maintainer is inactive for more than 3
-months and forgets to leave the maintainers team, the owners may move
-him or her from the maintainers team to the advisors team.
-For security reasons, Maintainers should use 2FA for their accounts and
-if possible provide GPG signed commits.
-https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
-https://help.github.com/articles/signing-commits-with-gpg/
-
-## Owners
-
-Since Gitea is a pure community organization without any company support,
-to keep the development healthy we will elect three owners every year. All
-contributors may vote to elect up to three candidates, one of which will
-be the main owner, and the other two the assistant owners. When the new
-owners have been elected, the old owners will give up ownership to the
-newly elected owners. If an owner is unable to do so, the other owners
-will assist in ceding ownership to the newly elected owners.
-For security reasons, Owners or any account with write access (like a bot)
-must use 2FA.
-https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
-
-After the election, the new owners should proactively agree
-with our [CONTRIBUTING](CONTRIBUTING.md) requirements in the
-[Discord](https://discord.gg/NsatcWJ) #general channel. Below are the
-words to speak:
-
-```
-I'm honored to having been elected an owner of Gitea, I agree with
-[CONTRIBUTING](CONTRIBUTING.md). I will spend part of my time on Gitea
-and lead the development of Gitea.
-```
-
-To honor the past owners, here's the history of the owners and the time
-they served:
-
-* 2022-01-01 ~ 2022-12-31 - https://github.com/go-gitea/gitea/issues/17872
-  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>
-  * [Andrew Thornton](https://gitea.com/zeripath) <art27@cantab.net>
-
-* 2021-01-01 ~ 2021-12-31 - https://github.com/go-gitea/gitea/issues/13801
-  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) <lauris@nix.lv>
-  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>
-
-* 2020-01-01 ~ 2020-12-31 - https://github.com/go-gitea/gitea/issues/9230
-  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) <lauris@nix.lv>
-  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>
-
-* 2019-01-01 ~ 2019-12-31 - https://github.com/go-gitea/gitea/issues/5572
-  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
-  * [Matti Ranta](https://github.com/techknowlogick) <techknowlogick@gitea.io>
-
-* 2018-01-01 ~ 2018-12-31 - https://github.com/go-gitea/gitea/issues/3255
-  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
-  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
-
-* 2016-11-04 ~ 2017-12-31
-  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
-  * [Thomas Boerger](https://github.com/tboerger) <thomas@webhippie.de>
-  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
-
-## Versions
-
-Gitea has the `main` branch as a tip branch and has version branches
-such as `release/v0.9`. `release/v0.9` is a release branch and we will
-tag `v0.9.0` for binary download. If `v0.9.0` has bugs, we will accept
-pull requests on the `release/v0.9` branch and publish a `v0.9.1` tag,
-after bringing the bug fix also to the main branch.
-
-Since the `main` branch is a tip version, if you wish to use Gitea
-in production, please download the latest release tag version. All the
-branches will be protected via GitHub, all the PRs to every branch must
-be reviewed by two maintainers and must pass the automatic tests.
-
-## Releasing Gitea
-
-* Let $vmaj, $vmin and $vpat be Major, Minor and Patch version numbers, $vpat should be rc1, rc2, 0, 1, ...... $vmaj.$vmin will be kept the same as milestones on github or gitea in future.
-* Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody against in about serval hours.
-* If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
-  * Create `-dev` tag as `git tag -s -F release.notes v$vmaj.$vmin.0-dev` and push the tag as `git push origin v$vmaj.$vmin.0-dev`.
-  * When CI has finished building tag then you have to create a new branch named `release/v$vmaj.$vmin`
-* If it is bugfix version create PR for changelog on branch `release/v$vmaj.$vmin` and wait till it is reviewed and merged.
-* Add a tag as `git tag -s -F release.notes v$vmaj.$vmin.$`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`.
-* And then push the tag as `git push origin v$vmaj.$vmin.$`. Drone CI will automatically create a release and upload all the compiled binary. (But currently it doesn't add the release notes automatically. Maybe we should fix that.)
-* If needed send a frontport PR for the changelog to branch `main` and update the version in `docs/config.yaml` to refer to the new version.
-* Send PR to [blog repository](https://gitea.com/gitea/blog) announcing the release.
-* Verify all release assets were correctly published through CI on dl.gitea.io and GitHub releases. Once ACKed:
-  * bump the version of https://dl.gitea.io/gitea/version.json
-  * merge the blog post PR
-  * announce the release in discord `#announcements`
-
-## Copyright
-
-Code that you contribute should use the standard copyright header:
-
-```
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-```
-
-Files in the repository contain copyright from the year they are added
-to the year they are last changed. If the copyright author is changed,
-just paste the header below the old one.
--- a/CONTRIBUTING/COC.md
+++ b/CONTRIBUTING/COC.md
@ -0,0 +1,26 @@
+# Code of Conduct, Well Being and Moderation teams
+
+Forgejo strives to be an inclusive project where everyone can participate in a safe environment. The [Well Being](https://codeberg.org/org/forgejo/teams/well-being) team is doing its best to defuse tensions before they escalate and is available to answer all requests sent its way. When diplomacy fails, the [Moderation](https://codeberg.org/org/forgejo/teams/moderation) will be forced to act to put a stop to actions that are contrary to the [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
+
+## Well Being and Moderation teams
+
+Temporary Well Being and Moderation teams [were appointed 10 November 2022](https://codeberg.org/forgejo/meta/issues/13).
+
+The moderation team will rely on this [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct) when diplomacy fails.
+
+### [Well Being](https://codeberg.org/org/forgejo/teams/well-being)
+
+Their goal is to defuse tensions.
+
+It has no power whatsover. The members are approved by the organization and trusted to:
+
+- Read all communications to detect tensions between people before they escalate.
+- Do their best to defuse tensions.
+
+### [Moderation](https://codeberg.org/org/forgejo/teams/moderation)
+
+Their goal is to enforce the [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct) when diplomacy fails.
+
+It has the power to exclude people from a space.
+
+Their decisions must be logical, fact based and transparent to the organization trusting them with the task.
--- a/CONTRIBUTING/DCO.md
+++ b/CONTRIBUTING/DCO.md
@ -0,0 +1,29 @@
+# Developer Certificate of Origin (DCO)
+
+Contributions to Forgejo, in all the repositories in the [Forgejo organization](https://codeberg.org/forgejo) are accepted provided the author agrees to the following Developer Certificate of Origin (DCO).
+
+```
+By making a contribution to Forgejo, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the Free Software
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate Free Software
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same Free Software license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the Free Software license(s) involved.
+```
--- a/CONTRIBUTING/DISCUSSIONS.md
+++ b/CONTRIBUTING/DISCUSSIONS.md
@ -0,0 +1,18 @@
+# Bugs, features and discussions
+
+The [Forgejo issue tracker](https://codeberg.org/forgejo/forgejo/issues) is where **bugs** should be reported and **features** requested.
+
+Dedicated repositories in the [Forgejo organization](https://codeberg.org/forgejo) cover areas such as:
+- the [website](https://codeberg.org/forgejo/website)
+- the [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct)
+- the [funding](https://codeberg.org/forgejo/funding).
+
+Other discussions regarding all **non technical aspects** of Forgejo, such as the governance, happen in the [meta issue tracker](https://codeberg.org/forgejo/meta/issues) and in the [matrix chatroom](https://matrix.to/#/#forgejo-chat:matrix.org).
+
+# Security
+
+The [security team](https://codeberg.org/org/forgejo/teams/security) handle security vulnerabilities. It handles sensitive security-related issues reported to [security@forgejo.org](mailto:security@forgejo.org) using [encryption](https://keyoxide.org/security@forgejo.org).
+
+The security team also keeps the content of the [security.txt](https://codeberg.org/forgejo/website/src/branch/main/public/.well-known/security.txt) file up to date.
+
+The private GPG key for `security@forgejo.org` is shared among all members of the security team and not stored online.
--- a/CONTRIBUTING/FUNDING.md
+++ b/CONTRIBUTING/FUNDING.md
@ -0,0 +1,21 @@
+# Funding per year
+
+## 2022
+
+* 50,000€ [to further forge federation](https://forum.forgefriends.org/t/nlnet-grant-application-for-federation-in-gitea-deadline-august-1st-2022/823)
+* 10,000€ (1,400€ October, 5,600€ November, 2,800€ December) employee delegation from Easter-eggs (Loïc Dachary)
+
+# Funding ideas and prospects
+
+## Grant applications
+
+* [Forgejo NLnet December 1st 2022](https://codeberg.org/forgejo/funding/issues/1)
+* [UX/UI NLnet December 1st 2022](https://codeberg.org/forgejo/funding/issues/4)
+
+## Discussions
+
+* [Proposition](https://codeberg.org/forgejo/meta/issues/51) to log volunteers time so that it is accounted for at a 60€ per hour rate.
+* [A solution for sustaining Free Software forge development](https://blog.dachary.org/2022/11/05/a-solution-for-sustaining-forge-development/)
+    * A French company delegates an employee for X month
+    * The employee's time is paid for by [R&D incentive](https://fr.wikipedia.org/wiki/Cr%C3%A9dit_d%27imp%C3%B4t_recherche)
+* [Donations to Codeberg](https://codeberg.org/forgejo/meta/issues/26)
--- a/CONTRIBUTING/GOVERNANCE.md
+++ b/CONTRIBUTING/GOVERNANCE.md
@ -0,0 +1,21 @@
+# Governance
+
+## Codeberg e.V. stewards of the domains
+
+The Forgejo [domains](https://codeberg.org/forgejo/meta/issues/41) are owned by the democratic non-profit dedicated to Free Software [Codeberg e.V.](https://codeberg.org/Codeberg/org/src/branch/main/en/bylaws.md). Forgejo is therefore ultimately under the control of Codeberg e.V. and its governance. However, although Codeberg e.V. is committed to use and host Forgejo, it is expected that Forgejo defines its own governance, in a way that is compatible with the Codeberg e.V. governance.
+
+## Interim Forgejo Governance
+
+Although Codeberg e.V. guarantees Forgejo is ultimately under the control of a trusted organization, there was a need to establish an interim Forgejo governance for safeguarding credentials, enforcing the Code of Conduct and ensuring security vulnerabilities are handled responsibly for the Forgejo releases.
+
+All people with a role in the interim Forgejo governance pledge to resign as soon as the Forgejo governance is in place.
+
+* [release managers](https://codeberg.org/org/forgejo/teams/releases) safeguard the keys used to sign Forgejo releases
+* [secret keepers](https://codeberg.org/org/Forgejo/teams/owners) safeguard all credentials (registrar, social accounts, etc.)
+* [security team](https://codeberg.org/org/forgejo/teams/security) handle security vulnerabilities
+* [Well Being](https://codeberg.org/org/forgejo/teams/well-being) and [Moderation](https://codeberg.org/org/forgejo/teams/moderation) teams help keep Forgejo an inclusive space
+
+## Forgejo Governance
+
+Forgejo was bootstraped in November 2022 and is [defining its governance](https://codeberg.org/forgejo/meta/issues/19). The [first meeting happened November 24th](https://codeberg.org/forgejo/meta/issues/19#issuecomment-694460) and was recorded. Everyone is welcome to participate in this fully transparent and cooperative process.
+
--- a/CONTRIBUTING/RELEASE.md
+++ b/CONTRIBUTING/RELEASE.md
@ -0,0 +1,62 @@
+# Release management
+
+## Shared user: release-team
+
+The [release-team](https://codeberg.org/release-team) user publishes and signs all releases. The associated email is mailto:release@forgejo.org.
+
+The public GPG key used to sign the releases is [EB114F5E6C0DC2BCDD183550A4B61A2DC5923710](https://codeberg.org/release-team.gpg) `Forgejo Releases <release@forgejo.org>`
+
+## Release numbering
+
+The Forgejo release numbers are composed of the Gitea release number followed by a dash and a serial number. For instance:
+
+* Gitea **v1.18.0** will be Forgejo **v1.18.0-0**, **v1.18.0-1**, etc
+
+The Gitea release candidates are suffixed with **-rcN** which is handled as a special case for packaging: although **X.Y.Z** is lexicographically lower than **X.Y.Z-rc1** is is considered greater. The Forgejo serial number must therefore be inserted before the **-rcN** suffix to preserve the expected version ordering.
+
+* Gitea **v1.18.0-rc0** will be Forgejo **v1.18.0-0-rc0**, **v1.18.0-1-rc0**
+* Gitea **v1.18.0-rc1** will be Forgejo **v1.18.0-2-rc1**, **v1.18.0-3-rc1**, **v1.18.0-4-rc1**
+* Gitea **v1.18.0** will be Forgejo **v1.18.0-5**, **v1.18.0-6**, **v1.18.0-7**
+* etc.
+
+## Release process
+
+* Reset the vX.Y/forgejo-integration branch to the Gitea tag vX.Y.Z
+* Merge all feature branches into the vX.Y/forgejo-integration branch
+* If the CI passes reset the vX.Y/forgejo branch to the tip of vX.Y/forgejo-integration
+* Set the vX.Y.Z-N tag to the tip of the vX.Y/forgejo branch
+* [Binaries](https://codeberg.org/forgejo/forgejo/releases) are built, signed and uploaded by the CI.
+* [Container images](https://codeberg.org/forgejo/-/packages/container/forgejo/versions) are built and uploaded by the CI.
+
+## Release signing keys management
+
+A GPG master key with no expiration date is created and shared with members of the Owners team via encrypted email. A subkey with a one year expiration date is created and stored in the secrets repository, to be used by the CI pipeline. The public master key is stored in the secrets repository and published where relevant.
+
+### Master key creation
+
+* gpg --expert --full-generate-key
+* key type: ECC and ECC option with Curve 25519 as curve
+* no expiration
+* id: Forgejo Releases <contact@forgejo.org>
+* gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 and send via encrypted email to Owners
+* gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team-gpg.pub
+* commit to the secret repository
+
+### Subkey creation and renewal
+
+* gpg --expert --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+* addkey
+* key type: ECC (signature only)
+* key validity: one year
+* create [an issue](https://codeberg.org/forgejo/forgejo/issues) to schedule the renewal
+
+#### 2023
+
+* gpg --export --armor F7CBF02094E7665E17ED6C44E381BF3E50D53707 > 2023-release-team-gpg.pub
+* gpg --export-secret-keys --armor F7CBF02094E7665E17ED6C44E381BF3E50D53707 > 2023-release-team-gpg
+* commit to the secrets repository
+* renewal issue https://codeberg.org/forgejo/forgejo/issues/58
+
+### CI configuration
+
+The `releaseteamgpg` secret in the Woodpecker CI configuration is set with the subkey.
--- a/CONTRIBUTING/SECRETS.md
+++ b/CONTRIBUTING/SECRETS.md
@ -0,0 +1,56 @@
+# Secrets
+
+All Forgejo credentials are shared among the [secret keepers](https://codeberg.org/org/Forgejo/teams/owners) teams in a private repository with encrypted content.
+
+## Get started
+
+1. Make sure you have a GPG Key, or [create one](https://github.com/NicoHood/gpgit#12-key-generation)
+2. Send someone else your public key and ask this person to add yourself as a recipient
+```
+# Commands for the other person
+$ gpg --import public_key.asc
+# The following command will open a prompt, with the available public keys. 
+# Choose the one you just added and all secrets will be re-encrypted with this new key.
+$ gopass recipients add
+```
+3. [Install gopass](https://www.gopass.pw/#install)
+> :warning: When installing on Ubuntu or Debian you can either download the deb package, install manually or build from source or use our APT repository ([github comment](https://github.com/gopasspw/gopass/issues/1849#issuecomment-802789285) with more information).
+4. Clone this repo using `gopass` (the name and email are for `git config`)
+```
+$ gopass clone git@codeberg.org:Forgejo/gopass.git
+```
+5. Check the consistency of the gopass storage
+```
+$ gopass fsck
+```
+
+## Get a secret
+
+Show the whole secret file:
+```
+$ gopass show ovh.com/manager
+```
+
+Copy the password in the clipboard:
+```
+$ gopass show -c ovh.com/manager
+```
+
+Copy the `user` part of the secret in the clipboard:
+```
+$ gopass show -c ovh.com/manager user
+```
+
+## Insert or edit a secret
+```
+$ gopass edit ovh.com/manager
+```
+In the editor, insert the password on the first line.
+You may then add lines with a `key: value` syntax (`user: username` for instance).
+
+## Debugging and manual git operations
+
+The following command will show the location and status of the git repo (all git commands are available).
+```
+$ gopass git status
+```
--- a/CONTRIBUTING/WORKFLOW.md
+++ b/CONTRIBUTING/WORKFLOW.md
@ -0,0 +1,79 @@
+# Development workflow
+
+Forgejo is a soft fork, i.e. a set of commits applied to the Gitea development branch and the stable branches. On a regular basis those commits are rebased and modified if necessary to keep working. All Forgejo commits are merged into a branch from which binary releases and packages are created and distributed. The development workflow is a set of conventions Forgejo developers are expected to follow to work together.
+
+Discussions on how the workflow should evolve happen [in the isssue tracker](https://codeberg.org/forgejo/forgejo/issues?type=all&state=open&labels=&milestone=0&assignee=0&q=%5BWORKFLOW%5D).
+
+## Naming conventions
+
+### Development
+
+* Gitea: main
+* Forgejo: forgejo
+* Integration: forgejo-integration
+* Feature branches: forgejo-feature-name
+
+### Stable
+
+* Gitea: release/vX.Y
+* Forgejo: vX.Y/forgejo
+* Integration: vX.Y/forgejo-integration
+* Feature branches: vX.Y/forgejo-feature-name
+
+## Rebasing
+
+### *Feature branch*
+
+The *Gitea* branches are mirrored with the Gitea development and stable branches.
+
+On a regular basis, each *Feature branch* is rebased against the base *Gitea* branch.
+
+### *Integration* and *Forgejo*
+
+The latest *Gitea* branch resets the *Integration* branch and all *Feature branches* are merged into it. 
+
+If tests pass, the *Forgejo* branch is reset to the tip of the *Integration* branch.
+
+If tests do not pass, an issue is filed to the *Feature branch* that fails the test. Once the issue is resolved, another round of rebasing starts.
+
+## Releasing
+
+When a tag is set to a *Stable* *Forgejo* branch, the CI pipeline creates and uploads binaries and packages.
+
+## Feature branches
+
+All *Feature branches* are based on the {vX.Y/,}forgejo-development branch which provides and other development tools and documenation.
+
+The \*forgejo-development branch is based on the {vX.Y/,}forgejo-ci branch which provides the Woodpecker CI configuration.
+
+The purpose of each *Feature branch* is documented below:
+
+### General purpose
+
+* [forgejo-ci](https://codeberg.org/forgejo/forgejo/src/branch/forgejo-ci) based on [main](https://codeberg.org/forgejo/forgejo/src/branch/main)
+  Woodpecker CI configuration, including the release process.
+  * Backports: [v1.18/forgejo-ci](https://codeberg.org/forgejo/forgejo/src/branch/v1.18/forgejo-ci)
+
+* [forgejo-development](https://codeberg.org/forgejo/forgejo/src/branch/forgejo-development) based on [forgejo-ci](https://codeberg.org/forgejo/forgejo/src/branch/forgejo-ci)
+  Forgejo development tools and documentation.
+  * Backports: [v1.18/forgejo-development](https://codeberg.org/forgejo/forgejo/src/branch/v1.18/forgejo-development)
+
+### [Federation](https://codeberg.org/forgejo/forgejo/issues?labels=79349)
+
+* [forgejo-federation](https://codeberg.org/forgejo/forgejo/src/branch/forgejo-federation) based on [forgejo-development](https://codeberg.org/forgejo/forgejo/src/branch/forgejo-development)
+  Federation support for Forgejo
+
+## Pull requests and feature branches
+
+Most people who are used to contributing will be familiar with the workflow of sending a pull request against the default branch. When that happens the reviewer should change the base branch to the appropriate *Feature branch* instead. If the pull request does not fit in any *Feature branch*, the reviewer needs to make decision to either:
+
+* Decline the pull request because it is best contributed to Gitea
+* Create a new *Feature branch*
+
+Returning contributors can figure out which *Feature branch* to base their pull request on using the list of *Feature branches*.
+
+## Granularity
+
+*Feature branches* can contain a number of commits grouped together, for instance for branding the documentation, the landing page and the footer. It makes it convenient for people working on that topic to get the big picture without browsing multiple branches. Creating a new *Feature branch* for each individual commit, while possible, is likely to be difficult to work with.
+
+Observing the granularity of the existing *Feature branches* is the best way to figure out what works and what does not. It requires adjustments from time to time depending on the number of contributors and the complexity of the Forgejo codebase that sits on top of Gitea.
--- a/14
+++ b/14
@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.18-alpine3.16 AS build-env
+FROM codeberg.org/forgejo/golang:1.19-alpine3.17 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -23,8 +23,8 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-FROM alpine:3.16
-LABEL maintainer="maintainers@gitea.io"
+FROM codeberg.org/forgejo/alpine:3.17.0
+LABEL maintainer="contact@forgejo.org"

 EXPOSE 22 3000

@ -64,5 +64,9 @@ CMD ["/bin/s6-svscan", "/etc/s6"]
 COPY docker/root /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-RUN chmod 755 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
-RUN chmod 755 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
+#
+# s/755/775/ in the following is to avoid the corrupted layer 4f4fb700ef54
+# https://codeberg.org/Codeberg/Community/issues/800#issue-210309
+#
+RUN chmod 775 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
+RUN chmod 775 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.18-alpine3.16 AS build-env
+FROM golang:1.19-alpine3.17 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -23,7 +23,7 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-FROM alpine:3.16
+FROM alpine:3.17
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 2222 3000
@ -62,7 +62,7 @@ ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
 ENV TMPDIR /tmp/gitea

-#TODO add to docs the ability to define the ini to load (usefull to test and revert a config)
+#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
--- a/Dockerfile.tmp
+++ b/Dockerfile.tmp
@ -0,0 +1,4 @@
+FROM golang:1.19-alpine3.16
+
+RUN pwd
+
--- a/4
+++ b/4
@ -44,6 +44,8 @@ Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
 Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
 Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
 Leon Hofmeister <dev.lh@web.de> (@delvh) 
-Gusted <williamzijl7@hotmail.com) (@Gusted)
 silentcode <silentcode@senga.org> (@silentcodeg)
 Wim <wim@42.be> (@42wim)
+xinyu <xinyu@nerv.org.cn> (@penlinux)
+Jason Song <i@wolfogre.com> (@wolfogre)
+Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
--- a/380
+++ b/380
@ -17,24 +17,25 @@ else
 DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 IMPORT := code.gitea.io/gitea
-export GO111MODULE=on

 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 COMMA := ,

-XGO_VERSION := go-1.18.x
+XGO_VERSION := go-1.19.x

-AIR_PACKAGE ?= github.com/cosmtrek/air@v1.29.0
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.4.0
-ERRCHECK_PACKAGE ?= github.com/kisielk/errcheck@v1.6.0
+AIR_PACKAGE ?= github.com/cosmtrek/air@v1.40.4
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.5.0
+ERRCHECK_PACKAGE ?= github.com/kisielk/errcheck@v1.6.1
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.3.1
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.0
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.47.0
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
 MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.29.0
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.0
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
+GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.3.0
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest

 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@ -82,7 +83,7 @@ ifneq ($(DRONE_TAG),)
 	GITEA_VERSION ?= $(VERSION)
 else
 	ifneq ($(DRONE_BRANCH),)
-		VERSION ?= $(subst release/v,,$(DRONE_BRANCH))
+		VERSION ?= $(shell echo $(DRONE_BRANCH) | sed -e 's|v\([0-9.][0-9.]*\)/.*|\1|')
 	else
 		VERSION ?= main
 	endif
@ -99,7 +100,8 @@ LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(G

 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64

-GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/models/migrations code.gitea.io/gitea/integrations/migration-test code.gitea.io/gitea/integrations,$(shell $(GO) list ./... | grep -v /vendor/))
+GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
+GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list code.gitea.io/gitea/models/migrations/...) code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))

 FOMANTIC_WORK_DIR := web_src/fomantic

@ -111,25 +113,39 @@ WEBPACK_DEST_ENTRIES := public/js public/css public/fonts public/img/webpack pub
 BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
 BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))

+GENERATED_GO_DEST := modules/charset/invisible_gen.go modules/charset/ambiguous_gen.go
+
 SVG_DEST_DIR := public/img/svg

 AIR_TMP_DIR := .air

+GO_LICENSE_TMP_DIR := .go-licenses
+GO_LICENSE_FILE := assets/go-licenses.json
+
 TAGS ?=
 TAGS_SPLIT := $(subst $(COMMA), ,$(TAGS))
 TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags

 TEST_TAGS ?= sqlite sqlite_unlock_notify

-TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMANTIC_WORK_DIR)/node_modules $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR)
+TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMANTIC_WORK_DIR)/node_modules $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR) $(GO_LICENSE_TMP_DIR)

-GO_DIRS := cmd integrations models modules routers build services tools
+GO_DIRS := cmd tests models modules routers build services tools
+WEB_DIRS := web_src/js web_src/less

 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" -not -path modules/options/bindata.go -not -path modules/public/bindata.go -not -path modules/templates/bindata.go)
+GO_SOURCES += $(GENERATED_GO_DEST)
+GO_SOURCES_NO_BINDATA := $(GO_SOURCES)

 ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
 	GO_SOURCES += $(BINDATA_DEST)
+	GENERATED_GO_DEST += $(BINDATA_DEST)
+endif
+
+# Force installation of playwright dependencies by setting this flag
+ifdef DEPS_PLAYWRIGHT
+	PLAYWRIGHT_FLAGS += --with-deps
 endif

 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
@ -183,6 +199,7 @@ help:
 	@echo " - test                             test everything"
 	@echo " - test-frontend                    test frontend files"
 	@echo " - test-backend                     test backend files"
+	@echo " - test-e2e[\#TestSpecificName]     test end to end using playwright"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
 	@echo " - fomantic                         build fomantic files"
@ -194,6 +211,7 @@ help:
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
 	@echo " - swagger-validate                 check if the swagger spec is valid"
 	@echo " - golangci-lint                    run golangci-lint linter"
+	@echo " - go-licenses                      regenerate go licenses"
 	@echo " - vet                              examines Go source code and reports suspicious constructs"
 	@echo " - tidy                             run go mod tidy"
 	@echo " - test[\#TestSpecificName]    	    run unit test"
@ -202,9 +220,9 @@ help:

 .PHONY: go-check
 go-check:
-	$(eval MIN_GO_VERSION_STR := $(shell grep -Eo '^go\s+[0-9]+\.[0-9.]+' go.mod | cut -d' ' -f2))
-	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
-	$(eval GO_VERSION := $(shell printf "%03d%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9.]+' | tr '.' ' ');))
+	$(eval MIN_GO_VERSION_STR := $(shell grep -Eo '^go\s+[0-9]+\.[0-9]+' go.mod | cut -d' ' -f2))
+	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
+	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
 		echo "Gitea requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
 		exit 1; \
@ -237,14 +255,33 @@ clean:
 	$(GO) clean -i ./...
 	rm -rf $(EXECUTABLE) $(DIST) $(BINDATA_DEST) $(BINDATA_HASH) \
 		integrations*.test \
-		integrations/gitea-integration-pgsql/ integrations/gitea-integration-mysql/ integrations/gitea-integration-mysql8/ integrations/gitea-integration-sqlite/ \
-		integrations/gitea-integration-mssql/ integrations/indexers-mysql/ integrations/indexers-mysql8/ integrations/indexers-pgsql integrations/indexers-sqlite \
-		integrations/indexers-mssql integrations/mysql.ini integrations/mysql8.ini integrations/pgsql.ini integrations/mssql.ini man/
+		e2e*.test \
+		tests/integration/gitea-integration-pgsql/ tests/integration/gitea-integration-mysql/ tests/integration/gitea-integration-mysql8/ tests/integration/gitea-integration-sqlite/ \
+		tests/integration/gitea-integration-mssql/ tests/integration/indexers-mysql/ tests/integration/indexers-mysql8/ tests/integration/indexers-pgsql tests/integration/indexers-sqlite \
+		tests/integration/indexers-mssql tests/mysql.ini tests/mysql8.ini tests/pgsql.ini tests/mssql.ini man/ \
+		tests/e2e/gitea-e2e-pgsql/ tests/e2e/gitea-e2e-mysql/ tests/e2e/gitea-e2e-mysql8/ tests/e2e/gitea-e2e-sqlite/ \
+		tests/e2e/gitea-e2e-mssql/ tests/e2e/indexers-mysql/ tests/e2e/indexers-mysql8/ tests/e2e/indexers-pgsql/ tests/e2e/indexers-sqlite/ \
+		tests/e2e/indexers-mssql/ tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/

 .PHONY: fmt
 fmt:
-	@echo "Running gitea-fmt (with gofumpt)..."
-	@MISSPELL_PACKAGE=$(MISSPELL_PACKAGE) GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
+	GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
+	$(eval TEMPLATES := $(shell find templates -type f -name '*.tmpl'))
+	@# strip whitespace after '{{' and before `}}` unless there is only whitespace before it
+	@$(SED_INPLACE) -e 's/{{[ 	]\{1,\}/{{/g' -e '/^[ 	]\{1,\}}}/! s/[ 	]\{1,\}}}/}}/g' $(TEMPLATES)
+
+.PHONY: fmt-check
+fmt-check: fmt
+	@diff=$$(git diff $(GO_SOURCES) templates $(WEB_DIRS)); \
+	if [ -n "$$diff" ]; then \
+	  echo "Please run 'make fmt' and commit the result:"; \
+	  echo "$${diff}"; \
+	  exit 1; \
+	fi
+
+.PHONY: misspell-check
+misspell-check:
+	go run $(MISSPELL_PACKAGE) -error $(GO_DIRS) $(WEB_DIRS)

 .PHONY: vet
 vet:
@ -262,7 +299,9 @@ TAGS_PREREQ := $(TAGS_EVIDENCE)
 endif

 .PHONY: generate-swagger
-generate-swagger:
+generate-swagger: $(SWAGGER_SPEC)
+
+$(SWAGGER_SPEC): $(GO_SOURCES_NO_BINDATA)
 	$(GO) run $(SWAGGER_PACKAGE) generate spec -x "$(SWAGGER_EXCLUDE)" -o './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) '$(SWAGGER_SPEC_S_TMPL)' './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) $(SWAGGER_NEWLINE_COMMAND) './$(SWAGGER_SPEC)'
@ -287,16 +326,6 @@ errcheck:
 	@echo "Running errcheck..."
 	$(GO) run $(ERRCHECK_PACKAGE) $(GO_PACKAGES)

-.PHONY: fmt-check
-fmt-check:
-	# get all go files and run gitea-fmt (with gofmt) on them
-	@diff=$$(MISSPELL_PACKAGE=$(MISSPELL_PACKAGE) GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -l '{file-list}'); \
-	if [ -n "$$diff" ]; then \
-		echo "Please run 'make fmt' and commit the result:"; \
-		echo "$${diff}"; \
-		exit 1; \
-	fi
-
 .PHONY: checks
 checks: checks-frontend checks-backend

@ -304,15 +333,17 @@ checks: checks-frontend checks-backend
 checks-frontend: lockfile-check svg-check

 .PHONY: checks-backend
-checks-backend: gomod-check swagger-check swagger-validate
+checks-backend: tidy-check swagger-check fmt-check misspell-check swagger-validate security-check

 .PHONY: lint
 lint: lint-frontend lint-backend

 .PHONY: lint-frontend
 lint-frontend: node_modules
-	npx eslint --color --max-warnings=0 web_src/js build templates *.config.js docs/assets/js
+	npx eslint --color --max-warnings=0 --ext js,vue web_src/js build *.config.js docs/assets/js tests/e2e
 	npx stylelint --color --max-warnings=0 web_src/less
+	npx spectral lint -q -F hint $(SWAGGER_SPEC)
+	npx markdownlint docs *.md

 .PHONY: lint-backend
 lint-backend: golangci-lint vet editorconfig-checker
@ -336,11 +367,11 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_PACKAGES)
+	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)

 .PHONY: test-frontend
 test-frontend: node_modules
-	@NODE_OPTIONS="--experimental-vm-modules --no-warnings" npx jest --color
+	npx vitest

 .PHONY: test-check
 test-check:
@ -357,58 +388,62 @@ test-check:
 .PHONY: test\#%
 test\#%:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_PACKAGES)
+	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)

 .PHONY: coverage
 coverage:
 	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' coverage.out > coverage-bodged.out
 	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' integration.coverage.out > integration.coverage-bodged.out
-	GO111MODULE=on $(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all || (echo "gocovmerge failed"; echo "integration.coverage.out"; cat integration.coverage.out; echo "coverage.out"; cat coverage.out; exit 1)
+	$(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all

 .PHONY: unit-test-coverage
 unit-test-coverage:
 	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 .PHONY: tidy
 tidy:
 	$(eval MIN_GO_VERSION := $(shell grep -Eo '^go\s+[0-9]+\.[0-9.]+' go.mod | cut -d' ' -f2))
 	$(GO) mod tidy -compat=$(MIN_GO_VERSION)
+	@$(MAKE) --no-print-directory $(GO_LICENSE_FILE)

-.PHONY: vendor
-vendor: tidy
+vendor: go.mod go.sum
 	$(GO) mod vendor
+	@touch vendor

-.PHONY: gomod-check
-gomod-check: tidy
-	@diff=$$(git diff go.sum); \
+.PHONY: tidy-check
+tidy-check: tidy
+	@diff=$$(git diff go.mod go.sum $(GO_LICENSE_FILE)); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make tidy' and commit the result:"; \
 		echo "$${diff}"; \
 		exit 1; \
 	fi

+.PHONY: go-licenses
+go-licenses: $(GO_LICENSE_FILE)
+
+$(GO_LICENSE_FILE): go.mod go.sum
+	-$(GO) run $(GO_LICENSES_PACKAGE) save . --force --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
+	$(GO) run build/generate-go-licenses.go $(GO_LICENSE_TMP_DIR) $(GO_LICENSE_FILE)
+	@rm -rf $(GO_LICENSE_TMP_DIR)
+
 generate-ini-sqlite:
 	sed -e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-			integrations/sqlite.ini.tmpl > integrations/sqlite.ini
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/sqlite.ini.tmpl > tests/sqlite.ini

 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test

 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)

 .PHONY: test-sqlite-migration
-test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test
-
-.PHONY: test-sqlite-migration\#%
-test-sqlite-migration\#%:  migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test -test.run $(subst .,/,$*)
-
+test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test

 generate-ini-mysql:
 	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
@ -416,20 +451,20 @@ generate-ini-mysql:
 		-e 's|{{TEST_MYSQL_USERNAME}}|${TEST_MYSQL_USERNAME}|g' \
 		-e 's|{{TEST_MYSQL_PASSWORD}}|${TEST_MYSQL_PASSWORD}|g' \
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-			integrations/mysql.ini.tmpl > integrations/mysql.ini
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/mysql.ini.tmpl > tests/mysql.ini

 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test

 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql-migration
-test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.mysql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.individual.mysql.test
+test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test

 generate-ini-mysql8:
 	sed -e 's|{{TEST_MYSQL8_HOST}}|${TEST_MYSQL8_HOST}|g' \
@ -437,20 +472,20 @@ generate-ini-mysql8:
 		-e 's|{{TEST_MYSQL8_USERNAME}}|${TEST_MYSQL8_USERNAME}|g' \
 		-e 's|{{TEST_MYSQL8_PASSWORD}}|${TEST_MYSQL8_PASSWORD}|g' \
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-			integrations/mysql8.ini.tmpl > integrations/mysql8.ini
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/mysql8.ini.tmpl > tests/mysql8.ini

 .PHONY: test-mysql8
 test-mysql8: integrations.mysql8.test generate-ini-mysql8
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./integrations.mysql8.test

 .PHONY: test-mysql8\#%
 test-mysql8\#%: integrations.mysql8.test generate-ini-mysql8
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql8-migration
-test-mysql8-migration: migrations.mysql8.test migrations.individual.mysql8.test generate-ini-mysql8
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.mysql8.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.individual.mysql8.test
+test-mysql8-migration: migrations.mysql8.test migrations.individual.mysql8.test

 generate-ini-pgsql:
 	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
@ -459,20 +494,20 @@ generate-ini-pgsql:
 		-e 's|{{TEST_PGSQL_PASSWORD}}|${TEST_PGSQL_PASSWORD}|g' \
 		-e 's|{{TEST_PGSQL_SCHEMA}}|${TEST_PGSQL_SCHEMA}|g' \
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-			integrations/pgsql.ini.tmpl > integrations/pgsql.ini
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/pgsql.ini.tmpl > tests/pgsql.ini

 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test

 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)

 .PHONY: test-pgsql-migration
-test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.pgsql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.individual.pgsql.test
+test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test

 generate-ini-mssql:
 	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
@ -480,105 +515,205 @@ generate-ini-mssql:
 		-e 's|{{TEST_MSSQL_USERNAME}}|${TEST_MSSQL_USERNAME}|g' \
 		-e 's|{{TEST_MSSQL_PASSWORD}}|${TEST_MSSQL_PASSWORD}|g' \
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-			integrations/mssql.ini.tmpl > integrations/mssql.ini
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/mssql.ini.tmpl > tests/mssql.ini

 .PHONY: test-mssql
 test-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test

 .PHONY: test-mssql\#%
 test-mssql\#%: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)

 .PHONY: test-mssql-migration
-test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.mssql.test -test.failfast
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.individual.mssql.test -test.failfast
+test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test
+
+.PHONY: playwright
+playwright: $(PLAYWRIGHT_DIR)
+	npm install --no-save @playwright/test
+	npx playwright install $(PLAYWRIGHT_FLAGS)
+
+.PHONY: test-e2e%
+test-e2e%: TEST_TYPE ?= e2e
+	# Clear display env variable. Otherwise, chromium tests can fail.
+	DISPLAY=
+
+.PHONY: test-e2e
+test-e2e: test-e2e-sqlite
+
+.PHONY: test-e2e-sqlite
+test-e2e-sqlite: playwright e2e.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test
+
+.PHONY: test-e2e-sqlite\#%
+test-e2e-sqlite\#%: playwright e2e.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e/$*
+
+.PHONY: test-e2e-mysql
+test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test
+
+.PHONY: test-e2e-mysql\#%
+test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*
+
+.PHONY: test-e2e-mysql8
+test-e2e-mysql8: playwright e2e.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./e2e.mysql8.test
+
+.PHONY: test-e2e-mysql8\#%
+test-e2e-mysql8\#%: playwright e2e.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./e2e.mysql8.test -test.run TestE2e/$*
+
+.PHONY: test-e2e-pgsql
+test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test
+
+.PHONY: test-e2e-pgsql\#%
+test-e2e-pgsql\#%: playwright e2e.pgsql.test generate-ini-pgsql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e/$*
+
+.PHONY: test-e2e-mssql
+test-e2e-mssql: playwright e2e.mssql.test generate-ini-mssql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test
+
+.PHONY: test-e2e-mssql\#%
+test-e2e-mssql\#%: playwright e2e.mssql.test generate-ini-mssql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test -test.run TestE2e/$*

 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-mysql
 bench-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-mssql
 bench-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-pgsql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: integration-test-coverage
 integration-test-coverage: integrations.cover.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out

 .PHONY: integration-test-coverage-sqlite
 integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out

 integrations.mysql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -o integrations.mysql.test
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test

 integrations.mysql8.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -o integrations.mysql8.test
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql8.test

 integrations.pgsql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -o integrations.pgsql.test
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test

 integrations.mssql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -o integrations.mssql.test
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mssql.test

 integrations.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -o integrations.sqlite.test -tags '$(TEST_TAGS)'
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'

 integrations.cover.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -coverpkg $(shell echo $(GO_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test

 integrations.cover.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations -coverpkg $(shell echo $(GO_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'

 .PHONY: migrations.mysql.test
-migrations.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.mysql.test
+migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test

 .PHONY: migrations.mysql8.test
-migrations.mysql8.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.mysql8.test
+migrations.mysql8.test: $(GO_SOURCES) generate-ini-mysql8
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./migrations.mysql8.test

 .PHONY: migrations.pgsql.test
-migrations.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.pgsql.test
+migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./migrations.pgsql.test

 .PHONY: migrations.mssql.test
-migrations.mssql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.mssql.test
+migrations.mssql.test: $(GO_SOURCES) generate-ini-mssql
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mssql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./migrations.mssql.test

 .PHONY: migrations.sqlite.test
-migrations.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./migrations.sqlite.test

 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql.test
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done

 .PHONY: migrations.individual.mysql8.test
 migrations.individual.mysql8.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql8.test
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done
+
+.PHONY: migrations.individual.mysql8.test\#%
+migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.pgsql.test
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done
+
+.PHONY: migrations.individual.pgsql.test\#%
+migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+

 .PHONY: migrations.individual.mssql.test
-migrations.individual.mssql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mssql.test
+migrations.individual.mssql.test: $(GO_SOURCES) generate-ini-mssql
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg -test.failfast; \
+	done
+
+.PHONY: migrations.individual.mssql.test\#%
+migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 .PHONY: migrations.individual.sqlite.test
-migrations.individual.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.sqlite.test -tags '$(TEST_TAGS)'
+migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done
+
+.PHONY: migrations.individual.sqlite.test\#%
+migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+
+e2e.mysql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
+
+e2e.mysql8.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql8.test
+
+e2e.pgsql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
+
+e2e.mssql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mssql.test
+
+e2e.sqlite.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'

 .PHONY: check
 check: test
@ -594,18 +729,29 @@ build: frontend backend
 frontend: $(WEBPACK_DEST)

 .PHONY: backend
-backend: go-check generate $(EXECUTABLE)
+backend: go-check generate-backend $(EXECUTABLE)

+# We generate the backend before the frontend in case we in future we want to generate things in the frontend from generated files in backend
 .PHONY: generate
-generate: $(TAGS_PREREQ)
+generate: generate-backend
+
+.PHONY: generate-backend
+generate-backend: $(TAGS_PREREQ) generate-go
+
+.PHONY: generate-go
+generate-go: $(TAGS_PREREQ)
 	@echo "Running go generate..."
 	@CC= GOOS= GOARCH= $(GO) generate -tags '$(TAGS)' $(GO_PACKAGES)

+.PHONY: security-check
+security-check:
+	go run $(GOVULNCHECK_PACKAGE) -v ./...
+
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@

 .PHONY: release
-release: frontend generate release-windows release-linux release-darwin release-copy release-compress vendor release-sources release-docs release-check
+release: frontend generate release-linux release-copy release-compress vendor release-sources release-check

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)
@ -622,7 +768,7 @@ endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out forgejo-$(VERSION) .
 ifeq ($(CI),true)
 	cp /build/* $(DIST)/binaries
 endif
@ -652,8 +798,8 @@ release-sources: | $(DIST_DIRS)
 # bsdtar needs a ^ to prevent matching subdirectories
 	$(eval EXCL := --exclude=$(shell tar --help | grep -q bsdtar && echo "^")./)
 # use transform to a add a release-folder prefix; in bsdtar the transform parameter equivalent is -s
-	$(eval TRANSFORM := $(shell tar --help | grep -q bsdtar && echo "-s '/^./gitea-src-$(VERSION)/'" || echo "--transform 's|^./|gitea-src-$(VERSION)/|'"))
-	tar $(addprefix $(EXCL),$(TAR_EXCLUDES)) $(TRANSFORM) -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .
+	$(eval TRANSFORM := $(shell tar --help | grep -q bsdtar && echo "-s '/^./forgejo-src-$(VERSION)/'" || echo "--transform 's|^./|forgejo-src-$(VERSION)/|'"))
+	tar $(addprefix $(EXCL),$(TAR_EXCLUDES)) $(TRANSFORM) -czf $(DIST)/release/forgejo-src-$(VERSION).tar.gz .
 	rm -f $(STORED_VERSION_FILE)

 .PHONY: release-docs
@ -685,6 +831,8 @@ deps-backend:
 	$(GO) install $(MISSPELL_PACKAGE)
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
+	$(GO) install $(GO_LICENSES_PACKAGE)
+	$(GO) install $(GOVULNCHECK_PACKAGE)

 node_modules: package-lock.json
 	npm install --no-save
@ -754,11 +902,11 @@ update-translations:

 .PHONY: generate-license
 generate-license:
-	GO111MODULE=on $(GO) run build/generate-licenses.go
+	$(GO) run build/generate-licenses.go

 .PHONY: generate-gitignore
 generate-gitignore:
-	GO111MODULE=on $(GO) run build/generate-gitignores.go
+	$(GO) run build/generate-gitignores.go

 .PHONY: generate-images
 generate-images: | node_modules
@ -771,7 +919,7 @@ generate-manpage:
 	@mkdir -p man/man1/ man/man5
 	@./gitea docs --man > man/man1/gitea.1
 	@gzip -9 man/man1/gitea.1 && echo man/man1/gitea.1.gz created
-	@#TODO A smal script witch format config-cheat-sheet.en-us.md nicely to suit as config man page
+	@#TODO A small script that formats config-cheat-sheet.en-us.md nicely for use as a config man page

 .PHONY: pr\#%
 pr\#%: clean-all
--- a/README.md
+++ b/README.md
@ -1,170 +1,46 @@
-<p align="center">
-  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
-  </a>
-</p>
-<h1 align="center">Gitea - Git with a cup of tea</h1>
+# Welcome to Forgejo

-<p align="center">
-  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
-    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
-  </a>
-  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
-    <img src="https://img.shields.io/discord/322538954119184384.svg">
-  </a>
-  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
-    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
-  </a>
-  <a href="https://goreportcard.com/report/code.gitea.io/gitea" title="Go Report Card">
-    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
-  </a>
-  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
-    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
-  </a>
-  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
-    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
-  </a>
-  <a href="https://www.codetriage.com/go-gitea/gitea" title="Help Contribute to Open Source">
-    <img src="https://www.codetriage.com/go-gitea/gitea/badges/users.svg">
-  </a>
-  <a href="https://opencollective.com/gitea" title="Become a backer/sponsor of gitea">
-    <img src="https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen">
-  </a>
-  <a href="https://opensource.org/licenses/MIT" title="License: MIT">
-    <img src="https://img.shields.io/badge/License-MIT-blue.svg">
-  </a>
-  <a href="https://crowdin.com/project/gitea" title="Crowdin">
-    <img src="https://badges.crowdin.net/gitea/localized.svg">
-  </a>
-  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
-    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
-  </a>
-  <a href="https://www.bountysource.com/teams/gitea" title="Bountysource">
-    <img src="https://img.shields.io/bountysource/team/gitea/activity">
-  </a>
-</p>
+Hi there! Tired of big platforms playing monopoly?
+Providing Git hosting for your project, friends, company or community?
+**Forgejo** (inspired by forĝejo \ˈfor.d͡ʒe.jo\ – the Esperanto word for *forge*) has you covered with its intuitive interface,
+light and easy hosting and a lot of builtin functionality.

-<p align="center">
-  <a href="README_ZH.md">View the chinese version of this document</a>
-</p>
+Forgejo was forked from the well-known [Gitea](https://gitea.io) project in 2022,
+because we think that the project should be owned by an independent community instead of a for-profit company.
+If you second that, then Forgejo is for you!
+Our promise: **Independent Free/Libre Software forever!**

-## Purpose

-The goal of this project is to make the easiest, fastest, and most
-painless way of setting up a self-hosted Git service.
-Using Go, this can be done with an independent binary distribution across
-**all platforms** which Go supports, including Linux, macOS, and Windows
-on x86, amd64, ARM and PowerPC architectures.
-Want to try it before doing anything else?
-Do it [with the online demo](https://try.gitea.io/)!
-This project has been
-[forked](https://blog.gitea.io/2016/12/welcome-to-gitea/) from
-[Gogs](https://gogs.io) since 2016.11 but changed a lot.
+## What does Forgejo offer?

-## Building
+If you want to know what Forgejo is like,
+you can check out public instances<!-- could become link to list -->,
+e.g. [Codeberg.org](https://codeberg.org).

-From the root of the source tree, run:
+If you like any of the following, Forgejo is literally meant for you:

-    TAGS="bindata" make build
+- Lightweight: Forgejo can easily be hosted on nearly **every machine**.
+  Running on a Raspberry? Small cloud instance? No problem!
+- Intuitive: We aim for a user experience that is **friendly** to newcomers and **productive** for power users.
+- Project management: Besides Git hosting, Forgejo offers issues,
+  pull requests, wikis, kanban boards and much more to **coordinate with your team**.
+- Publishing: Have something to share? Use **releases** to host your software for download,
+  or use the **package registry** to publish it for docker, npm and many other package managers.
+- Customizable: Want to change your look? Change some settings?
+  There are many **config switches** to make Forgejo work exactly like you want.
+- Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more.
+  If you have **advanced needs**, Forgejo has you covered.
+- Privacy: From update checker to default settings: Forgejo is built to be **privacy first** for you and your crew.
+- Federation: (WIP) We are actively working to connect software forges with each other through **ActivityPub**,
+  and create a collaborative network of personal instances.
+  Interested? [Read more below](#Status-of-federation)

-or if SQLite support is required:
+## Learn more

-    TAGS="bindata sqlite sqlite_unlock_notify" make build
+We're still working on our website.
+In the meantime, you can <a href="https://floss.social/@Forgejo" rel="me">find us on the Fediverse</a> or hop into [our Matrix room](https://matrix.to/#/#Forgejo-chat:matrix.org) if you have any questions or want to get involved.

-The `build` target is split into two sub-targets:

- `make backend` which requires [Go Stable](https://go.dev/dl/), required version is defined in [go.mod](/go.mod).
- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.
+## Get involved

-When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.
-
-Parallelism (`make -j <num>`) is not supported.
-
-More info: https://docs.gitea.io/en-us/install-from-source/
-
-## Using
-
-    ./gitea web
-
-NOTE: If you're interested in using our APIs, we have experimental
-support with [documentation](https://try.gitea.io/api/swagger).
-
-## Contributing
-
-Expected workflow is: Fork -> Patch -> Push -> Pull Request
-
-NOTES:
-
-1. **YOU MUST READ THE [CONTRIBUTORS GUIDE](CONTRIBUTING.md) BEFORE STARTING TO WORK ON A PULL REQUEST.**
-2. If you have found a vulnerability in the project, please write privately to **security@gitea.io**. Thanks!
-
-## Translating
-
-Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there. 
-
-You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope fo fill it as questions pop up.
-
-https://docs.gitea.io/en-us/translation-guidelines/
-
-[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
-
-## Further information
-
-For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.io/en-us/).
-If you have questions that are not covered by the documentation, you can get in contact with us on our [Discord server](https://discord.gg/Gitea) or create  a post in the [discourse forum](https://discourse.gitea.io/).
-
-We maintain a list of Gitea-related projects at [gitea/awesome-gitea](https://gitea.com/gitea/awesome-gitea).  
-The hugo-based documentation theme is hosted at [gitea/theme](https://gitea.com/gitea/theme).  
-The official Gitea CLI is developed at [gitea/tea](https://gitea.com/gitea/tea).
-
-## Authors
-
-* [Maintainers](https://github.com/orgs/go-gitea/people)
-* [Contributors](https://github.com/go-gitea/gitea/graphs/contributors)
-* [Translators](options/locale/TRANSLATORS)
-
-## Backers
-
-Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/gitea#backer)]
-
-<a href="https://opencollective.com/gitea#backers" target="_blank"><img src="https://opencollective.com/gitea/backers.svg?width=890"></a>
-
-## Sponsors
-
-Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/gitea#sponsor)]
-
-<a href="https://opencollective.com/gitea/sponsor/0/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/0/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/1/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/1/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/2/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/2/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/3/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/3/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/4/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/4/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/5/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/5/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/6/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/6/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/7/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/7/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/8/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/8/avatar.svg"></a>
-<a href="https://opencollective.com/gitea/sponsor/9/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/9/avatar.svg"></a>
-
-## FAQ
-
-**How do you pronounce Gitea?**
-
-Gitea is pronounced [/ɡɪ’ti:/](https://youtu.be/EM71-2uDAoY) as in "gi-tea" with a hard g.
-
-**Why is this not hosted on a Gitea instance?**
-
-We're [working on it](https://github.com/go-gitea/gitea/issues/1029).
-
-## License
-
-This project is licensed under the MIT License.
-See the [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) file
-for the full license text.
-
-## Screenshots
-Looking for an overview of the interface? Check it out!
-
-|![Dashboard](https://dl.gitea.io/screenshots/home_timeline.png)|![User Profile](https://dl.gitea.io/screenshots/user_profile.png)|![Global Issues](https://dl.gitea.io/screenshots/global_issues.png)|
-|:---:|:---:|:---:|
-|![Branches](https://dl.gitea.io/screenshots/branches.png)|![Web Editor](https://dl.gitea.io/screenshots/web_editor.png)|![Activity](https://dl.gitea.io/screenshots/activity.png)|
-|![New Migration](https://dl.gitea.io/screenshots/migration.png)|![Migrating](https://dl.gitea.io/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)
-![Pull Request Dark](https://dl.gitea.io/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.io/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.io/screenshots/diff_dark.png)|
+If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please [take a look at the contribution guide](CONTRIBUTING.md).
--- a/README_ZH.md
+++ b/README_ZH.md
@ -1,92 +0,0 @@
-<p align="center">
-  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
-  </a>
-</p>
-<h1 align="center">Gitea - Git with a cup of tea</h1>
-
-<p align="center">
-  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
-    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
-  </a>
-  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
-    <img src="https://img.shields.io/discord/322538954119184384.svg">
-  </a>
-  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
-    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
-  </a>
-  <a href="https://goreportcard.com/report/code.gitea.io/gitea" title="Go Report Card">
-    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
-  </a>
-  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
-    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
-  </a>
-  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
-    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
-  </a>
-  <a href="https://www.codetriage.com/go-gitea/gitea" title="Help Contribute to Open Source">
-    <img src="https://www.codetriage.com/go-gitea/gitea/badges/users.svg">
-  </a>
-  <a href="https://opencollective.com/gitea" title="Become a backer/sponsor of gitea">
-    <img src="https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen">
-  </a>
-  <a href="https://opensource.org/licenses/MIT" title="License: MIT">
-    <img src="https://img.shields.io/badge/License-MIT-blue.svg">
-  </a>
-  <a href="https://crowdin.com/project/gitea" title="Crowdin">
-    <img src="https://badges.crowdin.net/gitea/localized.svg">
-  </a>
-  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
-    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
-  </a>
-  <a href="https://img.shields.io/bountysource/team/gitea" title="Bountysource">
-    <img src="https://img.shields.io/bountysource/team/gitea/activity">
-  </a>
-</p>
-
-<p align="center">
-  <a href="README.md">View the english version of this document</a>
-</p>
-
-## 目标
-
-Gitea 的首要目标是创建一个极易安装，运行非常快速，安装和使用体验良好的自建 Git 服务。我们采用 Go 作为后端语言，这使我们只要生成一个可执行程序即可。并且他还支持跨平台，支持 Linux, macOS 和 Windows 以及各种架构，除了 x86，amd64，还包括 ARM 和 PowerPC。
-
-如果您想试用一下，请访问 [在线Demo](https://try.gitea.io/)！
-
-## 提示
-
-1. **开始贡献代码之前请确保你已经看过了 [贡献者向导（英文）](CONTRIBUTING.md)**.
-2. 所有的安全问题，请私下发送邮件给 **security@gitea.io**。谢谢！
-3. 如果你要使用API，请参见 [API 文档](https://godoc.org/code.gitea.io/sdk/gitea).
-
-## 文档
-
-关于如何安装请访问我们的 [文档站](https://docs.gitea.io/zh-cn/)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/gitea) 和 QQ群 328432459 来和我们交流。
-
-## 贡献流程
-
-Fork -> Patch -> Push -> Pull Request
-
-## 翻译
-
-多语言翻译是基于Crowdin进行的.
-[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
-
-## 作者
-
-* [Maintainers](https://github.com/orgs/go-gitea/people)
-* [Contributors](https://github.com/go-gitea/gitea/graphs/contributors)
-* [Translators](options/locale/TRANSLATORS)
-
-## 授权许可
-
-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) 文件中。
-
-## 截图
-
-|![Dashboard](https://dl.gitea.io/screenshots/home_timeline.png)|![User Profile](https://dl.gitea.io/screenshots/user_profile.png)|![Global Issues](https://dl.gitea.io/screenshots/global_issues.png)|
-|:---:|:---:|:---:|
-|![Branches](https://dl.gitea.io/screenshots/branches.png)|![Web Editor](https://dl.gitea.io/screenshots/web_editor.png)|![Activity](https://dl.gitea.io/screenshots/activity.png)|
-|![New Migration](https://dl.gitea.io/screenshots/migration.png)|![Migrating](https://dl.gitea.io/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)
-![Pull Request Dark](https://dl.gitea.io/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.io/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.io/screenshots/diff_dark.png)|
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,10 +0,0 @@
-# Reporting security issues
-
-The Gitea maintainers take security seriously.  
-If you discover a security issue, please bring it to their attention right away!
-
-### Reporting a Vulnerability
-
-Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.
-
-Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it.
--- a/assets/emoji.json
+++ b/assets/emoji.json
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build.go
+++ b/build.go
@ -1,6 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT
+

 //go:build vendor

--- a/build/code-batch-process.go
+++ b/build/code-batch-process.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -20,7 +19,7 @@ import (
 )

 // Windows has a limitation for command line arguments, the size can not exceed 32KB.
-// So we have to feed the files to some tools (like gofmt/misspell) batch by batch
+// So we have to feed the files to some tools (like gofmt) batch by batch

 // We also introduce a `gitea-fmt` command, it does better import formatting than gofmt/goimports. `gitea-fmt` calls `gofmt` internally.

@ -61,7 +60,7 @@ func newFileCollector(fileFilter string, batchSize int) (*fileCollector, error)
 			"build",
 			"cmd",
 			"contrib",
-			"integrations",
+			"tests",
 			"models",
 			"modules",
 			"routers",
@ -71,8 +70,8 @@ func newFileCollector(fileFilter string, batchSize int) (*fileCollector, error)
 		co.includePatterns = append(co.includePatterns, regexp.MustCompile(`.*\.go$`))

 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`.*\bbindata\.go$`))
-		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`integrations/gitea-repositories-meta`))
-		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`integrations/migration-test`))
+		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`tests/gitea-repositories-meta`))
+		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`tests/integration/migration-test`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`modules/git/tests`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`models/fixtures`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`models/migrations/fixtures`))
@ -195,7 +194,6 @@ Options:

 Commands:
  %[1]s gofmt ...
-  %[1]s misspell ...

 Arguments:
  {file-list}     the file list
@ -206,6 +204,17 @@ Example:
 `, "file-batch-exec")
 }

+func getGoVersion() string {
+	goModFile, err := os.ReadFile("go.mod")
+	if err != nil {
+		log.Fatalf(`Faild to read "go.mod": %v`, err)
+		os.Exit(1)
+	}
+	goModVersionRegex := regexp.MustCompile(`go \d+\.\d+`)
+	goModVersionLine := goModVersionRegex.Find(goModFile)
+	return string(goModVersionLine[3:])
+}
+
 func newFileCollectorFromMainOptions(mainOptions map[string]string) (fc *fileCollector, err error) {
 	fileFilter := mainOptions["file-filter"]
 	if fileFilter == "" {
@ -228,9 +237,9 @@ func containsString(a []string, s string) bool {
 	return false
 }

-func giteaFormatGoImports(files []string, hasChangedFiles, doWriteFile bool) error {
+func giteaFormatGoImports(files []string, doWriteFile bool) error {
 	for _, file := range files {
-		if err := codeformat.FormatGoImports(file, hasChangedFiles, doWriteFile); err != nil {
+		if err := codeformat.FormatGoImports(file, doWriteFile); err != nil {
 			log.Printf("failed to format go imports: %s, err=%v", file, err)
 			return err
 		}
@ -269,10 +278,8 @@ func main() {
 			if containsString(subArgs, "-d") {
 				log.Print("the -d option is not supported by gitea-fmt")
 			}
-			cmdErrors = append(cmdErrors, giteaFormatGoImports(files, containsString(subArgs, "-l"), containsString(subArgs, "-w")))
-			cmdErrors = append(cmdErrors, passThroughCmd("go", append([]string{"run", os.Getenv("GOFUMPT_PACKAGE"), "-extra", "-lang", "1.17"}, substArgs...)))
-		case "misspell":
-			cmdErrors = append(cmdErrors, passThroughCmd("go", append([]string{"run", os.Getenv("MISSPELL_PACKAGE")}, substArgs...)))
+			cmdErrors = append(cmdErrors, giteaFormatGoImports(files, containsString(subArgs, "-w")))
+			cmdErrors = append(cmdErrors, passThroughCmd("go", append([]string{"run", os.Getenv("GOFUMPT_PACKAGE"), "-extra", "-lang", getGoVersion()}, substArgs...)))
 		default:
 			log.Fatalf("unknown cmd: %s %v", subCmd, subArgs)
 		}
--- a/build/codeformat/formatimports.go
+++ b/build/codeformat/formatimports.go
@ -1,13 +1,11 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package codeformat

 import (
 	"bytes"
 	"errors"
-	"fmt"
 	"io"
 	"os"
 	"sort"
@ -159,7 +157,7 @@ func formatGoImports(contentBytes []byte) ([]byte, error) {
 }

 // FormatGoImports format the imports by our rules (see unit tests)
-func FormatGoImports(file string, doChangedFiles, doWriteFile bool) error {
+func FormatGoImports(file string, doWriteFile bool) error {
 	f, err := os.Open(file)
 	if err != nil {
 		return err
@ -183,10 +181,6 @@ func FormatGoImports(file string, doChangedFiles, doWriteFile bool) error {
 		return nil
 	}

-	if doChangedFiles {
-		fmt.Println(file)
-	}
-
 	if doWriteFile {
 		f, err = os.OpenFile(file, os.O_TRUNC|os.O_WRONLY, 0o644)
 		if err != nil {
--- a/build/codeformat/formatimports_test.go
+++ b/build/codeformat/formatimports_test.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package codeformat

--- a/build/generate-bindata.go
+++ b/build/generate-bindata.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@ -1,7 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Copyright 2015 Kenneth Shaw
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build ignore

@ -209,13 +208,12 @@ func generate() ([]byte, error) {

 const hdr = `
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT
+

 package emoji

-// Code generated by gen.go. DO NOT EDIT.
+// Code generated by build/generate-emoji.go. DO NOT EDIT.
 // Sourced from %s
-//
 var GemojiData = %#v
 `
--- a/build/generate-go-licenses.go
+++ b/build/generate-go-licenses.go
@ -0,0 +1,81 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build ignore
+
+package main
+
+import (
+	"encoding/json"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strings"
+)
+
+// regexp is based on go-license, excluding README and NOTICE
+// https://github.com/google/go-licenses/blob/master/licenses/find.go
+var licenseRe = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING).*$`)
+
+type LicenseEntry struct {
+	Name        string `json:"name"`
+	Path        string `json:"path"`
+	LicenseText string `json:"licenseText"`
+}
+
+func main() {
+	base, out := os.Args[1], os.Args[2]
+
+	paths := []string{}
+	err := filepath.WalkDir(base, func(path string, entry fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if entry.IsDir() || !licenseRe.MatchString(entry.Name()) {
+			return nil
+		}
+		paths = append(paths, path)
+		return nil
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	sort.Strings(paths)
+
+	entries := []LicenseEntry{}
+	for _, path := range paths {
+		licenseText, err := os.ReadFile(path)
+		if err != nil {
+			panic(err)
+		}
+
+		path := strings.Replace(path, base+string(os.PathSeparator), "", 1)
+		name := filepath.Dir(path)
+
+		// There might be a bug somewhere in go-licenses that sometimes interprets the
+		// root package as "." and sometimes as "code.gitea.io/gitea". Workaround by
+		// removing both of them for the sake of stable output.
+		if name == "." || name == "code.gitea.io/gitea" {
+			continue
+		}
+
+		entries = append(entries, LicenseEntry{
+			Name:        name,
+			Path:        path,
+			LicenseText: string(licenseText),
+		})
+	}
+
+	jsonBytes, err := json.MarshalIndent(entries, "", "  ")
+	if err != nil {
+		panic(err)
+	}
+
+	err = os.WriteFile(out, jsonBytes, 0o644)
+	if err != nil {
+		panic(err)
+	}
+}
--- a/build/generate-licenses.go
+++ b/build/generate-licenses.go
@ -39,6 +39,14 @@ func main() {

 	defer util.Remove(file.Name())

+	if err := os.RemoveAll(destination); err != nil {
+		log.Fatalf("Cannot clean destination folder: %v", err)
+	}
+
+	if err := os.MkdirAll(destination, 0o755); err != nil {
+		log.Fatalf("Cannot create destination: %v", err)
+	}
+
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		log.Fatalf("Failed to download archive. %s", err)
--- a/build/gitea-format-imports.go
+++ b/build/gitea-format-imports.go
@ -1,26 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-//go:build ignore
-
-package main
-
-import (
-	"log"
-	"os"
-
-	"code.gitea.io/gitea/build/codeformat"
-)
-
-func main() {
-	if len(os.Args) <= 1 {
-		log.Fatalf("Usage: gitea-format-imports [files...]")
-	}
-
-	for _, file := range os.Args[1:] {
-		if err := codeformat.FormatGoImports(file); err != nil {
-			log.Fatalf("can not format file %s, err=%v", file, err)
-		}
-	}
-}
--- a/build/gocovmerge.go
+++ b/build/gocovmerge.go
@ -1,7 +1,6 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Copyright (c) 2015, Wade Simmons
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 // gocovmerge takes the results from multiple `go test -coverprofile` runs and
 // merges them into one profile
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -1,7 +1,6 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -13,9 +12,8 @@ import (
 	"strings"
 	"text/tabwriter"

-	"code.gitea.io/gitea/models"
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
-	"code.gitea.io/gitea/models/auth"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
@ -157,6 +155,10 @@ var (
 				Name:  "email,e",
 				Usage: "Email of the user to delete",
 			},
+			cli.BoolFlag{
+				Name:  "purge",
+				Usage: "Purge user, all their repositories, organizations and comments",
+			},
 		},
 		Action: runDeleteUser,
 	}
@ -585,16 +587,16 @@ func runCreateUser(c *cli.Context) error {
 	}

 	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
-		return fmt.Errorf("CreateUser: %v", err)
+		return fmt.Errorf("CreateUser: %w", err)
 	}

 	if c.Bool("access-token") {
-		t := &models.AccessToken{
+		t := &auth_model.AccessToken{
 			Name: "gitea-admin",
 			UID:  u.ID,
 		}

-		if err := models.NewAccessToken(t); err != nil {
+		if err := auth_model.NewAccessToken(t); err != nil {
 			return err
 		}

@ -628,9 +630,10 @@ func runListUsers(c *cli.Context) error {
 			}
 		}
 	} else {
-		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\n")
+		twofa := user_model.UserList(users).GetTwoFaStatus()
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
 		for _, u := range users {
-			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin)
+			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin, twofa[u.ID])
 		}

 	}
@ -662,7 +665,7 @@ func runDeleteUser(c *cli.Context) error {
 	} else if c.IsSet("username") {
 		user, err = user_model.GetUserByName(ctx, c.String("username"))
 	} else {
-		user, err = user_model.GetUserByID(c.Int64("id"))
+		user, err = user_model.GetUserByID(ctx, c.Int64("id"))
 	}
 	if err != nil {
 		return err
@ -675,7 +678,7 @@ func runDeleteUser(c *cli.Context) error {
 		return fmt.Errorf("The user %s does not match the provided id %d", user.Name, c.Int64("id"))
 	}

-	return user_service.DeleteUser(user)
+	return user_service.DeleteUser(ctx, user, c.Bool("purge"))
 }

 func runGenerateAccessToken(c *cli.Context) error {
@ -695,12 +698,12 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}

-	t := &models.AccessToken{
+	t := &auth_model.AccessToken{
 		Name: c.String("token-name"),
 		UID:  user.ID,
 	}

-	if err := models.NewAccessToken(t); err != nil {
+	if err := auth_model.NewAccessToken(t); err != nil {
 		return err
 	}

@ -723,7 +726,7 @@ func runRepoSyncReleases(_ *cli.Context) error {

 	log.Trace("Synchronizing repository releases (this may take a while)")
 	for page := 1; ; page++ {
-		repos, count, err := repo_model.SearchRepositoryByName(&repo_model.SearchRepoOptions{
+		repos, count, err := repo_model.SearchRepositoryByName(ctx, &repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
 				PageSize: repo_model.RepositoryListDefaultPageSize,
 				Page:     page,
@ -731,7 +734,7 @@ func runRepoSyncReleases(_ *cli.Context) error {
 			Private: true,
 		})
 		if err != nil {
-			return fmt.Errorf("SearchRepositoryByName: %v", err)
+			return fmt.Errorf("SearchRepositoryByName: %w", err)
 		}
 		if len(repos) == 0 {
 			break
@ -774,9 +777,9 @@ func runRepoSyncReleases(_ *cli.Context) error {
 }

 func getReleaseCount(id int64) (int64, error) {
-	return models.GetReleaseCountByRepoID(
+	return repo_model.GetReleaseCountByRepoID(
 		id,
-		models.FindReleasesOptions{
+		repo_model.FindReleasesOptions{
 			IncludeTags: true,
 		},
 	)
@ -839,8 +842,8 @@ func runAddOauth(c *cli.Context) error {
 		return err
 	}

-	return auth.CreateSource(&auth.Source{
-		Type:     auth.OAuth2,
+	return auth_model.CreateSource(&auth_model.Source{
+		Type:     auth_model.OAuth2,
 		Name:     c.String("name"),
 		IsActive: true,
 		Cfg:      parseOAuth2Config(c),
@ -859,7 +862,7 @@ func runUpdateOauth(c *cli.Context) error {
 		return err
 	}

-	source, err := auth.GetSourceByID(c.Int64("id"))
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
 	if err != nil {
 		return err
 	}
@ -939,7 +942,7 @@ func runUpdateOauth(c *cli.Context) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config

-	return auth.UpdateSource(source)
+	return auth_model.UpdateSource(source)
 }

 func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
@ -1010,8 +1013,8 @@ func runAddSMTP(c *cli.Context) error {
 		smtpConfig.Auth = "PLAIN"
 	}

-	return auth.CreateSource(&auth.Source{
-		Type:     auth.SMTP,
+	return auth_model.CreateSource(&auth_model.Source{
+		Type:     auth_model.SMTP,
 		Name:     c.String("name"),
 		IsActive: active,
 		Cfg:      &smtpConfig,
@ -1030,7 +1033,7 @@ func runUpdateSMTP(c *cli.Context) error {
 		return err
 	}

-	source, err := auth.GetSourceByID(c.Int64("id"))
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
 	if err != nil {
 		return err
 	}
@ -1051,7 +1054,7 @@ func runUpdateSMTP(c *cli.Context) error {

 	source.Cfg = smtpConfig

-	return auth.UpdateSource(source)
+	return auth_model.UpdateSource(source)
 }

 func runListAuth(c *cli.Context) error {
@ -1062,7 +1065,7 @@ func runListAuth(c *cli.Context) error {
 		return err
 	}

-	authSources, err := auth.Sources()
+	authSources, err := auth_model.Sources()
 	if err != nil {
 		return err
 	}
@ -1100,7 +1103,7 @@ func runDeleteAuth(c *cli.Context) error {
 		return err
 	}

-	source, err := auth.GetSourceByID(c.Int64("id"))
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
 	if err != nil {
 		return err
 	}
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -34,6 +33,10 @@ var (
 			Name:  "not-active",
 			Usage: "Deactivate the authentication source.",
 		},
+		cli.BoolFlag{
+			Name:  "active",
+			Usage: "Activate the authentication source.",
+		},
 		cli.StringFlag{
 			Name:  "security-protocol",
 			Usage: "Security protocol name.",
@ -117,6 +120,10 @@ var (
 			Name:  "synchronize-users",
 			Usage: "Enable user synchronization.",
 		},
+		cli.BoolFlag{
+			Name:  "disable-synchronize-users",
+			Usage: "Disable user synchronization.",
+		},
 		cli.UintFlag{
 			Name:  "page-size",
 			Usage: "Search page size.",
@ -183,9 +190,15 @@ func parseAuthSource(c *cli.Context, authSource *auth.Source) {
 	if c.IsSet("not-active") {
 		authSource.IsActive = !c.Bool("not-active")
 	}
+	if c.IsSet("active") {
+		authSource.IsActive = c.Bool("active")
+	}
 	if c.IsSet("synchronize-users") {
 		authSource.IsSyncEnabled = c.Bool("synchronize-users")
 	}
+	if c.IsSet("disable-synchronize-users") {
+		authSource.IsSyncEnabled = !c.Bool("disable-synchronize-users")
+	}
 }

 // parseLdapConfig assigns values on config according to command line flags.
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -858,6 +857,36 @@ func TestUpdateLdapBindDn(t *testing.T) {
 			},
 			errMsg: "Invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2",
 		},
+		// case 24
+		{
+			args: []string{
+				"ldap-test",
+				"--id", "24",
+				"--name", "ldap (via Bind DN) flip 'active' and 'user sync' attributes",
+				"--active",
+				"--disable-synchronize-users",
+			},
+			id: 24,
+			existingAuthSource: &auth.Source{
+				Type:          auth.LDAP,
+				IsActive:      false,
+				IsSyncEnabled: true,
+				Cfg: &ldap.Source{
+					Name:    "ldap (via Bind DN) flip 'active' and 'user sync' attributes",
+					Enabled: true,
+				},
+			},
+			authSource: &auth.Source{
+				Type:          auth.LDAP,
+				Name:          "ldap (via Bind DN) flip 'active' and 'user sync' attributes",
+				IsActive:      true,
+				IsSyncEnabled: false,
+				Cfg: &ldap.Source{
+					Name:    "ldap (via Bind DN) flip 'active' and 'user sync' attributes",
+					Enabled: true,
+				},
+			},
+		},
 	}

 	for n, c := range cases {
@ -1221,6 +1250,33 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 			},
 			errMsg: "Invalid authentication type. expected: LDAP (simple auth), actual: PAM",
 		},
+		// case 20
+		{
+			args: []string{
+				"ldap-test",
+				"--id", "20",
+				"--name", "ldap (simple auth) flip 'active' attribute",
+				"--active",
+			},
+			id: 20,
+			existingAuthSource: &auth.Source{
+				Type:     auth.DLDAP,
+				IsActive: false,
+				Cfg: &ldap.Source{
+					Name:    "ldap (simple auth) flip 'active' attribute",
+					Enabled: true,
+				},
+			},
+			authSource: &auth.Source{
+				Type:     auth.DLDAP,
+				Name:     "ldap (simple auth) flip 'active' attribute",
+				IsActive: true,
+				Cfg: &ldap.Source{
+					Name:    "ldap (simple auth) flip 'active' attribute",
+					Enabled: true,
+				},
+			},
+		},
 	}

 	for n, c := range cases {
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -1,8 +1,7 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 // Package cmd provides subcommands to the gitea binary - such as "web" or
 // "admin".
@ -68,7 +67,7 @@ Ensure you are running in the correct environment or set the correct configurati
 If this is the intended configuration file complete the [database] section.`, setting.CustomConf)
 	}
 	if err := db.InitEngine(ctx); err != nil {
-		return fmt.Errorf("unable to initialize the database using the configuration in %q. Error: %v", setting.CustomConf, err)
+		return fmt.Errorf("unable to initialize the database using the configuration in %q. Error: %w", setting.CustomConf, err)
 	}
 	return nil
 }
--- a/cmd/convert.go
+++ b/cmd/convert.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/docs.go
+++ b/cmd/docs.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@ -1,10 +1,10 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

 import (
+	"errors"
 	"fmt"
 	golog "log"
 	"os"
@ -13,6 +13,7 @@ import (

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/migrations"
+	migrate_base "code.gitea.io/gitea/models/migrations/base"
 	"code.gitea.io/gitea/modules/doctor"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@ -113,7 +114,7 @@ func runRecreateTable(ctx *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	recreateTables := migrations.RecreateTables(beans...)
+	recreateTables := migrate_base.RecreateTables(beans...)

 	return db.InitEngineWithMigration(stdCtx, func(x *xorm.Engine) error {
 		if err := migrations.EnsureUpToDate(x); err != nil {
@ -123,20 +124,11 @@ func runRecreateTable(ctx *cli.Context) error {
 	})
 }

-func runDoctor(ctx *cli.Context) error {
-	// Silence the default loggers
-	log.DelNamedLogger("console")
-	log.DelNamedLogger(log.DEFAULT)
-
-	stdCtx, cancel := installSignals()
-	defer cancel()
-
-	// Now setup our own
+func setDoctorLogger(ctx *cli.Context) {
 	logFile := ctx.String("log-file")
 	if !ctx.IsSet("log-file") {
 		logFile = "doctor.log"
 	}
-
 	colorize := log.CanColorStdout
 	if ctx.IsSet("color") {
 		colorize = ctx.Bool("color")
@ -144,11 +136,50 @@ func runDoctor(ctx *cli.Context) error {

 	if len(logFile) == 0 {
 		log.NewLogger(1000, "doctor", "console", fmt.Sprintf(`{"level":"NONE","stacktracelevel":"NONE","colorize":%t}`, colorize))
-	} else if logFile == "-" {
+		return
+	}
+
+	defer func() {
+		recovered := recover()
+		if recovered == nil {
+			return
+		}
+
+		err, ok := recovered.(error)
+		if !ok {
+			panic(recovered)
+		}
+		if errors.Is(err, os.ErrPermission) {
+			fmt.Fprintf(os.Stderr, "ERROR: Unable to write logs to provided file due to permissions error: %s\n       %v\n", logFile, err)
+		} else {
+			fmt.Fprintf(os.Stderr, "ERROR: Unable to write logs to provided file: %s\n       %v\n", logFile, err)
+		}
+		fmt.Fprintf(os.Stderr, "WARN: Logging will be disabled\n       Use `--log-file` to configure log file location\n")
+		log.NewLogger(1000, "doctor", "console", fmt.Sprintf(`{"level":"NONE","stacktracelevel":"NONE","colorize":%t}`, colorize))
+	}()
+
+	if logFile == "-" {
 		log.NewLogger(1000, "doctor", "console", fmt.Sprintf(`{"level":"trace","stacktracelevel":"NONE","colorize":%t}`, colorize))
 	} else {
 		log.NewLogger(1000, "doctor", "file", fmt.Sprintf(`{"filename":%q,"level":"trace","stacktracelevel":"NONE"}`, logFile))
 	}
+}
+
+func runDoctor(ctx *cli.Context) error {
+	stdCtx, cancel := installSignals()
+	defer cancel()
+
+	// Silence the default loggers
+	log.DelNamedLogger("console")
+	log.DelNamedLogger(log.DEFAULT)
+
+	// Now setup our own
+	setDoctorLogger(ctx)
+
+	colorize := log.CanColorStdout
+	if ctx.IsSet("color") {
+		colorize = ctx.Bool("color")
+	}

 	// Finally redirect the default golog to here
 	golog.SetFlags(0)
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -1,7 +1,6 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -22,7 +21,7 @@ import (
 	"code.gitea.io/gitea/modules/util"

 	"gitea.com/go-chi/session"
-	archiver "github.com/mholt/archiver/v3"
+	"github.com/mholt/archiver/v3"
 	"github.com/urfave/cli"
 )

@ -92,7 +91,7 @@ func (o outputType) String() string {
 }

 var outputTypeEnum = &outputType{
-	Enum:    []string{"zip", "tar", "tar.sz", "tar.gz", "tar.xz", "tar.bz2", "tar.br", "tar.lz4"},
+	Enum:    []string{"zip", "tar", "tar.sz", "tar.gz", "tar.xz", "tar.bz2", "tar.br", "tar.lz4", "tar.zst"},
 	Default: "zip",
 }

@ -146,6 +145,10 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 			Name:  "skip-package-data",
 			Usage: "Skip package data",
 		},
+		cli.BoolFlag{
+			Name:  "skip-index",
+			Usage: "Skip bleve index data",
+		},
 		cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
@ -327,6 +330,11 @@ func runDump(ctx *cli.Context) error {
 			excludes = append(excludes, opts.ProviderConfig)
 		}

+		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			excludes = append(excludes, setting.Indexer.RepoPath)
+			excludes = append(excludes, setting.Indexer.IssuePath)
+		}
+
 		excludes = append(excludes, setting.RepoRootPath)
 		excludes = append(excludes, setting.LFS.Path)
 		excludes = append(excludes, setting.Attachment.Path)
@ -439,8 +447,23 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 				}
 			}
 		} else {
-			if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
-				return err
+			// only copy regular files and symlink regular files, skip non-regular files like socket/pipe/...
+			shouldAdd := file.Mode().IsRegular()
+			if !shouldAdd && file.Mode()&os.ModeSymlink == os.ModeSymlink {
+				target, err := filepath.EvalSymlinks(currentAbsPath)
+				if err != nil {
+					return err
+				}
+				targetStat, err := os.Stat(target)
+				if err != nil {
+					return err
+				}
+				shouldAdd = targetStat.Mode().IsRegular()
+			}
+			if shouldAdd {
+				if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
+					return err
+				}
 			}
 		}
 	}
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -1,19 +1,22 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

 import (
 	"context"
 	"errors"
+	"fmt"
+	"os"
 	"strings"

 	"code.gitea.io/gitea/modules/convert"
+	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	base "code.gitea.io/gitea/modules/migration"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/migrations"

 	"github.com/urfave/cli"
@ -83,6 +86,11 @@ func runDumpRepository(ctx *cli.Context) error {
 		return err
 	}

+	// migrations.GiteaLocalUploader depends on git module
+	if err := git.InitSimple(context.Background()); err != nil {
+		return err
+	}
+
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
@ -128,7 +136,9 @@ func runDumpRepository(ctx *cli.Context) error {
 	} else {
 		units := strings.Split(ctx.String("units"), ",")
 		for _, unit := range units {
-			switch strings.ToLower(unit) {
+			switch strings.ToLower(strings.TrimSpace(unit)) {
+			case "":
+				continue
 			case "wiki":
 				opts.Wiki = true
 			case "issues":
@ -145,13 +155,29 @@ func runDumpRepository(ctx *cli.Context) error {
 				opts.Comments = true
 			case "pull_requests":
 				opts.PullRequests = true
+			default:
+				return errors.New("invalid unit: " + unit)
 			}
 		}
 	}

+	// the repo_dir will be removed if error occurs in DumpRepository
+	// make sure the directory doesn't exist or is empty, prevent from deleting user files
+	repoDir := ctx.String("repo_dir")
+	if exists, err := util.IsExist(repoDir); err != nil {
+		return fmt.Errorf("unable to stat repo_dir %q: %w", repoDir, err)
+	} else if exists {
+		if isDir, _ := util.IsDir(repoDir); !isDir {
+			return fmt.Errorf("repo_dir %q already exists but it's not a directory", repoDir)
+		}
+		if dir, _ := os.ReadDir(repoDir); len(dir) > 0 {
+			return fmt.Errorf("repo_dir %q is not empty", repoDir)
+		}
+	}
+
 	if err := migrations.DumpRepository(
 		context.Background(),
-		ctx.String("repo_dir"),
+		repoDir,
 		ctx.String("owner_name"),
 		opts,
 	); err != nil {
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build bindata

@ -123,7 +122,7 @@ func initEmbeddedExtractor(c *cli.Context) error {

 	sections["public"] = &section{Path: "public", Names: public.AssetNames, IsDir: public.AssetIsDir, Asset: public.Asset}
 	sections["options"] = &section{Path: "options", Names: options.AssetNames, IsDir: options.AssetIsDir, Asset: options.Asset}
-	sections["templates"] = &section{Path: "templates", Names: templates.AssetNames, IsDir: templates.AssetIsDir, Asset: templates.Asset}
+	sections["templates"] = &section{Path: "templates", Names: templates.BuiltinAssetNames, IsDir: templates.BuiltinAssetIsDir, Asset: templates.BuiltinAsset}

 	for _, sec := range sections {
 		assets = append(assets, buildAssetList(sec, pats, c)...)
@ -186,11 +185,11 @@ func runViewDo(c *cli.Context) error {

 	data, err := assets[0].Section.Asset(assets[0].Name)
 	if err != nil {
-		return fmt.Errorf("%s: %v", assets[0].Path, err)
+		return fmt.Errorf("%s: %w", assets[0].Path, err)
 	}

 	if _, err = os.Stdout.Write(data); err != nil {
-		return fmt.Errorf("%s: %v", assets[0].Path, err)
+		return fmt.Errorf("%s: %w", assets[0].Path, err)
 	}

 	return nil
@ -251,11 +250,11 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {

 	data, err := a.Section.Asset(a.Name)
 	if err != nil {
-		return fmt.Errorf("%s: %v", a.Path, err)
+		return fmt.Errorf("%s: %w", a.Path, err)
 	}

 	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
-		return fmt.Errorf("%s: %v", dir, err)
+		return fmt.Errorf("%s: %w", dir, err)
 	}

 	perms := os.ModePerm & 0o666
@ -263,7 +262,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 	fi, err := os.Lstat(dest)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
-			return fmt.Errorf("%s: %v", dest, err)
+			return fmt.Errorf("%s: %w", dest, err)
 		}
 	} else if !overwrite && !rename {
 		fmt.Printf("%s already exists; skipped.\n", dest)
@ -272,7 +271,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 		return fmt.Errorf("%s already exists, but it's not a regular file", dest)
 	} else if rename {
 		if err := util.Rename(dest, dest+".bak"); err != nil {
-			return fmt.Errorf("Error creating backup for %s: %v", dest, err)
+			return fmt.Errorf("Error creating backup for %s: %w", dest, err)
 		}
 		// Attempt to respect file permissions mask (even if user:group will be set anew)
 		perms = fi.Mode()
@ -280,12 +279,12 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {

 	file, err := os.OpenFile(dest, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, perms)
 	if err != nil {
-		return fmt.Errorf("%s: %v", dest, err)
+		return fmt.Errorf("%s: %w", dest, err)
 	}
 	defer file.Close()

 	if _, err = file.Write(data); err != nil {
-		return fmt.Errorf("%s: %v", dest, err)
+		return fmt.Errorf("%s: %w", dest, err)
 	}

 	fmt.Println(dest)
@ -325,7 +324,7 @@ func getPatterns(args []string) ([]glob.Glob, error) {
 	pat := make([]glob.Glob, len(args))
 	for i := range args {
 		if g, err := glob.Compile(args[i], '/'); err != nil {
-			return nil, fmt.Errorf("'%s': Invalid glob pattern: %v", args[i], err)
+			return nil, fmt.Errorf("'%s': Invalid glob pattern: %w", args[i], err)
 		} else {
 			pat[i] = g
 		}
--- a/cmd/embedded_stub.go
+++ b/cmd/embedded_stub.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 //go:build !bindata

--- a/cmd/generate.go
+++ b/cmd/generate.go
@ -1,7 +1,6 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -1,6 +1,5 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -218,9 +217,9 @@ Gitea or set your environment appropriately.`, "")
 		}
 	}

-	supportProcRecive := false
+	supportProcReceive := false
 	if git.CheckGitVersionAtLeast("2.29") == nil {
-		supportProcRecive = true
+		supportProcReceive = true
 	}

 	for scanner.Scan() {
@ -241,9 +240,9 @@ Gitea or set your environment appropriately.`, "")
 		lastline++

 		// If the ref is a branch or tag, check if it's protected
-		// if supportProcRecive all ref should be checked because
+		// if supportProcReceive all ref should be checked because
 		// permission check was delayed
-		if supportProcRecive || strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
+		if supportProcReceive || strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
@ -312,7 +311,7 @@ func runHookPostReceive(c *cli.Context) error {

 	// First of all run update-server-info no matter what
 	if _, _, err := git.NewCommand(ctx, "update-server-info").RunStdString(nil); err != nil {
-		return fmt.Errorf("Failed to call 'git update-server-info': %v", err)
+		return fmt.Errorf("Failed to call 'git update-server-info': %w", err)
 	}

 	// Now if we're an internal don't do anything else
@ -792,7 +791,7 @@ func writeDataPktLine(out io.Writer, data []byte) error {
 	if err != nil {
 		return fail("Internal Server Error", "Pkt-Line response failed: %v", err)
 	}
-	if 4 != lr {
+	if lr != 4 {
 		return fail("Internal Server Error", "Pkt-Line response failed: %v", err)
 	}

--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/keys.go
+++ b/cmd/keys.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -0,0 +1,22 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+func init() {
+	setting.SetCustomPathAndConf("", "", "")
+	setting.LoadForTest()
+}
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m, &unittest.TestOptions{
+		GiteaRootPath: "..",
+	})
+}
--- a/cmd/manager.go
+++ b/cmd/manager.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -82,7 +81,7 @@ var (
 			},
 			cli.BoolFlag{
 				Name:  "no-system",
-				Usage: "Do not show system proceses",
+				Usage: "Do not show system processes",
 			},
 			cli.BoolFlag{
 				Name:  "stacktraces",
--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -174,6 +173,18 @@ var (
 						Action: runAddSMTPLogger,
 					},
 				},
+			}, {
+				Name:  "log-sql",
+				Usage: "Set LogSQL",
+				Flags: []cli.Flag{
+					cli.BoolFlag{
+						Name: "debug",
+					}, cli.BoolFlag{
+						Name:  "off",
+						Usage: "Switch off SQL logging",
+					},
+				},
+				Action: runSetLogSQL,
 			},
 		},
 	}
@ -381,3 +392,18 @@ func runReleaseReopenLogging(c *cli.Context) error {
 	fmt.Fprintln(os.Stdout, msg)
 	return nil
 }
+
+func runSetLogSQL(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+	setup("manager", c.Bool("debug"))
+
+	statusCode, msg := private.SetLogSQL(ctx, !c.Bool("off"))
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -1,6 +1,5 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -12,9 +11,11 @@ import (
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	"code.gitea.io/gitea/models/migrations"
+	packages_model "code.gitea.io/gitea/models/packages"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	packages_module "code.gitea.io/gitea/modules/packages"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"

@ -25,13 +26,13 @@ import (
 var CmdMigrateStorage = cli.Command{
 	Name:        "migrate-storage",
 	Usage:       "Migrate the storage",
-	Description: "This is a command for migrating storage.",
+	Description: "Copies stored files from storage configured in app.ini to parameter-configured storage",
 	Action:      runMigrateStorage,
 	Flags: []cli.Flag{
 		cli.StringFlag{
 			Name:  "type, t",
 			Value: "",
-			Usage: "Kinds of files to migrate, currently only 'attachments' is supported",
+			Usage: "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages'",
 		},
 		cli.StringFlag{
 			Name:  "storage, s",
@ -80,34 +81,50 @@ var CmdMigrateStorage = cli.Command{
 	},
 }

-func migrateAttachments(dstStorage storage.ObjectStorage) error {
-	return repo_model.IterateAttachment(func(attach *repo_model.Attachment) error {
+func migrateAttachments(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, attach *repo_model.Attachment) error {
 		_, err := storage.Copy(dstStorage, attach.RelativePath(), storage.Attachments, attach.RelativePath())
 		return err
 	})
 }

-func migrateLFS(dstStorage storage.ObjectStorage) error {
-	return git_model.IterateLFS(func(mo *git_model.LFSMetaObject) error {
+func migrateLFS(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, mo *git_model.LFSMetaObject) error {
 		_, err := storage.Copy(dstStorage, mo.RelativePath(), storage.LFS, mo.RelativePath())
 		return err
 	})
 }

-func migrateAvatars(dstStorage storage.ObjectStorage) error {
-	return user_model.IterateUser(func(user *user_model.User) error {
+func migrateAvatars(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, user *user_model.User) error {
 		_, err := storage.Copy(dstStorage, user.CustomAvatarRelativePath(), storage.Avatars, user.CustomAvatarRelativePath())
 		return err
 	})
 }

-func migrateRepoAvatars(dstStorage storage.ObjectStorage) error {
-	return repo_model.IterateRepository(func(repo *repo_model.Repository) error {
+func migrateRepoAvatars(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, repo *repo_model.Repository) error {
 		_, err := storage.Copy(dstStorage, repo.CustomAvatarRelativePath(), storage.RepoAvatars, repo.CustomAvatarRelativePath())
 		return err
 	})
 }

+func migrateRepoArchivers(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, archiver *repo_model.RepoArchiver) error {
+		p := archiver.RelativePath()
+		_, err := storage.Copy(dstStorage, p, storage.RepoArchives, p)
+		return err
+	})
+}
+
+func migratePackages(ctx context.Context, dstStorage storage.ObjectStorage) error {
+	return db.Iterate(ctx, nil, func(ctx context.Context, pb *packages_model.PackageBlob) error {
+		p := packages_module.KeyToRelativePath(packages_module.BlobHash256Key(pb.HashSHA256))
+		_, err := storage.Copy(dstStorage, p, storage.Packages, p)
+		return err
+	})
+}
+
 func runMigrateStorage(ctx *cli.Context) error {
 	stdCtx, cancel := installSignals()
 	defer cancel()
@ -127,8 +144,6 @@ func runMigrateStorage(ctx *cli.Context) error {
 		return err
 	}

-	goCtx := context.Background()
-
 	if err := storage.Init(); err != nil {
 		return err
 	}
@ -145,13 +160,13 @@ func runMigrateStorage(ctx *cli.Context) error {
 			return nil
 		}
 		dstStorage, err = storage.NewLocalStorage(
-			goCtx,
+			stdCtx,
 			storage.LocalStorageConfig{
 				Path: p,
 			})
 	case string(storage.MinioStorageType):
 		dstStorage, err = storage.NewMinioStorage(
-			goCtx,
+			stdCtx,
 			storage.MinioStorageConfig{
 				Endpoint:        ctx.String("minio-endpoint"),
 				AccessKeyID:     ctx.String("minio-access-key-id"),
@ -162,35 +177,29 @@ func runMigrateStorage(ctx *cli.Context) error {
 				UseSSL:          ctx.Bool("minio-use-ssl"),
 			})
 	default:
-		return fmt.Errorf("Unsupported storage type: %s", ctx.String("storage"))
+		return fmt.Errorf("unsupported storage type: %s", ctx.String("storage"))
 	}
 	if err != nil {
 		return err
 	}

-	tp := strings.ToLower(ctx.String("type"))
-	switch tp {
-	case "attachments":
-		if err := migrateAttachments(dstStorage); err != nil {
-			return err
-		}
-	case "lfs":
-		if err := migrateLFS(dstStorage); err != nil {
-			return err
-		}
-	case "avatars":
-		if err := migrateAvatars(dstStorage); err != nil {
-			return err
-		}
-	case "repo-avatars":
-		if err := migrateRepoAvatars(dstStorage); err != nil {
-			return err
-		}
-	default:
-		return fmt.Errorf("Unsupported storage: %s", ctx.String("type"))
+	migratedMethods := map[string]func(context.Context, storage.ObjectStorage) error{
+		"attachments":    migrateAttachments,
+		"lfs":            migrateLFS,
+		"avatars":        migrateAvatars,
+		"repo-avatars":   migrateRepoAvatars,
+		"repo-archivers": migrateRepoArchivers,
+		"packages":       migratePackages,
 	}

-	log.Warn("All files have been copied to the new placement but old files are still on the original placement.")
+	tp := strings.ToLower(ctx.String("type"))
+	if m, ok := migratedMethods[tp]; ok {
+		if err := m(stdCtx, dstStorage); err != nil {
+			return err
+		}
+		log.Info("%s files have successfully been copied to the new storage.", tp)
+		return nil
+	}

-	return nil
+	return fmt.Errorf("unsupported storage: %s", ctx.String("type"))
 }
--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -0,0 +1,73 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"os"
+	"strings"
+	"testing"
+
+	"code.gitea.io/gitea/models/packages"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	packages_module "code.gitea.io/gitea/modules/packages"
+	"code.gitea.io/gitea/modules/storage"
+	packages_service "code.gitea.io/gitea/services/packages"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMigratePackages(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	creator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	content := "package main\n\nfunc main() {\nfmt.Println(\"hi\")\n}\n"
+	buf, err := packages_module.CreateHashedBufferFromReader(strings.NewReader(content), 1024)
+	assert.NoError(t, err)
+	defer buf.Close()
+
+	v, f, err := packages_service.CreatePackageAndAddFile(&packages_service.PackageCreationInfo{
+		PackageInfo: packages_service.PackageInfo{
+			Owner:       creator,
+			PackageType: packages.TypeGeneric,
+			Name:        "test",
+			Version:     "1.0.0",
+		},
+		Creator:           creator,
+		SemverCompatible:  true,
+		VersionProperties: map[string]string{},
+	}, &packages_service.PackageFileCreationInfo{
+		PackageFileInfo: packages_service.PackageFileInfo{
+			Filename: "a.go",
+		},
+		Creator: creator,
+		Data:    buf,
+		IsLead:  true,
+	})
+	assert.NoError(t, err)
+	assert.NotNil(t, v)
+	assert.NotNil(t, f)
+
+	ctx := context.Background()
+
+	p := t.TempDir()
+
+	dstStorage, err := storage.NewLocalStorage(
+		ctx,
+		storage.LocalStorageConfig{
+			Path: p,
+		})
+	assert.NoError(t, err)
+
+	err = migratePackages(ctx, dstStorage)
+	assert.NoError(t, err)
+
+	entries, err := os.ReadDir(p)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 2, len(entries))
+	assert.EqualValues(t, "01", entries[0].Name())
+	assert.EqualValues(t, "tmp", entries[1].Name())
+}
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@ -1,12 +1,12 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

 import (
 	"errors"
 	"net/http"
+	"strings"

 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"
@ -37,10 +37,10 @@ var CmdRestoreRepository = cli.Command{
 			Value: "",
 			Usage: "Restore destination repository name",
 		},
-		cli.StringSliceFlag{
+		cli.StringFlag{
 			Name:  "units",
-			Value: nil,
-			Usage: `Which items will be restored, one or more units should be repeated with this flag.
+			Value: "",
+			Usage: `Which items will be restored, one or more units should be separated as comma.
 wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
 		},
 		cli.BoolFlag{
@ -55,13 +55,16 @@ func runRestoreRepository(c *cli.Context) error {
 	defer cancel()

 	setting.LoadFromExisting()
-
+	var units []string
+	if s := c.String("units"); s != "" {
+		units = strings.Split(s, ",")
+	}
 	statusCode, errStr := private.RestoreRepo(
 		ctx,
 		c.String("repo_dir"),
 		c.String("owner_name"),
 		c.String("repo_name"),
-		c.StringSlice("units"),
+		units,
 		c.Bool("validation"),
 	)
 	if statusCode == http.StatusOK {
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -1,7 +1,6 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -43,7 +42,7 @@ const (
 var CmdServ = cli.Command{
 	Name:        "serv",
 	Usage:       "This command should only be called by SSH shell",
-	Description: `Serv provide access auth for repositories`,
+	Description: "Serv provides access auth for repositories",
 	Action:      runServ,
 	Flags: []cli.Flag{
 		cli.BoolFlag{
--- a/cmd/web.go
+++ b/cmd/web.go
@ -1,6 +1,5 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -76,7 +75,7 @@ func runHTTPRedirector() {
 		http.Redirect(w, r, target, http.StatusTemporaryRedirect)
 	})

-	err := runHTTP("tcp", source, "HTTP Redirector", handler)
+	err := runHTTP("tcp", source, "HTTP Redirector", handler, setting.RedirectorUseProxyProtocol)
 	if err != nil {
 		log.Fatal("Failed to start port redirection: %v", err)
 	}
@ -126,8 +125,10 @@ func runWeb(ctx *cli.Context) error {
 				return err
 			}
 		}
-		c := install.Routes()
+		installCtx, cancel := context.WithCancel(graceful.GetManager().HammerContext())
+		c := install.Routes(installCtx)
 		err := listen(c, false)
+		cancel()
 		if err != nil {
 			log.Critical("Unable to open listener for installer. Is Gitea already running?")
 			graceful.GetManager().DoGracefulShutdown()
@ -148,8 +149,9 @@ func runWeb(ctx *cli.Context) error {
 		go func() {
 			http.DefaultServeMux.Handle("/debug/fgprof", fgprof.Handler())
 			_, _, finished := process.GetManager().AddTypedContext(context.Background(), "Web: PProf Server", process.SystemProcessType, true)
+			// The pprof server is for debug purpose only, it shouldn't be exposed on public network. At the moment it's not worth to introduce a configurable option for it.
 			log.Info("Starting pprof server on localhost:6060")
-			log.Info("%v", http.ListenAndServe("localhost:6060", nil))
+			log.Info("Stopped pprof server: %v", http.ListenAndServe("localhost:6060", nil))
 			finished()
 		}()
 	}
@ -174,7 +176,7 @@ func runWeb(ctx *cli.Context) error {
 	}

 	// Set up Chi routes
-	c := routers.NormalRoutes()
+	c := routers.NormalRoutes(graceful.GetManager().HammerContext())
 	err := listen(c, true)
 	<-graceful.GetManager().Done()
 	log.Info("PID: %d Gitea Web Finished", os.Getpid())
@ -200,7 +202,7 @@ func setPort(port string) error {
 		defaultLocalURL += ":" + setting.HTTPPort + "/"

 		// Save LOCAL_ROOT_URL if port changed
-		setting.CreateOrAppendToCustomConf(func(cfg *ini.File) {
+		setting.CreateOrAppendToCustomConf("server.LOCAL_ROOT_URL", func(cfg *ini.File) {
 			cfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
 		})
 	}
@ -230,40 +232,38 @@ func listen(m http.Handler, handleRedirector bool) error {
 		if handleRedirector {
 			NoHTTPRedirector()
 		}
-		err = runHTTP("tcp", listenAddr, "Web", m)
+		err = runHTTP("tcp", listenAddr, "Web", m, setting.UseProxyProtocol)
 	case setting.HTTPS:
 		if setting.EnableAcme {
 			err = runACME(listenAddr, m)
 			break
-		} else {
-			if handleRedirector {
-				if setting.RedirectOtherPort {
-					go runHTTPRedirector()
-				} else {
-					NoHTTPRedirector()
-				}
-			}
-			err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
 		}
+		if handleRedirector {
+			if setting.RedirectOtherPort {
+				go runHTTPRedirector()
+			} else {
+				NoHTTPRedirector()
+			}
+		}
+		err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m, setting.UseProxyProtocol, setting.ProxyProtocolTLSBridging)
 	case setting.FCGI:
 		if handleRedirector {
 			NoHTTPRedirector()
 		}
-		err = runFCGI("tcp", listenAddr, "FCGI Web", m)
+		err = runFCGI("tcp", listenAddr, "FCGI Web", m, setting.UseProxyProtocol)
 	case setting.HTTPUnix:
 		if handleRedirector {
 			NoHTTPRedirector()
 		}
-		err = runHTTP("unix", listenAddr, "Web", m)
+		err = runHTTP("unix", listenAddr, "Web", m, setting.UseProxyProtocol)
 	case setting.FCGIUnix:
 		if handleRedirector {
 			NoHTTPRedirector()
 		}
-		err = runFCGI("unix", listenAddr, "Web", m)
+		err = runFCGI("unix", listenAddr, "Web", m, setting.UseProxyProtocol)
 	default:
 		log.Fatal("Invalid protocol: %s", setting.Protocol)
 	}
-
 	if err != nil {
 		log.Critical("Failed to start server: %v", err)
 	}
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -113,14 +112,14 @@ func runACME(listenAddr string, m http.Handler) error {

 			log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
 			// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
-			err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
+			err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)), setting.RedirectorUseProxyProtocol)
 			if err != nil {
 				log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
 			}
 		}()
 	}

-	return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m)
+	return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m, setting.UseProxyProtocol, setting.ProxyProtocolTLSBridging)
 }

 func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
--- a/cmd/web_graceful.go
+++ b/cmd/web_graceful.go
@ -1,6 +1,5 @@
 // Copyright 2016 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -15,8 +14,8 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 )

-func runHTTP(network, listenAddr, name string, m http.Handler) error {
-	return graceful.HTTPListenAndServe(network, listenAddr, name, m)
+func runHTTP(network, listenAddr, name string, m http.Handler, useProxyProtocol bool) error {
+	return graceful.HTTPListenAndServe(network, listenAddr, name, m, useProxyProtocol)
 }

 // NoHTTPRedirector tells our cleanup routine that we will not be using a fallback http redirector
@ -36,7 +35,7 @@ func NoInstallListener() {
 	graceful.GetManager().InformCleanup()
 }

-func runFCGI(network, listenAddr, name string, m http.Handler) error {
+func runFCGI(network, listenAddr, name string, m http.Handler, useProxyProtocol bool) error {
 	// This needs to handle stdin as fcgi point
 	fcgiServer := graceful.NewServer(network, listenAddr, name)

@ -47,7 +46,7 @@ func runFCGI(network, listenAddr, name string, m http.Handler) error {
 			}
 			m.ServeHTTP(resp, req)
 		}))
-	})
+	}, useProxyProtocol)
 	if err != nil {
 		log.Fatal("Failed to start FCGI main server: %v", err)
 	}
--- a/cmd/web_https.go
+++ b/cmd/web_https.go
@ -1,6 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package cmd

@ -129,14 +128,14 @@ var (
 	defaultCiphersChaChaFirst = append(defaultCiphersChaCha, defaultCiphersAES...)
 )

-// runHTTPs listens on the provided network address and then calls
+// runHTTPS listens on the provided network address and then calls
 // Serve to handle requests on incoming TLS connections.
 //
 // Filenames containing a certificate and matching private key for the server must
 // be provided. If the certificate is signed by a certificate authority, the
 // certFile should be the concatenation of the server's certificate followed by the
 // CA's certificate.
-func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handler) error {
+func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handler, useProxyProtocol, proxyProtocolTLSBridging bool) error {
 	tlsConfig := &tls.Config{}
 	if tlsConfig.NextProtos == nil {
 		tlsConfig.NextProtos = []string{"h2", "http/1.1"}
@ -184,9 +183,9 @@ func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handle
 		return err
 	}

-	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m)
+	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m, useProxyProtocol, proxyProtocolTLSBridging)
 }

-func runHTTPSWithTLSConfig(network, listenAddr, name string, tlsConfig *tls.Config, m http.Handler) error {
-	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m)
+func runHTTPSWithTLSConfig(network, listenAddr, name string, tlsConfig *tls.Config, m http.Handler, useProxyProtocol, proxyProtocolTLSBridging bool) error {
+	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m, useProxyProtocol, proxyProtocolTLSBridging)
 }
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@ -1,6 +1,5 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

--- a/contrib/fixtures/fixture_generation.go
+++ b/contrib/fixtures/fixture_generation.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

--- a/contrib/init/gentoo/gitea
+++ b/contrib/init/gentoo/gitea
@ -2,14 +2,43 @@

 DIR=/var/lib/gitea
 USER=git
+HOME=/home/${USER}
+GITEA_WORK_DIR=${DIR}
+EXECUTABLE=/usr/local/bin/gitea

+export USER
+export HOME
+export GITEA_WORK_DIR
+
+name=$RC_SVCNAME
+cfgfile="/etc/$RC_SVCNAME/app.ini"
+command="${EXECUTABLE}"
+command_user="${USER}"
+command_args="web -c /etc/$RC_SVCNAME/app.ini"
+command_background="yes"
+pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
 start_stop_daemon_args="--user ${USER} --chdir ${DIR}"
-command="/usr/local/bin/gitea"
-command_args="web -c /etc/gitea/app.ini"
-command_background=yes
-pidfile=/run/gitea.pid

 depend()
 {
    need net
+    ###
+    # Don't forget to add the database service requirements
+    ###
+    #after postgresql
+    #after mysql
+    #after mariadb
+    #after memcached
+    #after redis
+}
+
+start_pre()
+{
+        checkpath --directory --owner $command_user:$command_user --mode 0750 \
+                /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+        ##
+        # If you want to bind Gitea to a port below 1024, uncomment
+        # the value below
+        ##
+        #setcap cap_net_bind_service=+ep "${EXECUTABLE}"
 }
--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@ -1,6 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT

 package main

@ -14,7 +13,6 @@ import (
 	"fmt"
 	"log"
 	"net/http"
-	"net/url"
 	"os"
 	"os/exec"
 	"os/user"
@ -27,12 +25,14 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
 	gitea_git "code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/external"
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers"
+	markup_service "code.gitea.io/gitea/services/markup"

 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
@ -61,11 +61,7 @@ func runPR() {
 	}
 	setting.AppWorkPath = curDir
 	setting.StaticRootPath = curDir
-	setting.GravatarSourceURL, err = url.Parse("https://secure.gravatar.com/avatar/")
-	if err != nil {
-		log.Fatalf("url.Parse: %v\n", err)
-	}
-
+	setting.GravatarSource = "https://secure.gravatar.com/avatar/"
 	setting.AppURL = "http://localhost:8080/"
 	setting.HTTPPort = "8080"
 	setting.SSH.Domain = "localhost"
@ -80,7 +76,6 @@ func runPR() {
 	setting.RunUser = curUser.Username

 	log.Printf("[PR] Loading fixtures data ...\n")
-	gitea_git.CheckLFSVersion()
 	//models.LoadConfigs()
 	/*
 		setting.Database.Type = "sqlite3"
@ -112,13 +107,13 @@ func runPR() {
 	unittest.LoadFixtures()
 	util.RemoveAll(setting.RepoRootPath)
 	util.RemoveAll(repo_module.LocalCopyPath())
-	unittest.CopyDir(path.Join(curDir, "integrations/gitea-repositories-meta"), setting.RepoRootPath)
+	unittest.CopyDir(path.Join(curDir, "tests/gitea-repositories-meta"), setting.RepoRootPath)

 	log.Printf("[PR] Setting up router\n")
 	// routers.GlobalInit()
 	external.RegisterRenderers()
-	markup.Init()
-	c := routers.NormalRoutes()
+	markup.Init(markup_service.ProcessorHelper())
+	c := routers.NormalRoutes(graceful.GetManager().HammerContext())

 	log.Printf("[PR] Ready for testing !\n")
 	log.Printf("[PR] Login with user1, user2, user3, ... with pass: password\n")
--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@ -49,12 +49,8 @@ After=network.target
 ###

 [Service]
-# Modify these two values and uncomment them if you have
-# repos with lots of files and get an HTTP error 500 because
-# of that
-###
-#LimitMEMLOCK=infinity
-#LimitNOFILE=65535
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
 RestartSec=2s
 Type=simple
 User=git
@ -78,6 +74,13 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 #AmbientCapabilities=CAP_NET_BIND_SERVICE
 ###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###

 [Install]
 WantedBy=multi-user.target
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -7,6 +7,38 @@
 ;; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.


+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Default Configuration (non-`app.ini` configuration)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; These values are environment-dependent but form the basis of a lot of values. They will be
+;; reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+;;
+;; - _`AppPath`_: This is the absolute path of the running gitea binary.
+;; - _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+;;   - The `--work-path` flag passed to the binary
+;;   - The environment variable `$GITEA_WORK_DIR`
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to the directory of the _`AppPath`_
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`AppPath`_
+;; - _`CustomPath`_: This is the base directory for custom templates and other options.
+;; It is determined by using the first set thing in the following hierarchy:
+;;   - The `--custom-path` flag passed to the binary
+;;   - The environment variable `$GITEA_CUSTOM`
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to _`AppWorkPath`_`/custom`
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`AppWorkPath`_
+;; - _`CustomConf`_: This is the path to the `app.ini` file.
+;;   - The `--config` flag passed to the binary
+;;   - A built-in value set at build time (see building from source)
+;;   - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`CustomPath`_
+;;
+;; In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; General Settings
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -26,9 +58,21 @@ RUN_MODE = ; prod
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. Defaults to 'http'
+;; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http'
 ;PROTOCOL = http
 ;;
+;; Expect PROXY protocol headers on connections
+;USE_PROXY_PROTOCOL = false
+;;
+;; Use PROXY protocol in TLS Bridging mode
+;PROXY_PROTOCOL_TLS_BRIDGING = false
+;;
+; Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
+;PROXY_PROTOCOL_HEADER_TIMEOUT=5s
+;;
+; Accept PROXY protocol headers with UNKNOWN type
+;PROXY_PROTOCOL_ACCEPT_UNKNOWN=false
+;;
 ;; Set the domain for the server
 ;DOMAIN = localhost
 ;;
@ -39,6 +83,8 @@ RUN_MODE = ; prod
 ;STATIC_URL_PREFIX =
 ;;
 ;; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
+;; If PROTOCOL is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use.
+;; Relative paths will be made absolute against the _`AppWorkPath`_.
 ;HTTP_ADDR = 0.0.0.0
 ;;
 ;; The port to listen on. Leave empty when using a unix socket.
@ -51,6 +97,8 @@ RUN_MODE = ; prod
 ;REDIRECT_OTHER_PORT = false
 ;PORT_TO_REDIRECT = 80
 ;;
+;; expect PROXY protocol header on connections to https redirector.
+;REDIRECTOR_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
 ;; Minimum and maximum supported TLS versions
 ;SSL_MIN_VERSION=TLSv1.2
 ;SSL_MAX_VERSION=
@ -76,13 +124,19 @@ RUN_MODE = ; prod
 ;; Do not set this variable if PROTOCOL is set to 'unix'.
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;;
+;; When making local connections pass the PROXY protocol header.
+;LOCAL_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
+;;
 ;; Disable SSH feature when not available
 ;DISABLE_SSH = false
 ;;
 ;; Whether to use the builtin SSH server or not.
 ;START_SSH_SERVER = false
 ;;
-;; Username to use for the builtin SSH server.
+;; Expect PROXY protocol header on connections to the built-in SSH server
+;SSH_SERVER_USE_PROXY_PROTOCOL = false
+;;
+;; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
 ;BUILTIN_SSH_SERVER_USER = %(RUN_USER)s
 ;;
 ;; Domain name to be exposed in clone URL
@ -125,7 +179,7 @@ RUN_MODE = ; prod
 ;;
 ;; For the built-in SSH server, choose the keypair to offer as the host key
 ;; The private key should be at SSH_SERVER_HOST_KEY and the public SSH_SERVER_HOST_KEY.pub
-;; relative paths are made absolute relative to the APP_DATA_PATH
+;; relative paths are made absolute relative to the %(APP_DATA_PATH)s
 ;SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa
 ;;
 ;; Directory to create temporary files in when testing public keys using ssh-keygen,
@ -221,10 +275,10 @@ RUN_MODE = ; prod
 ;;
 ;; Root directory containing templates and static files.
 ;; default is the path where Gitea is executed
-;STATIC_ROOT_PATH =
+;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
 ;;
 ;; Default path for App data
-;APP_DATA_PATH = data
+;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
 ;;
 ;; Enable gzip compression for runtime-generated content, static resources excluded
 ;ENABLE_GZIP = false
@ -235,7 +289,7 @@ RUN_MODE = ; prod
 ;ENABLE_PPROF = false
 ;;
 ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
-;PPROF_DATA_PATH = data/tmp/pprof
+;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
 ;;
 ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
 ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
@ -313,6 +367,7 @@ USER = root
 ;DB_TYPE = sqlite3
 ;PATH= ; defaults to data/gitea.db
 ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -358,14 +413,19 @@ LOG_SQL = false ; if unset defaults to true
 ;; Whether the installer is disabled (set to true to disable the installer)
 INSTALL_LOCK = false
 ;;
-;; Global secret key that will be used - if blank will be regenerated.
+;; Global secret key that will be used
+;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
 SECRET_KEY =
 ;;
+;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
+;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
+;SECRET_KEY_URI = file:/etc/gitea/secret_key
+;;
 ;; Secret used to validate communication within Gitea binary.
 INTERNAL_TOKEN=
 ;;
-;; Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: file:/etc/gitea/internal_token)
-;INTERNAL_TOKEN_URI = ;e.g. /etc/gitea/internal_token
+;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
+;INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token
 ;;
 ;; How long to remember that a user is logged in before requiring relogin (in days)
 ;LOGIN_REMEMBER_DAYS = 7
@ -376,9 +436,10 @@ INTERNAL_TOKEN=
 ;; Name of cookie used to store authentication information.
 ;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
-;; Reverse proxy authentication header name of user name and email
+;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 ;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
+;REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME
 ;;
 ;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
 ;REVERSE_PROXY_LIMIT = 1
@ -475,20 +536,6 @@ ENABLE = true
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767

-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-[U2F]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED
-;; Two Factor authentication with security keys
-;; https://developers.yubico.com/U2F/App_ID.html
-;;
-;; DEPRECATED - this only applies to previously registered security keys using the U2F standard
-APP_ID = ; e.g. http://localhost:3000/
-
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 [log]
@ -617,7 +664,10 @@ ROUTER = console
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; The path of git executable. If empty, Gitea searches through the PATH environment.
-PATH =
+;PATH =
+;;
+;; The HOME directory for Git
+;HOME_PATH = %(APP_DATA_PATH)s/home
 ;;
 ;; Disables highlight of added and removed changes
 ;DISABLE_DIFF_HIGHLIGHT = false
@ -642,6 +692,7 @@ PATH =
 ;GC_ARGS =
 ;;
 ;; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
+;; To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file.
 ;ENABLE_AUTO_GIT_WIRE_PROTOCOL = true
 ;;
 ;; Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
@ -703,13 +754,19 @@ PATH =
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ;ENABLE_REVERSE_PROXY_EMAIL = false
+;ENABLE_REVERSE_PROXY_FULL_NAME = false
 ;;
 ;; Enable captcha validation for registration
 ;ENABLE_CAPTCHA = false
 ;;
-;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha
+;; Enable this to require captcha validation for login
+;REQUIRE_CAPTCHA_FOR_LOGIN = false
+;;
+;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha.
 ;CAPTCHA_TYPE = image
 ;;
+;; Change this to use recaptcha.net or other recaptcha service
+;RECAPTCHA_URL = https://www.google.com/recaptcha/
 ;; Enable recaptcha to use Google's recaptcha service
 ;; Go to https://www.google.com/recaptcha/admin to sign up for a key
 ;RECAPTCHA_SECRET =
@ -719,8 +776,13 @@ PATH =
 ;HCAPTCHA_SECRET =
 ;HCAPTCHA_SITEKEY =
 ;;
-;; Change this to use recaptcha.net or other recaptcha service
-;RECAPTCHA_URL = https://www.google.com/recaptcha/
+;; Change this to use demo.mcaptcha.org or your self-hosted mcaptcha.org instance.
+;MCAPTCHA_URL = https://demo.mcaptcha.org
+;;
+;; Go to your configured mCaptcha instance and register a sitekey
+;; and use your account's secret.
+;MCAPTCHA_SECRET =
+;MCAPTCHA_SITEKEY =
 ;;
 ;; Default value for KeepEmailPrivate
 ;; Each new user will get the value of this setting copied into their profile
@ -813,8 +875,8 @@ PATH =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)/gitea-repositories.
-;; A relative path is interpreted as %(GITEA_WORK_DIR)/%(ROOT)
+;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
+;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
 ;ROOT =
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
@ -862,7 +924,7 @@ PATH =
 ;USE_COMPAT_SSH_URI = false
 ;;
 ;; Close issues as long as a commit on any branch marks it as fixed
-;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki
+;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects
 ;DISABLED_REPO_UNITS =
 ;;
 ;; Comma separated list of default repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects.
@ -889,6 +951,9 @@ PATH =
 ;; Allow deletion of unadopted repositories
 ;ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES = false

+;; Don't allow download source archive files from UI
+;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository.editor]
@ -1076,6 +1141,9 @@ PATH =
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
 ;;
+;; headers to permit
+;HEADERS = Content-Type,User-Agent
+;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN

@ -1089,7 +1157,7 @@ PATH =
 ;EXPLORE_PAGING_NUM = 20
 ;;
 ;; Number of issues that are displayed on one page
-;ISSUE_PAGING_NUM = 10
+;ISSUE_PAGING_NUM = 20
 ;;
 ;; Number of maximum commits displayed in one activity feed
 ;FEED_MAX_COMMIT_NUM = 5
@ -1097,6 +1165,9 @@ PATH =
 ;; Number of items that are displayed in home feed
 ;FEED_PAGING_NUM = 20
 ;;
+;; Number of items that are displayed in a single subsitemap
+;SITEMAP_PAGING_NUM = 20
+;;
 ;; Number of maximum commits displayed in commit graph.
 ;GRAPH_MAX_COMMIT_NUM = 100
 ;;
@ -1138,6 +1209,10 @@ PATH =
 ;;
 ;; Whether to enable a Service Worker to cache frontend assets
 ;USE_SERVICE_WORKER = false
+;;
+;; Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
+;; A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).
+;ONLY_SHOW_RELEVANT_REPOS = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1232,6 +1307,9 @@ PATH =
 ;; List of file extensions that should be rendered/edited as Markdown
 ;; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
 ;FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
+;;
+;; Enables math inline and block detection
+;ENABLE_MATH = true

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1242,7 +1320,7 @@ PATH =
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2048
+;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
 ;DSA = -1 ; set to 1024 to switch on

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1258,7 +1336,7 @@ PATH =
 ;ISSUE_INDEXER_TYPE = bleve
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-;ISSUE_INDEXER_PATH = indexers/issues.bleve
+;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch
 ;ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
@ -1276,7 +1354,7 @@ PATH =
 ;; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the path where the queue will be saved.
 ;; This can be overridden by `ISSUE_INDEXER_QUEUE_CONN_STR`.
 ;; default is queues/common
-;ISSUE_INDEXER_QUEUE_DIR = queues/common; **DEPRECATED** use settings in `[queue.issue_indexer]`.
+;ISSUE_INDEXER_QUEUE_DIR = queues/common; **DEPRECATED** use settings in `[queue.issue_indexer]`. Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
 ;; When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of
@ -1332,7 +1410,7 @@ PATH =
 ;TYPE = persistable-channel
 ;;
 ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
-;DATADIR = queues/
+;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; Default queue length before a channel queue will block
 ;LENGTH = 20
@ -1499,6 +1577,11 @@ PATH =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
+;; NOTICE: this section is for Gitea 1.18 and later. If you are using Gitea 1.17 or older,
+;; please refer to
+;; https://github.com/go-gitea/gitea/blob/release/v1.17/custom/conf/app.example.ini
+;; https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+;;
 ;ENABLED = false
 ;;
 ;; Buffer length of channel, keep it as it is if you don't know what it is.
@ -1507,30 +1590,42 @@ PATH =
 ;; Prefix displayed before subject in mail
 ;SUBJECT_PREFIX =
 ;;
-;; Mail server
-;; Gmail: smtp.gmail.com:587
-;; QQ: smtp.qq.com:465
-;; As per RFC 8314 using Implicit TLS/SMTPS on port 465 (if supported) is recommended,
-;; otherwise STARTTLS on port 587 should be used.
-;HOST =
+;; Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy".
+;; - sendmail: use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
+;; - dummy: send email messages to the log as a testing phase.
+;; If your provider does not explicitly say which protocol it uses but does provide a port,
+;; you can set SMTP_PORT instead and this will be inferred.
+;; (Before 1.18, see the notice, this was controlled via MAILER_TYPE and IS_TLS_ENABLED.)
+;PROTOCOL =
 ;;
-;; Disable HELO operation when hostnames are different.
-;DISABLE_HELO =
+;; Mail server address, e.g. smtp.gmail.com.
+;; For smtp+unix, this should be a path to a unix socket instead.
+;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
+;SMTP_ADDR =
 ;;
-;; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
+;; Mail server port. Common ports are:
+;;   25:  insecure SMTP
+;;   465: SMTP Secure
+;;   587: StartTLS
+;; If no protocol is specified, it will be inferred by this setting.
+;; (Before 1.18, this was combined with SMTP_ADDR as HOST.)
+;SMTP_PORT =
+;;
+;; Enable HELO operation. Defaults to true.
+;ENABLE_HELO = true
+;;
+;; Custom hostname for HELO operation.
+;; If no value is provided, one is retrieved from system.
 ;HELO_HOSTNAME =
 ;;
-;; Whether or not to skip verification of certificates; `true` to disable verification. This option is unsafe. Consider adding the certificate to the system trust store instead.
-;SKIP_VERIFY = false
+;; If set to `true`, completely ignores server certificate validation errors.
+;; This option is unsafe. Consider adding the certificate to the system trust store instead.
+;FORCE_TRUST_SERVER_CERT = false
 ;;
-;; Use client certificate
-;USE_CERTIFICATE = false
-;CERT_FILE = custom/mailer/cert.pem
-;KEY_FILE = custom/mailer/key.pem
-;;
-;; Should SMTP connect with TLS, (if port ends with 465 TLS will always be used.)
-;; If this is false but STARTTLS is supported the connection will be upgraded to TLS opportunistically.
-;IS_TLS_ENABLED = false
+;; Use client certificate in connection.
+;USE_CLIENT_CERT = false
+;CLIENT_CERT_FILE = custom/mailer/cert.pem
+;CLIENT_KEY_FILE = custom/mailer/key.pem
 ;;
 ;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 ;FROM =
@ -1538,19 +1633,15 @@ PATH =
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
 ;ENVELOPE_FROM =
 ;;
-;; Mailer user name and password
-;; Please Note: Authentication is only supported when the SMTP server communication is encrypted with TLS (this can be via STARTTLS) or `HOST=localhost`.
+;; Mailer user name and password, if required by provider.
 ;USER =
 ;;
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;;
-;; Send mails as plain text
+;; Send mails only in plain text, without HTML alternative
 ;SEND_AS_PLAIN_TEXT = false
 ;;
-;; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
-;MAILER_TYPE = smtp
-;;
 ;; Specify an alternative sendmail binary
 ;SENDMAIL_PATH = sendmail
 ;;
@ -1621,7 +1712,7 @@ PATH =
 ;; file: session file path, e.g. `data/sessions`
 ;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-;PROVIDER_CONFIG = data/sessions
+;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
@ -1687,7 +1778,7 @@ PATH =
 ;ENABLED = true
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-;ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.mp4,.log,.pdf,.png,.pptx,.txt,.xlsx,.zip
+;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
 ;;
 ;; Max size of each file. Defaults to 4MB
 ;MAX_SIZE = 4
@ -2107,7 +2198,7 @@ PATH =
 ;[api]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Enables Swagger. True or false; default is true.
+;; Enables the API documentation endpoints (/api/swagger, /api/v1/swagger, …). True or false.
 ;ENABLE_SWAGGER = true
 ;; Max number of items in a page
 ;MAX_RESPONSE_ITEMS = 50
@ -2115,7 +2206,7 @@ PATH =
 ;DEFAULT_PAGING_NUM = 30
 ;; Default and maximum number of items per page for git trees api
 ;DEFAULT_GIT_TREES_PER_PAGE = 1000
-;; Default size of a blob returned by the blobs API (default is 10MiB)
+;; Default max size of a blob returned by the blobs API (default is 10MiB)
 ;DEFAULT_MAX_BLOB_SIZE = 10485760

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2124,7 +2215,7 @@ PATH =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; The first locale will be used as the default if user browser's language doesn't match any locale in the list.
-;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN
+;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN
 ;NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2145,7 +2236,10 @@ PATH =
 ;SHOW_FOOTER_VERSION = true
 ;; Show template execution time in the footer
 ;SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
-
+;; Generate sitemap. Defaults to `true`.
+;ENABLE_SITEMAP = true
+;; Enable/Disable RSS/Atom feed
+;ENABLE_FEED = true

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2231,13 +2325,16 @@ PATH =
 ;;
 ;; Allowed domains for migrating, default is blank. Blank means everything will be allowed.
 ;; Multiple domains could be separated by commas.
+;; Wildcard is supported: "github.com, *.github.com"
 ;ALLOWED_DOMAINS =
 ;;
 ;; Blocklist for migrating, default is blank. Multiple domains could be separated by commas.
 ;; When ALLOWED_DOMAINS is not blank, this option has a higher priority to deny domains.
+;; Wildcard is supported.
 ;BLOCKED_DOMAINS =
 ;;
 ;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291 (false by default)
+;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored.
 ;ALLOW_LOCALNETWORKS = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2247,10 +2344,27 @@ PATH =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Enable/Disable federation capabilities
-; ENABLED = true
+;ENABLED = false
 ;;
 ;; Enable/Disable user statistics for nodeinfo if federation is enabled
-; SHARE_USER_STATISTICS = true
+;SHARE_USER_STATISTICS = true
+;;
+;; Maximum federation request and response size (MB)
+;MAX_SIZE = 4
+;;
+;; WARNING: Changing the settings below can break federation.
+;;
+;; HTTP signature algorithms
+;ALGORITHMS = rsa-sha256, rsa-sha512, ed25519
+;;
+;; HTTP signature digest algorithm
+;DIGEST_ALGORITHM = SHA-256
+;;
+;; GET headers for federation requests
+;GET_HEADERS = (request-target), Date
+;;
+;; POST headers for federation requests
+;POST_HEADERS = (request-target), Date, Digest

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2263,6 +2377,35 @@ PATH =
 ;;
 ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
 ;CHUNKED_UPLOAD_PATH = tmp/package-upload
+;;
+;; Maximum count of package versions a single owner can have (`-1` means no limits)
+;LIMIT_TOTAL_OWNER_COUNT = -1
+;; Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_TOTAL_OWNER_SIZE = -1
+;; Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_COMPOSER = -1
+;; Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONAN = -1
+;; Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONTAINER = -1
+;; Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_GENERIC = -1
+;; Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_HELM = -1
+;; Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_MAVEN = -1
+;; Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_NPM = -1
+;; Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_NUGET = -1
+;; Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_PUB = -1
+;; Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_PYPI = -1
+;; Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_RUBYGEMS = -1
+;; Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_VAGRANT = -1

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@ -14,11 +14,6 @@ if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
    ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
 fi

-if [ ! -f /data/ssh/ssh_host_dsa_key ]; then
-    echo "Generating /data/ssh/ssh_host_dsa_key..."
-    ssh-keygen -t dsa -f /data/ssh/ssh_host_dsa_key -N "" > /dev/null
-fi
-
 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
    echo "Generating /data/ssh/ssh_host_ecdsa_key..."
    ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
@ -36,17 +31,12 @@ if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
 fi

-if [ -e /data/ssh/ssh_host_dsa_cert ]; then
-  SSH_DSA_CERT=${SSH_DSA_CERT:-"/data/ssh/ssh_host_dsa_cert"}
-fi
-
 if [ -d /etc/ssh ]; then
    SSH_PORT=${SSH_PORT:-"22"} \
    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
    SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
    SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
    SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
-    SSH_DSA_CERT="${SSH_DSA_CERT:+"HostCertificate "}${SSH_DSA_CERT}" \
    SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
    SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
    SSH_INCLUDE_FILE="${SSH_INCLUDE_FILE:+"Include "}${SSH_INCLUDE_FILE}" \
--- a/docker/root/etc/templates/sshd_config
+++ b/docker/root/etc/templates/sshd_config
@ -16,8 +16,6 @@ HostKey /data/ssh/ssh_host_rsa_key
 ${SSH_RSA_CERT}
 HostKey /data/ssh/ssh_host_ecdsa_key
 ${SSH_ECDSA_CERT}
-HostKey /data/ssh/ssh_host_dsa_key
-${SSH_DSA_CERT}

 AuthorizedKeysFile .ssh/authorized_keys
 AuthorizedPrincipalsFile .ssh/authorized_principals
--- a/docker/rootless/usr/local/bin/docker-setup.sh
+++ b/docker/rootless/usr/local/bin/docker-setup.sh
@ -5,7 +5,7 @@ mkdir -p ${HOME} && chmod 0700 ${HOME}
 if [ ! -w ${HOME} ]; then echo "${HOME} is not writable"; exit 1; fi

 # Prepare custom folder
-mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
+mkdir -p ${GITEA_CUSTOM} && chmod 0700 ${GITEA_CUSTOM}

 # Prepare temp folder
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
--- a/docs/.gitignore
+++ b/docs/.gitignore
@ -2,3 +2,6 @@ public/
 templates/swagger/v1_json.tmpl
 themes/
 resources/
+
+# Temporary lock file while building
+/.hugo_build.lock
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -18,10 +18,11 @@ params:
  description: Git with a cup of tea
  author: The Gitea Authors
  website: https://docs.gitea.io
-  version: 1.16.8
+  version: 1.17.3
  minGoVersion: 1.18
-  goVersion: 1.18
+  goVersion: 1.19
  minNodeVersion: 14
+  search: nav

 outputs:
  home:
--- a/docs/content/doc/advanced/clone-filter.en-us.md
+++ b/docs/content/doc/advanced/clone-filter.en-us.md
@ -30,7 +30,6 @@ see Git version of the server.
 By default, clone filters are enabled, unless `DISABLE_PARTIAL_CLONE` under
 `[git]` is set to `true`.

-
 See [GitHub blog post: Get up to speed with partial clone](https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/)
 for common use cases of clone filters (blobless and treeless clones), and
 [GitLab docs for partial clone](https://docs.gitlab.com/ee/topics/git/partial_clone.html)
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@ -27,23 +27,56 @@ accurately recorded in [app.example.ini](https://github.com/go-gitea/gitea/blob/
 (s/main/\<tag|release\>). Any string in the format `%(X)s` is a feature powered
 by [ini](https://github.com/go-ini/ini/#recursive-values), for reading values recursively.

+In the default values below, a value in the form `$XYZ` refers to an environment variable. (However, see `environment-to-ini`.) Values in the form  _`XxYyZz`_ refer to values listed as part of the default configuration. These notation forms will not work in your own `app.ini` file and are only listed here as documentation.
+
 Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 **Note:** A full restart is required for Gitea configuration changes to take effect.

 {{< toc >}}

+## Default Configuration (non-`app.ini` configuration)
+
+These values are environment-dependent but form the basis of a lot of values. They will be
+reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+
+- _`AppPath`_: This is the absolute path of the running gitea binary.
+- _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+  - The `--work-path` flag passed to the binary
+  - The environment variable `$GITEA_WORK_DIR`
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to the directory of the _`AppPath`_
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`AppPath`_
+- _`CustomPath`_: This is the base directory for custom templates and other options.
+It is determined by using the first set thing in the following hierarchy:
+  - The `--custom-path` flag passed to the binary
+  - The environment variable `$GITEA_CUSTOM`
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to _`AppWorkPath`_`/custom`
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`AppWorkPath`_
+- _`CustomConf`_: This is the path to the `app.ini` file.
+  - The `--config` flag passed to the binary
+  - A built-in value set at build time (see building from source)
+  - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+  - If any of the above are relative paths then they are made absolute against the
+the directory of the _`CustomPath`_
+
+In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+
 ## Overall (`DEFAULT`)

 - `APP_NAME`: **Gitea: Git with a cup of tea**: Application name, used in the page title.
- `RUN_USER`: **git**: The user Gitea will run as. This should be a dedicated system
-   (non-user) account. Setting this incorrectly will cause Gitea to not start.
+- `RUN_USER`: **_current OS username_/`$USER`/`$USERNAME` e.g. git**: The user Gitea will run as.
+   This should be a dedicated system (non-user) account. Setting this incorrectly will cause Gitea
+   to not start.
 - `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".

 ## Repository (`repository`)

- `ROOT`: **%(APP_DATA_PATH)/gitea-repositories**: Root path for storing all repository data.
-   A relative path is interpreted as **%(GITEA_WORK_DIR)/%(ROOT)**.
+- `ROOT`: **%(APP_DATA_PATH)s/gitea-repositories**: Root path for storing all repository data.
+   A relative path is interpreted as **_`AppWorkPath`_/%(ROOT)s**.
 - `SCRIPT_TYPE`: **bash**: The script type this server supports. Usually this is `bash`,
   but some users report that only `sh` is available.
 - `DETECTED_CHARSETS_ORDER`: **UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr**: Tie-break order of detected charsets - if the detected charsets have equal confidence, charsets earlier in the list will be chosen in preference to those later. Adding `defaults` will place the unnamed charsets at that point.
@ -78,6 +111,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `DEFAULT_BRANCH`: **main**: Default branch name of all repositories.
 - `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
 - `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
+- `DISABLE_DOWNLOAD_SOURCE_ARCHIVES`: **false**: Don't allow download source archive files from UI

 ### Repository - Editor (`repository.editor`)

@ -130,9 +164,9 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
  - `always`: Always sign
  - Options other than `never` and `always` can be combined as a comma separated list.
 - `DEFAULT_TRUST_MODEL`: **collaborator**: \[collaborator, committer, collaboratorcommitter\]: The default trust model used for verifying commits.
-   - `collaborator`: Trust signatures signed by keys of collaborators.
-   - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the committer).
-   - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the committer.
+  - `collaborator`: Trust signatures signed by keys of collaborators.
+  - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the committer).
+  - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the committer.
 - `WIKI`: **never**: \[never, pubkey, twofa, always, parentsigned\]: Sign commits to wiki.
 - `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions.
  - Options as above, with the addition of:
@ -152,6 +186,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 Configuration for set the expected MIME type based on file extensions of downloadable files. Configuration presents in key-value pairs and file extensions starts with leading `.`.

 The following configuration set `Content-Type: application/vnd.android.package-archive` header when downloading files with `.apk` file extension.
+
 ```ini
 .apk=application/vnd.android.package-archive
 ```
@ -165,15 +200,17 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.

 ## UI (`ui`)

 - `EXPLORE_PAGING_NUM`: **20**: Number of repositories that are shown in one explore page.
- `ISSUE_PAGING_NUM`: **10**: Number of issues that are shown in one page (for all pages that list issues).
+- `ISSUE_PAGING_NUM`: **20**: Number of issues that are shown in one page (for all pages that list issues, milestones, projects).
 - `MEMBERS_PAGING_NUM`: **20**: Number of members that are shown in organization members.
 - `FEED_MAX_COMMIT_NUM`: **5**: Number of maximum commits shown in one activity feed.
 - `FEED_PAGING_NUM`: **20**: Number of items that are displayed in home feed.
+- `SITEMAP_PAGING_NUM`: **20**: Number of items that are displayed in a single subsitemap.
 - `GRAPH_MAX_COMMIT_NUM`: **100**: Number of maximum commits shown in the commit graph.
 - `CODE_COMMENT_LINES`: **4**: Number of line of codes shown for a code comment.
 - `DEFAULT_THEME`: **auto**: \[auto, gitea, arc-green\]: Set the default theme for the Gitea install.
@ -191,6 +228,8 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `DEFAULT_SHOW_FULL_NAME`: **false**: Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
 - `SEARCH_REPO_DESCRIPTION`: **true**: Whether to search within description at repository search on explore page.
 - `USE_SERVICE_WORKER`: **false**: Whether to enable a Service Worker to cache frontend assets.
+- `ONLY_SHOW_RELEVANT_REPOS`: **false** Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
+    A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).

 ### UI - Admin (`ui.admin`)

@ -231,10 +270,16 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional
  URL hyperlinks to be rendered in Markdown. URLs beginning in http and https are
  always displayed
+- `ENABLE_MATH`: **true**: Enables detection of `\(...\)`, `\[...\]`, `$...$` and `$$...$$` blocks as math blocks.

 ## Server (`server`)

+- `APP_DATA_PATH`: **_`AppWorkPath`_/data**: This is the default root path for storing data.
 - `PROTOCOL`: **http**: \[http, https, fcgi, http+unix, fcgi+unix\]
+- `USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol headers on connections
+- `PROXY_PROTOCOL_TLS_BRIDGING`: **false**: When protocol is https, expect PROXY protocol headers after TLS negotiation.
+- `PROXY_PROTOCOL_HEADER_TIMEOUT`: **5s**: Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
+- `PROXY_PROTOCOL_ACCEPT_UNKNOWN`: **false**: Accept PROXY protocol headers with Unknown type.
 - `DOMAIN`: **localhost**: Domain name of this server.
 - `ROOT_URL`: **%(PROTOCOL)s://%(DOMAIN)s:%(HTTP\_PORT)s/**:
   Overwrite the automatically generated public URL.
@ -244,14 +289,19 @@ The following configuration set `Content-Type: application/vnd.android.package-a
   This includes CSS files, images, JS files and web fonts.
   Avatar images are dynamic resources and still served by Gitea.
   The option can be just a different path, as in `/static`, or another domain, as in `https://cdn.example.com`.
-   Requests are then made as `%(ROOT_URL)s/static/css/index.css` and `https://cdn.example.com/css/index.css` respective.
+   Requests are then made as `%(ROOT_URL)s/static/assets/css/index.css` or `https://cdn.example.com/assets/css/index.css` respectively.
   The static files are located in the `public/` directory of the Gitea source repository.
+   You can proxy the STATIC_URL_PREFIX requests to Gitea server to serve the static
+   assets, or copy the manually built Gitea assets from `$GITEA_BUILD/public` to
+   the assets location, eg: `/var/www/assets`, make sure `$STATIC_URL_PREFIX/assets/css/index.css`
+   points to `/var/www/assets/css/index.css`.
+
 - `HTTP_ADDR`: **0.0.0.0**: HTTP listen address.
-   - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
+  - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
     defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
-   - If `PROTOCOL` is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. Relative paths will be made absolute against the AppWorkPath.
+  - If `PROTOCOL` is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. Relative paths will be made absolute against the _`AppWorkPath`_.
 - `HTTP_PORT`: **3000**: HTTP listen port.
-   - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
+  - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
     defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
 - `UNIX_SOCKET_PERMISSION`: **666**: Permissions for the Unix socket.
 - `LOCAL_ROOT_URL`: **%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/**: Local
@ -259,14 +309,17 @@ The following configuration set `Content-Type: application/vnd.android.package-a
   most cases you do not need to change the default value. Alter it only if
   your SSH server node is not the same as HTTP node. Do not set this variable
   if `PROTOCOL` is set to `http+unix`.
+- `LOCAL_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: When making local connections pass the PROXY protocol header.
+   This should be set to false if the local connection will go through the proxy.
 - `PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the connection. (Set to -1 to
   disable all timeouts.)
 - `PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to connections.

 - `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
 - `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
+- `SSH_SERVER_USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol header on connections to the built-in SSH Server.
 - `BUILTIN_SSH_SERVER_USER`: **%(RUN_USER)s**: Username to use for the built-in SSH Server.
- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
+- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)s**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
 - `SSH_DOMAIN`: **%(DOMAIN)s**: Domain name of this server, used for displayed clone URL.
 - `SSH_PORT`: **22**: SSH port displayed in clone URL.
 - `SSH_LISTEN_HOST`: **0.0.0.0**: Listen address for the built-in SSH server.
@ -293,23 +346,24 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type.

 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`.
- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`.
- `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
+- `STATIC_ROOT_PATH`: **_`StaticRootPath`_**: Upper level of template and static files path.
+- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data. Relative paths will be made absolute against _`AppWorkPath`_.
 - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev".
 - `ENABLE_GZIP`: **false**: Enable gzip compression for runtime-generated content, static resources excluded.
- `ENABLE_PPROF`: **false**: Application profiling (memory and cpu). For "web" command it listens on localhost:6060. For "serv" command it dumps to disk at `PPROF_DATA_PATH` as `(cpuprofile|memprofile)_<username>_<temporary id>`
- `PPROF_DATA_PATH`: **data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start Gitea as service
+- `ENABLE_PPROF`: **false**: Application profiling (memory and cpu). For "web" command it listens on `localhost:6060`. For "serv" command it dumps to disk at `PPROF_DATA_PATH` as `(cpuprofile|memprofile)_<username>_<temporary id>`
+- `PPROF_DATA_PATH`: **_`AppWorkPath`_/data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start Gitea as service
 - `LANDING_PAGE`: **home**: Landing page for unauthenticated users \[home, explore, organizations, login, **custom**\]. Where custom would instead be any URL such as "/org/repo" or even `https://anotherwebsite.com`
 - `LFS_START_SERVER`: **false**: Enables Git LFS support.
- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)/lfs**: Default LFS content path. (if it is on local storage.) **DEPRECATED** use settings in `[lfs]`.
+- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)s/lfs**: Default LFS content path. (if it is on local storage.) **DEPRECATED** use settings in `[lfs]`.
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
 - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
 - `LFS_MAX_FILE_SIZE`: **0**: Maximum allowed LFS file size in bytes (Set to 0 for no limit).
 - `LFS_LOCKS_PAGING_NUM`: **50**: Maximum number of LFS Locks returned per page.

 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
+- `REDIRECTOR_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: expect PROXY protocol header on connections to https redirector.
 - `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
 - `SSL_MIN_VERSION`: **TLSv1.2**: Set the minimum version of ssl support.
 - `SSL_MAX_VERSION`: **\<empty\>**: Set the maximum version of ssl support.
@ -369,17 +423,18 @@ The following configuration set `Content-Type: application/vnd.android.package-a
  (e.g. `ALTER USER user SET SEARCH_PATH = schema_name,"$user",public;`).
 - `SSL_MODE`: **disable**: SSL/TLS encryption mode for connecting to the database. This option is only applied for PostgreSQL and MySQL.
  - Valid values for MySQL:
-     - `true`: Enable TLS with verification of the database server certificate against its root certificate. When selecting this option make sure that the root certificate required to validate the database server certificate (e.g. the CA certificate) is on the system certificate store of both the database and Gitea servers. See your system documentation for instructions on how to add a CA certificate to the certificate store.
-     - `false`: Disable TLS.
-     - `disable`: Alias for `false`, for compatibility with PostgreSQL.
-     - `skip-verify`: Enable TLS without database server certificate verification. Use this option if you have self-signed or invalid certificate on the database server.
-     - `prefer`: Enable TLS with fallback to non-TLS connection.
+    - `true`: Enable TLS with verification of the database server certificate against its root certificate. When selecting this option make sure that the root certificate required to validate the database server certificate (e.g. the CA certificate) is on the system certificate store of both the database and Gitea servers. See your system documentation for instructions on how to add a CA certificate to the certificate store.
+    - `false`: Disable TLS.
+    - `disable`: Alias for `false`, for compatibility with PostgreSQL.
+    - `skip-verify`: Enable TLS without database server certificate verification. Use this option if you have self-signed or invalid certificate on the database server.
+    - `prefer`: Enable TLS with fallback to non-TLS connection.
  - Valid values for PostgreSQL:
-     - `disable`: Disable TLS.
-     - `require`: Enable TLS without any verifications.
-     - `verify-ca`: Enable TLS with verification of the database server certificate against its root certificate.
-     - `verify-full`: Enable TLS and verify the database server name matches the given certificate in either the `Common Name` or `Subject Alternative Name` fields.
+    - `disable`: Disable TLS.
+    - `require`: Enable TLS without any verifications.
+    - `verify-ca`: Enable TLS with verification of the database server certificate against its root certificate.
+    - `verify-full`: Enable TLS and verify the database server name matches the given certificate in either the `Common Name` or `Subject Alternative Name` fields.
 - `SQLITE_TIMEOUT`: **500**: Query timeout for SQLite3 only.
+- `SQLITE_JOURNAL_MODE`: **""**: Change journal mode for SQlite3. Can be used to enable [WAL mode](https://www.sqlite.org/wal.html) when high load causes write congestion. See [SQlite3 docs](https://www.sqlite.org/pragma.html#pragma_journal_mode) for possible values. Defaults to the default for the database file, often DELETE.
 - `ITERATE_BUFFER_SIZE`: **50**: Internal buffer size for iterating.
 - `CHARSET`: **utf8mb4**: For MySQL only, either "utf8" or "utf8mb4". NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
 - `PATH`: **data/gitea.db**: For SQLite3 only, the database file path.
@ -398,10 +453,10 @@ relation to port exhaustion.
 - `ISSUE_INDEXER_TYPE`: **bleve**: Issue indexer type, currently supported: `bleve`, `db` or `elasticsearch`.
 - `ISSUE_INDEXER_CONN_STR`: ****: Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch. i.e. http://elastic:changeme@localhost:9200
 - `ISSUE_INDEXER_NAME`: **gitea_issues**: Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch.
+- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch. Relative paths will be made absolute against _`AppWorkPath`_.
 - The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility:
 - `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`. Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 - `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
 - `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number. **DEPRECATED** use settings in `[queue.issue_indexer]`.

@ -423,7 +478,7 @@ relation to port exhaustion.
 Configuration at `[queue]` will set defaults for queues with overrides for individual queues at `[queue.*]`. (However see below.)

 - `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel` (uses a LevelDB internally), `channel`, `level`, `redis`, `dummy`
- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.)
+- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.) Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 - `LENGTH`: **20**: Maximal queue size before channel queues block
 - `BATCH_LENGTH`: **20**: Batch data before passing to the handler
 - `CONN_STR`: **redis://127.0.0.1:6379/0**: Connection string for the redis queue type. Options can be set using query params. Similarly LevelDB options can also be set using: **leveldb://relative/path?option=value** or **leveldb:///absolute/path?option=value**, and will override `DATADIR`
@ -434,11 +489,11 @@ Configuration at `[queue]` will set defaults for queues with overrides for indiv
 - `MAX_ATTEMPTS`: **10**: Maximum number of attempts to create the wrapped queue
 - `TIMEOUT`: **GRACEFUL_HAMMER_TIME + 30s**: Timeout the creation of the wrapped queue if it takes longer than this to create.
 - Queues by default come with a dynamically scaling worker pool. The following settings configure this:
- `WORKERS`: **0** (v1.14 and before: **1**): Number of initial workers for the queue.
+- `WORKERS`: **0**: Number of initial workers for the queue.
 - `MAX_WORKERS`: **10**: Maximum number of worker go-routines for the queue.
 - `BLOCK_TIMEOUT`: **1s**: If the queue blocks for this time, boost the number of workers - the `BLOCK_TIMEOUT` will then be doubled before boosting again whilst the boost is ongoing.
 - `BOOST_TIMEOUT`: **5m**: Boost workers will timeout after this long.
- `BOOST_WORKERS`: **1** (v1.14 and before: **5**): This many workers will be added to the worker pool if there is a boost.
+- `BOOST_WORKERS`: **1**: This many workers will be added to the worker pool if there is a boost.

 Gitea creates the following non-unique queues:

@ -479,7 +534,8 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 ## Security (`security`)

 - `INSTALL_LOCK`: **false**: Controls access to the installation page. When set to "true", the installation page is not accessible.
- `SECRET_KEY`: **\<random at every install\>**: Global secret key. This should be changed.
+- `SECRET_KEY`: **\<random at every install\>**: Global secret key. This key is VERY IMPORTANT, if you lost it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
+- `SECRET_KEY_URI`: **<empty>**: Instead of defining SECRET_KEY, this option can be used to use the key stored in a file (example value: `file:/etc/gitea/secret_key`). It shouldn't be lost like SECRET_KEY.
 - `LOGIN_REMEMBER_DAYS`: **7**: Cookie lifetime, in days.
 - `COOKIE_USERNAME`: **gitea\_awesome**: Name of the cookie used to store the current username.
 - `COOKIE_REMEMBER_NAME`: **gitea\_incredible**: Name of cookie used to store authentication
@ -488,6 +544,8 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
   authentication.
 - `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
   authentication provided email.
+- `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`: **X-WEBAUTH-FULLNAME**: Header name for reverse proxy
+   authentication provided full name.
 - `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
   Number of trusted proxy count. Set to zero to not use these headers.
 - `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
@ -503,25 +561,25 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to Gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
+- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining INTERNAL_TOKEN in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
 - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\], argon2 will spend more memory than others.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
-    - lower - use one or more lower latin characters
-    - upper - use one or more upper latin characters
-    - digit - use one or more digits
-    - spec - use one or more special characters as ``!"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~``
-    - off - do not check password complexity
+  - lower - use one or more lower latin characters
+  - upper - use one or more upper latin characters
+  - digit - use one or more digits
+  - spec - use one or more special characters as ``!"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~``
+  - off - do not check password complexity
 - `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.
 - `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**: Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.

 ## Camo (`camo`)

 - `ENABLED`: **false**: Enable media proxy, we support images only at the moment.
- `SERVER_URL`: **<empty>**: url of camo server, it **is required** if camo is enabled.
- `HMAC_KEY`: **<empty>**: Provide the HMAC key for encoding urls, it **is required** if camo is enabled.
- `ALLWAYS`: **false**: Set to true to use camo for https too lese only non https urls are proxyed
+- `SERVER_URL`: **<empty>**: URL of camo server, it **is required** if camo is enabled.
+- `HMAC_KEY`: **<empty>**: Provide the HMAC key for encoding URLs, it **is required** if camo is enabled.
+- `ALLWAYS`: **false**: Set to true to use camo for both HTTP and HTTPS content, otherwise only non-HTTPS URLs are proxied

 ## OpenID (`openid`)

@ -534,18 +592,18 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o

 ## OAuth2 Client (`oauth2_client`)

- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `REGISTER_EMAIL_CONFIRM`: _[service]_ **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
 - `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
 - `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
 - `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
-    - userid - use the userid / sub attribute
-    - nickname - use the nickname attribute
-    - email - use the username part of the email attribute
+  - userid - use the userid / sub attribute
+  - nickname - use the nickname attribute
+  - email - use the username part of the email attribute
 - `UPDATE_AVATAR`: **false**: Update avatar if available from oauth2 provider. Update will be performed on each login.
 - `ACCOUNT_LINKING`: **login**: How to handle if an account / email already exists:
-    - disabled - show an error
-    - login - show an account linking login
-    - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)
+  - disabled - show an error
+  - login - show an account linking login
+  - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)

 ## Service (`service`)

@ -573,15 +631,21 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
   for reverse authentication.
 - `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
   provided email rather than a generated email.
+- `ENABLE_REVERSE_PROXY_FULL_NAME`: **false**: Enable this to allow to auto-registration with a
+   provided full name for the user.
 - `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: Enable this to require captcha validation for login. You also must enable `ENABLE_CAPTCHA`.
 - `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
-   even for External Accounts (i.e. GitHub, OpenID Connect, etc). You must `ENABLE_CAPTCHA` also.
- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha\]
+   even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha\]
 - `RECAPTCHA_SECRET`: **""**: Go to https://www.google.com/recaptcha/admin to get a secret for recaptcha.
 - `RECAPTCHA_SITEKEY`: **""**: Go to https://www.google.com/recaptcha/admin to get a sitekey for recaptcha.
 - `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: Set the recaptcha url - allows the use of recaptcha net.
 - `HCAPTCHA_SECRET`: **""**: Sign up at https://www.hcaptcha.com/ to get a secret for hcaptcha.
 - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
+- `MCAPTCHA_SECRET`: **""**: Go to your mCaptcha instance to get a secret for mCaptcha.
+- `MCAPTCHA_SITEKEY`: **""**: Go to your mCaptcha instance to get a sitekey for mCaptcha.
+- `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: Set the mCaptcha URL.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
 - `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
@ -620,14 +684,14 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type

 - `ED25519`: **256**
 - `ECDSA`: **256**
- `RSA`: **2048**
+- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider

 ## Webhook (`webhook`)

 - `QUEUE_LENGTH`: **1000**: Hook task queue length. Use caution when editing this value.
 - `DELIVER_TIMEOUT`: **5**: Delivery timeout (sec) for shooting webhooks.
- `ALLOWED_HOST_LIST`: **external**: Since 1.15.7. Default to `*` for 1.15.x, `external` for 1.16 and later. Webhook can only call allowed hosts for security reasons. Comma separated list.
+- `ALLOWED_HOST_LIST`: **external**: Webhook can only call allowed hosts for security reasons. Comma separated list.
  - Built-in networks:
    - `loopback`: 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
    - `private`: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
@ -642,42 +706,42 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type

 ## Mailer (`mailer`)

+⚠️ This section is for Gitea 1.18 and later. If you are using Gitea 1.17 or older,
+please refer to
+[Gitea 1.17 app.ini example](https://github.com/go-gitea/gitea/blob/release/v1.17/custom/conf/app.example.ini)
+and
+[Gitea 1.17 configuration document](https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md)
+
 - `ENABLED`: **false**: Enable to use a mail service.
- `DISABLE_HELO`: **\<empty\>**: Disable HELO operation.
- `HELO_HOSTNAME`: **\<empty\>**: Custom hostname for HELO operation.
- `HOST`: **\<empty\>**: SMTP mail host address and port (example: smtp.gitea.io:587).
-  - As per RFC 8314, if supported, Implicit TLS/SMTPS on port 465 is recommended, otherwise opportunistic TLS via STARTTLS on port 587 should be used.
- `IS_TLS_ENABLED` :  **false** : Forcibly use TLS to connect even if not on a default SMTPS port.
-  - Note, if the port ends with `465` Implicit TLS/SMTPS/SMTP over TLS will be used despite this setting.
-  - Otherwise if `IS_TLS_ENABLED=false` and the server supports `STARTTLS` this will be used. Thus if `STARTTLS` is preferred you should set `IS_TLS_ENABLED=false`.
- `FROM`: **\<empty\>**: Mail from address, RFC 5322. This can be just an email address, or
-   the "Name" \<email@example.com\> format.
- `ENVELOPE_FROM`: **\<empty\>**: Address set as the From address on the SMTP mail envelope. Set to `<>` to send an empty address.
+- `PROTOCOL`: **\<empty\>**: Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy". _Before 1.18, this was inferred from a combination of `MAILER_TYPE` and `IS_TLS_ENABLED`._
+  - SMTP family, if your provider does not explicitly say which protocol it uses but does provide a port, you can set SMTP_PORT instead and this will be inferred.
+  - **sendmail** Use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
+  - **dummy** Send email messages to the log as a testing phase.
+  - Note that enabling sendmail will ignore all other `mailer` settings except `ENABLED`, `FROM`, `SUBJECT_PREFIX` and `SENDMAIL_PATH`.
+  - Enabling dummy will ignore all settings except `ENABLED`, `SUBJECT_PREFIX` and `FROM`.
+- `SMTP_ADDR`: **\<empty\>**: Mail server address. e.g. smtp.gmail.com. For smtp+unix, this should be a path to a unix socket instead. _Before 1.18, this was combined with `SMTP_PORT` under the name `HOST`._
+- `SMTP_PORT`: **\<empty\>**: Mail server port. If no protocol is specified, it will be inferred by this setting. Common ports are listed below. _Before 1.18, this was combined with `SMTP_ADDR` under the name `HOST`._
+  - 25:  insecure SMTP
+  - 465: SMTP Secure
+  - 587: StartTLS
+- `USE_CLIENT_CERT`: **false**: Use client certificate for TLS/SSL.
+- `CLIENT_CERT_FILE`: **custom/mailer/cert.pem**: Client certificate file.
+- `CLIENT_KEY_FILE`: **custom/mailer/key.pem**: Client key file.
+- `FORCE_TRUST_SERVER_CERT`: **false**: If set to `true`, completely ignores server certificate validation errors. This option is unsafe. Consider adding the certificate to the system trust store instead.
 - `USER`: **\<empty\>**: Username of mailing user (usually the sender's e-mail address).
 - `PASSWD`: **\<empty\>**: Password of mailing user.  Use \`your password\` for quoting if you use special characters in the password.
-   - Please note: authentication is only supported when the SMTP server communication is encrypted with TLS (this can be via `STARTTLS`) or `HOST=localhost`. See [Email Setup]({{< relref "doc/usage/email-setup.en-us.md" >}}) for more information.
- `SEND_AS_PLAIN_TEXT`: **false**: Send mails as plain text.
- `SKIP_VERIFY`: **false**: Whether or not to skip verification of certificates; `true` to disable verification.
-   - **Warning:** This option is unsafe. Consider adding the certificate to the system trust store instead.
-   - **Note:** Gitea only supports SMTP with STARTTLS.
- `USE_CERTIFICATE`: **false**: Use client certificate.
- `CERT_FILE`: **custom/mailer/cert.pem**
- `KEY_FILE`: **custom/mailer/key.pem**
+  - Please note: authentication is only supported when the SMTP server communication is encrypted with TLS (this can be via `STARTTLS`) or SMTP host is localhost. See [Email Setup]({{< relref "doc/usage/email-setup.en-us.md" >}}) for more information.
+- `ENABLE_HELO`: **true**: Enable HELO operation.
+- `HELO_HOSTNAME`: **(retrieved from system)**: HELO hostname.
+- `FROM`: **\<empty\>**: Mail from address, RFC 5322. This can be just an email address, or the "Name" \<email@example.com\> format.
+- `ENVELOPE_FROM`: **\<empty\>**: Address set as the From address on the SMTP mail envelope. Set to `<>` to send an empty address.
 - `SUBJECT_PREFIX`: **\<empty\>**: Prefix to be placed before e-mail subject lines.
- `MAILER_TYPE`: **smtp**: \[smtp, sendmail, dummy\]
-   - **smtp** Use SMTP to send mail
-   - **sendmail** Use the operating system's `sendmail` command instead of SMTP.
-   This is common on Linux systems.
-   - **dummy** Send email messages to the log as a testing phase.
-   - Note that enabling sendmail will ignore all other `mailer` settings except `ENABLED`,
-     `FROM`, `SUBJECT_PREFIX` and `SENDMAIL_PATH`.
-   - Enabling dummy will ignore all settings except `ENABLED`, `SUBJECT_PREFIX` and `FROM`.
- `SENDMAIL_PATH`: **sendmail**: The location of sendmail on the operating system (can be
-   command or full path).
- `SENDMAIL_ARGS`: **_empty_**: Specify any extra sendmail arguments. (NOTE: you should be aware that email addresses can look like options - if your `sendmail` command takes options you must set the option terminator `--`)
+- `SENDMAIL_PATH`: **sendmail**: The location of sendmail on the operating system (can be command or full path).
+- `SENDMAIL_ARGS`: **\<empty\>**: Specify any extra sendmail arguments. (NOTE: you should be aware that email addresses can look like options - if your `sendmail` command takes options you must set the option terminator `--`)
 - `SENDMAIL_TIMEOUT`: **5m**: default timeout for sending email through sendmail
 - `SENDMAIL_CONVERT_CRLF`: **true**: Most versions of sendmail prefer LF line endings rather than CRLF line endings. Set this to false if your version of sendmail requires CRLF line endings.
 - `SEND_BUFFER_LEN`: **100**: Buffer length of mailing queue. **DEPRECATED** use `LENGTH` in `[queue.mailer]`
+- `SEND_AS_PLAIN_TEXT`: **false**: Send mails only in plain text, without HTML alternative.

 ## Cache (`cache`)

@ -685,9 +749,9 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 - `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, `twoqueue` or `memcache`. (`twoqueue` represents a size limited LRU cache.)
 - `INTERVAL`: **60**: Garbage Collection interval (sec), for memory and twoqueue cache only.
 - `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`. For `twoqueue` sets configuration for the queue.
-   - Redis: `redis://:macaron@127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
-   - Memcache: `127.0.0.1:9090;127.0.0.1:9091`
-   - TwoQueue LRU cache: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` representing the maximum number of objects stored in the cache.
+  - Redis: `redis://:macaron@127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+  - Memcache: `127.0.0.1:9090;127.0.0.1:9091`
+  - TwoQueue LRU cache: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` representing the maximum number of objects stored in the cache.
 - `ITEM_TTL`: **16h**: Time to keep items in cache if not used, Setting it to -1 disables caching.

 ## Cache - LastCommitCache settings (`cache.last_commit`)
@ -699,7 +763,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 ## Session (`session`)

 - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]`
- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string.
+- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_.
 - `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access.
 - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
 - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
@ -730,7 +794,6 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
  - image = default image will be used (which is set in `REPOSITORY_AVATAR_FALLBACK_IMAGE`)
 - `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: Image used as default repository avatar (if `REPOSITORY_AVATAR_FALLBACK` is set to image and none was uploaded)

-
 ## Project (`project`)

 Default templates for project boards:
@ -741,7 +804,7 @@ Default templates for project boards:
 ## Issue and pull request attachments (`attachment`)

 - `ENABLED`: **true**: Whether issue and pull request attachments are enabled.
- `ALLOWED_TYPES`: **.docx,.gif,.gz,.jpeg,.jpg,mp4,.log,.pdf,.png,.pptx,.txt,.xlsx,.zip**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+- `ALLOWED_TYPES`: **.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 - `MAX_SIZE`: **4**: Maximum size (MB).
 - `MAX_FILES`: **5**: Maximum number of attachments that can be uploaded at once.
 - `STORAGE_TYPE`: **local**: Storage type for attachments, `local` for local disk or `minio` for s3 compatible object storage service, default is `local` or other name defined with `[storage.xxx]`
@ -765,11 +828,13 @@ Default templates for project boards:
 - `ENABLE_XORM_LOG`: **true**: Set whether to perform XORM logging. Please note SQL statement logging can be disabled by setting `LOG_SQL` to false in the `[database]` section.

 ### Router Log (`log`)
+
 - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
 - `ROUTER`: **console**: The mode or name of the log the router should log to. (If you set this to `,` it will log to default Gitea logger.)
  NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.

 ### Access Log (`log`)
+
 - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
 - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default Gitea logger.)
 - `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
@ -786,9 +851,9 @@ Default templates for project boards:
 - `STACKTRACE_LEVEL`: **log.STACKTRACE_LEVEL**: Sets the log level at which to log stack traces.
 - `MODE`: **name**: Sets the mode of this sublogger - Defaults to the provided subsection name. This allows you to have two different file loggers at different levels.
 - `EXPRESSION`: **""**: A regular expression to match either the function name, file or message. Defaults to empty. Only log messages that match the expression will be saved in the logger.
- `FLAGS`: **stdflags**: A comma separated string representing the log flags. Defaults to `stdflags` which represents the prefix: `2009/01/23 01:23:23 ...a/b/c/d.go:23:runtime.Caller() [I]: message`. `none` means don't prefix log lines. See `modules/log/base.go` for more information.
+- `FLAGS`: **stdflags**: A comma separated string representing the log flags. Defaults to `stdflags` which represents the prefix: `2009/01/23 01:23:23 ...a/b/c/d.go:23:runtime.Caller() [I]: message`. `none` means don't prefix log lines. See `modules/log/flags.go` for more information.
 - `PREFIX`: **""**: An additional prefix for every log line in this logger. Defaults to empty.
- `COLORIZE`: **false**: Colorize the log lines by default
+- `COLORIZE`: **false**: Whether to colorize the log lines

 ### Console log mode (`log.console`, `log.console.*`, or `MODE=console`)

@ -827,9 +892,9 @@ Default templates for project boards:
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.

 - `SCHEDULE` accept formats
-   - Full crontab specs, e.g. `* * * * * ?`
-   - Descriptors, e.g. `@midnight`, `@every 1h30m` ...
-   - See more: [cron decument](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+  - Full crontab specs, e.g. `* * * * * ?`
+  - Descriptors, e.g. `@midnight`, `@every 1h30m` ...
+  - See more: [cron documentation](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)

 ### Basic cron tasks - enabled by default

@ -886,6 +951,7 @@ Default templates for project boards:
 ### Extended cron tasks (not enabled by default)

 #### Cron - Garbage collect all repositories ('cron.git_gc_repos')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
@ -894,36 +960,42 @@ Default templates for project boards:
 - `ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. The default value is same with [git] -> GC_ARGS

 #### Cron - Update the '.ssh/authorized_keys' file with Gitea SSH keys ('cron.resync_all_sshkeys')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

 #### Cron - Resynchronize pre-receive, update and post-receive hooks of all repositories ('cron.resync_all_hooks')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

 #### Cron - Reinitialize all missing Git repositories for which records exist ('cron.reinit_missing_repos')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

 #### Cron - Delete all repositories missing their Git files ('cron.delete_missing_repos')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

 #### Cron -  Delete generated repository avatars ('cron.delete_generated_repository_avatars')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

 #### Cron -  Delete all old actions from database ('cron.delete_old_actions')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
@ -931,6 +1003,7 @@ Default templates for project boards:
 - `OLDER_THAN`: **@every 8760h**: any action older than this expression will be deleted from database, suggest using `8760h` (1 year) because that's the max length of heatmap.

 #### Cron -  Check for new Gitea versions ('cron.update_checker')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `ENABLE_SUCCESS_NOTICE`: **true**: Set to false to switch off success notices.
@ -938,6 +1011,7 @@ Default templates for project boards:
 - `HTTP_ENDPOINT`: **https://dl.gitea.io/gitea/version.json**: the endpoint that Gitea will check for newer versions

 #### Cron -  Delete all old system notices from database ('cron.delete_old_system_notices')
+
 - `ENABLED`: **false**: Enable service.
 - `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
 - `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
@ -947,6 +1021,8 @@ Default templates for project boards:
 ## Git (`git`)

 - `PATH`: **""**: The path of Git executable. If empty, Gitea searches through the PATH environment.
+- `HOME_PATH`: **%(APP_DATA_PATH)s/home**: The HOME directory for Git.
+   This directory will be used to contain the `.gitconfig` and possible `.gnupg` directories that Gitea's git calls will use. If you can confirm Gitea is the only application running in this environment, you can set it to the normal home directory for Gitea user.
 - `DISABLE_DIFF_HIGHLIGHT`: **false**: Disables highlight of added and removed changes.
 - `MAX_GIT_DIFF_LINES`: **1000**: Max number of lines allowed of a single file in diff view.
 - `MAX_GIT_DIFF_LINE_CHARACTERS`: **5000**: Max character count per line highlighted in diff view.
@ -954,7 +1030,8 @@ Default templates for project boards:
 - `COMMITS_RANGE_SIZE`: **50**: Set the default commits range size
 - `BRANCHES_RANGE_SIZE`: **20**: Set the default branches range size
 - `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. See more on http://git-scm.com/docs/git-gc/
- `ENABLE_AUTO_GIT_WIRE_PROTOCOL`: **true**: If use Git wire protocol version 2 when Git version >= 2.18, default is true, set to false when you always want Git wire protocol version 1
+- `ENABLE_AUTO_GIT_WIRE_PROTOCOL`: **true**: If use Git wire protocol version 2 when Git version >= 2.18, default is true, set to false when you always want Git wire protocol version 1.
+  To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file.
 - `PULL_REQUEST_PUSH_MESSAGE`: **true**: Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
 - `VERBOSE_PUSH`: **true**: Print status information about pushes as they are being processed.
 - `VERBOSE_PUSH_DELAY`: **5s**: Only print verbose information if push takes longer than this delay.
@ -963,6 +1040,7 @@ Default templates for project boards:
 - `DISABLE_PARTIAL_CLONE`: **false** Disable the usage of using partial clones for git.

 ## Git - Timeout settings (`git.timeout`)
+
 - `DEFAUlT`: **360**: Git operations default timeout seconds.
 - `MIGRATE`: **600**: Migrate external repositories timeout seconds.
 - `MIRROR`: **300**: Mirror external repositories timeout seconds.
@ -979,11 +1057,11 @@ Default templates for project boards:

 ## API (`api`)

- `ENABLE_SWAGGER`: **true**: Enables /api/swagger, /api/v1/swagger etc. endpoints. True or false; default is true.
+- `ENABLE_SWAGGER`: **true**: Enables the API documentation endpoints (`/api/swagger`, `/api/v1/swagger`, …). True or false.
 - `MAX_RESPONSE_ITEMS`: **50**: Max number of items in a page.
 - `DEFAULT_PAGING_NUM`: **30**: Default paging number of API.
 - `DEFAULT_GIT_TREES_PER_PAGE`: **1000**: Default and maximum number of items per page for Git trees API.
- `DEFAULT_MAX_BLOB_SIZE`: **10485760**: Default max size of a blob that can be return by the blobs API.
+- `DEFAULT_MAX_BLOB_SIZE`: **10485760** (10MiB): Default max size of a blob that can be returned by the blobs API.

 ## OAuth2 (`oauth2`)

@ -998,13 +1076,10 @@ Default templates for project boards:

 ## i18n (`i18n`)

- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN**:
+- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN**:
     List of locales shown in language selector. The first locale will be used as the default if user browser's language doesn't match any locale in the list.
 - `NAMES`: **English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം**: Visible names corresponding to the locales

-## U2F (`U2F`) **DEPRECATED**
- `APP_ID`: **`ROOT_URL`**: Declares the facet of the application which is used for authentication of previously registered U2F keys. Requires HTTPS.
-
 ## Markup (`markup`)

 - `MERMAID_MAX_SOURCE_CHARACTERS`: **5000**: Set the maximum size of a Mermaid source. (Set to -1 to disable)
@ -1032,6 +1107,7 @@ IS_INPUT_FILE = false
  - iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.

 Two special environment variables are passed to the render command:
+
 - `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.
 - `GITEA_PREFIX_RAW`, which contains the current URL prefix in the `raw` path tree. To be used as prefix for image paths.

@ -1047,10 +1123,10 @@ REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
 ALLOW_DATA_URI_IMAGES = true
 ```

- - `ELEMENT`: The element this policy applies to. Must be non-empty.
- - `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
- - `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
- - `ALLOW_DATA_URI_IMAGES`: **false** Allow data uri images (`<img src="data:image/png;base64,..."/>`).
+- `ELEMENT`: The element this policy applies to. Must be non-empty.
+- `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
+- `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
+- `ALLOW_DATA_URI_IMAGES`: **false** Allow data uri images (`<img src="data:image/png;base64,..."/>`).

 Multiple sanitisation rules can be defined by adding unique subsections, e.g. `[markup.sanitizer.TeX-2]`.
 To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`.
@ -1081,20 +1157,42 @@ Task queue configuration has been moved to `queue.task`. However, the below conf

 - `MAX_ATTEMPTS`: **3**: Max attempts per http/https request on migrations.
 - `RETRY_BACKOFF`: **3**: Backoff time per http/https request retry (seconds)
- `ALLOWED_DOMAINS`: **\<empty\>**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas.
- `BLOCKED_DOMAINS`: **\<empty\>**: Domains blocklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWED_DOMAINS` is not blank, this option has a higher priority to deny domains.
- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291
+- `ALLOWED_DOMAINS`: **\<empty\>**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas. Wildcard is supported: `github.com, *.github.com`.
+- `BLOCKED_DOMAINS`: **\<empty\>**: Domains blocklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWED_DOMAINS` is not blank, this option has a higher priority to deny domains. Wildcard is supported.
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291. If a domain is allowed by `ALLOWED_DOMAINS`, this option will be ignored.
 - `SKIP_TLS_VERIFY`: **false**: Allow skip tls verify

 ## Federation (`federation`)

- `ENABLED`: **true**: Enable/Disable federation capabilities
+- `ENABLED`: **false**: Enable/Disable federation capabilities
 - `SHARE_USER_STATISTICS`: **true**: Enable/Disable user statistics for nodeinfo if federation is enabled
+- `MAX_SIZE`: **4**: Maximum federation request and response size (MB)
+
+ WARNING: Changing the settings below can break federation.
+
+- `ALGORITHMS`: **rsa-sha256, rsa-sha512, ed25519**: HTTP signature algorithms
+- `DIGEST_ALGORITHM`: **SHA-256**: HTTP signature digest algorithm
+- `GET_HEADERS`: **(request-target), Date**: GET headers for federation requests
+- `POST_HEADERS`: **(request-target), Date, Digest**: POST headers for federation requests

 ## Packages (`packages`)

 - `ENABLED`: **true**: Enable/Disable package registry capabilities
 - `CHUNKED_UPLOAD_PATH`: **tmp/package-upload**: Path for chunked uploads. Defaults to `APP_DATA_PATH` + `tmp/package-upload`
+- `LIMIT_TOTAL_OWNER_COUNT`: **-1**: Maximum count of package versions a single owner can have (`-1` means no limits)
+- `LIMIT_TOTAL_OWNER_SIZE`: **-1**: Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_COMPOSER`: **-1**: Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONAN`: **-1**: Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONTAINER`: **-1**: Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_GENERIC`: **-1**: Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_HELM`: **-1**: Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_MAVEN`: **-1**: Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NPM`: **-1**: Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NUGET`: **-1**: Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PUB`: **-1**: Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PYPI`: **-1**: Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_RUBYGEMS`: **-1**: Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_VAGRANT`: **-1**: Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)

 ## Mirror (`mirror`)

@ -1178,6 +1276,7 @@ is `data/repo-archive` and the default of `MINIO_BASE_PATH` is `repo-archive/`.
 - `PROXY_HOSTS`: **\<empty\>**: Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.

 i.e.
+
 ```ini
 PROXY_ENABLED = true
 PROXY_URL = socks://127.0.0.1:1080
@ -1189,3 +1288,5 @@ PROXY_HOSTS = *.github.com
 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
 - `SHOW_FOOTER_VERSION`: **true**: Show Gitea and Go version information in the footer.
 - `SHOW_FOOTER_TEMPLATE_LOAD_TIME`: **true**: Show time of template execution in the footer.
+- `ENABLE_SITEMAP`: **true**: Generate sitemap.
+- `ENABLE_FEED`: **true**: Enable/Disable RSS/Atom feed.
--- a/Show More
+++ b/Show More