From 007d181bb51330c4c24e78c2f40a2e49cae45ed9 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Sat, 18 Feb 2023 06:36:38 +0100
Subject: [PATCH 01/81] Notify on container image create (#22806)

Fixes #22791

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 routers/api/packages/container/manifest.go | 26 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/routers/api/packages/container/manifest.go b/routers/api/packages/container/manifest.go
index 6167d00f31..e36c6a851b 100644
--- a/routers/api/packages/container/manifest.go
+++ b/routers/api/packages/container/manifest.go
@@ -17,6 +17,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/notification"
 	packages_module "code.gitea.io/gitea/modules/packages"
 	container_module "code.gitea.io/gitea/modules/packages/container"
 	"code.gitea.io/gitea/modules/util"
@@ -71,11 +72,9 @@ func processManifest(mci *manifestCreationInfo, buf *packages_module.HashedBuffe
 	}
 
 	if isImageManifestMediaType(mci.MediaType) {
-		d, err := processImageManifest(mci, buf)
-		return d, err
+		return processImageManifest(mci, buf)
 	} else if isImageIndexMediaType(mci.MediaType) {
-		d, err := processImageManifestIndex(mci, buf)
-		return d, err
+		return processImageManifestIndex(mci, buf)
 	}
 	return "", errManifestInvalid
 }
@@ -182,6 +181,10 @@ func processImageManifest(mci *manifestCreationInfo, buf *packages_module.Hashed
 			return err
 		}
 
+		if err := notifyPackageCreate(mci.Creator, pv); err != nil {
+			return err
+		}
+
 		manifestDigest = digest
 
 		return nil
@@ -271,6 +274,10 @@ func processImageManifestIndex(mci *manifestCreationInfo, buf *packages_module.H
 			return err
 		}
 
+		if err := notifyPackageCreate(mci.Creator, pv); err != nil {
+			return err
+		}
+
 		manifestDigest = digest
 
 		return nil
@@ -282,6 +289,17 @@ func processImageManifestIndex(mci *manifestCreationInfo, buf *packages_module.H
 	return manifestDigest, nil
 }
 
+func notifyPackageCreate(doer *user_model.User, pv *packages_model.PackageVersion) error {
+	pd, err := packages_model.GetPackageDescriptor(db.DefaultContext, pv)
+	if err != nil {
+		return err
+	}
+
+	notification.NotifyPackageCreate(db.DefaultContext, doer, pd)
+
+	return nil
+}
+
 func createPackageAndVersion(ctx context.Context, mci *manifestCreationInfo, metadata *container_module.Metadata) (*packages_model.PackageVersion, error) {
 	created := true
 	p := &packages_model.Package{

From bd66fa586a0da58c4cf2f5f8390aef4bac9d0527 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Sat, 18 Feb 2023 21:11:03 +0900
Subject: [PATCH 02/81] Rename `repo.GetOwner` to `repo.LoadOwner` (#22967)

Fixes https://github.com/go-gitea/gitea/issues/22963

---------

Co-authored-by: Yarden Shoham <hrsi88@gmail.com>
---
 models/activities/action.go             |  2 +-
 models/git/protected_branch.go          |  4 ++--
 models/issues/comment.go                |  4 ++--
 models/issues/issue.go                  |  2 +-
 models/issues/pull.go                   |  2 +-
 models/perm/access/access.go            |  8 ++++----
 models/perm/access/access_test.go       |  4 ++--
 models/perm/access/repo_permission.go   |  8 ++++----
 models/repo/repo.go                     |  8 ++++----
 models/repo/update.go                   |  2 +-
 models/repo/user_repo.go                |  4 ++--
 models/repo_collaboration_test.go       |  2 +-
 modules/context/repo.go                 | 12 ++++++------
 modules/doctor/misc.go                  |  2 +-
 modules/repository/collaborator_test.go |  2 +-
 modules/repository/create.go            |  6 +++---
 modules/repository/delete.go            |  2 +-
 modules/test/context_tests.go           |  2 +-
 routers/api/v1/repo/repo.go             |  2 +-
 routers/api/v1/user/repo.go             |  4 ++--
 routers/web/repo/compare.go             |  2 +-
 routers/web/repo/http.go                |  4 ++--
 routers/web/repo/issue.go               |  4 ++--
 routers/web/repo/pull.go                |  8 ++++----
 routers/web/repo/setting.go             |  2 +-
 routers/web/repo/view.go                |  4 ++--
 services/convert/issue.go               |  2 +-
 services/convert/repository.go          |  2 +-
 services/pull/check.go                  |  4 ++--
 services/pull/merge.go                  |  6 +++---
 services/pull/temp_repo.go              | 12 ++++++------
 services/repository/review.go           |  2 +-
 services/repository/transfer.go         |  2 +-
 33 files changed, 68 insertions(+), 68 deletions(-)

diff --git a/models/activities/action.go b/models/activities/action.go
index 8e7492c008..2e845bf89e 100644
--- a/models/activities/action.go
+++ b/models/activities/action.go
@@ -534,7 +534,7 @@ func NotifyWatchers(ctx context.Context, actions ...*Action) error {
 			repo = act.Repo
 
 			// check repo owner exist.
-			if err := act.Repo.GetOwner(ctx); err != nil {
+			if err := act.Repo.LoadOwner(ctx); err != nil {
 				return fmt.Errorf("can't get repo owner: %w", err)
 			}
 		} else if act.Repo == nil {
diff --git a/models/git/protected_branch.go b/models/git/protected_branch.go
index 355a7464c1..eef7e3935a 100644
--- a/models/git/protected_branch.go
+++ b/models/git/protected_branch.go
@@ -314,8 +314,8 @@ type WhitelistOptions struct {
 // This function also performs check if whitelist user and team's IDs have been changed
 // to avoid unnecessary whitelist delete and regenerate.
 func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
-	if err = repo.GetOwner(ctx); err != nil {
-		return fmt.Errorf("GetOwner: %v", err)
+	if err = repo.LoadOwner(ctx); err != nil {
+		return fmt.Errorf("LoadOwner: %v", err)
 	}
 
 	whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
diff --git a/models/issues/comment.go b/models/issues/comment.go
index 36e7b8e785..a47dc7c151 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -620,7 +620,7 @@ func (c *Comment) LoadAssigneeUserAndTeam() error {
 			return err
 		}
 
-		if err = c.Issue.Repo.GetOwner(db.DefaultContext); err != nil {
+		if err = c.Issue.Repo.LoadOwner(db.DefaultContext); err != nil {
 			return err
 		}
 
@@ -824,7 +824,7 @@ func CreateComment(ctx context.Context, opts *CreateCommentOptions) (_ *Comment,
 		return nil, err
 	}
 
-	if err = opts.Repo.GetOwner(ctx); err != nil {
+	if err = opts.Repo.LoadOwner(ctx); err != nil {
 		return nil, err
 	}
 
diff --git a/models/issues/issue.go b/models/issues/issue.go
index e0dcf3d269..b1c7fdbf7e 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -2099,7 +2099,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 	resolved := make(map[string]bool, 10)
 	var mentionTeams []string
 
-	if err := issue.Repo.GetOwner(ctx); err != nil {
+	if err := issue.Repo.LoadOwner(ctx); err != nil {
 		return nil, err
 	}
 
diff --git a/models/issues/pull.go b/models/issues/pull.go
index 3f8b0bc7ac..6a1dc31556 100644
--- a/models/issues/pull.go
+++ b/models/issues/pull.go
@@ -498,7 +498,7 @@ func (pr *PullRequest) SetMerged(ctx context.Context) (bool, error) {
 		return false, err
 	}
 
-	if err := pr.Issue.Repo.GetOwner(ctx); err != nil {
+	if err := pr.Issue.Repo.LoadOwner(ctx); err != nil {
 		return false, err
 	}
 
diff --git a/models/perm/access/access.go b/models/perm/access/access.go
index 48ecf78a8c..2d1b2daa62 100644
--- a/models/perm/access/access.go
+++ b/models/perm/access/access.go
@@ -85,8 +85,8 @@ func updateUserAccess(accessMap map[int64]*userAccess, user *user_model.User, mo
 // FIXME: do cross-comparison so reduce deletions and additions to the minimum?
 func refreshAccesses(ctx context.Context, repo *repo_model.Repository, accessMap map[int64]*userAccess) (err error) {
 	minMode := perm.AccessModeRead
-	if err := repo.GetOwner(ctx); err != nil {
-		return fmt.Errorf("GetOwner: %w", err)
+	if err := repo.LoadOwner(ctx); err != nil {
+		return fmt.Errorf("LoadOwner: %w", err)
 	}
 
 	// If the repo isn't private and isn't owned by a organization,
@@ -143,7 +143,7 @@ func refreshCollaboratorAccesses(ctx context.Context, repoID int64, accessMap ma
 func RecalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, ignTeamID int64) (err error) {
 	accessMap := make(map[int64]*userAccess, 20)
 
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return err
 	} else if !repo.Owner.IsOrganization() {
 		return fmt.Errorf("owner is not an organization: %d", repo.OwnerID)
@@ -199,7 +199,7 @@ func RecalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid
 		accessMode = collaborator.Mode
 	}
 
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return err
 	} else if repo.Owner.IsOrganization() {
 		var teams []organization.Team
diff --git a/models/perm/access/access_test.go b/models/perm/access/access_test.go
index bd828a1e9d..79b131fe89 100644
--- a/models/perm/access/access_test.go
+++ b/models/perm/access/access_test.go
@@ -97,7 +97,7 @@ func TestRepository_RecalculateAccesses(t *testing.T) {
 	// test with organization repo
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
-	assert.NoError(t, repo1.GetOwner(db.DefaultContext))
+	assert.NoError(t, repo1.LoadOwner(db.DefaultContext))
 
 	_, err := db.GetEngine(db.DefaultContext).Delete(&repo_model.Collaboration{UserID: 2, RepoID: 3})
 	assert.NoError(t, err)
@@ -114,7 +114,7 @@ func TestRepository_RecalculateAccesses2(t *testing.T) {
 	// test with non-organization repo
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
-	assert.NoError(t, repo1.GetOwner(db.DefaultContext))
+	assert.NoError(t, repo1.LoadOwner(db.DefaultContext))
 
 	_, err := db.GetEngine(db.DefaultContext).Delete(&repo_model.Collaboration{UserID: 4, RepoID: 4})
 	assert.NoError(t, err)
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index a6bf9b6744..ee76e48200 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -175,7 +175,7 @@ func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 		}
 	}
 
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return
 	}
 
@@ -210,7 +210,7 @@ func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 		return
 	}
 
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return
 	}
 	if !repo.Owner.IsOrganization() {
@@ -281,7 +281,7 @@ func IsUserRealRepoAdmin(repo *repo_model.Repository, user *user_model.User) (bo
 		return true, nil
 	}
 
-	if err := repo.GetOwner(db.DefaultContext); err != nil {
+	if err := repo.LoadOwner(db.DefaultContext); err != nil {
 		return false, err
 	}
 
@@ -378,7 +378,7 @@ func HasAccess(ctx context.Context, userID int64, repo *repo_model.Repository) (
 
 // getUsersWithAccessMode returns users that have at least given access mode to the repository.
 func getUsersWithAccessMode(ctx context.Context, repo *repo_model.Repository, mode perm_model.AccessMode) (_ []*user_model.User, err error) {
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return nil, err
 	}
 
diff --git a/models/repo/repo.go b/models/repo/repo.go
index e7ec93a22a..dcffb63fd1 100644
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@@ -237,7 +237,7 @@ func (repo *Repository) AfterLoad() {
 // LoadAttributes loads attributes of the repository.
 func (repo *Repository) LoadAttributes(ctx context.Context) error {
 	// Load owner
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return fmt.Errorf("load owner: %w", err)
 	}
 
@@ -373,8 +373,8 @@ func (repo *Repository) GetUnit(ctx context.Context, tp unit.Type) (*RepoUnit, e
 	return nil, ErrUnitTypeNotExist{tp}
 }
 
-// GetOwner returns the repository owner
-func (repo *Repository) GetOwner(ctx context.Context) (err error) {
+// LoadOwner loads owner user
+func (repo *Repository) LoadOwner(ctx context.Context) (err error) {
 	if repo.Owner != nil {
 		return nil
 	}
@@ -388,7 +388,7 @@ func (repo *Repository) GetOwner(ctx context.Context) (err error) {
 // It creates a fake object that contains error details
 // when error occurs.
 func (repo *Repository) MustOwner(ctx context.Context) *user_model.User {
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return &user_model.User{
 			Name:     "error",
 			FullName: err.Error(),
diff --git a/models/repo/update.go b/models/repo/update.go
index 8dd1097450..f4cb67bb8f 100644
--- a/models/repo/update.go
+++ b/models/repo/update.go
@@ -143,7 +143,7 @@ func ChangeRepositoryName(doer *user_model.User, repo *Repository, newRepoName s
 		return err
 	}
 
-	if err := repo.GetOwner(db.DefaultContext); err != nil {
+	if err := repo.LoadOwner(db.DefaultContext); err != nil {
 		return err
 	}
 
diff --git a/models/repo/user_repo.go b/models/repo/user_repo.go
index 0d5b8579e0..cdb266e014 100644
--- a/models/repo/user_repo.go
+++ b/models/repo/user_repo.go
@@ -61,7 +61,7 @@ func GetWatchedRepos(ctx context.Context, userID int64, private bool, listOption
 // GetRepoAssignees returns all users that have write access and can be assigned to issues
 // of the repository,
 func GetRepoAssignees(ctx context.Context, repo *Repository) (_ []*user_model.User, err error) {
-	if err = repo.GetOwner(ctx); err != nil {
+	if err = repo.LoadOwner(ctx); err != nil {
 		return nil, err
 	}
 
@@ -111,7 +111,7 @@ func GetRepoAssignees(ctx context.Context, repo *Repository) (_ []*user_model.Us
 // TODO: may be we should have a busy choice for users to block review request to them.
 func GetReviewers(ctx context.Context, repo *Repository, doerID, posterID int64) ([]*user_model.User, error) {
 	// Get the owner of the repository - this often already pre-cached and if so saves complexity for the following queries
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return nil, err
 	}
 
diff --git a/models/repo_collaboration_test.go b/models/repo_collaboration_test.go
index 94c5ab5291..95fb35fe6d 100644
--- a/models/repo_collaboration_test.go
+++ b/models/repo_collaboration_test.go
@@ -17,7 +17,7 @@ func TestRepository_DeleteCollaboration(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
-	assert.NoError(t, repo.GetOwner(db.DefaultContext))
+	assert.NoError(t, repo.LoadOwner(db.DefaultContext))
 	assert.NoError(t, DeleteCollaboration(repo, 4))
 	unittest.AssertNotExistsBean(t, &repo_model.Collaboration{RepoID: repo.ID, UserID: 4})
 
diff --git a/modules/context/repo.go b/modules/context/repo.go
index a38376ff46..e4ac65e961 100644
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -273,8 +273,8 @@ func RetrieveBaseRepo(ctx *Context, repo *repo_model.Repository) {
 		}
 		ctx.ServerError("GetBaseRepo", err)
 		return
-	} else if err = repo.BaseRepo.GetOwner(ctx); err != nil {
-		ctx.ServerError("BaseRepo.GetOwner", err)
+	} else if err = repo.BaseRepo.LoadOwner(ctx); err != nil {
+		ctx.ServerError("BaseRepo.LoadOwner", err)
 		return
 	}
 }
@@ -290,8 +290,8 @@ func RetrieveTemplateRepo(ctx *Context, repo *repo_model.Repository) {
 		}
 		ctx.ServerError("GetTemplateRepo", err)
 		return
-	} else if err = templateRepo.GetOwner(ctx); err != nil {
-		ctx.ServerError("TemplateRepo.GetOwner", err)
+	} else if err = templateRepo.LoadOwner(ctx); err != nil {
+		ctx.ServerError("TemplateRepo.LoadOwner", err)
 		return
 	}
 
@@ -356,8 +356,8 @@ func RedirectToRepo(ctx *Context, redirectRepoID int64) {
 
 func repoAssignment(ctx *Context, repo *repo_model.Repository) {
 	var err error
-	if err = repo.GetOwner(ctx); err != nil {
-		ctx.ServerError("GetOwner", err)
+	if err = repo.LoadOwner(ctx); err != nil {
+		ctx.ServerError("LoadOwner", err)
 		return
 	}
 
diff --git a/modules/doctor/misc.go b/modules/doctor/misc.go
index 73df513901..f20b5b26d5 100644
--- a/modules/doctor/misc.go
+++ b/modules/doctor/misc.go
@@ -141,7 +141,7 @@ func checkDaemonExport(ctx context.Context, logger log.Logger, autofix bool) err
 		if owner, has := cache.Get(repo.OwnerID); has {
 			repo.Owner = owner.(*user_model.User)
 		} else {
-			if err := repo.GetOwner(ctx); err != nil {
+			if err := repo.LoadOwner(ctx); err != nil {
 				return err
 			}
 			cache.Add(repo.OwnerID, repo.Owner)
diff --git a/modules/repository/collaborator_test.go b/modules/repository/collaborator_test.go
index 6cf239d0ea..c772806819 100644
--- a/modules/repository/collaborator_test.go
+++ b/modules/repository/collaborator_test.go
@@ -23,7 +23,7 @@ func TestRepository_AddCollaborator(t *testing.T) {
 
 	testSuccess := func(repoID, userID int64) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
-		assert.NoError(t, repo.GetOwner(db.DefaultContext))
+		assert.NoError(t, repo.LoadOwner(db.DefaultContext))
 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
 		assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
 		unittest.CheckConsistencyFor(t, &repo_model.Repository{ID: repoID}, &user_model.User{ID: userID})
diff --git a/modules/repository/create.go b/modules/repository/create.go
index b9a72ad573..1704ea792c 100644
--- a/modules/repository/create.go
+++ b/modules/repository/create.go
@@ -335,7 +335,7 @@ func UpdateRepoSize(ctx context.Context, repo *repo_model.Repository) error {
 
 // CheckDaemonExportOK creates/removes git-daemon-export-ok for git-daemon...
 func CheckDaemonExportOK(ctx context.Context, repo *repo_model.Repository) error {
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return err
 	}
 
@@ -379,8 +379,8 @@ func UpdateRepository(ctx context.Context, repo *repo_model.Repository, visibili
 	}
 
 	if visibilityChanged {
-		if err = repo.GetOwner(ctx); err != nil {
-			return fmt.Errorf("getOwner: %w", err)
+		if err = repo.LoadOwner(ctx); err != nil {
+			return fmt.Errorf("LoadOwner: %w", err)
 		}
 		if repo.Owner.IsOrganization() {
 			// Organization repository need to recalculate access table when visibility is changed.
diff --git a/modules/repository/delete.go b/modules/repository/delete.go
index c7e05e6669..01674db4a1 100644
--- a/modules/repository/delete.go
+++ b/modules/repository/delete.go
@@ -16,7 +16,7 @@ func CanUserDelete(repo *repo_model.Repository, user *user_model.User) (bool, er
 		return true, nil
 	}
 
-	if err := repo.GetOwner(db.DefaultContext); err != nil {
+	if err := repo.LoadOwner(db.DefaultContext); err != nil {
 		return false, err
 	}
 
diff --git a/modules/test/context_tests.go b/modules/test/context_tests.go
index d50f8efc75..6c434c201b 100644
--- a/modules/test/context_tests.go
+++ b/modules/test/context_tests.go
@@ -86,7 +86,7 @@ func LoadUser(t *testing.T, ctx *context.Context, userID int64) {
 // LoadGitRepo load a git repo into a test context. Requires that ctx.Repo has
 // already been populated.
 func LoadGitRepo(t *testing.T, ctx *context.Context) {
-	assert.NoError(t, ctx.Repo.Repository.GetOwner(ctx))
+	assert.NoError(t, ctx.Repo.Repository.LoadOwner(ctx))
 	var err error
 	ctx.Repo.GitRepo, err = git.OpenRepository(ctx, ctx.Repo.Repository.RepoPath())
 	assert.NoError(t, err)
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index f5db45ffea..0395198e20 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -201,7 +201,7 @@ func Search(ctx *context.APIContext) {
 
 	results := make([]*api.Repository, len(repos))
 	for i, repo := range repos {
-		if err = repo.GetOwner(ctx); err != nil {
+		if err = repo.LoadOwner(ctx); err != nil {
 			ctx.JSON(http.StatusInternalServerError, api.SearchError{
 				OK:    false,
 				Error: err.Error(),
diff --git a/routers/api/v1/user/repo.go b/routers/api/v1/user/repo.go
index d566c072fb..dcb14780a7 100644
--- a/routers/api/v1/user/repo.go
+++ b/routers/api/v1/user/repo.go
@@ -119,8 +119,8 @@ func ListMyRepos(ctx *context.APIContext) {
 
 	results := make([]*api.Repository, len(repos))
 	for i, repo := range repos {
-		if err = repo.GetOwner(ctx); err != nil {
-			ctx.Error(http.StatusInternalServerError, "GetOwner", err)
+		if err = repo.LoadOwner(ctx); err != nil {
+			ctx.Error(http.StatusInternalServerError, "LoadOwner", err)
 			return
 		}
 		accessMode, err := access_model.AccessLevel(ctx, ctx.Doer, repo)
diff --git a/routers/web/repo/compare.go b/routers/web/repo/compare.go
index 5b6faf4d83..4e40867de2 100644
--- a/routers/web/repo/compare.go
+++ b/routers/web/repo/compare.go
@@ -279,7 +279,7 @@ func ParseCompareInfo(ctx *context.Context) *CompareInfo {
 				}
 				return nil
 			}
-			if err := ci.HeadRepo.GetOwner(ctx); err != nil {
+			if err := ci.HeadRepo.LoadOwner(ctx); err != nil {
 				if user_model.IsErrUserNotExist(err) {
 					ctx.NotFound("GetUserByName", nil)
 				} else {
diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index e82b94b9e8..9d4ffccc6d 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -146,8 +146,8 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 
 	// don't allow anonymous pulls if organization is not public
 	if isPublicPull {
-		if err := repo.GetOwner(ctx); err != nil {
-			ctx.ServerError("GetOwner", err)
+		if err := repo.LoadOwner(ctx); err != nil {
+			ctx.ServerError("LoadOwner", err)
 			return
 		}
 
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 42dcfb382d..62565af50f 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -2157,8 +2157,8 @@ func UpdatePullReviewRequest(ctx *context.Context) {
 		}
 		if reviewID < 0 {
 			// negative reviewIDs represent team requests
-			if err := issue.Repo.GetOwner(ctx); err != nil {
-				ctx.ServerError("issue.Repo.GetOwner", err)
+			if err := issue.Repo.LoadOwner(ctx); err != nil {
+				ctx.ServerError("issue.Repo.LoadOwner", err)
 				return
 			}
 
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index ad17005d90..c7a59da8a8 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -119,8 +119,8 @@ func getForkRepository(ctx *context.Context) *repo_model.Repository {
 		return nil
 	}
 
-	if err := forkRepo.GetOwner(ctx); err != nil {
-		ctx.ServerError("GetOwner", err)
+	if err := forkRepo.LoadOwner(ctx); err != nil {
+		ctx.ServerError("LoadOwner", err)
 		return nil
 	}
 
@@ -1315,8 +1315,8 @@ func CleanUpPullRequest(ctx *context.Context) {
 	} else if err = pr.LoadBaseRepo(ctx); err != nil {
 		ctx.ServerError("LoadBaseRepo", err)
 		return
-	} else if err = pr.HeadRepo.GetOwner(ctx); err != nil {
-		ctx.ServerError("HeadRepo.GetOwner", err)
+	} else if err = pr.HeadRepo.LoadOwner(ctx); err != nil {
+		ctx.ServerError("HeadRepo.LoadOwner", err)
 		return
 	}
 
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index 436438c436..387a917412 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -650,7 +650,7 @@ func SettingsPost(ctx *context.Context) {
 			ctx.Error(http.StatusNotFound)
 			return
 		}
-		if err := repo.GetOwner(ctx); err != nil {
+		if err := repo.LoadOwner(ctx); err != nil {
 			ctx.ServerError("Convert Fork", err)
 			return
 		}
diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index 99043e3ee7..e3c61fa408 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -1033,8 +1033,8 @@ func Forks(ctx *context.Context) {
 	}
 
 	for _, fork := range forks {
-		if err = fork.GetOwner(ctx); err != nil {
-			ctx.ServerError("GetOwner", err)
+		if err = fork.LoadOwner(ctx); err != nil {
+			ctx.ServerError("LoadOwner", err)
 			return
 		}
 	}
diff --git a/services/convert/issue.go b/services/convert/issue.go
index 02f25e6e0e..dccf2f3727 100644
--- a/services/convert/issue.go
+++ b/services/convert/issue.go
@@ -32,7 +32,7 @@ func ToAPIIssue(ctx context.Context, issue *issues_model.Issue) *api.Issue {
 	if err := issue.LoadRepo(ctx); err != nil {
 		return &api.Issue{}
 	}
-	if err := issue.Repo.GetOwner(ctx); err != nil {
+	if err := issue.Repo.LoadOwner(ctx); err != nil {
 		return &api.Issue{}
 	}
 
diff --git a/services/convert/repository.go b/services/convert/repository.go
index 5db68e8379..fc965a9457 100644
--- a/services/convert/repository.go
+++ b/services/convert/repository.go
@@ -100,7 +100,7 @@ func innerToRepo(ctx context.Context, repo *repo_model.Repository, mode perm.Acc
 		hasProjects = true
 	}
 
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return nil
 	}
 
diff --git a/services/pull/check.go b/services/pull/check.go
index ea5cccbdec..310ea2e714 100644
--- a/services/pull/check.go
+++ b/services/pull/check.go
@@ -261,8 +261,8 @@ func manuallyMerged(ctx context.Context, pr *issues_model.PullRequest) bool {
 	// When the commit author is unknown set the BaseRepo owner as merger
 	if merger == nil {
 		if pr.BaseRepo.Owner == nil {
-			if err = pr.BaseRepo.GetOwner(ctx); err != nil {
-				log.Error("%-v BaseRepo.GetOwner: %v", pr, err)
+			if err = pr.BaseRepo.LoadOwner(ctx); err != nil {
+				log.Error("%-v BaseRepo.LoadOwner: %v", pr, err)
 				return false
 			}
 		}
diff --git a/services/pull/merge.go b/services/pull/merge.go
index a3d69df8df..3ac67d91b7 100644
--- a/services/pull/merge.go
+++ b/services/pull/merge.go
@@ -199,8 +199,8 @@ func Merge(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.U
 	if err := pr.Issue.LoadRepo(hammerCtx); err != nil {
 		log.Error("LoadRepo for issue [%d]: %v", pr.ID, err)
 	}
-	if err := pr.Issue.Repo.GetOwner(hammerCtx); err != nil {
-		log.Error("GetOwner for PR [%d]: %v", pr.ID, err)
+	if err := pr.Issue.Repo.LoadOwner(hammerCtx); err != nil {
+		log.Error("LoadOwner for PR [%d]: %v", pr.ID, err)
 	}
 
 	if wasAutoMerged {
@@ -573,7 +573,7 @@ func rawMerge(ctx context.Context, pr *issues_model.PullRequest, doer *user_mode
 	}
 
 	var headUser *user_model.User
-	err = pr.HeadRepo.GetOwner(ctx)
+	err = pr.HeadRepo.LoadOwner(ctx)
 	if err != nil {
 		if !user_model.IsErrUserNotExist(err) {
 			log.Error("Can't find user: %d for head repository - %v", pr.HeadRepo.OwnerID, err)
diff --git a/services/pull/temp_repo.go b/services/pull/temp_repo.go
index d49a15cea0..e0d6b4a158 100644
--- a/services/pull/temp_repo.go
+++ b/services/pull/temp_repo.go
@@ -38,12 +38,12 @@ func createTemporaryRepo(ctx context.Context, pr *issues_model.PullRequest) (str
 		return "", &repo_model.ErrRepoNotExist{
 			ID: pr.BaseRepoID,
 		}
-	} else if err := pr.HeadRepo.GetOwner(ctx); err != nil {
-		log.Error("HeadRepo.GetOwner: %v", err)
-		return "", fmt.Errorf("HeadRepo.GetOwner: %w", err)
-	} else if err := pr.BaseRepo.GetOwner(ctx); err != nil {
-		log.Error("BaseRepo.GetOwner: %v", err)
-		return "", fmt.Errorf("BaseRepo.GetOwner: %w", err)
+	} else if err := pr.HeadRepo.LoadOwner(ctx); err != nil {
+		log.Error("HeadRepo.LoadOwner: %v", err)
+		return "", fmt.Errorf("HeadRepo.LoadOwner: %w", err)
+	} else if err := pr.BaseRepo.LoadOwner(ctx); err != nil {
+		log.Error("BaseRepo.LoadOwner: %v", err)
+		return "", fmt.Errorf("BaseRepo.LoadOwner: %w", err)
 	}
 
 	// Clone base repo.
diff --git a/services/repository/review.go b/services/repository/review.go
index d30d61ee06..6b5f096053 100644
--- a/services/repository/review.go
+++ b/services/repository/review.go
@@ -12,7 +12,7 @@ import (
 
 // GetReviewerTeams get all teams can be requested to review
 func GetReviewerTeams(repo *repo_model.Repository) ([]*organization.Team, error) {
-	if err := repo.GetOwner(db.DefaultContext); err != nil {
+	if err := repo.LoadOwner(db.DefaultContext); err != nil {
 		return nil, err
 	}
 	if !repo.Owner.IsOrganization() {
diff --git a/services/repository/transfer.go b/services/repository/transfer.go
index f4afb7e2de..8c167552da 100644
--- a/services/repository/transfer.go
+++ b/services/repository/transfer.go
@@ -26,7 +26,7 @@ var repoWorkingPool = sync.NewExclusivePool()
 
 // TransferOwnership transfers all corresponding setting from old user to new one.
 func TransferOwnership(ctx context.Context, doer, newOwner *user_model.User, repo *repo_model.Repository, teams []*organization.Team) error {
-	if err := repo.GetOwner(ctx); err != nil {
+	if err := repo.LoadOwner(ctx); err != nil {
 		return err
 	}
 	for _, team := range teams {

From feed1ff38f88115f27ea2357a97c21e5277aac88 Mon Sep 17 00:00:00 2001
From: Yarden Shoham <hrsi88@gmail.com>
Date: Sat, 18 Feb 2023 15:41:31 +0200
Subject: [PATCH 03/81] Rename "People" to "Members" in organization page and
 use a better icon (#22960)

`member` is how it's named in the code

Closes #22931

Before | After
--- | ---

![image](https://user-images.githubusercontent.com/20454870/219781155-69a8476e-0f04-4b70-bda5-ea6fa8ce676c.png)
|
![image](https://user-images.githubusercontent.com/20454870/219780887-61644c27-36a2-4e1f-8f98-be3911883b49.png)

---------

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: delvh <leon@kske.dev>
---
 docs/content/page/index.en-us.md    | 2 +-
 options/locale/locale_en-US.ini     | 2 +-
 templates/org/home.tmpl             | 2 +-
 templates/org/menu.tmpl             | 2 +-
 templates/user/overview/header.tmpl | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/content/page/index.en-us.md b/docs/content/page/index.en-us.md
index a0923db72a..60e50efad3 100644
--- a/docs/content/page/index.en-us.md
+++ b/docs/content/page/index.en-us.md
@@ -106,7 +106,7 @@ You can try it out using [the online demo](https://try.gitea.io/).
       - Permission to create organizations
       - Permission to import repositories
     - Organization management
-      - People
+      - Members
       - Teams
       - Avatar
       - Hooks
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 8410fef81e..51ae8c7a02 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2364,7 +2364,7 @@ org_full_name_holder = Organization Full Name
 org_name_helper = Organization names should be short and memorable.
 create_org = Create Organization
 repo_updated = Updated
-people = People
+members = Members
 teams = Teams
 code = Code
 lower_members = members
diff --git a/templates/org/home.tmpl b/templates/org/home.tmpl
index 1b3cabbde7..e1adaf1c1b 100644
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@@ -42,7 +42,7 @@
 					<div class="ui divider"></div>
 				{{end}}
 				<h4 class="ui top attached header gt-df">
-					<strong class="gt-f1">{{.locale.Tr "org.people"}}</strong>
+					<strong class="gt-f1">{{.locale.Tr "org.members"}}</strong>
 					<div class="ui">
 						<a class="text grey gt-dif gt-ac" href="{{.OrgLink}}/members"><span>{{.MembersTotal}}</span> {{svg "octicon-chevron-right"}}</a>
 					</div>
diff --git a/templates/org/menu.tmpl b/templates/org/menu.tmpl
index 5f543424fc..7ca47cd32c 100644
--- a/templates/org/menu.tmpl
+++ b/templates/org/menu.tmpl
@@ -18,7 +18,7 @@
 		{{end}}
 		{{if .IsOrganizationMember}}
 			<a class="{{if $.PageIsOrgMembers}}active {{end}}item" href="{{$.OrgLink}}/members">
-				{{svg "octicon-organization"}}&nbsp;{{$.locale.Tr "org.people"}}
+				{{svg "octicon-person"}}&nbsp;{{$.locale.Tr "org.members"}}
 				{{if .NumMembers}}
 					<div class="ui primary label">{{.NumMembers}}</div>
 				{{end}}
diff --git a/templates/user/overview/header.tmpl b/templates/user/overview/header.tmpl
index eac23fe53f..2449f5fc32 100644
--- a/templates/user/overview/header.tmpl
+++ b/templates/user/overview/header.tmpl
@@ -39,7 +39,7 @@
 			{{if .ContextUser.IsOrganization}}
 				{{if .IsOrganizationMember}}
 					<a class="item" href="{{$.OrgLink}}/members">
-						{{svg "octicon-organization"}}&nbsp;{{$.locale.Tr "org.people"}}
+						{{svg "octicon-person"}}&nbsp;{{$.locale.Tr "org.members"}}
 						{{if .NumMembers}}
 							<div class="ui primary label">{{.NumMembers}}</div>
 						{{end}}

From 6221a6fd5450692ae27e5602b41fc9ebd9150736 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Sat, 18 Feb 2023 20:17:39 +0100
Subject: [PATCH 04/81] Scoped labels (#22585)

Add a new "exclusive" option per label. This makes it so that when the
label is named `scope/name`, no other label with the same `scope/`
prefix can be set on an issue.

The scope is determined by the last occurence of `/`, so for example
`scope/alpha/name` and `scope/beta/name` are considered to be in
different scopes and can coexist.

Exclusive scopes are not enforced by any database rules, however they
are enforced when editing labels at the models level, automatically
removing any existing labels in the same scope when either attaching a
new label or replacing all labels.

In menus use a circle instead of checkbox to indicate they function as
radio buttons per scope. Issue filtering by label ensures that only a
single scoped label is selected at a time. Clicking with alt key can be
used to remove a scoped label, both when editing individual issues and
batch editing.

Label rendering refactor for consistency and code simplification:

* Labels now consistently have the same shape, emojis and tooltips
everywhere. This includes the label list and label assignment menus.
* In label list, show description below label same as label menus.
* Don't use exactly black/white text colors to look a bit nicer.
* Simplify text color computation. There is no point computing luminance
in linear color space, as this is a perceptual problem and sRGB is
closer to perceptually linear.
* Increase height of label assignment menus to show more labels. Showing
only 3-4 labels at a time leads to a lot of scrolling.
* Render all labels with a new RenderLabel template helper function.

Label creation and editing in multiline modal menu:

* Change label creation to open a modal menu like label editing.
* Change menu layout to place name, description and colors on separate
lines.
* Don't color cancel button red in label editing modal menu.
* Align text to the left in model menu for better readability and
consistent with settings layout elsewhere.

Custom exclusive scoped label rendering:

* Display scoped label prefix and suffix with slightly darker and
lighter background color respectively, and a slanted edge between them
similar to the `/` symbol.
* In menus exclusive labels are grouped with a divider line.

---------

Co-authored-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
---
 models/fixtures/issue.yml                     |  17 +++
 models/fixtures/label.yml                     |  45 ++++++++
 models/fixtures/repository.yml                |  12 ++
 models/fixtures/user.yml                      |   2 +-
 models/issues/issue.go                        |  27 +++++
 models/issues/issue_test.go                   |  19 +--
 models/issues/label.go                        | 108 +++++++++++-------
 models/issues/label_test.go                   |  45 +++++++-
 .../Test_DeleteOrphanedIssueLabels/label.yml  |   5 +
 models/migrations/migrations.go               |   2 +
 models/migrations/v1_19/v244.go               |  16 +++
 modules/migration/label.go                    |   1 +
 modules/structs/issue_label.go                |   9 +-
 modules/templates/helper.go                   |  70 +++++++++++-
 options/locale/locale_en-US.ini               |   9 +-
 routers/api/v1/org/label.go                   |   4 +
 routers/api/v1/repo/label.go                  |   4 +
 routers/web/org/org_labels.go                 |   2 +
 routers/web/repo/issue.go                     |  18 ++-
 routers/web/repo/issue_label.go               |  18 ++-
 services/convert/issue.go                     |   1 +
 services/forms/repo_form.go                   |   1 +
 services/migrations/main_test.go              |   1 +
 services/repository/template.go               |   1 +
 templates/projects/view.tmpl                  |   2 +-
 .../repo/issue/labels/edit_delete_label.tmpl  |  42 ++++---
 templates/repo/issue/labels/label.tmpl        |   6 +-
 templates/repo/issue/labels/label_list.tmpl   |  34 +++---
 templates/repo/issue/labels/label_new.tmpl    |  56 ++++++---
 templates/repo/issue/list.tmpl                |  16 ++-
 templates/repo/issue/milestone_issues.tmpl    |   4 +-
 templates/repo/issue/new_form.tmpl            |  16 ++-
 .../repo/issue/view_content/sidebar.tmpl      |  16 ++-
 templates/repo/projects/view.tmpl             |   2 +-
 templates/shared/issuelist.tmpl               |   2 +-
 templates/swagger/v1_json.tmpl                |  18 ++-
 tests/integration/api_issue_test.go           |  14 +--
 tests/integration/api_nodeinfo_test.go        |   2 +-
 tests/integration/issue_test.go               |  14 +--
 web_src/js/components/ContextPopup.vue        |  23 +---
 web_src/js/features/common-issue.js           |   5 +-
 web_src/js/features/comp/LabelEdit.js         |  73 ++++++++++--
 web_src/js/features/repo-legacy.js            |  78 ++++++++-----
 web_src/js/features/repo-projects.js          |  20 +---
 web_src/js/utils.js                           |  15 +++
 web_src/less/_base.less                       |  12 +-
 web_src/less/_repository.less                 |  54 ++++++---
 47 files changed, 714 insertions(+), 247 deletions(-)
 create mode 100644 models/migrations/v1_19/v244.go

diff --git a/models/fixtures/issue.yml b/models/fixtures/issue.yml
index 4dea8add13..174345ff5a 100644
--- a/models/fixtures/issue.yml
+++ b/models/fixtures/issue.yml
@@ -287,3 +287,20 @@
   created_unix: 1602935696
   updated_unix: 1602935696
   is_locked: false
+
+-
+  id: 18
+  repo_id: 55
+  index: 1
+  poster_id: 2
+  original_author_id: 0
+  name: issue for scoped labels
+  content: content
+  milestone_id: 0
+  priority: 0
+  is_closed: false
+  is_pull: false
+  num_comments: 0
+  created_unix: 946684830
+  updated_unix: 978307200
+  is_locked: false
diff --git a/models/fixtures/label.yml b/models/fixtures/label.yml
index 57bf804457..ab4d5ef944 100644
--- a/models/fixtures/label.yml
+++ b/models/fixtures/label.yml
@@ -4,6 +4,7 @@
   org_id: 0
   name: label1
   color: '#abcdef'
+  exclusive: false
   num_issues: 2
   num_closed_issues: 0
 
@@ -13,6 +14,7 @@
   org_id: 0
   name: label2
   color: '#000000'
+  exclusive: false
   num_issues: 1
   num_closed_issues: 1
 
@@ -22,6 +24,7 @@
   org_id: 3
   name: orglabel3
   color: '#abcdef'
+  exclusive: false
   num_issues: 0
   num_closed_issues: 0
 
@@ -31,6 +34,7 @@
   org_id: 3
   name: orglabel4
   color: '#000000'
+  exclusive: false
   num_issues: 1
   num_closed_issues: 0
 
@@ -40,5 +44,46 @@
   org_id: 0
   name: pull-test-label
   color: '#000000'
+  exclusive: false
+  num_issues: 0
+  num_closed_issues: 0
+
+-
+  id: 6
+  repo_id: 55
+  org_id: 0
+  name: unscoped_label
+  color: '#000000'
+  exclusive: false
+  num_issues: 0
+  num_closed_issues: 0
+
+-
+  id: 7
+  repo_id: 55
+  org_id: 0
+  name: scope/label1
+  color: '#000000'
+  exclusive: true
+  num_issues: 0
+  num_closed_issues: 0
+
+-
+  id: 8
+  repo_id: 55
+  org_id: 0
+  name: scope/label2
+  color: '#000000'
+  exclusive: true
+  num_issues: 0
+  num_closed_issues: 0
+
+-
+  id: 9
+  repo_id: 55
+  org_id: 0
+  name: scope/subscope/label2
+  color: '#000000'
+  exclusive: true
   num_issues: 0
   num_closed_issues: 0
diff --git a/models/fixtures/repository.yml b/models/fixtures/repository.yml
index ef3cfbbbec..58f9b919ac 100644
--- a/models/fixtures/repository.yml
+++ b/models/fixtures/repository.yml
@@ -1622,3 +1622,15 @@
   is_archived: false
   is_private: true
   status: 0
+
+-
+  id: 55
+  owner_id: 2
+  owner_name: user2
+  lower_name: scoped_label
+  name: scoped_label
+  is_empty: false
+  is_archived: false
+  is_private: true
+  num_issues: 1
+  status: 0
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 63a5e0f890..0a1d85b48b 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -66,7 +66,7 @@
   num_followers: 2
   num_following: 1
   num_stars: 2
-  num_repos: 10
+  num_repos: 11
   num_teams: 0
   num_members: 0
   visibility: 0
diff --git a/models/issues/issue.go b/models/issues/issue.go
index b1c7fdbf7e..9d7dea0177 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -538,6 +538,31 @@ func (ts labelSorter) Swap(i, j int) {
 	[]*Label(ts)[i], []*Label(ts)[j] = []*Label(ts)[j], []*Label(ts)[i]
 }
 
+// Ensure only one label of a given scope exists, with labels at the end of the
+// array getting preference over earlier ones.
+func RemoveDuplicateExclusiveLabels(labels []*Label) []*Label {
+	validLabels := make([]*Label, 0, len(labels))
+
+	for i, label := range labels {
+		scope := label.ExclusiveScope()
+		if scope != "" {
+			foundOther := false
+			for _, otherLabel := range labels[i+1:] {
+				if otherLabel.ExclusiveScope() == scope {
+					foundOther = true
+					break
+				}
+			}
+			if foundOther {
+				continue
+			}
+		}
+		validLabels = append(validLabels, label)
+	}
+
+	return validLabels
+}
+
 // ReplaceIssueLabels removes all current labels and add new labels to the issue.
 // Triggers appropriate WebHooks, if any.
 func ReplaceIssueLabels(issue *Issue, labels []*Label, doer *user_model.User) (err error) {
@@ -555,6 +580,8 @@ func ReplaceIssueLabels(issue *Issue, labels []*Label, doer *user_model.User) (e
 		return err
 	}
 
+	labels = RemoveDuplicateExclusiveLabels(labels)
+
 	sort.Sort(labelSorter(labels))
 	sort.Sort(labelSorter(issue.Labels))
 
diff --git a/models/issues/issue_test.go b/models/issues/issue_test.go
index de1da19ab9..3a83d8d2b7 100644
--- a/models/issues/issue_test.go
+++ b/models/issues/issue_test.go
@@ -25,7 +25,7 @@ import (
 func TestIssue_ReplaceLabels(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
-	testSuccess := func(issueID int64, labelIDs []int64) {
+	testSuccess := func(issueID int64, labelIDs, expectedLabelIDs []int64) {
 		issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issueID})
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
 		doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
@@ -35,15 +35,20 @@ func TestIssue_ReplaceLabels(t *testing.T) {
 			labels[i] = unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: labelID, RepoID: repo.ID})
 		}
 		assert.NoError(t, issues_model.ReplaceIssueLabels(issue, labels, doer))
-		unittest.AssertCount(t, &issues_model.IssueLabel{IssueID: issueID}, len(labelIDs))
-		for _, labelID := range labelIDs {
+		unittest.AssertCount(t, &issues_model.IssueLabel{IssueID: issueID}, len(expectedLabelIDs))
+		for _, labelID := range expectedLabelIDs {
 			unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issueID, LabelID: labelID})
 		}
 	}
 
-	testSuccess(1, []int64{2})
-	testSuccess(1, []int64{1, 2})
-	testSuccess(1, []int64{})
+	testSuccess(1, []int64{2}, []int64{2})
+	testSuccess(1, []int64{1, 2}, []int64{1, 2})
+	testSuccess(1, []int64{}, []int64{})
+
+	// mutually exclusive scoped labels 7 and 8
+	testSuccess(18, []int64{6, 7}, []int64{6, 7})
+	testSuccess(18, []int64{7, 8}, []int64{8})
+	testSuccess(18, []int64{6, 8, 7}, []int64{6, 7})
 }
 
 func Test_GetIssueIDsByRepoID(t *testing.T) {
@@ -523,5 +528,5 @@ func TestCountIssues(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	count, err := issues_model.CountIssues(db.DefaultContext, &issues_model.IssuesOptions{})
 	assert.NoError(t, err)
-	assert.EqualValues(t, 17, count)
+	assert.EqualValues(t, 18, count)
 }
diff --git a/models/issues/label.go b/models/issues/label.go
index dbb7a139ef..0dd12fb5c9 100644
--- a/models/issues/label.go
+++ b/models/issues/label.go
@@ -7,8 +7,6 @@ package issues
 import (
 	"context"
 	"fmt"
-	"html/template"
-	"math"
 	"regexp"
 	"strconv"
 	"strings"
@@ -89,6 +87,7 @@ type Label struct {
 	RepoID          int64 `xorm:"INDEX"`
 	OrgID           int64 `xorm:"INDEX"`
 	Name            string
+	Exclusive       bool
 	Description     string
 	Color           string `xorm:"VARCHAR(7)"`
 	NumIssues       int
@@ -128,18 +127,22 @@ func (label *Label) CalOpenOrgIssues(ctx context.Context, repoID, labelID int64)
 }
 
 // LoadSelectedLabelsAfterClick calculates the set of selected labels when a label is clicked
-func (label *Label) LoadSelectedLabelsAfterClick(currentSelectedLabels []int64) {
+func (label *Label) LoadSelectedLabelsAfterClick(currentSelectedLabels []int64, currentSelectedExclusiveScopes []string) {
 	var labelQuerySlice []string
 	labelSelected := false
 	labelID := strconv.FormatInt(label.ID, 10)
-	for _, s := range currentSelectedLabels {
+	labelScope := label.ExclusiveScope()
+	for i, s := range currentSelectedLabels {
 		if s == label.ID {
 			labelSelected = true
 		} else if -s == label.ID {
 			labelSelected = true
 			label.IsExcluded = true
 		} else if s != 0 {
-			labelQuerySlice = append(labelQuerySlice, strconv.FormatInt(s, 10))
+			// Exclude other labels in the same scope from selection
+			if s < 0 || labelScope == "" || labelScope != currentSelectedExclusiveScopes[i] {
+				labelQuerySlice = append(labelQuerySlice, strconv.FormatInt(s, 10))
+			}
 		}
 	}
 	if !labelSelected {
@@ -159,49 +162,43 @@ func (label *Label) BelongsToRepo() bool {
 	return label.RepoID > 0
 }
 
-// SrgbToLinear converts a component of an sRGB color to its linear intensity
-// See: https://en.wikipedia.org/wiki/SRGB#The_reverse_transformation_(sRGB_to_CIE_XYZ)
-func SrgbToLinear(color uint8) float64 {
-	flt := float64(color) / 255
-	if flt <= 0.04045 {
-		return flt / 12.92
+// Get color as RGB values in 0..255 range
+func (label *Label) ColorRGB() (float64, float64, float64, error) {
+	color, err := strconv.ParseUint(label.Color[1:], 16, 64)
+	if err != nil {
+		return 0, 0, 0, err
 	}
-	return math.Pow((flt+0.055)/1.055, 2.4)
+
+	r := float64(uint8(0xFF & (uint32(color) >> 16)))
+	g := float64(uint8(0xFF & (uint32(color) >> 8)))
+	b := float64(uint8(0xFF & uint32(color)))
+	return r, g, b, nil
 }
 
-// Luminance returns the luminance of an sRGB color
-func Luminance(color uint32) float64 {
-	r := SrgbToLinear(uint8(0xFF & (color >> 16)))
-	g := SrgbToLinear(uint8(0xFF & (color >> 8)))
-	b := SrgbToLinear(uint8(0xFF & color))
-
-	// luminance ratios for sRGB
-	return 0.2126*r + 0.7152*g + 0.0722*b
-}
-
-// LuminanceThreshold is the luminance at which white and black appear to have the same contrast
-// i.e. x such that 1.05 / (x + 0.05) = (x + 0.05) / 0.05
-// i.e. math.Sqrt(1.05*0.05) - 0.05
-const LuminanceThreshold float64 = 0.179
-
-// ForegroundColor calculates the text color for labels based
-// on their background color.
-func (label *Label) ForegroundColor() template.CSS {
+// Determine if label text should be light or dark to be readable on background color
+func (label *Label) UseLightTextColor() bool {
 	if strings.HasPrefix(label.Color, "#") {
-		if color, err := strconv.ParseUint(label.Color[1:], 16, 64); err == nil {
-			// NOTE: see web_src/js/components/ContextPopup.vue for similar implementation
-			luminance := Luminance(uint32(color))
-
-			// prefer white or black based upon contrast
-			if luminance < LuminanceThreshold {
-				return template.CSS("#fff")
-			}
-			return template.CSS("#000")
+		if r, g, b, err := label.ColorRGB(); err == nil {
+			// Perceived brightness from: https://www.w3.org/TR/AERT/#color-contrast
+			// In the future WCAG 3 APCA may be a better solution
+			brightness := (0.299*r + 0.587*g + 0.114*b) / 255
+			return brightness < 0.35
 		}
 	}
 
-	// default to black
-	return template.CSS("#000")
+	return false
+}
+
+// Return scope substring of label name, or empty string if none exists
+func (label *Label) ExclusiveScope() string {
+	if !label.Exclusive {
+		return ""
+	}
+	lastIndex := strings.LastIndex(label.Name, "/")
+	if lastIndex == -1 || lastIndex == 0 || lastIndex == len(label.Name)-1 {
+		return ""
+	}
+	return label.Name[:lastIndex]
 }
 
 // NewLabel creates a new label
@@ -253,7 +250,7 @@ func UpdateLabel(l *Label) error {
 	if !LabelColorPattern.MatchString(l.Color) {
 		return fmt.Errorf("bad color code: %s", l.Color)
 	}
-	return updateLabelCols(db.DefaultContext, l, "name", "description", "color")
+	return updateLabelCols(db.DefaultContext, l, "name", "description", "color", "exclusive")
 }
 
 // DeleteLabel delete a label
@@ -620,6 +617,29 @@ func newIssueLabel(ctx context.Context, issue *Issue, label *Label, doer *user_m
 	return updateLabelCols(ctx, label, "num_issues", "num_closed_issue")
 }
 
+// Remove all issue labels in the given exclusive scope
+func RemoveDuplicateExclusiveIssueLabels(ctx context.Context, issue *Issue, label *Label, doer *user_model.User) (err error) {
+	scope := label.ExclusiveScope()
+	if scope == "" {
+		return nil
+	}
+
+	var toRemove []*Label
+	for _, issueLabel := range issue.Labels {
+		if label.ID != issueLabel.ID && issueLabel.ExclusiveScope() == scope {
+			toRemove = append(toRemove, issueLabel)
+		}
+	}
+
+	for _, issueLabel := range toRemove {
+		if err = deleteIssueLabel(ctx, issue, issueLabel, doer); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // NewIssueLabel creates a new issue-label relation.
 func NewIssueLabel(issue *Issue, label *Label, doer *user_model.User) (err error) {
 	if HasIssueLabel(db.DefaultContext, issue.ID, label.ID) {
@@ -641,6 +661,10 @@ func NewIssueLabel(issue *Issue, label *Label, doer *user_model.User) (err error
 		return nil
 	}
 
+	if err = RemoveDuplicateExclusiveIssueLabels(ctx, issue, label, doer); err != nil {
+		return nil
+	}
+
 	if err = newIssueLabel(ctx, issue, label, doer); err != nil {
 		return err
 	}
diff --git a/models/issues/label_test.go b/models/issues/label_test.go
index 239e328d47..0e45e0db0b 100644
--- a/models/issues/label_test.go
+++ b/models/issues/label_test.go
@@ -4,7 +4,6 @@
 package issues_test
 
 import (
-	"html/template"
 	"testing"
 
 	"code.gitea.io/gitea/models/db"
@@ -25,13 +24,22 @@ func TestLabel_CalOpenIssues(t *testing.T) {
 	assert.EqualValues(t, 2, label.NumOpenIssues)
 }
 
-func TestLabel_ForegroundColor(t *testing.T) {
+func TestLabel_TextColor(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	label := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 1})
-	assert.Equal(t, template.CSS("#000"), label.ForegroundColor())
+	assert.False(t, label.UseLightTextColor())
 
 	label = unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 2})
-	assert.Equal(t, template.CSS("#fff"), label.ForegroundColor())
+	assert.True(t, label.UseLightTextColor())
+}
+
+func TestLabel_ExclusiveScope(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	label := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 7})
+	assert.Equal(t, "scope", label.ExclusiveScope())
+
+	label = unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 9})
+	assert.Equal(t, "scope/subscope", label.ExclusiveScope())
 }
 
 func TestNewLabels(t *testing.T) {
@@ -266,6 +274,7 @@ func TestUpdateLabel(t *testing.T) {
 		Color:       "#ffff00",
 		Name:        "newLabelName",
 		Description: label.Description,
+		Exclusive:   false,
 	}
 	label.Color = update.Color
 	label.Name = update.Name
@@ -323,6 +332,34 @@ func TestNewIssueLabel(t *testing.T) {
 	unittest.CheckConsistencyFor(t, &issues_model.Issue{}, &issues_model.Label{})
 }
 
+func TestNewIssueExclusiveLabel(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 18})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	otherLabel := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 6})
+	exclusiveLabelA := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 7})
+	exclusiveLabelB := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 8})
+
+	// coexisting regular and exclusive label
+	assert.NoError(t, issues_model.NewIssueLabel(issue, otherLabel, doer))
+	assert.NoError(t, issues_model.NewIssueLabel(issue, exclusiveLabelA, doer))
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: otherLabel.ID})
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: exclusiveLabelA.ID})
+
+	// exclusive label replaces existing one
+	assert.NoError(t, issues_model.NewIssueLabel(issue, exclusiveLabelB, doer))
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: otherLabel.ID})
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: exclusiveLabelB.ID})
+	unittest.AssertNotExistsBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: exclusiveLabelA.ID})
+
+	// exclusive label replaces existing one again
+	assert.NoError(t, issues_model.NewIssueLabel(issue, exclusiveLabelA, doer))
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: otherLabel.ID})
+	unittest.AssertExistsAndLoadBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: exclusiveLabelA.ID})
+	unittest.AssertNotExistsBean(t, &issues_model.IssueLabel{IssueID: issue.ID, LabelID: exclusiveLabelB.ID})
+}
+
 func TestNewIssueLabels(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	label1 := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 1})
diff --git a/models/migrations/fixtures/Test_DeleteOrphanedIssueLabels/label.yml b/models/migrations/fixtures/Test_DeleteOrphanedIssueLabels/label.yml
index d651c87d5b..085b7f0882 100644
--- a/models/migrations/fixtures/Test_DeleteOrphanedIssueLabels/label.yml
+++ b/models/migrations/fixtures/Test_DeleteOrphanedIssueLabels/label.yml
@@ -4,6 +4,7 @@
   org_id: 0
   name: label1
   color: '#abcdef'
+  exclusive: false
   num_issues: 2
   num_closed_issues: 0
 
@@ -13,6 +14,7 @@
   org_id: 0
   name: label2
   color: '#000000'
+  exclusive: false
   num_issues: 1
   num_closed_issues: 1
 -
@@ -21,6 +23,7 @@
   org_id:  3
   name: orglabel3
   color: '#abcdef'
+  exclusive: false
   num_issues: 0
   num_closed_issues: 0
 
@@ -30,6 +33,7 @@
   org_id: 3
   name: orglabel4
   color: '#000000'
+  exclusive: false
   num_issues: 1
   num_closed_issues: 0
 
@@ -39,5 +43,6 @@
   org_id: 0
   name: pull-test-label
   color: '#000000'
+  exclusive: false
   num_issues: 0
   num_closed_issues: 0
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 73c44f008a..c7497becd1 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -459,6 +459,8 @@ var migrations = []Migration{
 	NewMigration("Add card_type column to project table", v1_19.AddCardTypeToProjectTable),
 	// v242 -> v243
 	NewMigration("Alter gpg_key_import content TEXT field to MEDIUMTEXT", v1_19.AlterPublicGPGKeyImportContentFieldToMediumText),
+	// v243 -> v244
+	NewMigration("Add exclusive label", v1_19.AddExclusiveLabel),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/migrations/v1_19/v244.go b/models/migrations/v1_19/v244.go
new file mode 100644
index 0000000000..55bbfafb2f
--- /dev/null
+++ b/models/migrations/v1_19/v244.go
@@ -0,0 +1,16 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_19 //nolint
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddExclusiveLabel(x *xorm.Engine) error {
+	type Label struct {
+		Exclusive bool
+	}
+
+	return x.Sync(new(Label))
+}
diff --git a/modules/migration/label.go b/modules/migration/label.go
index 38f0eb10da..4927be3c0b 100644
--- a/modules/migration/label.go
+++ b/modules/migration/label.go
@@ -9,4 +9,5 @@ type Label struct {
 	Name        string `json:"name"`
 	Color       string `json:"color"`
 	Description string `json:"description"`
+	Exclusive   bool   `json:"exclusive"`
 }
diff --git a/modules/structs/issue_label.go b/modules/structs/issue_label.go
index 5c622797f4..5bb6cc3b84 100644
--- a/modules/structs/issue_label.go
+++ b/modules/structs/issue_label.go
@@ -9,6 +9,8 @@ package structs
 type Label struct {
 	ID   int64  `json:"id"`
 	Name string `json:"name"`
+	// example: false
+	Exclusive bool `json:"exclusive"`
 	// example: 00aabb
 	Color       string `json:"color"`
 	Description string `json:"description"`
@@ -19,6 +21,8 @@ type Label struct {
 type CreateLabelOption struct {
 	// required:true
 	Name string `json:"name" binding:"Required"`
+	// example: false
+	Exclusive bool `json:"exclusive"`
 	// required:true
 	// example: #00aabb
 	Color       string `json:"color" binding:"Required"`
@@ -27,7 +31,10 @@ type CreateLabelOption struct {
 
 // EditLabelOption options for editing a label
 type EditLabelOption struct {
-	Name        *string `json:"name"`
+	Name *string `json:"name"`
+	// example: false
+	Exclusive *bool `json:"exclusive"`
+	// example: #00aabb
 	Color       *string `json:"color"`
 	Description *string `json:"description"`
 }
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 8f8f565c1f..4ffd0a5dee 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -7,10 +7,12 @@ package templates
 import (
 	"bytes"
 	"context"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"html"
 	"html/template"
+	"math"
 	"mime"
 	"net/url"
 	"path/filepath"
@@ -382,6 +384,9 @@ func NewFuncMap() []template.FuncMap {
 			// the table is NOT sorted with this header
 			return ""
 		},
+		"RenderLabel": func(label *issues_model.Label) template.HTML {
+			return template.HTML(RenderLabel(label))
+		},
 		"RenderLabels": func(labels []*issues_model.Label, repoLink string) template.HTML {
 			htmlCode := `<span class="labels-list">`
 			for _, label := range labels {
@@ -389,8 +394,8 @@ func NewFuncMap() []template.FuncMap {
 				if label == nil {
 					continue
 				}
-				htmlCode += fmt.Sprintf("<a href='%s/issues?labels=%d' class='ui label' style='color: %s !important; background-color: %s !important' title='%s'>%s</a> ",
-					repoLink, label.ID, label.ForegroundColor(), label.Color, html.EscapeString(label.Description), RenderEmoji(label.Name))
+				htmlCode += fmt.Sprintf("<a href='%s/issues?labels=%d'>%s</a> ",
+					repoLink, label.ID, RenderLabel(label))
 			}
 			htmlCode += "</span>"
 			return template.HTML(htmlCode)
@@ -801,6 +806,67 @@ func RenderIssueTitle(ctx context.Context, text, urlPrefix string, metas map[str
 	return template.HTML(renderedText)
 }
 
+// RenderLabel renders a label
+func RenderLabel(label *issues_model.Label) string {
+	labelScope := label.ExclusiveScope()
+
+	textColor := "#111"
+	if label.UseLightTextColor() {
+		textColor = "#eee"
+	}
+
+	description := emoji.ReplaceAliases(template.HTMLEscapeString(label.Description))
+
+	if labelScope == "" {
+		// Regular label
+		return fmt.Sprintf("<div class='ui label' style='color: %s !important; background-color: %s !important' title='%s'>%s</div>",
+			textColor, label.Color, description, RenderEmoji(label.Name))
+	}
+
+	// Scoped label
+	scopeText := RenderEmoji(labelScope)
+	itemText := RenderEmoji(label.Name[len(labelScope)+1:])
+
+	itemColor := label.Color
+	scopeColor := label.Color
+	if r, g, b, err := label.ColorRGB(); err == nil {
+		// Make scope and item background colors slightly darker and lighter respectively.
+		// More contrast needed with higher luminance, empirically tweaked.
+		luminance := (0.299*r + 0.587*g + 0.114*b) / 255
+		contrast := 0.01 + luminance*0.06
+		// Ensure we add the same amount of contrast also near 0 and 1.
+		darken := contrast + math.Max(luminance+contrast-1.0, 0.0)
+		lighten := contrast + math.Max(contrast-luminance, 0.0)
+		// Compute factor to keep RGB values proportional.
+		darkenFactor := math.Max(luminance-darken, 0.0) / math.Max(luminance, 1.0/255.0)
+		lightenFactor := math.Min(luminance+lighten, 1.0) / math.Max(luminance, 1.0/255.0)
+
+		scopeBytes := []byte{
+			uint8(math.Min(math.Round(r*darkenFactor), 255)),
+			uint8(math.Min(math.Round(g*darkenFactor), 255)),
+			uint8(math.Min(math.Round(b*darkenFactor), 255)),
+		}
+		itemBytes := []byte{
+			uint8(math.Min(math.Round(r*lightenFactor), 255)),
+			uint8(math.Min(math.Round(g*lightenFactor), 255)),
+			uint8(math.Min(math.Round(b*lightenFactor), 255)),
+		}
+
+		itemColor = "#" + hex.EncodeToString(itemBytes)
+		scopeColor = "#" + hex.EncodeToString(scopeBytes)
+	}
+
+	return fmt.Sprintf("<span class='ui label scope-parent' title='%s'>"+
+		"<div class='ui label scope-left' style='color: %s !important; background-color: %s !important'>%s</div>"+
+		"<div class='ui label scope-middle' style='background: linear-gradient(-80deg, %s 48%%, %s 52%% 0%%);'>&nbsp;</div>"+
+		"<div class='ui label scope-right' style='color: %s !important; background-color: %s !important''>%s</div>"+
+		"</span>",
+		description,
+		textColor, scopeColor, scopeText,
+		itemColor, scopeColor,
+		textColor, itemColor, itemText)
+}
+
 // RenderEmoji renders html text with emoji post processors
 func RenderEmoji(text string) template.HTML {
 	renderedText, err := markup.RenderEmoji(template.HTMLEscapeString(text))
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 51ae8c7a02..411a585c81 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1395,9 +1395,12 @@ issues.sign_in_require_desc = <a href="%s">Sign in</a> to join this conversation
 issues.edit = Edit
 issues.cancel = Cancel
 issues.save = Save
-issues.label_title = Label name
-issues.label_description = Label description
-issues.label_color = Label color
+issues.label_title = Name
+issues.label_description = Description
+issues.label_color = Color
+issues.label_exclusive = Exclusive
+issues.label_exclusive_desc = Name the label <code>scope/item</code> to make it mutually exclusive with other <code>scope/</code> labels.
+issues.label_exclusive_warning = Any conflicting scoped labels will be removed when editing the labels of an issue or pull request.
 issues.label_count = %d labels
 issues.label_open_issues = %d open issues/pull requests
 issues.label_edit = Edit
diff --git a/routers/api/v1/org/label.go b/routers/api/v1/org/label.go
index 5d0455cdd4..938fe79df6 100644
--- a/routers/api/v1/org/label.go
+++ b/routers/api/v1/org/label.go
@@ -94,6 +94,7 @@ func CreateLabel(ctx *context.APIContext) {
 
 	label := &issues_model.Label{
 		Name:        form.Name,
+		Exclusive:   form.Exclusive,
 		Color:       form.Color,
 		OrgID:       ctx.Org.Organization.ID,
 		Description: form.Description,
@@ -195,6 +196,9 @@ func EditLabel(ctx *context.APIContext) {
 	if form.Name != nil {
 		label.Name = *form.Name
 	}
+	if form.Exclusive != nil {
+		label.Exclusive = *form.Exclusive
+	}
 	if form.Color != nil {
 		label.Color = strings.Trim(*form.Color, " ")
 		if len(label.Color) == 6 {
diff --git a/routers/api/v1/repo/label.go b/routers/api/v1/repo/label.go
index 411c0274e6..a06d26e837 100644
--- a/routers/api/v1/repo/label.go
+++ b/routers/api/v1/repo/label.go
@@ -156,6 +156,7 @@ func CreateLabel(ctx *context.APIContext) {
 
 	label := &issues_model.Label{
 		Name:        form.Name,
+		Exclusive:   form.Exclusive,
 		Color:       form.Color,
 		RepoID:      ctx.Repo.Repository.ID,
 		Description: form.Description,
@@ -218,6 +219,9 @@ func EditLabel(ctx *context.APIContext) {
 	if form.Name != nil {
 		label.Name = *form.Name
 	}
+	if form.Exclusive != nil {
+		label.Exclusive = *form.Exclusive
+	}
 	if form.Color != nil {
 		label.Color = strings.Trim(*form.Color, " ")
 		if len(label.Color) == 6 {
diff --git a/routers/web/org/org_labels.go b/routers/web/org/org_labels.go
index 1c910a93a5..e96627762b 100644
--- a/routers/web/org/org_labels.go
+++ b/routers/web/org/org_labels.go
@@ -45,6 +45,7 @@ func NewLabel(ctx *context.Context) {
 	l := &issues_model.Label{
 		OrgID:       ctx.Org.Organization.ID,
 		Name:        form.Title,
+		Exclusive:   form.Exclusive,
 		Description: form.Description,
 		Color:       form.Color,
 	}
@@ -70,6 +71,7 @@ func UpdateLabel(ctx *context.Context) {
 	}
 
 	l.Name = form.Title
+	l.Exclusive = form.Exclusive
 	l.Description = form.Description
 	l.Color = form.Color
 	if err := issues_model.UpdateLabel(l); err != nil {
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 62565af50f..05ba26a70c 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -332,8 +332,24 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 		labels = append(labels, orgLabels...)
 	}
 
+	// Get the exclusive scope for every label ID
+	labelExclusiveScopes := make([]string, 0, len(labelIDs))
+	for _, labelID := range labelIDs {
+		foundExclusiveScope := false
+		for _, label := range labels {
+			if label.ID == labelID || label.ID == -labelID {
+				labelExclusiveScopes = append(labelExclusiveScopes, label.ExclusiveScope())
+				foundExclusiveScope = true
+				break
+			}
+		}
+		if !foundExclusiveScope {
+			labelExclusiveScopes = append(labelExclusiveScopes, "")
+		}
+	}
+
 	for _, l := range labels {
-		l.LoadSelectedLabelsAfterClick(labelIDs)
+		l.LoadSelectedLabelsAfterClick(labelIDs, labelExclusiveScopes)
 	}
 	ctx.Data["Labels"] = labels
 	ctx.Data["NumLabels"] = len(labels)
diff --git a/routers/web/repo/issue_label.go b/routers/web/repo/issue_label.go
index 66e8920bd9..d4fece9f01 100644
--- a/routers/web/repo/issue_label.go
+++ b/routers/web/repo/issue_label.go
@@ -113,6 +113,7 @@ func NewLabel(ctx *context.Context) {
 	l := &issues_model.Label{
 		RepoID:      ctx.Repo.Repository.ID,
 		Name:        form.Title,
+		Exclusive:   form.Exclusive,
 		Description: form.Description,
 		Color:       form.Color,
 	}
@@ -138,6 +139,7 @@ func UpdateLabel(ctx *context.Context) {
 	}
 
 	l.Name = form.Title
+	l.Exclusive = form.Exclusive
 	l.Description = form.Description
 	l.Color = form.Color
 	if err := issues_model.UpdateLabel(l); err != nil {
@@ -175,7 +177,7 @@ func UpdateIssueLabel(ctx *context.Context) {
 				return
 			}
 		}
-	case "attach", "detach", "toggle":
+	case "attach", "detach", "toggle", "toggle-alt":
 		label, err := issues_model.GetLabelByID(ctx, ctx.FormInt64("id"))
 		if err != nil {
 			if issues_model.IsErrRepoLabelNotExist(err) {
@@ -189,12 +191,18 @@ func UpdateIssueLabel(ctx *context.Context) {
 		if action == "toggle" {
 			// detach if any issues already have label, otherwise attach
 			action = "attach"
-			for _, issue := range issues {
-				if issues_model.HasIssueLabel(ctx, issue.ID, label.ID) {
-					action = "detach"
-					break
+			if label.ExclusiveScope() == "" {
+				for _, issue := range issues {
+					if issues_model.HasIssueLabel(ctx, issue.ID, label.ID) {
+						action = "detach"
+						break
+					}
 				}
 			}
+		} else if action == "toggle-alt" {
+			// always detach with alt key pressed, to be able to remove
+			// scoped labels
+			action = "detach"
 		}
 
 		if action == "attach" {
diff --git a/services/convert/issue.go b/services/convert/issue.go
index dccf2f3727..e79fcfcccb 100644
--- a/services/convert/issue.go
+++ b/services/convert/issue.go
@@ -182,6 +182,7 @@ func ToLabel(label *issues_model.Label, repo *repo_model.Repository, org *user_m
 	result := &api.Label{
 		ID:          label.ID,
 		Name:        label.Name,
+		Exclusive:   label.Exclusive,
 		Color:       strings.TrimLeft(label.Color, "#"),
 		Description: label.Description,
 	}
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index c1b5800968..ff0916f8e1 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -564,6 +564,7 @@ func (f *CreateMilestoneForm) Validate(req *http.Request, errs binding.Errors) b
 type CreateLabelForm struct {
 	ID          int64
 	Title       string `binding:"Required;MaxSize(50)" locale:"repo.issues.label_title"`
+	Exclusive   bool   `form:"exclusive"`
 	Description string `binding:"MaxSize(200)" locale:"repo.issues.label_description"`
 	Color       string `binding:"Required;MaxSize(7)" locale:"repo.issues.label_color"`
 }
diff --git a/services/migrations/main_test.go b/services/migrations/main_test.go
index 30875f6e5b..42c433fb00 100644
--- a/services/migrations/main_test.go
+++ b/services/migrations/main_test.go
@@ -59,6 +59,7 @@ func assertCommentsEqual(t *testing.T, expected, actual []*base.Comment) {
 
 func assertLabelEqual(t *testing.T, expected, actual *base.Label) {
 	assert.Equal(t, expected.Name, actual.Name)
+	assert.Equal(t, expected.Exclusive, actual.Exclusive)
 	assert.Equal(t, expected.Color, actual.Color)
 	assert.Equal(t, expected.Description, actual.Description)
 }
diff --git a/services/repository/template.go b/services/repository/template.go
index 13e0749869..8c75948c41 100644
--- a/services/repository/template.go
+++ b/services/repository/template.go
@@ -31,6 +31,7 @@ func GenerateIssueLabels(ctx context.Context, templateRepo, generateRepo *repo_m
 		newLabels = append(newLabels, &issues_model.Label{
 			RepoID:      generateRepo.ID,
 			Name:        templateLabel.Name,
+			Exclusive:   templateLabel.Exclusive,
 			Description: templateLabel.Description,
 			Color:       templateLabel.Color,
 		})
diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl
index 112e6be7ce..b25cf2526e 100644
--- a/templates/projects/view.tmpl
+++ b/templates/projects/view.tmpl
@@ -234,7 +234,7 @@
 						{{if or .Labels .Assignees}}
 						<div class="extra content labels-list gt-p-0 gt-pt-2">
 							{{range .Labels}}
-								<a class="ui label" target="_blank" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}};" title="{{.Description | RenderEmojiPlain}}">{{.Name | RenderEmoji}}</a>
+								<a target="_blank" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{RenderLabel .}}</a>
 							{{end}}
 							<div class="right floated">
 								{{range .Assignees}}
diff --git a/templates/repo/issue/labels/edit_delete_label.tmpl b/templates/repo/issue/labels/edit_delete_label.tmpl
index a0479dde1b..450061e835 100644
--- a/templates/repo/issue/labels/edit_delete_label.tmpl
+++ b/templates/repo/issue/labels/edit_delete_label.tmpl
@@ -26,31 +26,45 @@
 		<form class="ui edit-label form ignore-dirty" action="{{$.Link}}/edit" method="post">
 			{{.CsrfTokenHtml}}
 			<input id="label-modal-id" name="id" type="hidden">
-			<div class="ui grid">
-				<div class="three wide column">
-					<div class="ui small input">
-						<input class="new-label-input emoji-input" name="title" placeholder="{{.locale.Tr "repo.issues.new_label_placeholder"}}" autofocus required maxlength="50">
-					</div>
+			<div class="required field">
+				<label for="name">{{.locale.Tr "repo.issues.label_title"}}</label>
+				<div class="ui small input">
+					<input class="label-name-input emoji-input" name="title" placeholder="{{.locale.Tr "repo.issues.new_label_placeholder"}}" autofocus required maxlength="50">
 				</div>
-				<div class="five wide column">
-					<div class="ui small fluid input">
-						<input class="new-label-desc-input" name="description" placeholder="{{.locale.Tr "repo.issues.new_label_desc_placeholder"}}" maxlength="200">
-					</div>
+			</div>
+			<div class="field label-exclusive-input-field">
+				<div class="ui checkbox">
+					<input class="label-exclusive-input" name="exclusive" type="checkbox">
+					<label>{{.locale.Tr "repo.issues.label_exclusive"}}</label>
 				</div>
+				<br/>
+				<small class="desc">{{.locale.Tr "repo.issues.label_exclusive_desc" | Safe}}</small>
+				<div class="desc gt-ml-2 gt-mt-3 gt-hidden label-exclusive-warning">
+					{{svg "octicon-alert"}} {{.locale.Tr "repo.issues.label_exclusive_warning" | Safe}}
+				</div>
+			</div>
+			<div class="field">
+				<label for="description">{{.locale.Tr "repo.issues.label_description"}}</label>
+				<div class="ui small fluid input">
+					<input class="label-desc-input" name="description" placeholder="{{.locale.Tr "repo.issues.new_label_desc_placeholder"}}" maxlength="200">
+				</div>
+			</div>
+			<div class="field color-field">
+				<label for="color">{{$.locale.Tr "repo.issues.label_color"}}</label>
 				<div class="color picker column">
 					<input class="color-picker" name="color" value="#70c24a" required maxlength="7">
-				</div>
-				<div class="column precolors">
-					{{template "repo/issue/label_precolors"}}
+					<div class="column precolors">
+						{{template "repo/issue/label_precolors"}}
+					</div>
 				</div>
 			</div>
 		</form>
 	</div>
 	<div class="actions">
-		<div class="ui negative button">
+		<div class="ui secondary small basic cancel button">
 			{{.locale.Tr "cancel"}}
 		</div>
-		<div class="ui positive button">
+		<div class="ui primary small approve button">
 			{{.locale.Tr "save"}}
 		</div>
 	</div>
diff --git a/templates/repo/issue/labels/label.tmpl b/templates/repo/issue/labels/label.tmpl
index 0afe5cb6e7..87d8f0c41c 100644
--- a/templates/repo/issue/labels/label.tmpl
+++ b/templates/repo/issue/labels/label.tmpl
@@ -1,9 +1,7 @@
 <a
-	class="ui label item {{if not .label.IsChecked}}hide{{end}}"
+	class="item {{if not .label.IsChecked}}hide{{end}}"
 	id="label_{{.label.ID}}"
 	href="{{.root.RepoLink}}/{{if or .root.IsPull .root.Issue.IsPull}}pulls{{else}}issues{{end}}?labels={{.label.ID}}"{{/* FIXME: use .root.Issue.Link or create .root.Link */}}
-	style="color: {{.label.ForegroundColor}}; background-color: {{.label.Color}}"
-	title="{{.label.Description | RenderEmojiPlain}}"
 >
-	{{.label.Name | RenderEmoji}}
+	{{RenderLabel .label}}
 </a>
diff --git a/templates/repo/issue/labels/label_list.tmpl b/templates/repo/issue/labels/label_list.tmpl
index 464c9fe208..e8f00fa256 100644
--- a/templates/repo/issue/labels/label_list.tmpl
+++ b/templates/repo/issue/labels/label_list.tmpl
@@ -30,28 +30,24 @@
 		{{range .Labels}}
 			<li class="item">
 			<div class="ui grid middle aligned">
+				<div class="nine wide column">
+					{{RenderLabel .}}
+					{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}
+				</div>
 				<div class="four wide column">
-					<div class="ui label" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{svg "octicon-tag"}} {{.Name | RenderEmoji}}</div>
-				</div>
-				<div class="six wide column">
-					<div class="ui">
-					{{.Description | RenderEmoji}}
-					</div>
-				</div>
-				<div class="three wide column">
 					{{if $.PageIsOrgSettingsLabels}}
-						<a class="ui right open-issues" href="{{AppSubUrl}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenIssues}}</a>
+						<a class="ui left open-issues" href="{{AppSubUrl}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenIssues}}</a>
 					{{else}}
-						<a class="ui right open-issues" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenIssues}}</a>
+						<a class="ui left open-issues" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenIssues}}</a>
 					{{end}}
 				</div>
 				<div class="three wide column">
 					{{if and (not $.PageIsOrgSettingsLabels ) (not $.Repository.IsArchived) (or $.CanWriteIssues $.CanWritePulls)}}
 						<a class="ui right delete-button" href="#" data-url="{{$.Link}}/delete" data-id="{{.ID}}">{{svg "octicon-trash"}} {{$.locale.Tr "repo.issues.label_delete"}}</a>
-						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
+						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" {{if .Exclusive}}data-exclusive{{end}} data-num-issues="{{.NumIssues}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
 					{{else if $.PageIsOrgSettingsLabels}}
 						<a class="ui right delete-button" href="#" data-url="{{$.Link}}/delete" data-id="{{.ID}}">{{svg "octicon-trash"}} {{$.locale.Tr "repo.issues.label_delete"}}</a>
-						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
+						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" {{if .Exclusive}}data-exclusive{{end}} data-num-issues="{{.NumIssues}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
 					{{end}}
 				</div>
 			</div>
@@ -73,16 +69,12 @@
 					{{range .OrgLabels}}
 					<li class="item">
 					<div class="ui grid middle aligned">
-						<div class="three wide column">
-							<div class="ui label" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{svg "octicon-tag"}} {{.Name | RenderEmoji}}</div>
+						<div class="nine wide column">
+							{{RenderLabel .}}
+							{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}
 						</div>
-						<div class="seven wide column">
-							<div class="ui">
-							{{.Description | RenderEmoji}}
-							</div>
-						</div>
-						<div class="three wide column">
-								<a class="ui right open-issues" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenRepoIssues}}</a>
+						<div class="four wide column">
+							<a class="ui left open-issues" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{svg "octicon-issue-opened"}} {{$.locale.Tr "repo.issues.label_open_issues" .NumOpenRepoIssues}}</a>
 						</div>
 						<div class="three wide column">
 						</div>
diff --git a/templates/repo/issue/labels/label_new.tmpl b/templates/repo/issue/labels/label_new.tmpl
index 035a4db800..62f7155b74 100644
--- a/templates/repo/issue/labels/label_new.tmpl
+++ b/templates/repo/issue/labels/label_new.tmpl
@@ -1,27 +1,47 @@
-<div class="ui new-label segment hide">
-	<form class="ui form" action="{{$.Link}}/new" method="post">
-		{{.CsrfTokenHtml}}
-		<div class="ui grid">
-			<div class="three wide column">
+<div class="ui small new-label modal">
+	<div class="header">
+		{{.locale.Tr "repo.issues.new_label"}}
+	</div>
+	<div class="content">
+		<form class="ui new-label form ignore-dirty" action="{{$.Link}}/new" method="post">
+			{{.CsrfTokenHtml}}
+			<div class="required field">
+				<label for="name">{{.locale.Tr "repo.issues.label_title"}}</label>
 				<div class="ui small input">
-					<input class="new-label-input emoji-input" name="title" placeholder="{{.locale.Tr "repo.issues.new_label_placeholder"}}" autofocus required maxlength="50">
+					<input class="label-name-input emoji-input" name="title" placeholder="{{.locale.Tr "repo.issues.new_label_placeholder"}}" autofocus required maxlength="50">
 				</div>
 			</div>
-			<div class="three wide column">
+			<div class="field label-exclusive-input-field">
+				<div class="ui checkbox">
+					<input class="label-exclusive-input" name="exclusive" type="checkbox">
+					<label>{{.locale.Tr "repo.issues.label_exclusive"}}</label>
+				</div>
+				<br/>
+				<small class="desc">{{.locale.Tr "repo.issues.label_exclusive_desc" | Safe}}</small>
+			</div>
+			<div class="field">
+				<label for="description">{{.locale.Tr "repo.issues.label_description"}}</label>
 				<div class="ui small fluid input">
-					<input class="new-label-desc-input" name="description" placeholder="{{.locale.Tr "repo.issues.new_label_desc_placeholder"}}" maxlength="200">
+					<input class="label-desc-input" name="description" placeholder="{{.locale.Tr "repo.issues.new_label_desc_placeholder"}}" maxlength="200">
 				</div>
 			</div>
-			<div class="color picker column">
-				<input class="color-picker" name="color" value="#70c24a" required maxlength="7">
-			</div>
-			<div class="column precolors">
-				{{template "repo/issue/label_precolors"}}
-			</div>
-			<div class="buttons">
-				<div class="ui secondary small basic cancel button">{{.locale.Tr "repo.milestones.cancel"}}</div>
-				<button class="ui primary small button">{{.locale.Tr "repo.issues.create_label"}}</button>
+			<div class="field color-field">
+				<label for="color">{{$.locale.Tr "repo.issues.label_color"}}</label>
+				<div class="color picker column">
+					<input class="color-picker" name="color" value="#70c24a" required maxlength="7">
+					<div class="column precolors">
+						{{template "repo/issue/label_precolors"}}
+					</div>
+				</div>
 			</div>
+		</form>
+	</div>
+	<div class="actions">
+		<div class="ui secondary small basic cancel button">
+			{{.locale.Tr "cancel"}}
 		</div>
-	</form>
+		<div class="ui primary small approve button">
+			{{.locale.Tr "repo.issues.create_label"}}
+		</div>
+	</div>
 </div>
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl
index 4b55e7bec8..0e4969a706 100644
--- a/templates/repo/issue/list.tmpl
+++ b/templates/repo/issue/list.tmpl
@@ -50,8 +50,14 @@
 							</div>
 							<span class="info">{{.locale.Tr "repo.issues.filter_label_exclude" | Safe}}</span>
 							<a class="item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_label_no_select"}}</a>
+							{{$previousExclusiveScope := "_no_scope"}}
 							{{range .Labels}}
-								<a class="item label-filter-item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.QueryString}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}" data-label-id="{{.ID}}">{{if .IsExcluded}}{{svg "octicon-circle-slash"}}{{else if .IsSelected}}{{svg "octicon-check"}}{{end}}<span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}</a>
+								{{$exclusiveScope := .ExclusiveScope}}
+								{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+									<div class="ui divider"></div>
+								{{end}}
+								{{$previousExclusiveScope = $exclusiveScope}}
+								<a class="item label-filter-item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.QueryString}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}" data-label-id="{{.ID}}">{{if .IsExcluded}}{{svg "octicon-circle-slash"}}{{else if .IsSelected}}{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}{{end}} {{RenderLabel .}}</a>
 							{{end}}
 						</div>
 					</div>
@@ -217,9 +223,15 @@
 							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
 						</span>
 						<div class="menu">
+							{{$previousExclusiveScope := "_no_scope"}}
 							{{range .Labels}}
+								{{$exclusiveScope := .ExclusiveScope}}
+								{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+									<div class="ui divider"></div>
+								{{end}}
+								{{$previousExclusiveScope = $exclusiveScope}}
 								<div class="item issue-action" data-action="toggle" data-element-id="{{.ID}}" data-url="{{$.RepoLink}}/issues/labels">
-									{{if contain $.SelLabelIDs .ID}}{{svg "octicon-check"}}{{end}}<span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+									{{if contain $.SelLabelIDs .ID}}{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}{{end}} {{RenderLabel .}}
 								</div>
 							{{end}}
 						</div>
diff --git a/templates/repo/issue/milestone_issues.tmpl b/templates/repo/issue/milestone_issues.tmpl
index 8d6a97a713..57012bddb6 100644
--- a/templates/repo/issue/milestone_issues.tmpl
+++ b/templates/repo/issue/milestone_issues.tmpl
@@ -58,7 +58,7 @@
 							<span class="info">{{.locale.Tr "repo.issues.filter_label_exclude" | Safe}}</span>
 							<a class="item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_label_no_select"}}</a>
 							{{range .Labels}}
-								<a class="item label-filter-item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.QueryString}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}" data-label-id="{{.ID}}">{{if .IsExcluded}}{{svg "octicon-circle-slash"}}{{else if contain $.SelLabelIDs .ID}}{{svg "octicon-check"}}{{end}}<span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}</a>
+								<a class="item label-filter-item" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.QueryString}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}" data-label-id="{{.ID}}">{{if .IsExcluded}}{{svg "octicon-circle-slash"}}{{else if contain $.SelLabelIDs .ID}}{{svg "octicon-check"}}{{end}} {{RenderLabel .}}</a>
 							{{end}}
 						</div>
 					</div>
@@ -161,7 +161,7 @@
 						<div class="menu">
 							{{range .Labels}}
 								<div class="item issue-action" data-action="toggle" data-element-id="{{.ID}}" data-url="{{$.RepoLink}}/issues/labels">
-									{{if contain $.SelLabelIDs .ID}}{{svg "octicon-check"}}{{end}}<span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+									{{if contain $.SelLabelIDs .ID}}{{svg "octicon-check"}}{{end}} {{RenderLabel .}}
 								</div>
 							{{end}}
 						</div>
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
index 8fbd9d256a..2a6fcaa995 100644
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@@ -53,14 +53,26 @@
 					{{end}}
 					<div class="no-select item">{{.locale.Tr "repo.issues.new.clear_labels"}}</div>
 					{{if or .Labels .OrgLabels}}
+						{{$previousExclusiveScope := "_no_scope"}}
 						{{range .Labels}}
-							<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{svg "octicon-check"}}</span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+							{{$exclusiveScope := .ExclusiveScope}}
+							{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+								<div class="ui divider"></div>
+							{{end}}
+							{{$previousExclusiveScope = $exclusiveScope}}
+							<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}" data-scope="{{$exclusiveScope}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}</span>&nbsp;&nbsp;{{RenderLabel .}}
 							{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}</a>
 						{{end}}
 
 						<div class="ui divider"></div>
+						{{$previousExclusiveScope := "_no_scope"}}
 						{{range .OrgLabels}}
-							<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{svg "octicon-check"}}</span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+							{{$exclusiveScope := .ExclusiveScope}}
+							{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+								<div class="ui divider"></div>
+							{{end}}
+							{{$previousExclusiveScope = $exclusiveScope}}
+							<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}" data-scope="{{$exclusiveScope}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}</span>&nbsp;&nbsp;{{RenderLabel .}}
 							{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}</a>
 						{{end}}
 					{{else}}
diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index 9ba46f3715..8cd34ede6e 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -123,13 +123,25 @@
 				{{end}}
 				<div class="no-select item">{{.locale.Tr "repo.issues.new.clear_labels"}}</div>
 				{{if or .Labels .OrgLabels}}
+					{{$previousExclusiveScope := "_no_scope"}}
 					{{range .Labels}}
-						<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{svg "octicon-check"}}</span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+						{{$exclusiveScope := .ExclusiveScope}}
+						{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+							<div class="ui divider"></div>
+						{{end}}
+						{{$previousExclusiveScope = $exclusiveScope}}
+						<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}" data-scope="{{$exclusiveScope}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}</span>&nbsp;&nbsp;{{RenderLabel .}}
 						{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}</a>
 					{{end}}
 					<div class="ui divider"></div>
+					{{$previousExclusiveScope := "_no_scope"}}
 					{{range .OrgLabels}}
-						<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{svg "octicon-check"}}</span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name | RenderEmoji}}
+						{{$exclusiveScope := .ExclusiveScope}}
+						{{if and (ne $previousExclusiveScope "_no_scope") (ne $previousExclusiveScope $exclusiveScope)}}
+							<div class="ui divider"></div>
+						{{end}}
+						{{$previousExclusiveScope = $exclusiveScope}}
+						<a class="{{if .IsChecked}}checked{{end}} item" href="#" data-id="{{.ID}}" data-id-selector="#label_{{.ID}}" data-scope="{{$exclusiveScope}}"><span class="octicon-check {{if not .IsChecked}}invisible{{end}}">{{if $exclusiveScope}}{{svg "octicon-dot-fill"}}{{else}}{{svg "octicon-check"}}{{end}}</span>&nbsp;&nbsp;{{RenderLabel .}}
 						{{if .Description}}<br><small class="desc">{{.Description | RenderEmoji}}</small>{{end}}</a>
 					{{end}}
 				{{else}}
diff --git a/templates/repo/projects/view.tmpl b/templates/repo/projects/view.tmpl
index de0911e6cd..a4ada87353 100644
--- a/templates/repo/projects/view.tmpl
+++ b/templates/repo/projects/view.tmpl
@@ -245,7 +245,7 @@
 						{{if or .Labels .Assignees}}
 						<div class="extra content labels-list gt-p-0 gt-pt-2">
 							{{range .Labels}}
-								<a class="ui label" target="_blank" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}};" title="{{.Description | RenderEmojiPlain}}">{{.Name | RenderEmoji}}</a>
+								<a target="_blank" href="{{$.RepoLink}}/issues?labels={{.ID}}">{{RenderLabel .}}</a>
 							{{end}}
 							<div class="right floated">
 								{{range .Assignees}}
diff --git a/templates/shared/issuelist.tmpl b/templates/shared/issuelist.tmpl
index a246b70093..a43047c79d 100644
--- a/templates/shared/issuelist.tmpl
+++ b/templates/shared/issuelist.tmpl
@@ -42,7 +42,7 @@
 					{{end}}
 					<span class="labels-list gt-ml-2">
 						{{range .Labels}}
-							<a class="ui label" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}{{if ne $.listType "milestone"}}&milestone={{$.MilestoneID}}{{end}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}" title="{{.Description | RenderEmojiPlain}}">{{.Name | RenderEmoji}}</a>
+							<a href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}{{if ne $.listType "milestone"}}&milestone={{$.MilestoneID}}{{end}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{RenderLabel .}}</a>
 						{{end}}
 					</span>
 				</div>
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 00fc3b60c4..2a675766ab 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -15348,6 +15348,11 @@
           "type": "string",
           "x-go-name": "Description"
         },
+        "exclusive": {
+          "type": "boolean",
+          "x-go-name": "Exclusive",
+          "example": false
+        },
         "name": {
           "type": "string",
           "x-go-name": "Name"
@@ -16283,12 +16288,18 @@
       "properties": {
         "color": {
           "type": "string",
-          "x-go-name": "Color"
+          "x-go-name": "Color",
+          "example": "#00aabb"
         },
         "description": {
           "type": "string",
           "x-go-name": "Description"
         },
+        "exclusive": {
+          "type": "boolean",
+          "x-go-name": "Exclusive",
+          "example": false
+        },
         "name": {
           "type": "string",
           "x-go-name": "Name"
@@ -17615,6 +17626,11 @@
           "type": "string",
           "x-go-name": "Description"
         },
+        "exclusive": {
+          "type": "boolean",
+          "x-go-name": "Exclusive",
+          "example": false
+        },
         "id": {
           "type": "integer",
           "format": "int64",
diff --git a/tests/integration/api_issue_test.go b/tests/integration/api_issue_test.go
index 2f27978a37..4344c15ea4 100644
--- a/tests/integration/api_issue_test.go
+++ b/tests/integration/api_issue_test.go
@@ -174,7 +174,7 @@ func TestAPISearchIssues(t *testing.T) {
 	token := getUserToken(t, "user2")
 
 	// as this API was used in the frontend, it uses UI page size
-	expectedIssueCount := 15 // from the fixtures
+	expectedIssueCount := 16 // from the fixtures
 	if expectedIssueCount > setting.UI.IssuePagingNum {
 		expectedIssueCount = setting.UI.IssuePagingNum
 	}
@@ -198,7 +198,7 @@ func TestAPISearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.Len(t, apiIssues, 8)
+	assert.Len(t, apiIssues, 9)
 	query.Del("since")
 	query.Del("before")
 
@@ -214,15 +214,15 @@ func TestAPISearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.EqualValues(t, "17", resp.Header().Get("X-Total-Count"))
-	assert.Len(t, apiIssues, 17)
+	assert.EqualValues(t, "18", resp.Header().Get("X-Total-Count"))
+	assert.Len(t, apiIssues, 18)
 
 	query.Add("limit", "10")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.EqualValues(t, "17", resp.Header().Get("X-Total-Count"))
+	assert.EqualValues(t, "18", resp.Header().Get("X-Total-Count"))
 	assert.Len(t, apiIssues, 10)
 
 	query = url.Values{"assigned": {"true"}, "state": {"all"}, "token": {token}}
@@ -251,7 +251,7 @@ func TestAPISearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.Len(t, apiIssues, 6)
+	assert.Len(t, apiIssues, 7)
 
 	query = url.Values{"owner": {"user3"}, "token": {token}} // organization
 	link.RawQuery = query.Encode()
@@ -272,7 +272,7 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	// as this API was used in the frontend, it uses UI page size
-	expectedIssueCount := 15 // from the fixtures
+	expectedIssueCount := 16 // from the fixtures
 	if expectedIssueCount > setting.UI.IssuePagingNum {
 		expectedIssueCount = setting.UI.IssuePagingNum
 	}
diff --git a/tests/integration/api_nodeinfo_test.go b/tests/integration/api_nodeinfo_test.go
index 6e80ebc19c..29fff8ba72 100644
--- a/tests/integration/api_nodeinfo_test.go
+++ b/tests/integration/api_nodeinfo_test.go
@@ -34,7 +34,7 @@ func TestNodeinfo(t *testing.T) {
 		assert.True(t, nodeinfo.OpenRegistrations)
 		assert.Equal(t, "gitea", nodeinfo.Software.Name)
 		assert.Equal(t, 24, nodeinfo.Usage.Users.Total)
-		assert.Equal(t, 17, nodeinfo.Usage.LocalPosts)
+		assert.Equal(t, 18, nodeinfo.Usage.LocalPosts)
 		assert.Equal(t, 2, nodeinfo.Usage.LocalComments)
 	})
 }
diff --git a/tests/integration/issue_test.go b/tests/integration/issue_test.go
index c913a2000c..eccf3c3795 100644
--- a/tests/integration/issue_test.go
+++ b/tests/integration/issue_test.go
@@ -356,7 +356,7 @@ func TestSearchIssues(t *testing.T) {
 
 	session := loginUser(t, "user2")
 
-	expectedIssueCount := 15 // from the fixtures
+	expectedIssueCount := 16 // from the fixtures
 	if expectedIssueCount > setting.UI.IssuePagingNum {
 		expectedIssueCount = setting.UI.IssuePagingNum
 	}
@@ -377,7 +377,7 @@ func TestSearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.Len(t, apiIssues, 8)
+	assert.Len(t, apiIssues, 9)
 	query.Del("since")
 	query.Del("before")
 
@@ -393,15 +393,15 @@ func TestSearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.EqualValues(t, "17", resp.Header().Get("X-Total-Count"))
-	assert.Len(t, apiIssues, 17)
+	assert.EqualValues(t, "18", resp.Header().Get("X-Total-Count"))
+	assert.Len(t, apiIssues, 18)
 
 	query.Add("limit", "5")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.EqualValues(t, "17", resp.Header().Get("X-Total-Count"))
+	assert.EqualValues(t, "18", resp.Header().Get("X-Total-Count"))
 	assert.Len(t, apiIssues, 5)
 
 	query = url.Values{"assigned": {"true"}, "state": {"all"}}
@@ -430,7 +430,7 @@ func TestSearchIssues(t *testing.T) {
 	req = NewRequest(t, "GET", link.String())
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
-	assert.Len(t, apiIssues, 6)
+	assert.Len(t, apiIssues, 7)
 
 	query = url.Values{"owner": {"user3"}} // organization
 	link.RawQuery = query.Encode()
@@ -450,7 +450,7 @@ func TestSearchIssues(t *testing.T) {
 func TestSearchIssuesWithLabels(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	expectedIssueCount := 15 // from the fixtures
+	expectedIssueCount := 16 // from the fixtures
 	if expectedIssueCount > setting.UI.IssuePagingNum {
 		expectedIssueCount = setting.UI.IssuePagingNum
 	}
diff --git a/web_src/js/components/ContextPopup.vue b/web_src/js/components/ContextPopup.vue
index 07c73ff5cf..3244034782 100644
--- a/web_src/js/components/ContextPopup.vue
+++ b/web_src/js/components/ContextPopup.vue
@@ -26,25 +26,10 @@
 <script>
 import $ from 'jquery';
 import {SvgIcon} from '../svg.js';
+import {useLightTextOnBackground} from '../utils.js';
 
 const {appSubUrl, i18n} = window.config;
 
-// NOTE: see models/issue_label.go for similar implementation
-const srgbToLinear = (color) => {
-  color /= 255;
-  if (color <= 0.04045) {
-    return color / 12.92;
-  }
-  return ((color + 0.055) / 1.055) ** 2.4;
-};
-const luminance = (colorString) => {
-  const r = srgbToLinear(parseInt(colorString.substring(0, 2), 16));
-  const g = srgbToLinear(parseInt(colorString.substring(2, 4), 16));
-  const b = srgbToLinear(parseInt(colorString.substring(4, 6), 16));
-  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
-};
-const luminanceThreshold = 0.179;
-
 export default {
   components: {SvgIcon},
   data: () => ({
@@ -92,10 +77,10 @@ export default {
     labels() {
       return this.issue.labels.map((label) => {
         let textColor;
-        if (luminance(label.color) < luminanceThreshold) {
-          textColor = '#ffffff';
+        if (useLightTextOnBackground(label.color)) {
+          textColor = '#eeeeee';
         } else {
-          textColor = '#000000';
+          textColor = '#111111';
         }
         return {name: label.name, color: `#${label.color}`, textColor};
       });
diff --git a/web_src/js/features/common-issue.js b/web_src/js/features/common-issue.js
index 4a62089c60..f53dd5081b 100644
--- a/web_src/js/features/common-issue.js
+++ b/web_src/js/features/common-issue.js
@@ -32,7 +32,7 @@ export function initCommonIssue() {
     syncIssueSelectionState();
   });
 
-  $('.issue-action').on('click', async function () {
+  $('.issue-action').on('click', async function (e) {
     let action = this.getAttribute('data-action');
     let elementId = this.getAttribute('data-element-id');
     const url = this.getAttribute('data-url');
@@ -43,6 +43,9 @@ export function initCommonIssue() {
       elementId = '';
       action = 'clear';
     }
+    if (action === 'toggle' && e.altKey) {
+      action = 'toggle-alt';
+    }
     updateIssuesMeta(
       url,
       action,
diff --git a/web_src/js/features/comp/LabelEdit.js b/web_src/js/features/comp/LabelEdit.js
index df294078fa..313d406821 100644
--- a/web_src/js/features/comp/LabelEdit.js
+++ b/web_src/js/features/comp/LabelEdit.js
@@ -1,26 +1,64 @@
 import $ from 'jquery';
 import {initCompColorPicker} from './ColorPicker.js';
 
+function isExclusiveScopeName(name) {
+  return /.*[^/]\/[^/].*/.test(name);
+}
+
+function updateExclusiveLabelEdit(form) {
+  const nameInput = $(`${form} .label-name-input`);
+  const exclusiveField = $(`${form} .label-exclusive-input-field`);
+  const exclusiveCheckbox = $(`${form} .label-exclusive-input`);
+  const exclusiveWarning = $(`${form} .label-exclusive-warning`);
+
+  if (isExclusiveScopeName(nameInput.val())) {
+    exclusiveField.removeClass('muted');
+    if (exclusiveCheckbox.prop('checked') && exclusiveCheckbox.data('exclusive-warn')) {
+      exclusiveWarning.removeClass('gt-hidden');
+    } else {
+      exclusiveWarning.addClass('gt-hidden');
+    }
+  } else {
+    exclusiveField.addClass('muted');
+    exclusiveWarning.addClass('gt-hidden');
+  }
+}
+
 export function initCompLabelEdit(selector) {
   if (!$(selector).length) return;
-  // Create label
-  const $newLabelPanel = $('.new-label.segment');
-  $('.new-label.button').on('click', () => {
-    $newLabelPanel.show();
-  });
-  $('.new-label.segment .cancel').on('click', () => {
-    $newLabelPanel.hide();
-  });
-
   initCompColorPicker();
 
+  // Create label
+  $('.new-label.button').on('click', () => {
+    updateExclusiveLabelEdit('.new-label');
+    $('.new-label.modal').modal({
+      onApprove() {
+        $('.new-label.form').trigger('submit');
+      }
+    }).modal('show');
+    return false;
+  });
+
+  // Edit label
   $('.edit-label-button').on('click', function () {
     $('.edit-label .color-picker').minicolors('value', $(this).data('color'));
     $('#label-modal-id').val($(this).data('id'));
-    $('.edit-label .new-label-input').val($(this).data('title'));
-    $('.edit-label .new-label-desc-input').val($(this).data('description'));
+
+    const nameInput = $('.edit-label .label-name-input');
+    nameInput.val($(this).data('title'));
+
+    const exclusiveCheckbox = $('.edit-label .label-exclusive-input');
+    exclusiveCheckbox.prop('checked', this.hasAttribute('data-exclusive'));
+    // Warn when label was previously not exclusive and used in issues
+    exclusiveCheckbox.data('exclusive-warn',
+      $(this).data('num-issues') > 0 &&
+      (!this.hasAttribute('data-exclusive') || !isExclusiveScopeName(nameInput.val())));
+    updateExclusiveLabelEdit('.edit-label');
+
+    $('.edit-label .label-desc-input').val($(this).data('description'));
     $('.edit-label .color-picker').val($(this).data('color'));
     $('.edit-label .minicolors-swatch-color').css('background-color', $(this).data('color'));
+
     $('.edit-label.modal').modal({
       onApprove() {
         $('.edit-label.form').trigger('submit');
@@ -28,4 +66,17 @@ export function initCompLabelEdit(selector) {
     }).modal('show');
     return false;
   });
+
+  $('.new-label .label-name-input').on('input', () => {
+    updateExclusiveLabelEdit('.new-label');
+  });
+  $('.new-label .label-exclusive-input').on('change', () => {
+    updateExclusiveLabelEdit('.new-label');
+  });
+  $('.edit-label .label-name-input').on('input', () => {
+    updateExclusiveLabelEdit('.edit-label');
+  });
+  $('.edit-label .label-exclusive-input').on('change', () => {
+    updateExclusiveLabelEdit('.edit-label');
+  });
 }
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 07c67ba5da..2cf4963b6a 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -110,35 +110,59 @@ export function initRepoCommentForm() {
       }
 
       hasUpdateAction = $listMenu.data('action') === 'update'; // Update the var
-      if ($(this).hasClass('checked')) {
-        $(this).removeClass('checked');
-        $(this).find('.octicon-check').addClass('invisible');
-        if (hasUpdateAction) {
-          if (!($(this).data('id') in items)) {
-            items[$(this).data('id')] = {
-              'update-url': $listMenu.data('update-url'),
-              action: 'detach',
-              'issue-id': $listMenu.data('issue-id'),
-            };
-          } else {
-            delete items[$(this).data('id')];
+
+      const clickedItem = $(this);
+      const scope = $(this).attr('data-scope');
+      const canRemoveScope = e.altKey;
+
+      $(this).parent().find('.item').each(function () {
+        if (scope) {
+          // Enable only clicked item for scoped labels
+          if ($(this).attr('data-scope') !== scope) {
+            return true;
+          }
+          if ($(this).is(clickedItem)) {
+            if (!canRemoveScope && $(this).hasClass('checked')) {
+              return true;
+            }
+          } else if (!$(this).hasClass('checked')) {
+            return true;
+          }
+        } else if (!$(this).is(clickedItem)) {
+          // Toggle for other labels
+          return true;
+        }
+
+        if ($(this).hasClass('checked')) {
+          $(this).removeClass('checked');
+          $(this).find('.octicon-check').addClass('invisible');
+          if (hasUpdateAction) {
+            if (!($(this).data('id') in items)) {
+              items[$(this).data('id')] = {
+                'update-url': $listMenu.data('update-url'),
+                action: 'detach',
+                'issue-id': $listMenu.data('issue-id'),
+              };
+            } else {
+              delete items[$(this).data('id')];
+            }
+          }
+        } else {
+          $(this).addClass('checked');
+          $(this).find('.octicon-check').removeClass('invisible');
+          if (hasUpdateAction) {
+            if (!($(this).data('id') in items)) {
+              items[$(this).data('id')] = {
+                'update-url': $listMenu.data('update-url'),
+                action: 'attach',
+                'issue-id': $listMenu.data('issue-id'),
+              };
+            } else {
+              delete items[$(this).data('id')];
+            }
           }
         }
-      } else {
-        $(this).addClass('checked');
-        $(this).find('.octicon-check').removeClass('invisible');
-        if (hasUpdateAction) {
-          if (!($(this).data('id') in items)) {
-            items[$(this).data('id')] = {
-              'update-url': $listMenu.data('update-url'),
-              action: 'attach',
-              'issue-id': $listMenu.data('issue-id'),
-            };
-          } else {
-            delete items[$(this).data('id')];
-          }
-        }
-      }
+      });
 
       // TODO: Which thing should be done for choosing review requests
       // to make chosen items be shown on time here?
diff --git a/web_src/js/features/repo-projects.js b/web_src/js/features/repo-projects.js
index f6d6c89816..534f517853 100644
--- a/web_src/js/features/repo-projects.js
+++ b/web_src/js/features/repo-projects.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {useLightTextOnBackground} from '../utils.js';
 
 const {csrfToken} = window.config;
 
@@ -183,26 +184,13 @@ export function initRepoProject() {
 }
 
 function setLabelColor(label, color) {
-  const red = getRelativeColor(parseInt(color.slice(1, 3), 16));
-  const green = getRelativeColor(parseInt(color.slice(3, 5), 16));
-  const blue = getRelativeColor(parseInt(color.slice(5, 7), 16));
-  const luminance = 0.2126 * red + 0.7152 * green + 0.0722 * blue;
-
-  if (luminance > 0.179) {
-    label.removeClass('light-label').addClass('dark-label');
-  } else {
+  if (useLightTextOnBackground(color)) {
     label.removeClass('dark-label').addClass('light-label');
+  } else {
+    label.removeClass('light-label').addClass('dark-label');
   }
 }
 
-/**
- * Inspired by W3C recommendation https://www.w3.org/TR/WCAG20/#relativeluminancedef
- */
-function getRelativeColor(color) {
-  color /= 255;
-  return color <= 0.03928 ? color / 12.92 : ((color + 0.055) / 1.055) ** 2.4;
-}
-
 function rgbToHex(rgb) {
   rgb = rgb.match(/^rgba?\((\d+),\s*(\d+),\s*(\d+).*\)$/);
   return `#${hex(rgb[1])}${hex(rgb[2])}${hex(rgb[3])}`;
diff --git a/web_src/js/utils.js b/web_src/js/utils.js
index c7624404c7..b3ffbf2988 100644
--- a/web_src/js/utils.js
+++ b/web_src/js/utils.js
@@ -146,3 +146,18 @@ export function toAbsoluteUrl(url) {
   }
   return `${window.location.origin}${url}`;
 }
+
+// determine if light or dark text color should be used on a given background color
+// NOTE: see models/issue_label.go for similar implementation
+export function useLightTextOnBackground(backgroundColor) {
+  if (backgroundColor[0] === '#') {
+    backgroundColor = backgroundColor.substring(1);
+  }
+  // Perceived brightness from: https://www.w3.org/TR/AERT/#color-contrast
+  // In the future WCAG 3 APCA may be a better solution.
+  const r = parseInt(backgroundColor.substring(0, 2), 16);
+  const g = parseInt(backgroundColor.substring(2, 4), 16);
+  const b = parseInt(backgroundColor.substring(4, 6), 16);
+  const brightness = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
+  return brightness < 0.35;
+}
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index 4b65ae6812..771049ad39 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -1116,6 +1116,7 @@ a.ui.card:hover,
 
 .ui.modal > .content {
   background: var(--color-body);
+  text-align: left !important;
 }
 
 .ui.modal > .actions {
@@ -1364,6 +1365,10 @@ a.ui.card:hover,
   -webkit-text-fill-color: var(--color-black) !important;
 }
 
+.ui.form .field.muted {
+  opacity: var(--opacity-disabled);
+}
+
 .ui.loading.loading.input > i.icon svg {
   visibility: hidden;
 }
@@ -2568,8 +2573,7 @@ table th[data-sortt-desc] {
     border-top: none;
 
     a {
-      font-size: 15px;
-      padding-top: 5px;
+      font-size: 12px;
       padding-right: 10px;
       color: var(--color-text-light);
 
@@ -2581,10 +2585,6 @@ table th[data-sortt-desc] {
         margin-right: 30px;
       }
     }
-
-    .ui.label {
-      font-size: 1em;
-    }
   }
 
   .item:last-child {
diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index f7087d4d30..b2c4cdcdfb 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -92,7 +92,7 @@
   .metas {
     .menu {
       overflow-x: auto;
-      max-height: 300px;
+      max-height: 500px;
     }
 
     .ui.list {
@@ -155,12 +155,6 @@
   }
 
   .filter.menu {
-    .label.color {
-      border-radius: 3px;
-      margin-left: 15px;
-      padding: 0 8px;
-    }
-
     &.labels {
       .label-filter .menu .info {
         display: inline-block;
@@ -181,7 +175,7 @@
     }
 
     .menu {
-      max-height: 300px;
+      max-height: 500px;
       overflow-x: auto;
       right: 0 !important;
       left: auto !important;
@@ -190,7 +184,7 @@
 
   .select-label {
     .desc {
-      padding-left: 16px;
+      padding-left: 23px;
     }
   }
 
@@ -607,7 +601,7 @@
         min-width: 220px;
 
         .filter.menu {
-          max-height: 300px;
+          max-height: 500px;
           overflow-x: auto;
         }
       }
@@ -2774,7 +2768,7 @@
 }
 
 .edit-label.modal,
-.new-label.segment {
+.new-label.modal {
   .form {
     .column {
       padding-right: 0;
@@ -2786,12 +2780,9 @@
     }
 
     .color.picker.column {
-      width: auto;
-
-      .color-picker {
-        height: 35px;
-        width: auto;
-        padding-left: 30px;
+      display: flex;
+      .minicolors {
+        flex: 1;
       }
     }
 
@@ -2872,6 +2863,35 @@
   line-height: 1.3em; // there is a `font-size: 1.25em` for inside emoji, so here the line-height needs to be larger slightly
 }
 
+// Scoped labels with different colors on left and right, and slanted divider in the middle
+.scope-parent {
+  background: none !important;
+  padding: 0 !important;
+}
+
+.ui.label.scope-left {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0;
+  padding-right: 0;
+  margin-right: 0;
+}
+
+.ui.label.scope-middle {
+  width: 12px;
+  border-radius: 0;
+  padding-left: 0;
+  padding-right: 0;
+  margin-left: 0;
+  margin-right: 0;
+}
+
+.ui.label.scope-right {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0;
+  padding-left: 0;
+  margin-left: 0;
+}
+
 .repo-button-row {
   margin-bottom: 10px;
 }

From d32af84a1002ceb235c86e4ac569c866ab7816d4 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Sun, 19 Feb 2023 12:06:14 +0800
Subject: [PATCH 05/81] Refactor hiding-methods, remove jQuery show/hide,
 remove `.hide` class, remove inline style=display:none (#22950)

Close #22847

This PR:

* introduce Gitea's own `showElem` and related functions
* remove jQuery show/hide
* remove .hide class
* remove inline style=display:none

From now on:

do not use:
* "[hidden]" attribute: it's too weak, can not be applied to an element
with "display: flex"
* ".hidden" class: it has been polluted by Fomantic UI in many cases
* inline style="display: none": it's difficult to tweak
* jQuery's show/hide/toggle: it can not show/hide elements with
"display: xxx !important"

only use:
* this ".gt-hidden" class
* showElem/hideElem/toggleElem functions in "utils/dom.js"

cc: @silverwind , this is the all-in-one PR
---
 .eslintrc.yaml                                |  6 +-
 .../developers/guidelines-frontend.en-us.md   |  5 ++
 templates/admin/auth/edit.tmpl                |  6 +-
 templates/admin/auth/new.tmpl                 |  6 +-
 templates/admin/auth/source/ldap.tmpl         | 14 ++--
 templates/admin/auth/source/oauth.tmpl        |  2 +-
 templates/admin/auth/source/smtp.tmpl         |  2 +-
 templates/admin/auth/source/sspi.tmpl         |  2 +-
 templates/admin/user/edit.tmpl                |  6 +-
 templates/install.tmpl                        | 10 +--
 templates/org/settings/options.tmpl           |  4 +-
 templates/org/team/new.tmpl                   |  2 +-
 templates/repo/blame.tmpl                     |  2 +-
 templates/repo/branch_dropdown.tmpl           |  2 +-
 templates/repo/commits_list.tmpl              |  2 +-
 templates/repo/commits_list_small.tmpl        |  2 +-
 templates/repo/create.tmpl                    |  2 +-
 templates/repo/diff/box.tmpl                  |  8 +--
 templates/repo/diff/comment_form.tmpl         |  2 +-
 templates/repo/diff/comments.tmpl             |  4 +-
 templates/repo/diff/compare.tmpl              | 12 ++--
 templates/repo/diff/conversation.tmpl         |  4 +-
 templates/repo/diff/image_diff.tmpl           |  2 +-
 templates/repo/editor/edit.tmpl               |  2 +-
 templates/repo/editor/patch.tmpl              |  2 +-
 templates/repo/find/files.tmpl                |  2 +-
 templates/repo/graph.tmpl                     |  2 +-
 templates/repo/home.tmpl                      |  4 +-
 .../repo/issue/branch_selector_field.tmpl     |  2 +-
 templates/repo/issue/labels/label.tmpl        |  2 +-
 .../repo/issue/labels/labels_sidebar.tmpl     |  2 +-
 templates/repo/issue/list.tmpl                |  2 +-
 templates/repo/issue/milestone_issues.tmpl    |  2 +-
 templates/repo/issue/new_form.tmpl            |  8 +--
 templates/repo/issue/view_content.tmpl        |  8 +--
 .../repo/issue/view_content/comments.tmpl     | 12 ++--
 templates/repo/issue/view_content/pull.tmpl   |  2 +-
 .../view_content/pull_merge_instruction.tmpl  |  2 +-
 .../repo/issue/view_content/sidebar.tmpl      | 12 ++--
 templates/repo/issue/view_title.tmpl          |  8 +--
 templates/repo/migrate/migrating.tmpl         |  4 +-
 templates/repo/migrate/options.tmpl           |  4 +-
 templates/repo/settings/deploy_keys.tmpl      |  2 +-
 templates/repo/settings/githook_edit.tmpl     |  2 +-
 templates/repo/settings/lfs_file.tmpl         |  2 +-
 templates/repo/settings/webhook/history.tmpl  |  2 +-
 templates/repo/settings/webhook/settings.tmpl |  2 +-
 templates/repo/sub_menu.tmpl                  |  2 +-
 templates/repo/view_file.tmpl                 |  4 +-
 templates/repo/view_list.tmpl                 |  2 +-
 templates/repo/wiki/view.tmpl                 |  2 +-
 templates/shared/secrets/add_list.tmpl        |  2 +-
 templates/user/auth/webauthn_error.tmpl       | 18 ++---
 .../user/notification/notification_div.tmpl   |  2 +-
 templates/user/settings/keys_gpg.tmpl         |  2 +-
 templates/user/settings/keys_principal.tmpl   |  2 +-
 templates/user/settings/keys_ssh.tmpl         |  2 +-
 templates/user/settings/profile.tmpl          |  4 +-
 web_src/js/components/DiffFileTree.vue        |  6 +-
 web_src/js/features/admin/common.js           | 45 ++++++-------
 web_src/js/features/common-global.js          |  9 +--
 web_src/js/features/common-issue.js           |  5 +-
 web_src/js/features/common-organization.js    |  9 +--
 web_src/js/features/comp/WebHookEditor.js     |  7 +-
 web_src/js/features/imagediff.js              |  7 +-
 web_src/js/features/install.js                |  7 +-
 web_src/js/features/org-team.js               |  5 +-
 web_src/js/features/repo-commit.js            |  3 +-
 web_src/js/features/repo-common.js            |  7 +-
 web_src/js/features/repo-diff.js              |  8 +--
 web_src/js/features/repo-editor.js            |  5 +-
 web_src/js/features/repo-findfile.js          |  3 +-
 web_src/js/features/repo-graph.js             | 12 ++--
 web_src/js/features/repo-home.js              | 11 ++--
 web_src/js/features/repo-issue-content.js     |  4 +-
 web_src/js/features/repo-issue.js             | 35 +++++-----
 web_src/js/features/repo-legacy.js            | 41 ++++++------
 web_src/js/features/repo-migrate.js           | 25 +++----
 web_src/js/features/repo-migration.js         |  7 +-
 web_src/js/features/repo-release.js           |  3 +-
 web_src/js/features/repo-template.js          |  9 +--
 web_src/js/features/repo-unicode-escape.js    | 17 ++---
 web_src/js/features/user-auth-webauthn.js     | 11 ++--
 web_src/js/features/user-auth.js              |  5 +-
 web_src/js/features/user-settings.js          |  9 +--
 web_src/js/utils/dom.js                       | 65 +++++++++++++++++++
 web_src/less/_base.less                       |  5 --
 web_src/less/_repository.less                 | 12 ----
 web_src/less/helpers.less                     | 12 +++-
 89 files changed, 369 insertions(+), 281 deletions(-)
 create mode 100644 web_src/js/utils/dom.js

diff --git a/.eslintrc.yaml b/.eslintrc.yaml
index fdd86a4647..a73df2ee34 100644
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@@ -149,7 +149,7 @@ rules:
   jquery/no-global-eval: [2]
   jquery/no-grep: [2]
   jquery/no-has: [2]
-  jquery/no-hide: [0]
+  jquery/no-hide: [2]
   jquery/no-html: [0]
   jquery/no-in-array: [2]
   jquery/no-is-array: [2]
@@ -166,13 +166,13 @@ rules:
   jquery/no-proxy: [2]
   jquery/no-ready: [0]
   jquery/no-serialize: [2]
-  jquery/no-show: [0]
+  jquery/no-show: [2]
   jquery/no-size: [2]
   jquery/no-sizzle: [0]
   jquery/no-slide: [0]
   jquery/no-submit: [0]
   jquery/no-text: [0]
-  jquery/no-toggle: [0]
+  jquery/no-toggle: [2]
   jquery/no-trigger: [0]
   jquery/no-trim: [2]
   jquery/no-val: [0]
diff --git a/docs/content/doc/developers/guidelines-frontend.en-us.md b/docs/content/doc/developers/guidelines-frontend.en-us.md
index 337499c953..23be6c6773 100644
--- a/docs/content/doc/developers/guidelines-frontend.en-us.md
+++ b/docs/content/doc/developers/guidelines-frontend.en-us.md
@@ -93,6 +93,11 @@ However, there are still some special cases, so the current guideline is:
   * `node.dataset` should not be used, use `node.getAttribute` instead.
   * never bind any user data to a DOM node, use a suitable design pattern to describe the relation between node and data.
 
+### Show/Hide Elements
+
+* Vue components are recommended to use `v-if` and `v-show` to show/hide elements.
+* Go template code should use Gitea's `.gt-hidden` and `showElem()/hideElem()/toggleElem()`, see more details in `.gt-hidden`'s comment.
+
 ### Legacy Code
 
 A lot of legacy code already existed before this document's written. It's recommended to refactor legacy code to follow the guidelines.
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index a3c94a6cc2..36d335f323 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -45,7 +45,7 @@
 						<label for="port">{{.locale.Tr "admin.auths.port"}}</label>
 						<input id="port" name="port" value="{{$cfg.Port}}"  placeholder="e.g. 636" required>
 					</div>
-					<div class="has-tls inline field {{if not .HasTLS}}hide{{end}}">
+					<div class="has-tls inline field {{if not .HasTLS}}gt-hidden{{end}}">
 						<div class="ui checkbox">
 							<label><strong>{{.locale.Tr "admin.auths.skip_tls_verify"}}</strong></label>
 							<input name="skip_verify" type="checkbox" {{if .Source.SkipVerify}}checked{{end}}>
@@ -152,7 +152,7 @@
 								<input id="use_paged_search" name="use_paged_search" type="checkbox" {{if $cfg.UsePagedSearch}}checked{{end}}>
 							</div>
 						</div>
-						<div class="field required search-page-size{{if not $cfg.UsePagedSearch}} hide{{end}}">
+						<div class="field required search-page-size{{if not $cfg.UsePagedSearch}} gt-hidden{{end}}">
 							<label for="search_page_size">{{.locale.Tr "admin.auths.search_page_size"}}</label>
 							<input id="search_page_size" name="search_page_size" value="{{if $cfg.UsePagedSearch}}{{$cfg.SearchPageSize}}{{end}}">
 						</div>
@@ -209,7 +209,7 @@
 						</div>
 						<p class="help">{{.locale.Tr "admin.auths.force_smtps_helper"}}</p>
 					</div>
-					<div class="has-tls inline field {{if not .HasTLS}}hide{{end}}">
+					<div class="has-tls inline field {{if not .HasTLS}}gt-hidden{{end}}">
 						<div class="ui checkbox">
 							<label><strong>{{.locale.Tr "admin.auths.skip_tls_verify"}}</strong></label>
 							<input name="skip_verify" type="checkbox" {{if .Source.SkipVerify}}checked{{end}}>
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index ab84dfccaf..9078fda469 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -36,13 +36,13 @@
 				{{template "admin/auth/source/smtp" .}}
 
 				<!-- PAM -->
-				<div class="pam required field {{if not (eq .type 4)}}hide{{end}}">
+				<div class="pam required field {{if not (eq .type 4)}}gt-hidden{{end}}">
 					<label for="pam_service_name">{{.locale.Tr "admin.auths.pam_service_name"}}</label>
 					<input id="pam_service_name" name="pam_service_name" value="{{.pam_service_name}}" />
 					<label for="pam_email_domain">{{.locale.Tr "admin.auths.pam_email_domain"}}</label>
 					<input id="pam_email_domain" name="pam_email_domain" value="{{.pam_email_domain}}">
 				</div>
-				<div class="pam optional field {{if not (eq .type 4)}}hide{{end}}">
+				<div class="pam optional field {{if not (eq .type 4)}}gt-hidden{{end}}">
 					<div class="ui checkbox">
 						<label for="skip_local_two_fa"><strong>{{.locale.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
 						<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if .skip_local_two_fa}}checked{{end}}>
@@ -62,7 +62,7 @@
 						<input name="attributes_in_bind" type="checkbox" {{if .attributes_in_bind}}checked{{end}}>
 					</div>
 				</div>
-				<div class="ldap inline field {{if not (eq .type 2)}}hide{{end}}">
+				<div class="ldap inline field {{if not (eq .type 2)}}gt-hidden{{end}}">
 					<div class="ui checkbox">
 						<label><strong>{{.locale.Tr "admin.auths.syncenabled"}}</strong></label>
 						<input name="is_sync_enabled" type="checkbox" {{if .is_sync_enabled}}checked{{end}}>
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
index 8d199854ae..902cfcbcce 100644
--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -1,4 +1,4 @@
-<div class="ldap dldap field {{if not (or (eq .type 2) (eq .type 5))}}hide{{end}}">
+<div class="ldap dldap field {{if not (or (eq .type 2) (eq .type 5))}}gt-hidden{{end}}">
 	<div class="inline required field {{if .Err_SecurityProtocol}}error{{end}}">
 		<label>{{.locale.Tr "admin.auths.security_protocol"}}</label>
 		<div class="ui selection security-protocol dropdown">
@@ -20,17 +20,17 @@
 		<label for="port">{{.locale.Tr "admin.auths.port"}}</label>
 		<input id="port" name="port" value="{{.port}}"  placeholder="e.g. 636">
 	</div>
-	<div class="has-tls inline field {{if not .HasTLS}}hide{{end}}">
+	<div class="has-tls inline field {{if not .HasTLS}}gt-hidden{{end}}">
 		<div class="ui checkbox">
 			<label><strong>{{.locale.Tr "admin.auths.skip_tls_verify"}}</strong></label>
 			<input name="skip_verify" type="checkbox" {{if .skip_verify}}checked{{end}}>
 		</div>
 	</div>
-	<div class="ldap field {{if not (eq .type 2)}}hide{{end}}">
+	<div class="ldap field {{if not (eq .type 2)}}gt-hidden{{end}}">
 		<label for="bind_dn">{{.locale.Tr "admin.auths.bind_dn"}}</label>
 		<input id="bind_dn" name="bind_dn" value="{{.bind_dn}}" placeholder="e.g. cn=Search,dc=mydomain,dc=com">
 	</div>
-	<div class="ldap field {{if not (eq .type 2)}}hide{{end}}">
+	<div class="ldap field {{if not (eq .type 2)}}gt-hidden{{end}}">
 		<label for="bind_password">{{.locale.Tr "admin.auths.bind_password"}}</label>
 		<input id="bind_password" name="bind_password" type="password" autocomplete="off" value="{{.bind_password}}">
 	</div>
@@ -38,7 +38,7 @@
 		<label for="user_base">{{.locale.Tr "admin.auths.user_base"}}</label>
 		<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
 	</div>
-	<div class="dldap required field {{if not (eq .type 5)}}hide{{end}}">
+	<div class="dldap required field {{if not (eq .type 5)}}gt-hidden{{end}}">
 		<label for="user_dn">{{.locale.Tr "admin.auths.user_dn"}}</label>
 		<input id="user_dn" name="user_dn" value="{{.user_dn}}" placeholder="e.g. uid=%s,ou=Users,dc=mydomain,dc=com">
 	</div>
@@ -115,13 +115,13 @@
 	</div>
 	<!-- ldap group end -->
 
-	<div class="ldap inline field {{if not (eq .type 2)}}hide{{end}}">
+	<div class="ldap inline field {{if not (eq .type 2)}}gt-hidden{{end}}">
 		<div class="ui checkbox">
 			<label for="use_paged_search"><strong>{{.locale.Tr "admin.auths.use_paged_search"}}</strong></label>
 			<input id="use_paged_search" name="use_paged_search" class="use-paged-search" type="checkbox" {{if .use_paged_search}}checked{{end}}>
 		</div>
 	</div>
-	<div class="ldap field search-page-size required {{if or (not (eq .type 2)) (not .use_paged_search)}}hide{{end}}">
+	<div class="ldap field search-page-size required {{if or (not (eq .type 2)) (not .use_paged_search)}}gt-hidden{{end}}">
 		<label for="search_page_size">{{.locale.Tr "admin.auths.search_page_size"}}</label>
 		<input id="search_page_size" name="search_page_size" value="{{.search_page_size}}">
 	</div>
diff --git a/templates/admin/auth/source/oauth.tmpl b/templates/admin/auth/source/oauth.tmpl
index 85c77343a5..b7ee00822f 100644
--- a/templates/admin/auth/source/oauth.tmpl
+++ b/templates/admin/auth/source/oauth.tmpl
@@ -1,4 +1,4 @@
-<div class="oauth2 field {{if not (eq .type 6)}}hide{{end}}">
+<div class="oauth2 field {{if not (eq .type 6)}}gt-hidden{{end}}">
 	<div class="inline required field">
 		<label>{{.locale.Tr "admin.auths.oauth2_provider"}}</label>
 		<div class="ui selection type dropdown">
diff --git a/templates/admin/auth/source/smtp.tmpl b/templates/admin/auth/source/smtp.tmpl
index 2d577412c1..e83f7afb69 100644
--- a/templates/admin/auth/source/smtp.tmpl
+++ b/templates/admin/auth/source/smtp.tmpl
@@ -1,4 +1,4 @@
-<div class="smtp field {{if not (eq .type 3)}}hide{{end}}">
+<div class="smtp field {{if not (eq .type 3)}}gt-hidden{{end}}">
 	<div class="inline required field">
 		<label>{{.locale.Tr "admin.auths.smtp_auth"}}</label>
 		<div class="ui selection type dropdown">
diff --git a/templates/admin/auth/source/sspi.tmpl b/templates/admin/auth/source/sspi.tmpl
index dee40d9fd5..9608616e1b 100644
--- a/templates/admin/auth/source/sspi.tmpl
+++ b/templates/admin/auth/source/sspi.tmpl
@@ -1,4 +1,4 @@
-<div class="sspi field {{if not (eq .type 7)}}hide{{end}}">
+<div class="sspi field {{if not (eq .type 7)}}gt-hidden{{end}}">
 	<div class="field">
 		<div class="ui checkbox">
 			<label for="sspi_auto_create_users"><strong>{{.locale.Tr "admin.auths.sspi_auto_create_users"}}</strong></label>
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 6191efcd5e..7d31eb4d2b 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -56,7 +56,7 @@
 					</div>
 				</div>
 
-				<div class="required non-local field {{if .Err_LoginName}}error{{end}} {{if eq .User.LoginSource 0}}hide{{end}}">
+				<div class="required non-local field {{if .Err_LoginName}}error{{end}} {{if eq .User.LoginSource 0}}gt-hidden{{end}}">
 					<label for="login_name">{{.locale.Tr "admin.users.auth_login_name"}}</label>
 					<input id="login_name" name="login_name" value="{{.User.LoginName}}" autofocus>
 				</div>
@@ -68,7 +68,7 @@
 					<label for="email">{{.locale.Tr "email"}}</label>
 					<input id="email" name="email" type="email" value="{{.User.Email}}" autofocus required>
 				</div>
-				<div class="local field {{if .Err_Password}}error{{end}} {{if not (or (.User.IsLocal) (.User.IsOAuth2))}}hide{{end}}">
+				<div class="local field {{if .Err_Password}}error{{end}} {{if not (or (.User.IsLocal) (.User.IsOAuth2))}}gt-hidden{{end}}">
 					<label for="password">{{.locale.Tr "password"}}</label>
 					<input id="password" name="password" type="password" autocomplete="new-password">
 					<p class="help">{{.locale.Tr "admin.users.password_helper"}}</p>
@@ -116,7 +116,7 @@
 						<input name="restricted" type="checkbox" {{if .User.IsRestricted}}checked{{end}}>
 					</div>
 				</div>
-				<div class="inline field"{{if DisableGitHooks}} hidden{{end}}>
+				<div class="inline field {{if DisableGitHooks}}gt-hidden{{end}}">
 					<div class="ui checkbox tooltip" data-content="{{.locale.Tr "admin.users.allow_git_hook_tooltip"}}">
 						<label><strong>{{.locale.Tr "admin.users.allow_git_hook"}}</strong></label>
 						<input name="allow_git_hook" type="checkbox" {{if .User.CanEditGitHook}}checked{{end}} {{if DisableGitHooks}}disabled{{end}}>
diff --git a/templates/install.tmpl b/templates/install.tmpl
index cfcb7bb374..2e10b006b2 100644
--- a/templates/install.tmpl
+++ b/templates/install.tmpl
@@ -28,7 +28,7 @@
 						</div>
 					</div>
 
-					<div class="hide" data-db-setting-for="common-host">
+					<div class="gt-hidden" data-db-setting-for="common-host">
 						<div class="inline required field {{if .Err_DbSetting}}error{{end}}">
 							<label for="db_host">{{.locale.Tr "install.host"}}</label>
 							<input id="db_host" name="db_host" value="{{.db_host}}">
@@ -48,7 +48,7 @@
 						</div>
 					</div>
 
-					<div class="hide" data-db-setting-for="postgres">
+					<div class="gt-hidden" data-db-setting-for="postgres">
 						<div class="inline required field">
 							<label>{{.locale.Tr "install.ssl_mode"}}</label>
 							<div class="ui selection database type dropdown">
@@ -69,7 +69,7 @@
 						</div>
 					</div>
 
-					<div class="hide" data-db-setting-for="mysql">
+					<div class="gt-hidden" data-db-setting-for="mysql">
 						<div class="inline required field">
 							<label>{{.locale.Tr "install.charset"}}</label>
 							<div class="ui selection database type dropdown">
@@ -83,7 +83,7 @@
 						</div>
 					</div>
 
-					<div class="hide" data-db-setting-for="sqlite3">
+					<div class="gt-hidden" data-db-setting-for="sqlite3">
 						<div class="inline required field {{if or .Err_DbPath .Err_DbSetting}}error{{end}}">
 							<label for="db_path">{{.locale.Tr "install.path"}}</label>
 							<input id="db_path" name="db_path" value="{{.db_path}}">
@@ -346,5 +346,5 @@
 		</div>
 	</div>
 </div>
-<img style="display: none" src="{{AssetUrlPrefix}}/img/loading.png"/>
+<img class="gt-hidden" src="{{AssetUrlPrefix}}/img/loading.png"/>
 {{template "base/footer" .}}
diff --git a/templates/org/settings/options.tmpl b/templates/org/settings/options.tmpl
index 1f4a75ab1b..c1623db4d7 100644
--- a/templates/org/settings/options.tmpl
+++ b/templates/org/settings/options.tmpl
@@ -14,8 +14,8 @@
 						{{.CsrfTokenHtml}}
 						<div class="required field {{if .Err_Name}}error{{end}}">
 							<label for="org_name">{{.locale.Tr "org.org_name_holder"}}
-								<span class="text red hide" id="org-name-change-prompt"> {{.locale.Tr "org.settings.change_orgname_prompt"}}</span>
-								<span class="text red hide" id="org-name-change-redirect-prompt"> {{.locale.Tr "org.settings.change_orgname_redirect_prompt"}}</span>
+								<span class="text red gt-hidden" id="org-name-change-prompt"> {{.locale.Tr "org.settings.change_orgname_prompt"}}</span>
+								<span class="text red gt-hidden" id="org-name-change-redirect-prompt"> {{.locale.Tr "org.settings.change_orgname_redirect_prompt"}}</span>
 							</label>
 							<input id="org_name" name="name" value="{{.Org.Name}}" data-org-name="{{.Org.Name}}" autofocus required>
 						</div>
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 719ca4397d..a9fed40c5e 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -71,7 +71,7 @@
 							</div>
 							<div class="ui divider"></div>
 
-							<div class="team-units required grouped field"{{if eq .Team.AccessMode 3}} style="display: none"{{end}}>
+							<div class="team-units required grouped field {{if eq .Team.AccessMode 3}}gt-hidden{{end}}">
 								<label>{{.locale.Tr "org.team_unit_desc"}}</label>
 								<table class="ui celled table">
 									<thead>
diff --git a/templates/repo/blame.tmpl b/templates/repo/blame.tmpl
index 56198df07f..70f47aeb9c 100644
--- a/templates/repo/blame.tmpl
+++ b/templates/repo/blame.tmpl
@@ -12,7 +12,7 @@
 				<a class="ui tiny button" href="{{.RepoLink}}/src/{{.BranchNameSubURL}}/{{.TreePath | PathEscapeSegments}}">{{.locale.Tr "repo.normal_view"}}</a>
 				<a class="ui tiny button" href="{{.RepoLink}}/commits/{{.BranchNameSubURL}}/{{.TreePath | PathEscapeSegments}}">{{.locale.Tr "repo.file_history"}}</a>
 				<a class="ui tiny button unescape-button">{{.locale.Tr "repo.unescape_control_characters"}}</a>
-				<a class="ui tiny button escape-button" style="display: none;">{{.locale.Tr "repo.escape_control_characters"}}</a>
+				<a class="ui tiny button escape-button gt-hidden">{{.locale.Tr "repo.escape_control_characters"}}</a>
 			</div>
 		</div>
 	</h4>
diff --git a/templates/repo/branch_dropdown.tmpl b/templates/repo/branch_dropdown.tmpl
index e07021bd20..89d65146a9 100644
--- a/templates/repo/branch_dropdown.tmpl
+++ b/templates/repo/branch_dropdown.tmpl
@@ -27,7 +27,7 @@
 			</span>
 			{{svg "octicon-triangle-down" 14 "dropdown icon"}}
 		</button>
-		<div class="data" style="display: none" data-mode="{{if or .root.IsViewTag .isTag}}tags{{else}}branches{{end}}">
+		<div class="data gt-hidden" data-mode="{{if or .root.IsViewTag .isTag}}tags{{else}}branches{{end}}">
 			{{if $showBranchesInDropdown}}
 				{{range .root.Branches}}
 					<div class="item branch {{if eq $defaultBranch .}}selected{{end}}" data-url="{{PathEscapeSegments .}}">{{.}}</div>
diff --git a/templates/repo/commits_list.tmpl b/templates/repo/commits_list.tmpl
index 4341a428b7..eaf86ab4e1 100644
--- a/templates/repo/commits_list.tmpl
+++ b/templates/repo/commits_list.tmpl
@@ -72,7 +72,7 @@
 							{{end}}
 							{{template "repo/commit_statuses" dict "Status" .Status "Statuses" .Statuses "root" $}}
 							{{if IsMultilineCommitMessage .Message}}
-							<pre class="commit-body" style="display: none;">{{RenderCommitBody $.Context .Message $commitRepoLink $.Repository.ComposeMetas}}</pre>
+							<pre class="commit-body gt-hidden">{{RenderCommitBody $.Context .Message $commitRepoLink $.Repository.ComposeMetas}}</pre>
 							{{end}}
 						</td>
 						{{if .Committer}}
diff --git a/templates/repo/commits_list_small.tmpl b/templates/repo/commits_list_small.tmpl
index 49457b47fc..7c34a8f09e 100644
--- a/templates/repo/commits_list_small.tmpl
+++ b/templates/repo/commits_list_small.tmpl
@@ -52,7 +52,7 @@
 			<button class="ui button ellipsis-button" aria-expanded="false">...</button>
 		{{end}}
 		{{if IsMultilineCommitMessage .Message}}
-			<pre class="commit-body" style="display: none;">{{RenderCommitBody $.root.Context .Message ($.comment.Issue.PullRequest.BaseRepo.Link|Escape) $.comment.Issue.PullRequest.BaseRepo.ComposeMetas}}</pre>
+			<pre class="commit-body gt-hidden">{{RenderCommitBody $.root.Context .Message ($.comment.Issue.PullRequest.BaseRepo.Link|Escape) $.comment.Issue.PullRequest.BaseRepo.ComposeMetas}}</pre>
 		{{end}}
 	</div>
 {{end}}
diff --git a/templates/repo/create.tmpl b/templates/repo/create.tmpl
index 1f8e1f59df..3887706c27 100644
--- a/templates/repo/create.tmpl
+++ b/templates/repo/create.tmpl
@@ -73,7 +73,7 @@
 						</div>
 					</div>
 
-					<div id="template_units" style="display: none;">
+					<div id="template_units" class="gt-hidden">
 						<div class="inline field">
 							<label>{{.locale.Tr "repo.template.items"}}</label>
 							<div class="ui checkbox">
diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index 319fdb58f8..62cc069555 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -67,7 +67,7 @@
 				</script>
 		<div id="diff-file-list"></div>
 		<div id="diff-container">
-				<div id="diff-file-tree" class="hide"></div>
+				<div id="diff-file-tree" class="gt-hidden"></div>
 				<div id="diff-file-boxes" class="sixteen wide column">
 					{{range $i, $file := .Diff.Files}}
 						{{/*notice: the index of Diff.Files should not be used for element ID, because the index will be restarted from 0 when doing load-more for PRs with a lot of files*/}}
@@ -116,7 +116,7 @@
 									{{end}}
 									{{if not (or $file.IsIncomplete $file.IsBin $file.IsSubmodule)}}
 										<a class="ui basic tiny button unescape-button">{{$.locale.Tr "repo.unescape_control_characters"}}</a>
-										<a class="ui basic tiny button escape-button" style="display: none;">{{$.locale.Tr "repo.escape_control_characters"}}</a>
+										<a class="ui basic tiny button escape-button gt-hidden">{{$.locale.Tr "repo.escape_control_characters"}}</a>
 									{{end}}
 									{{if and (not $file.IsSubmodule) (not $.PageIsWiki)}}
 										{{if $file.IsDeleted}}
@@ -136,7 +136,7 @@
 								</div>
 							</h4>
 							<div class="diff-file-body ui attached unstackable table segment" {{if $file.IsViewed}}data-folded="true"{{end}}>
-								<div id="diff-source-{{$file.NameHash}}" class="file-body file-code unicode-escaped code-diff{{if $.IsSplitStyle}} code-diff-split{{else}} code-diff-unified{{end}}{{if $showFileViewToggle}} hide{{end}}">
+								<div id="diff-source-{{$file.NameHash}}" class="file-body file-code unicode-escaped code-diff{{if $.IsSplitStyle}} code-diff-split{{else}} code-diff-unified{{end}}{{if $showFileViewToggle}} gt-hidden{{end}}">
 									{{if or $file.IsIncomplete $file.IsBin}}
 										<div class="diff-file-body binary" style="padding: 5px 10px;">
 											{{if $file.IsIncomplete}}
@@ -187,7 +187,7 @@
 		</div>
 
 		{{if not $.Repository.IsArchived}}
-			<div class="hide" id="edit-content-form">
+			<div class="gt-hidden" id="edit-content-form">
 				<div class="ui comment form">
 					<div class="ui top attached tabular menu">
 						<a class="active write item">{{$.locale.Tr "write"}}</a>
diff --git a/templates/repo/diff/comment_form.tmpl b/templates/repo/diff/comment_form.tmpl
index 2ce0612e63..407f84e5c9 100644
--- a/templates/repo/diff/comment_form.tmpl
+++ b/templates/repo/diff/comment_form.tmpl
@@ -1,5 +1,5 @@
 {{if and $.root.SignedUserID (not $.Repository.IsArchived)}}
-	<form class="ui form {{if $.hidden}}hide comment-form comment-form-reply{{end}}" action="{{$.root.Issue.Link}}/files/reviews/comments" method="post">
+	<form class="ui form {{if $.hidden}}gt-hidden comment-form comment-form-reply{{end}}" action="{{$.root.Issue.Link}}/files/reviews/comments" method="post">
 	{{$.root.CsrfTokenHtml}}
 		<input type="hidden" name="origin" value="{{if $.root.PageIsPullFiles}}diff{{else}}timeline{{end}}">
 		<input type="hidden" name="latest_commit_id" value="{{$.root.AfterCommitID}}"/>
diff --git a/templates/repo/diff/comments.tmpl b/templates/repo/diff/comments.tmpl
index ebed33bf21..a6f191728c 100644
--- a/templates/repo/diff/comments.tmpl
+++ b/templates/repo/diff/comments.tmpl
@@ -54,8 +54,8 @@
 				<span class="no-content">{{$.root.locale.Tr "repo.issues.no_content"}}</span>
 			{{end}}
 			</div>
-			<div id="issuecomment-{{.ID}}-raw" class="raw-content hide">{{.Content}}</div>
-			<div class="edit-content-zone hide" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.root.RepoLink}}/comments/{{.ID}}" data-context="{{$.root.RepoLink}}"></div>
+			<div id="issuecomment-{{.ID}}-raw" class="raw-content gt-hidden">{{.Content}}</div>
+			<div class="edit-content-zone gt-hidden" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.root.RepoLink}}/comments/{{.ID}}" data-context="{{$.root.RepoLink}}"></div>
 		</div>
 		{{$reactions := .Reactions.GroupByType}}
 		{{if $reactions}}
diff --git a/templates/repo/diff/compare.tmpl b/templates/repo/diff/compare.tmpl
index 16749bacbf..c7538a7969 100644
--- a/templates/repo/diff/compare.tmpl
+++ b/templates/repo/diff/compare.tmpl
@@ -88,7 +88,7 @@
 						{{end}}
 					{{end}}
 				</div>
-				<div class="scrolling menu reference-list-menu base-tag-list" style="display: none">
+				<div class="scrolling menu reference-list-menu base-tag-list gt-hidden">
 					{{range .Tags}}
 						<div class="item {{if eq $.BaseBranch .}}selected{{end}}" data-url="{{$.RepoLink}}/compare/{{PathEscapeSegments .}}{{$.CompareSeparator}}{{if not $.PullRequestCtx.SameRepo}}{{PathEscape $.HeadUser.Name}}/{{PathEscape $.HeadRepo.Name}}:{{end}}{{PathEscapeSegments $.HeadBranch}}">{{$BaseCompareName}}:{{.}}</div>
 					{{end}}
@@ -157,7 +157,7 @@
 						{{end}}
 					{{end}}
 				</div>
-				<div class="scrolling menu reference-list-menu head-tag-list" style="display: none">
+				<div class="scrolling menu reference-list-menu head-tag-list gt-hidden">
 					{{range .HeadTags}}
 						<div class="{{if eq $.HeadBranch .}}selected{{end}} item" data-url="{{$.RepoLink}}/compare/{{PathEscapeSegments $.BaseBranch}}{{$.CompareSeparator}}{{if not $.PullRequestCtx.SameRepo}}{{PathEscape $.HeadUser.Name}}/{{PathEscape $.HeadRepo.Name}}:{{end}}{{PathEscapeSegments .}}">{{$HeadCompareName}}:{{.}}</div>
 					{{end}}
@@ -184,10 +184,10 @@
 	{{if .IsNothingToCompare}}
 		{{if and $.IsSigned $.AllowEmptyPr (not .Repository.IsArchived)}}
 			<div class="ui segment">{{.locale.Tr "repo.pulls.nothing_to_compare_and_allow_empty_pr"}}</div>
-			<div class="ui info message show-form-container" {{if .Flash}}style="display: none"{{end}}>
+			<div class="ui info message show-form-container {{if .Flash}}gt-hidden{{end}}">
 				<button class="ui button green show-form">{{.locale.Tr "repo.pulls.new"}}</button>
 			</div>
-			<div class="pullrequest-form" {{if not .Flash}}style="display: none"{{end}}>
+			<div class="pullrequest-form {{if not .Flash}}gt-hidden{{end}}">
 				{{template "repo/issue/new_form" .}}
 			</div>
 		{{else}}
@@ -214,7 +214,7 @@
 			</div>
 		{{else}}
 			{{if and $.IsSigned (not .Repository.IsArchived)}}
-				<div class="ui info message show-form-container" {{if .Flash}}style="display: none"{{end}}>
+				<div class="ui info message show-form-container {{if .Flash}}gt-hidden{{end}}">
 					<button class="ui button green show-form">{{.locale.Tr "repo.pulls.new"}}</button>
 				</div>
 			{{else if .Repository.IsArchived}}
@@ -223,7 +223,7 @@
 				</div>
 			{{end}}
 			{{if $.IsSigned}}
-				<div class="pullrequest-form" {{if not .Flash}}style="display: none"{{end}}>
+				<div class="pullrequest-form {{if not .Flash}}gt-hidden{{end}}">
 					{{template "repo/issue/new_form" .}}
 				</div>
 			{{end}}
diff --git a/templates/repo/diff/conversation.tmpl b/templates/repo/diff/conversation.tmpl
index b6d577ee5a..999197f94a 100644
--- a/templates/repo/diff/conversation.tmpl
+++ b/templates/repo/diff/conversation.tmpl
@@ -13,14 +13,14 @@
 					{{svg "octicon-unfold" 16 "gt-mr-3"}}
 					{{$.locale.Tr "repo.issues.review.show_resolved"}}
 				</button>
-				<button id="hide-outdated-{{(index .comments 0).ID}}" data-comment="{{(index .comments 0).ID}}" class="hide ui tiny right labeled button hide-outdated gt-df gt-ac">
+				<button id="hide-outdated-{{(index .comments 0).ID}}" data-comment="{{(index .comments 0).ID}}" class="ui tiny right labeled button hide-outdated gt-df gt-ac gt-hidden">
 					{{svg "octicon-fold" 16 "gt-mr-3"}}
 					{{$.locale.Tr "repo.issues.review.hide_resolved"}}
 				</button>
 			</div>
 		</div>
 	{{end}}
-	<div id="code-comments-{{(index  .comments 0).ID}}" class="field comment-code-cloud {{if $resolved}}hide{{end}}">
+	<div id="code-comments-{{(index  .comments 0).ID}}" class="field comment-code-cloud {{if $resolved}}gt-hidden{{end}}">
 		<div class="comment-list">
 			<ui class="ui comments">
 				{{template "repo/diff/comments" dict "root" $ "comments" .comments}}
diff --git a/templates/repo/diff/image_diff.tmpl b/templates/repo/diff/image_diff.tmpl
index d068a12d13..2d4a731758 100644
--- a/templates/repo/diff/image_diff.tmpl
+++ b/templates/repo/diff/image_diff.tmpl
@@ -11,7 +11,7 @@
 					{{end}}
 				</div>
 			</div>
-			<div class="hide">
+			<div class="gt-hidden">
 				<div class="ui bottom attached tab image-diff-container active" data-tab="diff-side-by-side-{{.file.Index}}">
 					<div class="diff-side-by-side">
 						{{if .blobBase}}
diff --git a/templates/repo/editor/edit.tmpl b/templates/repo/editor/edit.tmpl
index c4a48af9f5..992ccee8e4 100644
--- a/templates/repo/editor/edit.tmpl
+++ b/templates/repo/editor/edit.tmpl
@@ -36,7 +36,7 @@
 					{{end}}
 				</div>
 				<div class="ui bottom attached active tab segment" data-tab="write">
-					<textarea id="edit_area" name="content" class="hide" data-id="repo-{{.Repository.Name}}-{{.TreePath}}"
+					<textarea id="edit_area" name="content" class="gt-hidden" data-id="repo-{{.Repository.Name}}-{{.TreePath}}"
 						data-url="{{.Repository.Link}}/markdown"
 						data-context="{{.RepoLink}}"
 						data-markdown-file-exts="{{.MarkdownFileExts}}"
diff --git a/templates/repo/editor/patch.tmpl b/templates/repo/editor/patch.tmpl
index a271ab597b..bbd5c2dbde 100644
--- a/templates/repo/editor/patch.tmpl
+++ b/templates/repo/editor/patch.tmpl
@@ -25,7 +25,7 @@
 					<a class="active item" data-tab="write">{{svg "octicon-code" 16 "gt-mr-2"}}{{.locale.Tr "repo.editor.new_patch"}}</a>
 				</div>
 				<div class="ui bottom attached active tab segment" data-tab="write">
-					<textarea id="edit_area" name="content" class="hide" data-id="repo-{{.Repository.Name}}-patch"
+					<textarea id="edit_area" name="content" class="gt-hidden" data-id="repo-{{.Repository.Name}}-patch"
 						data-context="{{.RepoLink}}"
 						data-line-wrap-extensions="{{.LineWrapExtensions}}">
 {{.FileContent}}</textarea>
diff --git a/templates/repo/find/files.tmpl b/templates/repo/find/files.tmpl
index 5ad7fa1915..dab46cf362 100644
--- a/templates/repo/find/files.tmpl
+++ b/templates/repo/find/files.tmpl
@@ -13,7 +13,7 @@
 			<tbody>
 			</tbody>
 		</table>
-		<div id="repo-find-file-no-result" class="ui row center gt-mt-5" hidden>
+		<div id="repo-find-file-no-result" class="ui row center gt-mt-5 gt-hidden">
 			<h3>{{.locale.Tr "repo.find_file.no_matching"}}</h3>
 		</div>
 	</div>
diff --git a/templates/repo/graph.tmpl b/templates/repo/graph.tmpl
index 26f3823668..181aba4972 100644
--- a/templates/repo/graph.tmpl
+++ b/templates/repo/graph.tmpl
@@ -51,7 +51,7 @@
 				</div>
 			</h2>
 			<div class="ui dividing"></div>
-			<div class="ui segment loading hide" id="loading-indicator"></div>
+			<div class="ui segment loading gt-hidden" id="loading-indicator"></div>
 			{{template "repo/graph/svgcontainer" .}}
 			{{template "repo/graph/commits" .}}
 		</div>
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index fb33441d54..075b859a04 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -34,7 +34,7 @@
 		</div>
 		{{end}}
 		{{if and .Permission.IsAdmin (not .Repository.IsArchived)}}
-		<div class="ui repo-topic-edit grid form" id="topic_edit" style="display:none">
+		<div class="ui repo-topic-edit grid form gt-hidden" id="topic_edit">
 			<div class="fourteen wide column">
 				<div class="field">
 					<div class="ui fluid multiple search selection dropdown">
@@ -52,7 +52,7 @@
 			</div>
 		</div>
 		{{end}}
-		<div class="hide" id="validate_prompt">
+		<div class="gt-hidden" id="validate_prompt">
 			<span id="count_prompt">{{.locale.Tr "repo.topic.count_prompt"}}</span>
 			<span id="format_prompt">{{.locale.Tr "repo.topic.format_prompt"}}</span>
 		</div>
diff --git a/templates/repo/issue/branch_selector_field.tmpl b/templates/repo/issue/branch_selector_field.tmpl
index 0d87b0687c..51eb5e26a0 100644
--- a/templates/repo/issue/branch_selector_field.tmpl
+++ b/templates/repo/issue/branch_selector_field.tmpl
@@ -39,7 +39,7 @@
 				<div class="item" data-id="refs/heads/{{.}}" data-name="{{.}}" data-id-selector="#ref_selector">{{.}}</div>
 			{{end}}
 		</div>
-		<div id="tag-list" class="scrolling menu reference-list-menu {{if not .Issue}}new-issue{{end}}" style="display: none">
+		<div id="tag-list" class="scrolling menu reference-list-menu {{if not .Issue}}new-issue{{end}} gt-hidden">
 			{{if .Reference}}
 				<div class="item text small" data-id="" data-id-selector="#ref_selector"><strong><a href="#">{{.locale.Tr "repo.clear_ref"}}</a></strong></div>
 			{{end}}
diff --git a/templates/repo/issue/labels/label.tmpl b/templates/repo/issue/labels/label.tmpl
index 87d8f0c41c..6e9177aec2 100644
--- a/templates/repo/issue/labels/label.tmpl
+++ b/templates/repo/issue/labels/label.tmpl
@@ -1,5 +1,5 @@
 <a
-	class="item {{if not .label.IsChecked}}hide{{end}}"
+	class="item {{if not .label.IsChecked}}gt-hidden{{end}}"
 	id="label_{{.label.ID}}"
 	href="{{.root.RepoLink}}/{{if or .root.IsPull .root.Issue.IsPull}}pulls{{else}}issues{{end}}?labels={{.label.ID}}"{{/* FIXME: use .root.Issue.Link or create .root.Link */}}
 >
diff --git a/templates/repo/issue/labels/labels_sidebar.tmpl b/templates/repo/issue/labels/labels_sidebar.tmpl
index e2ef38d625..bd878d6f5c 100644
--- a/templates/repo/issue/labels/labels_sidebar.tmpl
+++ b/templates/repo/issue/labels/labels_sidebar.tmpl
@@ -1,5 +1,5 @@
 <div class="ui labels list">
-	<span class="no-select item {{if .ctx.HasSelectedLabel}}hide{{end}}">{{.ctx.locale.Tr "repo.issues.new.no_label"}}</span>
+	<span class="no-select item {{if .ctx.HasSelectedLabel}}gt-hidden{{end}}">{{.ctx.locale.Tr "repo.issues.new.no_label"}}</span>
 	<span class="labels-list">
 		{{range .ctx.Labels}}
 			{{template "repo/issue/labels/label" dict "root" $.root "label" .}}
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl
index 0e4969a706..2b1bea822f 100644
--- a/templates/repo/issue/list.tmpl
+++ b/templates/repo/issue/list.tmpl
@@ -199,7 +199,7 @@
 				</div>
 			</div>
 		</div>
-		<div id="issue-actions" class="ui stackable grid hide">
+		<div id="issue-actions" class="ui stackable grid gt-hidden">
 			<div class="six wide column">
 				{{template "repo/issue/openclose" .}}
 			</div>
diff --git a/templates/repo/issue/milestone_issues.tmpl b/templates/repo/issue/milestone_issues.tmpl
index 57012bddb6..fca9597446 100644
--- a/templates/repo/issue/milestone_issues.tmpl
+++ b/templates/repo/issue/milestone_issues.tmpl
@@ -135,7 +135,7 @@
 				</div>
 			</div>
 		</div>
-		<div id="issue-actions" class="ui stackable grid hide">
+		<div id="issue-actions" class="ui stackable grid gt-hidden">
 			<div class="six wide column">
 				{{template "repo/issue/openclose" .}}
 			</div>
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
index 2a6fcaa995..8346d07a13 100644
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@@ -134,7 +134,7 @@
 				</div>
 			</div>
 			<div class="ui select-milestone list">
-				<span class="no-select item {{if .Milestone}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_milestone"}}</span>
+				<span class="no-select item {{if .Milestone}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_milestone"}}</span>
 				<div class="selected">
 					{{if .Milestone}}
 						<a class="item muted sidebar-item-link" href="{{.RepoLink}}/issues?milestone={{.Milestone.ID}}">
@@ -198,7 +198,7 @@
 				</div>
 			</div>
 			<div class="ui select-project list">
-				<span class="no-select item {{if .Project}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_projects"}}</span>
+				<span class="no-select item {{if .Project}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_projects"}}</span>
 				<div class="selected">
 					{{if .Project}}
 						<a class="item muted sidebar-item-link" href="{{.RepoLink}}/projects/{{.Project.ID}}">
@@ -236,11 +236,11 @@
 					</div>
 				</div>
 				<div class="ui assignees list">
-					<span class="no-select item {{if .HasSelectedLabel}}hide{{end}}">
+					<span class="no-select item {{if .HasSelectedLabel}}gt-hidden{{end}}">
 						{{.locale.Tr "repo.issues.new.no_assignees"}}
 					</span>
 					{{range .Assignees}}
-						<a class="hide item gt-p-2 muted" id="assignee_{{.ID}}" href="{{$.RepoLink}}/issues?assignee={{.ID}}">
+						<a class="item gt-p-2 muted gt-hidden" id="assignee_{{.ID}}" href="{{$.RepoLink}}/issues?assignee={{.ID}}">
 							{{avatar $.Context . 28 "gt-mr-3 gt-vm"}}{{.GetDisplayName}}
 						</a>
 					{{end}}
diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl
index ab419472ed..887dd2c42d 100644
--- a/templates/repo/issue/view_content.tmpl
+++ b/templates/repo/issue/view_content.tmpl
@@ -77,8 +77,8 @@
 								<span class="no-content">{{.locale.Tr "repo.issues.no_content"}}</span>
 							{{end}}
 						</div>
-						<div id="issue-{{.Issue.ID}}-raw" class="raw-content hide">{{.Issue.Content}}</div>
-						<div class="edit-content-zone hide" data-write="issue-{{.Issue.ID}}-write" data-preview="issue-{{.Issue.ID}}-preview" data-update-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/content" data-context="{{.RepoLink}}" data-attachment-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/attachments" data-view-attachment-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/view-attachments"></div>
+						<div id="issue-{{.Issue.ID}}-raw" class="raw-content gt-hidden">{{.Issue.Content}}</div>
+						<div class="edit-content-zone gt-hidden" data-write="issue-{{.Issue.ID}}-write" data-preview="issue-{{.Issue.ID}}-preview" data-update-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/content" data-context="{{.RepoLink}}" data-attachment-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/attachments" data-view-attachment-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/view-attachments"></div>
 						{{if .Issue.Attachments}}
 							{{template "repo/issue/view_content/attachments" Dict "ctx" $ "Attachments" .Issue.Attachments "Content" .Issue.RenderedContent}}
 						{{end}}
@@ -194,7 +194,7 @@
 	{{template "repo/issue/view_content/sidebar" .}}
 </div>
 
-<div class="hide" id="edit-content-form">
+<div class="gt-hidden" id="edit-content-form">
 	<div class="ui comment form">
 		<div class="ui top tabular menu">
 			<a class="active write item">{{$.locale.Tr "write"}}</a>
@@ -224,7 +224,7 @@
 
 {{template "repo/issue/view_content/reference_issue_dialog" .}}
 
-<div class="hide" id="no-content">
+<div class="gt-hidden" id="no-content">
 	<span class="no-content">{{.locale.Tr "repo.issues.no_content"}}</span>
 </div>
 
diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index 5bd5c8b48e..b81c3c7f03 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -77,8 +77,8 @@
 								<span class="no-content">{{$.locale.Tr "repo.issues.no_content"}}</span>
 							{{end}}
 						</div>
-						<div id="issuecomment-{{.ID}}-raw" class="raw-content hide">{{.Content}}</div>
-						<div class="edit-content-zone hide" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
+						<div id="issuecomment-{{.ID}}-raw" class="raw-content gt-hidden">{{.Content}}</div>
+						<div class="edit-content-zone gt-hidden" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
 						{{if .Attachments}}
 							{{template "repo/issue/view_content/attachments" Dict "ctx" $ "Attachments" .Attachments "Content" .RenderedContent}}
 						{{end}}
@@ -449,8 +449,8 @@
 									<span class="no-content">{{$.locale.Tr "repo.issues.no_content"}}</span>
 								{{end}}
 							</div>
-							<div id="issuecomment-{{.ID}}-raw" class="raw-content hide">{{.Content}}</div>
-							<div class="edit-content-zone hide" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
+							<div id="issuecomment-{{.ID}}-raw" class="raw-content gt-hidden">{{.Content}}</div>
+							<div class="edit-content-zone gt-hidden" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
 							{{if .Attachments}}
 								{{template "repo/issue/view_content/attachments" Dict "ctx" $ "Attachments" .Attachments "Content" .RenderedContent}}
 							{{end}}
@@ -576,8 +576,8 @@
 																<span class="no-content">{{$.locale.Tr "repo.issues.no_content"}}</span>
 															{{end}}
 															</div>
-															<div id="issuecomment-{{.ID}}-raw" class="raw-content hide">{{.Content}}</div>
-															<div class="edit-content-zone hide" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
+															<div id="issuecomment-{{.ID}}-raw" class="raw-content gt-hidden">{{.Content}}</div>
+															<div class="edit-content-zone gt-hidden" data-write="issuecomment-{{.ID}}-write" data-preview="issuecomment-{{.ID}}-preview" data-update-url="{{$.RepoLink}}/comments/{{.ID}}" data-context="{{$.RepoLink}}" data-attachment-url="{{$.RepoLink}}/comments/{{.ID}}/attachments"></div>
 														</div>
 														{{$reactions := .Reactions.GroupByType}}
 														{{if $reactions}}
diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index dff6b5daaa..862d5d9a1b 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -456,7 +456,7 @@
 
 			{{if $.StillCanManualMerge}}
 				<div class="ui divider"></div>
-				<div class="ui form manually-merged-fields" style="display: none">
+				<div class="ui form manually-merged-fields gt-hidden">
 					<form action="{{.Link}}/merge" method="post">
 						{{.CsrfTokenHtml}}
 						<div class="field">
diff --git a/templates/repo/issue/view_content/pull_merge_instruction.tmpl b/templates/repo/issue/view_content/pull_merge_instruction.tmpl
index 5a7f6e867b..78deed9567 100644
--- a/templates/repo/issue/view_content/pull_merge_instruction.tmpl
+++ b/templates/repo/issue/view_content/pull_merge_instruction.tmpl
@@ -1,6 +1,6 @@
 <div class="ui divider"></div>
 <div class="instruct-toggle"> {{$.locale.Tr "repo.pulls.merge_instruction_hint" | Safe}} </div>
-<div class="instruct-content gt-mt-3" style="display:none">
+<div class="instruct-content gt-mt-3 gt-hidden">
 	<div><h3 class="gt-di">{{$.locale.Tr "step1"}} </h3>{{$.locale.Tr "repo.pulls.merge_instruction_step1_desc"}}</div>
 	<div class="ui secondary segment">
 		{{if eq $.Issue.PullRequest.Flow 0}}
diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index 8cd34ede6e..2b24825b5f 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -50,7 +50,7 @@
 			</div>
 
 			<div class="ui assignees list">
-				<span class="no-select item {{if or .OriginalReviews .PullReviewers}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_reviewers"}}</span>
+				<span class="no-select item {{if or .OriginalReviews .PullReviewers}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_reviewers"}}</span>
 				<div class="selected">
 					{{range .PullReviewers}}
 						<div class="item gt-mb-2">
@@ -202,7 +202,7 @@
 			</div>
 		</div>
 		<div class="ui select-milestone list">
-			<span class="no-select item {{if .Issue.Milestone}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_milestone"}}</span>
+			<span class="no-select item {{if .Issue.Milestone}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_milestone"}}</span>
 			<div class="selected">
 				{{if .Issue.Milestone}}
 					<a class="item muted sidebar-item-link" href="{{.RepoLink}}/milestone/{{.Issue.Milestone.ID}}">
@@ -259,7 +259,7 @@
 				</div>
 			</div>
 			<div class="ui select-project list">
-				<span class="no-select item {{if .Issue.ProjectID}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_projects"}}</span>
+				<span class="no-select item {{if .Issue.ProjectID}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_projects"}}</span>
 				<div class="selected">
 					{{if .Issue.ProjectID}}
 						<a class="item muted sidebar-item-link" href="{{.Issue.Project.Link}}">
@@ -308,7 +308,7 @@
 			</div>
 		</div>
 		<div class="ui assignees list">
-			<span class="no-select item {{if .Issue.Assignees}}hide{{end}}">{{.locale.Tr "repo.issues.new.no_assignees"}}</span>
+			<span class="no-select item {{if .Issue.Assignees}}gt-hidden{{end}}">{{.locale.Tr "repo.issues.new.no_assignees"}}</span>
 			<div class="selected">
 				{{range .Issue.Assignees}}
 					<div class="item">
@@ -423,7 +423,7 @@
 		<div class="ui divider"></div>
 		<span class="text"><strong>{{.locale.Tr "repo.issues.due_date"}}</strong></span>
 		<div class="ui form" id="deadline-loader">
-			<div class="ui negative message" id="deadline-err-invalid-date" style="display: none;">
+			<div class="ui negative message gt-hidden" id="deadline-err-invalid-date">
 				{{svg "octicon-x" 16 "close icon"}}
 				{{.locale.Tr "repo.issues.due_date_invalid"}}
 			</div>
@@ -447,7 +447,7 @@
 			{{end}}
 
 			{{if and .HasIssuesOrPullsWritePermission (not .Repository.IsArchived)}}
-				<div {{if ne .Issue.DeadlineUnix 0}} style="display: none;"{{end}} id="deadlineForm">
+				<div {{if ne .Issue.DeadlineUnix 0}} class="gt-hidden"{{end}} id="deadlineForm">
 					<form class="ui fluid action input issue-due-form" action="{{AppSubUrl}}/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}/deadline" method="post" id="update-issue-deadline-form">
 						{{$.CsrfTokenHtml}}
 						<input required placeholder="{{.locale.Tr "repo.issues.due_date_form"}}" {{if gt .Issue.DeadlineUnix 0}}value="{{.Issue.DeadlineUnix.Format "2006-01-02"}}"{{end}} type="date" name="deadlineDate" id="deadlineDate">
diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl
index 7ba6198b62..b43253f90b 100644
--- a/templates/repo/issue/view_title.tmpl
+++ b/templates/repo/issue/view_title.tmpl
@@ -8,14 +8,14 @@
 		<h1>
 			<span id="issue-title">{{RenderIssueTitle $.Context .Issue.Title $.RepoLink $.Repository.ComposeMetas | RenderCodeBlock}}</span>
 			<span class="index">#{{.Issue.Index}}</span>
-			<div id="edit-title-input" class="ui input gt-ml-4" style="display: none">
+			<div id="edit-title-input" class="ui input gt-ml-4 gt-hidden">
 				<input value="{{.Issue.Title}}" maxlength="255" autocomplete="off">
 			</div>
 		</h1>
 		{{if and (or .HasIssuesOrPullsWritePermission .IsIssuePoster) (not .Repository.IsArchived)}}
 			<div class="edit-buttons">
-				<button id="cancel-edit-title" class="ui basic button secondary in-edit" style="display: none">{{.locale.Tr "repo.issues.cancel"}}</button>
-				<button id="save-edit-title" class="ui primary button in-edit" style="display: none" data-update-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/title" {{if .Issue.IsPull}}data-target-update-url="{{$.RepoLink}}/pull/{{.Issue.Index}}/target_branch"{{end}}>{{.locale.Tr "repo.issues.save"}}</button>
+				<button id="cancel-edit-title" class="ui basic button secondary in-edit gt-hidden">{{.locale.Tr "repo.issues.cancel"}}</button>
+				<button id="save-edit-title" class="ui primary button in-edit gt-hidden" data-update-url="{{$.RepoLink}}/issues/{{.Issue.Index}}/title" {{if .Issue.IsPull}}data-target-update-url="{{$.RepoLink}}/pull/{{.Issue.Index}}/target_branch"{{end}}>{{.locale.Tr "repo.issues.save"}}</button>
 			</div>
 		{{end}}
 	</div>
@@ -61,7 +61,7 @@
 					{{$.locale.Tr "repo.pulls.title_desc" .NumCommits $headHref $baseHref | Safe}}
 				</span>
 			{{end}}
-			<span id="pull-desc-edit" style="display: none">
+			<span id="pull-desc-edit gt-hidden">
 				<div class="ui floating filter dropdown">
 					<div class="ui basic small button">
 						<span class="text">{{.locale.Tr "repo.pulls.compare_compare"}}: {{$.HeadTarget}}</span>
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index e6d329a1ab..a3552610c4 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -12,7 +12,7 @@
 								<img src="{{AssetUrlPrefix}}/img/loading.png"/>
 							</div>
 						</div>
-						<div id="repo_migrating_failed_image" class="sixteen wide center aligned centered column" style="display: none;">
+						<div id="repo_migrating_failed_image" class="sixteen wide center aligned centered column gt-hidden">
 							<div>
 								<img src="{{AssetUrlPrefix}}/img/failed.png"/>
 							</div>
@@ -24,7 +24,7 @@
 								<p>{{.locale.Tr "repo.migrate.migrating" .CloneAddr | Safe}}</p>
 								<p id="repo_migrating_progress_message"></p>
 							</div>
-							<div id="repo_migrating_failed" hidden>
+							<div id="repo_migrating_failed" class="gt-hidden">
 								{{if .CloneAddr}}
 									<p>{{.locale.Tr "repo.migrate.migrating_failed" .CloneAddr | Safe}}</p>
 								{{else}}
diff --git a/templates/repo/migrate/options.tmpl b/templates/repo/migrate/options.tmpl
index 5fdf6c7ab4..d39caf01b4 100644
--- a/templates/repo/migrate/options.tmpl
+++ b/templates/repo/migrate/options.tmpl
@@ -14,9 +14,9 @@
 		<input id="lfs" name="lfs" type="checkbox" {{if .lfs}} checked{{end}}>
 		<label>{{.locale.Tr "repo.migrate_options_lfs"}}</label>
 	</div>
-	<span id="lfs_settings" style="display:none">(<a id="lfs_settings_show" href="#">{{.locale.Tr "repo.settings.advanced_settings"}}</a>)</span>
+	<span id="lfs_settings" class="gt-hidden">(<a id="lfs_settings_show" href="#">{{.locale.Tr "repo.settings.advanced_settings"}}</a>)</span>
 </div>
-<div id="lfs_endpoint" style="display:none">
+<div id="lfs_endpoint" class="gt-hidden">
 	<span class="help">{{.locale.Tr "repo.migrate_options_lfs_endpoint.description" "https://github.com/git-lfs/git-lfs/blob/main/docs/api/server-discovery.md#server-discovery" | Str2html}}{{if .ContextUser.CanImportLocal}} {{.locale.Tr "repo.migrate_options_lfs_endpoint.description.local"}}{{end}}</span>
 	<div class="inline field {{if .Err_LFSEndpoint}}error{{end}}">
 		<label>{{.locale.Tr "repo.migrate_options_lfs_endpoint.label"}}</label>
diff --git a/templates/repo/settings/deploy_keys.tmpl b/templates/repo/settings/deploy_keys.tmpl
index 26d2c5a2f2..22fddeb4df 100644
--- a/templates/repo/settings/deploy_keys.tmpl
+++ b/templates/repo/settings/deploy_keys.tmpl
@@ -15,7 +15,7 @@
 			</div>
 		</h4>
 		<div class="ui attached segment">
-			<div class="{{if not .HasError}}hide{{end}} gt-mb-4" id="add-deploy-key-panel">
+			<div class="{{if not .HasError}}gt-hidden{{end}} gt-mb-4" id="add-deploy-key-panel">
 				<form class="ui form" action="{{.Link}}" method="post">
 					{{.CsrfTokenHtml}}
 					<div class="field">
diff --git a/templates/repo/settings/githook_edit.tmpl b/templates/repo/settings/githook_edit.tmpl
index a4f8778225..d4df95b29a 100644
--- a/templates/repo/settings/githook_edit.tmpl
+++ b/templates/repo/settings/githook_edit.tmpl
@@ -18,7 +18,7 @@
 					</div>
 					<div class="field">
 						<label for="content">{{$.locale.Tr "repo.settings.githook_content"}}</label>
-						<textarea id="content" name="content" class="hide">{{if .IsActive}}{{.Content}}{{else}}{{.Sample}}{{end}}</textarea>
+						<textarea id="content" name="content" class="gt-hidden">{{if .IsActive}}{{.Content}}{{else}}{{.Sample}}{{end}}</textarea>
 						<div class="editor-loading is-loading"></div>
 					</div>
 					<div class="inline field">
diff --git a/templates/repo/settings/lfs_file.tmpl b/templates/repo/settings/lfs_file.tmpl
index 54b40bd004..450601dc9b 100644
--- a/templates/repo/settings/lfs_file.tmpl
+++ b/templates/repo/settings/lfs_file.tmpl
@@ -9,7 +9,7 @@
 				<a href="{{.LFSFilesLink}}">{{.locale.Tr "repo.settings.lfs"}}</a> / <span class="truncate sha">{{.LFSFile.Oid}}</span>
 				<div class="ui right">
 					{{if .EscapeStatus.Escaped}}
-						<a class="ui mini basic button unescape-button" style="display: none;">{{.locale.Tr "repo.unescape_control_characters"}}</a>
+						<a class="ui mini basic button unescape-button gt-hidden">{{.locale.Tr "repo.unescape_control_characters"}}</a>
 						<a class="ui mini basic button escape-button">{{.locale.Tr "repo.escape_control_characters"}}</a>
 					{{end}}
 					<a class="ui primary show-panel button" href="{{.LFSFilesLink}}/find?oid={{.LFSFile.Oid}}&size={{.LFSFile.Size}}">{{$.locale.Tr "repo.settings.lfs_findcommits"}}</a>
diff --git a/templates/repo/settings/webhook/history.tmpl b/templates/repo/settings/webhook/history.tmpl
index 767d66114c..bf7fe05de2 100644
--- a/templates/repo/settings/webhook/history.tmpl
+++ b/templates/repo/settings/webhook/history.tmpl
@@ -25,7 +25,7 @@
 							</span>
 						</div>
 					</div>
-					<div class="info hide" id="info-{{.ID}}">
+					<div class="info gt-hidden" id="info-{{.ID}}">
 						<div class="ui top attached tabular menu">
 							<a class="item active" data-tab="request-{{.ID}}">{{$.locale.Tr "repo.settings.webhook.request"}}</a>
 							<a class="item" data-tab="response-{{.ID}}">
diff --git a/templates/repo/settings/webhook/settings.tmpl b/templates/repo/settings/webhook/settings.tmpl
index 5183401de1..57745c0401 100644
--- a/templates/repo/settings/webhook/settings.tmpl
+++ b/templates/repo/settings/webhook/settings.tmpl
@@ -22,7 +22,7 @@
 		</div>
 	</div>
 
-	<div class="events fields ui grid" {{if not .Webhook.ChooseEvents}}style="display:none"{{end}}>
+	<div class="events fields ui grid {{if not .Webhook.ChooseEvents}}gt-hidden{{end}}">
 		<!-- Repository Events -->
 		<div class="fourteen wide column">
 			<label>{{.locale.Tr "repo.settings.event_header_repository"}}</label>
diff --git a/templates/repo/sub_menu.tmpl b/templates/repo/sub_menu.tmpl
index 5442307961..5c1688d019 100644
--- a/templates/repo/sub_menu.tmpl
+++ b/templates/repo/sub_menu.tmpl
@@ -21,7 +21,7 @@
 		</div>
 	</div>
 	{{if and (.Permission.CanRead $.UnitTypeCode) (not .IsEmptyRepo) .LanguageStats}}
-	<div class="ui segment sub-menu language-stats-details" style="display: none">
+	<div class="ui segment sub-menu language-stats-details gt-hidden">
 		<div class="ui horizontal center link list">
 			{{range .LanguageStats}}
 			<div class="item gt-df gt-ac gt-jc">
diff --git a/templates/repo/view_file.tmpl b/templates/repo/view_file.tmpl
index 5c2c953a5b..2e0f4d65fd 100644
--- a/templates/repo/view_file.tmpl
+++ b/templates/repo/view_file.tmpl
@@ -33,7 +33,7 @@
 					{{end}}
 					<a class="ui mini basic button" href="{{.RepoLink}}/commits/{{.BranchNameSubURL}}/{{PathEscapeSegments .TreePath}}">{{.locale.Tr "repo.file_history"}}</a>
 					{{if .EscapeStatus.Escaped}}
-						<a class="ui mini basic button unescape-button" style="display: none;">{{.locale.Tr "repo.unescape_control_characters"}}</a>
+						<a class="ui mini basic button unescape-button gt-hidden">{{.locale.Tr "repo.unescape_control_characters"}}</a>
 						<a class="ui mini basic button escape-button">{{.locale.Tr "repo.escape_control_characters"}}</a>
 					{{end}}
 				</div>
@@ -52,7 +52,7 @@
 					{{end}}
 				{{end}}
 			{{else if .EscapeStatus.Escaped}}
-				<a class="ui mini basic button unescape-button gt-mr-2" style="display: none;">{{.locale.Tr "repo.unescape_control_characters"}}</a>
+				<a class="ui mini basic button unescape-button gt-mr-2 gt-hidden">{{.locale.Tr "repo.unescape_control_characters"}}</a>
 				<a class="ui mini basic button escape-button gt-mr-2">{{.locale.Tr "repo.escape_control_characters"}}</a>
 			{{end}}
 		</div>
diff --git a/templates/repo/view_list.tmpl b/templates/repo/view_list.tmpl
index ab7065015c..6fcf60daef 100644
--- a/templates/repo/view_list.tmpl
+++ b/templates/repo/view_list.tmpl
@@ -29,7 +29,7 @@
 					<span class="grey commit-summary" title="{{.LatestCommit.Summary}}"><span class="message-wrapper">{{RenderCommitMessageLinkSubject $.Context .LatestCommit.Message $.RepoLink $commitLink $.Repository.ComposeMetas}}</span>
 						{{if IsMultilineCommitMessage .LatestCommit.Message}}
 							<button class="ui button ellipsis-button" aria-expanded="false">...</button>
-							<pre class="commit-body" style="display: none;">{{RenderCommitBody $.Context .LatestCommit.Message $.RepoLink $.Repository.ComposeMetas}}</pre>
+							<pre class="commit-body gt-hidden">{{RenderCommitBody $.Context .LatestCommit.Message $.RepoLink $.Repository.ComposeMetas}}</pre>
 						{{end}}
 					</span>
 				{{end}}
diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl
index e56c66fa4a..15553cedd8 100644
--- a/templates/repo/wiki/view.tmpl
+++ b/templates/repo/wiki/view.tmpl
@@ -47,7 +47,7 @@
 				</div>
 				<div class="eight wide right aligned column">
 					{{if .EscapeStatus.Escaped}}
-						<a class="ui small button unescape-button" style="display: none;">{{.locale.Tr "repo.unescape_control_characters"}}</a>
+						<a class="ui small button unescape-button gt-hidden">{{.locale.Tr "repo.unescape_control_characters"}}</a>
 						<a class="ui small button escape-button">{{.locale.Tr "repo.escape_control_characters"}}</a>
 					{{end}}
 					{{if and .CanWriteWiki (not .Repository.IsMirror)}}
diff --git a/templates/shared/secrets/add_list.tmpl b/templates/shared/secrets/add_list.tmpl
index 27d415be81..9105b7ad9b 100644
--- a/templates/shared/secrets/add_list.tmpl
+++ b/templates/shared/secrets/add_list.tmpl
@@ -5,7 +5,7 @@
 	</div>
 </h4>
 <div class="ui attached segment">
-	<div class="{{if not .HasError}}hide {{end}}gt-mb-4" id="add-secret-panel">
+	<div class="{{if not .HasError}}gt-hidden {{end}}gt-mb-4" id="add-secret-panel">
 		<form class="ui form" action="{{.Link}}" method="post">
 			{{.CsrfTokenHtml}}
 			<div class="field">
diff --git a/templates/user/auth/webauthn_error.tmpl b/templates/user/auth/webauthn_error.tmpl
index c3cae710f1..447d289a28 100644
--- a/templates/user/auth/webauthn_error.tmpl
+++ b/templates/user/auth/webauthn_error.tmpl
@@ -5,18 +5,18 @@
 			<div class="header">
 			{{.locale.Tr "webauthn_error"}}
 			</div>
-			<div class="hide" data-webauthn-error-msg="browser"><p>{{.locale.Tr "webauthn_unsupported_browser"}}</div>
-			<div class="hide" data-webauthn-error-msg="unknown"><p>{{.locale.Tr "webauthn_error_unknown"}}</div>
-			<div class="hide" data-webauthn-error-msg="insecure"><p>{{.locale.Tr "webauthn_error_insecure"}}</div>
-			<div class="hide" data-webauthn-error-msg="unable-to-process"><p>{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
-			<div class="hide" data-webauthn-error-msg="duplicated"><p>{{.locale.Tr "webauthn_error_duplicated"}}</div>
-			<div class="hide" data-webauthn-error-msg="empty"><p>{{.locale.Tr "webauthn_error_empty"}}</div>
-			<div class="hide" data-webauthn-error-msg="timeout"><p>{{.locale.Tr "webauthn_error_timeout"}}</div>
-			<div class="hide" data-webauthn-error-msg="general"></div>
+			<div class="gt-hidden" data-webauthn-error-msg="browser"><p>{{.locale.Tr "webauthn_unsupported_browser"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="unknown"><p>{{.locale.Tr "webauthn_error_unknown"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="insecure"><p>{{.locale.Tr "webauthn_error_insecure"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="unable-to-process"><p>{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="duplicated"><p>{{.locale.Tr "webauthn_error_duplicated"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="empty"><p>{{.locale.Tr "webauthn_error_empty"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="timeout"><p>{{.locale.Tr "webauthn_error_timeout"}}</div>
+			<div class="gt-hidden" data-webauthn-error-msg="general"></div>
 		</div>
 	</div>
 	<div class="actions">
-		<button onclick="window.location.reload()" class="success ui button hide webauthn_error_timeout">{{.locale.Tr "webauthn_reload"}}</button>
+		<button onclick="window.location.reload()" class="success ui button gt-hidden webauthn_error_timeout">{{.locale.Tr "webauthn_reload"}}</button>
 		<div class="ui cancel button">{{.locale.Tr "cancel"}}</div>
 	</div>
 </div>
diff --git a/templates/user/notification/notification_div.tmpl b/templates/user/notification/notification_div.tmpl
index 8dae8baa28..c8db659c13 100644
--- a/templates/user/notification/notification_div.tmpl
+++ b/templates/user/notification/notification_div.tmpl
@@ -13,7 +13,7 @@
 			{{if and (eq .Status 1)}}
 				<form action="{{AppSubUrl}}/notifications/purge" method="POST" style="margin-left: auto;">
 					{{$.CsrfTokenHtml}}
-					<div class="{{if not $notificationUnreadCount}}hide{{end}}">
+					<div class="{{if not $notificationUnreadCount}}gt-hidden{{end}}">
 						<button class="ui mini button primary" title='{{$.locale.Tr "notification.mark_all_as_read"}}'>
 							{{svg "octicon-checklist"}}
 						</button>
diff --git a/templates/user/settings/keys_gpg.tmpl b/templates/user/settings/keys_gpg.tmpl
index b200a49374..c80890940a 100644
--- a/templates/user/settings/keys_gpg.tmpl
+++ b/templates/user/settings/keys_gpg.tmpl
@@ -5,7 +5,7 @@
 	</div>
 </h4>
 <div class="ui attached segment">
-	<div class="{{if not .HasGPGError}}hide{{end}} gt-mb-4" id="add-gpg-key-panel">
+	<div class="{{if not .HasGPGError}}gt-hidden{{end}} gt-mb-4" id="add-gpg-key-panel">
 		<form class="ui form{{if .HasGPGError}} error{{end}}" action="{{.Link}}" method="post">
 			{{.CsrfTokenHtml}}
 			<input type="hidden" name="title" value="none">
diff --git a/templates/user/settings/keys_principal.tmpl b/templates/user/settings/keys_principal.tmpl
index b0cacbe54c..cc1152b739 100644
--- a/templates/user/settings/keys_principal.tmpl
+++ b/templates/user/settings/keys_principal.tmpl
@@ -34,7 +34,7 @@
 	</div>
 	<br>
 
-	<div {{if not .HasPrincipalError}}class="hide"{{end}} id="add-ssh-principal-panel">
+	<div {{if not .HasPrincipalError}}class="gt-hidden"{{end}} id="add-ssh-principal-panel">
 		<h4 class="ui top attached header">
 			{{.locale.Tr "settings.add_new_principal"}}
 		</h4>
diff --git a/templates/user/settings/keys_ssh.tmpl b/templates/user/settings/keys_ssh.tmpl
index 8228a1b7f2..891959d351 100644
--- a/templates/user/settings/keys_ssh.tmpl
+++ b/templates/user/settings/keys_ssh.tmpl
@@ -11,7 +11,7 @@
 	</div>
 </h4>
 <div class="ui attached segment">
-	<div class="{{if not .HasSSHError}}hide{{end}} gt-mb-4" id="add-ssh-key-panel">
+	<div class="{{if not .HasSSHError}}gt-hidden{{end}} gt-mb-4" id="add-ssh-key-panel">
 		<form class="ui form" action="{{.Link}}" method="post">
 			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_Title}}error{{end}}">
diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl
index ea9a8bba6d..240a579fb7 100644
--- a/templates/user/settings/profile.tmpl
+++ b/templates/user/settings/profile.tmpl
@@ -12,8 +12,8 @@
 				{{.CsrfTokenHtml}}
 				<div class="required field {{if .Err_Name}}error{{end}}">
 					<label for="username">{{.locale.Tr "username"}}
-						<span class="text red hide" id="name-change-prompt"> {{.locale.Tr "settings.change_username_prompt"}}</span>
-						<span class="text red hide" id="name-change-redirect-prompt"> {{.locale.Tr "settings.change_username_redirect_prompt"}}</span>
+						<span class="text red gt-hidden" id="name-change-prompt"> {{.locale.Tr "settings.change_username_prompt"}}</span>
+						<span class="text red gt-hidden" id="name-change-redirect-prompt"> {{.locale.Tr "settings.change_username_redirect_prompt"}}</span>
 					</label>
 					<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
 					{{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
diff --git a/web_src/js/components/DiffFileTree.vue b/web_src/js/components/DiffFileTree.vue
index 3742f3a53f..fa59768ee5 100644
--- a/web_src/js/components/DiffFileTree.vue
+++ b/web_src/js/components/DiffFileTree.vue
@@ -113,11 +113,11 @@ export default {
     },
     adjustToggleButton(visible) {
       const [toShow, toHide] = document.querySelectorAll('.diff-toggle-file-tree-button .icon');
-      toShow.classList.toggle('hide', visible);  // hide the toShow icon if the tree is visible
-      toHide.classList.toggle('hide', !visible); // similarly
+      toShow.classList.toggle('gt-hidden', visible);  // hide the toShow icon if the tree is visible
+      toHide.classList.toggle('gt-hidden', !visible); // similarly
 
       const diffTree = document.getElementById('diff-file-tree');
-      diffTree.classList.toggle('hide', !visible);
+      diffTree.classList.toggle('gt-hidden', !visible);
     },
     loadMoreData() {
       this.isLoadingNewData = true;
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js
index d0b3e461d5..092cf770be 100644
--- a/web_src/js/features/admin/common.js
+++ b/web_src/js/features/admin/common.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {checkAppUrl} from '../common-global.js';
+import {hideElem, showElem, toggleElem} from '../../utils/dom.js';
 
 const {csrfToken} = window.config;
 
@@ -18,8 +19,8 @@ export function initAdminCommon() {
       if ($(this).val().substring(0, 1) === '0') {
         $('#user_name').removeAttr('disabled');
         $('#login_name').removeAttr('required');
-        $('.non-local').hide();
-        $('.local').show();
+        hideElem($('.non-local'));
+        showElem($('.local'));
         $('#user_name').focus();
 
         if ($(this).data('password') === 'required') {
@@ -30,8 +31,8 @@ export function initAdminCommon() {
           $('#user_name').attr('disabled', 'disabled');
         }
         $('#login_name').attr('required', 'required');
-        $('.non-local').show();
-        $('.local').hide();
+        showElem($('.non-local'));
+        hideElem($('.local'));
         $('#login_name').focus();
 
         $('#password').removeAttr('required');
@@ -41,38 +42,38 @@ export function initAdminCommon() {
 
   function onSecurityProtocolChange() {
     if ($('#security_protocol').val() > 0) {
-      $('.has-tls').show();
+      showElem($('.has-tls'));
     } else {
-      $('.has-tls').hide();
+      hideElem($('.has-tls'));
     }
   }
 
   function onUsePagedSearchChange() {
     if ($('#use_paged_search').prop('checked')) {
-      $('.search-page-size').show()
+      showElem($('.search-page-size'))
         .find('input').attr('required', 'required');
     } else {
-      $('.search-page-size').hide()
+      hideElem($('.search-page-size'))
         .find('input').removeAttr('required');
     }
   }
 
   function onOAuth2Change(applyDefaultValues) {
-    $('.open_id_connect_auto_discovery_url, .oauth2_use_custom_url').hide();
+    hideElem($('.open_id_connect_auto_discovery_url, .oauth2_use_custom_url'));
     $('.open_id_connect_auto_discovery_url input[required]').removeAttr('required');
 
     const provider = $('#oauth2_provider').val();
     switch (provider) {
       case 'openidConnect':
         $('.open_id_connect_auto_discovery_url input').attr('required', 'required');
-        $('.open_id_connect_auto_discovery_url').show();
+        showElem($('.open_id_connect_auto_discovery_url'));
         break;
       default:
         if ($(`#${provider}_customURLSettings`).data('required')) {
           $('#oauth2_use_custom_url').attr('checked', 'checked');
         }
         if ($(`#${provider}_customURLSettings`).data('available')) {
-          $('.oauth2_use_custom_url').show();
+          showElem($('.oauth2_use_custom_url'));
         }
     }
     onOAuth2UseCustomURLChange(applyDefaultValues);
@@ -80,7 +81,7 @@ export function initAdminCommon() {
 
   function onOAuth2UseCustomURLChange(applyDefaultValues) {
     const provider = $('#oauth2_provider').val();
-    $('.oauth2_use_custom_url_field').hide();
+    hideElem($('.oauth2_use_custom_url_field'));
     $('.oauth2_use_custom_url_field input[required]').removeAttr('required');
 
     if ($('#oauth2_use_custom_url').is(':checked')) {
@@ -90,20 +91,20 @@ export function initAdminCommon() {
         }
         if ($(`#${provider}_${custom}`).data('available')) {
           $(`.oauth2_${custom} input`).attr('required', 'required');
-          $(`.oauth2_${custom}`).show();
+          showElem($(`.oauth2_${custom}`));
         }
       }
     }
   }
 
   function onEnableLdapGroupsChange() {
-    $('#ldap-group-options').toggle($('.js-ldap-group-toggle').is(':checked'));
+    toggleElem($('#ldap-group-options'), $('.js-ldap-group-toggle').is(':checked'));
   }
 
   // New authentication
   if ($('.admin.new.authentication').length > 0) {
     $('#auth_type').on('change', function () {
-      $('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls, .search-page-size, .sspi').hide();
+      hideElem($('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls, .search-page-size, .sspi'));
 
       $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required], .sspi input[required]').removeAttr('required');
       $('.binddnrequired').removeClass('required');
@@ -111,30 +112,30 @@ export function initAdminCommon() {
       const authType = $(this).val();
       switch (authType) {
         case '2': // LDAP
-          $('.ldap').show();
+          showElem($('.ldap'));
           $('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
           $('.binddnrequired').addClass('required');
           break;
         case '3': // SMTP
-          $('.smtp').show();
-          $('.has-tls').show();
+          showElem($('.smtp'));
+          showElem($('.has-tls'));
           $('.smtp div.required input, .has-tls').attr('required', 'required');
           break;
         case '4': // PAM
-          $('.pam').show();
+          showElem($('.pam'));
           $('.pam input').attr('required', 'required');
           break;
         case '5': // LDAP
-          $('.dldap').show();
+          showElem($('.dldap'));
           $('.dldap div.required:not(.ldap) input').attr('required', 'required');
           break;
         case '6': // OAuth2
-          $('.oauth2').show();
+          showElem($('.oauth2'));
           $('.oauth2 div.required:not(.oauth2_use_custom_url,.oauth2_use_custom_url_field,.open_id_connect_auto_discovery_url) input').attr('required', 'required');
           onOAuth2Change(true);
           break;
         case '7': // SSPI
-          $('.sspi').show();
+          showElem($('.sspi'));
           $('.sspi div.required input').attr('required', 'required');
           break;
       }
diff --git a/web_src/js/features/common-global.js b/web_src/js/features/common-global.js
index c0acf091c7..57a429ed9f 100644
--- a/web_src/js/features/common-global.js
+++ b/web_src/js/features/common-global.js
@@ -8,6 +8,7 @@ import {attachCheckboxAria, attachDropdownAria} from './aria.js';
 import {handleGlobalEnterQuickSubmit} from './comp/QuickSubmit.js';
 import {initTooltip} from '../modules/tippy.js';
 import {svg} from '../svg.js';
+import {hideElem, showElem, toggleElem} from '../utils/dom.js';
 
 const {appUrl, csrfToken} = window.config;
 
@@ -118,7 +119,7 @@ export function initGlobalCommon() {
   $('.tabable.menu .item').tab();
 
   $('.toggle.button').on('click', function () {
-    $($(this).data('target')).slideToggle(100);
+    toggleElem($($(this).data('target')));
   });
 
   // make table <tr> and <td> elements clickable like a link
@@ -317,7 +318,7 @@ export function initGlobalLinkActions() {
 
 export function initGlobalButtons() {
   $('.show-panel.button').on('click', function () {
-    $($(this).data('panel')).show();
+    showElem($(this).data('panel'));
   });
 
   $('.hide-panel.button').on('click', function (event) {
@@ -325,12 +326,12 @@ export function initGlobalButtons() {
     event.preventDefault();
     let sel = $(this).attr('data-panel');
     if (sel) {
-      $(sel).hide();
+      hideElem($(sel));
       return;
     }
     sel = $(this).attr('data-panel-closest');
     if (sel) {
-      $(this).closest(sel).hide();
+      hideElem($(this).closest(sel));
       return;
     }
     // should never happen, otherwise there is a bug in code
diff --git a/web_src/js/features/common-issue.js b/web_src/js/features/common-issue.js
index f53dd5081b..0965caef15 100644
--- a/web_src/js/features/common-issue.js
+++ b/web_src/js/features/common-issue.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {updateIssuesMeta} from './repo-issue.js';
+import {toggleElem} from '../utils/dom.js';
 
 export function initCommonIssue() {
   const $issueSelectAllWrapper = $('.issue-checkbox-all');
@@ -19,8 +20,8 @@ export function initCommonIssue() {
       $issueSelectAll.prop({'checked': false, 'indeterminate': false});
     }
     // if any issue is selected, show the action panel, otherwise show the filter panel
-    $('#issue-filters').toggle(!anyChecked);
-    $('#issue-actions').toggle(anyChecked);
+    toggleElem($('#issue-filters'), !anyChecked);
+    toggleElem($('#issue-actions'), anyChecked);
     // there are two panels but only one select-all checkbox, so move the checkbox to the visible panel
     $('#issue-filters, #issue-actions').filter(':visible').find('.column:first').prepend($issueSelectAllWrapper);
   };
diff --git a/web_src/js/features/common-organization.js b/web_src/js/features/common-organization.js
index 218c039041..1796efc6a8 100644
--- a/web_src/js/features/common-organization.js
+++ b/web_src/js/features/common-organization.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {initCompLabelEdit} from './comp/LabelEdit.js';
+import {hideElem, showElem} from '../utils/dom.js';
 
 export function initCommonOrganization() {
   if ($('.organization').length === 0) {
@@ -11,11 +12,11 @@ export function initCommonOrganization() {
       const $prompt = $('#org-name-change-prompt');
       const $prompt_redirect = $('#org-name-change-redirect-prompt');
       if ($(this).val().toString().toLowerCase() !== $(this).data('org-name').toString().toLowerCase()) {
-        $prompt.show();
-        $prompt_redirect.show();
+        showElem($prompt);
+        showElem($prompt_redirect);
       } else {
-        $prompt.hide();
-        $prompt_redirect.hide();
+        hideElem($prompt);
+        hideElem($prompt_redirect);
       }
     });
   }
diff --git a/web_src/js/features/comp/WebHookEditor.js b/web_src/js/features/comp/WebHookEditor.js
index cda0fa3910..f4c82898fd 100644
--- a/web_src/js/features/comp/WebHookEditor.js
+++ b/web_src/js/features/comp/WebHookEditor.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem, toggleElem} from '../../utils/dom.js';
 
 const {csrfToken} = window.config;
 
@@ -9,18 +10,18 @@ export function initCompWebHookEditor() {
 
   $('.events.checkbox input').on('change', function () {
     if ($(this).is(':checked')) {
-      $('.events.fields').show();
+      showElem($('.events.fields'));
     }
   });
   $('.non-events.checkbox input').on('change', function () {
     if ($(this).is(':checked')) {
-      $('.events.fields').hide();
+      hideElem($('.events.fields'));
     }
   });
 
   const updateContentType = function () {
     const visible = $('#http_method').val() === 'POST';
-    $('#content_type').parent().parent()[visible ? 'show' : 'hide']();
+    toggleElem($('#content_type').parent().parent(), visible);
   };
   updateContentType();
   $('#http_method').on('change', () => {
diff --git a/web_src/js/features/imagediff.js b/web_src/js/features/imagediff.js
index 250ea95798..7a285f1f8d 100644
--- a/web_src/js/features/imagediff.js
+++ b/web_src/js/features/imagediff.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem} from '../utils/dom.js';
 
 function getDefaultSvgBoundsIfUndefined(svgXml, src) {
   const DefaultSize = 300;
@@ -104,7 +105,7 @@ export function initImageDiff() {
               if (bounds) {
                 info.$image.attr('width', bounds.width);
                 info.$image.attr('height', bounds.height);
-                info.$boundsInfo.hide();
+                hideElem(info.$boundsInfo);
               }
             }
           }
@@ -128,8 +129,8 @@ export function initImageDiff() {
         initOverlay(createContext($imageAfter[2], $imageBefore[2]));
       }
 
-      $container.find('> .loader').hide();
-      $container.find('> .hide').removeClass('hide');
+      hideElem($container.find('> .loader'));
+      $container.find('> .gt-hidden').removeClass('gt-hidden');
     }
 
     function initSideBySide(sizes) {
diff --git a/web_src/js/features/install.js b/web_src/js/features/install.js
index 9468ba9c42..2ba6fe1279 100644
--- a/web_src/js/features/install.js
+++ b/web_src/js/features/install.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 export function initInstall() {
   if ($('.page-content.install').length === 0) {
@@ -21,12 +22,12 @@ export function initInstall() {
   // Database type change detection.
   $('#db_type').on('change', function () {
     const dbType = $(this).val();
-    $('div[data-db-setting-for]').hide();
-    $(`div[data-db-setting-for=${dbType}]`).show();
+    hideElem($('div[data-db-setting-for]'));
+    showElem($(`div[data-db-setting-for=${dbType}]`));
 
     if (dbType !== 'sqlite3') {
       // for most remote database servers
-      $(`div[data-db-setting-for=common-host]`).show();
+      showElem($(`div[data-db-setting-for=common-host]`));
       const lastDbHost = $dbHost.val();
       const isDbHostDefault = !lastDbHost || Object.values(defaultDbHosts).includes(lastDbHost);
       if (isDbHostDefault) {
diff --git a/web_src/js/features/org-team.js b/web_src/js/features/org-team.js
index 9e6c3c7ff1..3640bb96f7 100644
--- a/web_src/js/features/org-team.js
+++ b/web_src/js/features/org-team.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {appSubUrl} = window.config;
 
@@ -7,9 +8,9 @@ export function initOrgTeamSettings() {
   $('.organization.new.team input[name=permission]').on('change', () => {
     const val = $('input[name=permission]:checked', '.organization.new.team').val();
     if (val === 'admin') {
-      $('.organization.new.team .team-units').hide();
+      hideElem($('.organization.new.team .team-units'));
     } else {
-      $('.organization.new.team .team-units').show();
+      showElem($('.organization.new.team .team-units'));
     }
   });
 }
diff --git a/web_src/js/features/repo-commit.js b/web_src/js/features/repo-commit.js
index 3aba850911..e2eef3ee59 100644
--- a/web_src/js/features/repo-commit.js
+++ b/web_src/js/features/repo-commit.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {createTippy} from '../modules/tippy.js';
+import {toggleElem} from '../utils/dom.js';
 
 const {csrfToken} = window.config;
 
@@ -7,7 +8,7 @@ export function initRepoEllipsisButton() {
   $('.ellipsis-button').on('click', function (e) {
     e.preventDefault();
     const expanded = $(this).attr('aria-expanded') === 'true';
-    $(this).parent().find('.commit-body').toggle();
+    toggleElem($(this).parent().find('.commit-body'));
     $(this).attr('aria-expanded', String(!expanded));
   });
 }
diff --git a/web_src/js/features/repo-common.js b/web_src/js/features/repo-common.js
index a218c5b307..1a32d7cb64 100644
--- a/web_src/js/features/repo-common.js
+++ b/web_src/js/features/repo-common.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem, toggleElem} from '../utils/dom.js';
 
 const {csrfToken} = window.config;
 
@@ -76,8 +77,8 @@ export function initRepoCommonBranchOrTagDropdown(selector) {
   $(selector).each(function () {
     const $dropdown = $(this);
     $dropdown.find('.reference.column').on('click', function () {
-      $dropdown.find('.scrolling.reference-list-menu').hide();
-      $($(this).data('target')).show();
+      hideElem($dropdown.find('.scrolling.reference-list-menu'));
+      showElem($($(this).data('target')));
       return false;
     });
   });
@@ -102,7 +103,7 @@ export function initRepoCommonLanguageStats() {
   if ($('.language-stats').length > 0) {
     $('.language-stats').on('click', (e) => {
       e.preventDefault();
-      $('.language-stats-details, .repository-menu').slideToggle();
+      toggleElem($('.language-stats-details, .repository-menu'));
     });
   }
 }
diff --git a/web_src/js/features/repo-diff.js b/web_src/js/features/repo-diff.js
index 9b5da7de82..d2559b1237 100644
--- a/web_src/js/features/repo-diff.js
+++ b/web_src/js/features/repo-diff.js
@@ -35,8 +35,8 @@ export function initRepoDiffFileViewToggle() {
     $this.addClass('active');
 
     const $target = $($this.data('toggle-selector'));
-    $target.parent().children().addClass('hide');
-    $target.removeClass('hide');
+    $target.parent().children().addClass('gt-hidden');
+    $target.removeClass('gt-hidden');
   });
 }
 
@@ -92,7 +92,7 @@ export function initRepoDiffConversationNav() {
   // Previous/Next code review conversation
   $(document).on('click', '.previous-conversation', (e) => {
     const $conversation = $(e.currentTarget).closest('.comment-code-cloud');
-    const $conversations = $('.comment-code-cloud:not(.hide)');
+    const $conversations = $('.comment-code-cloud:not(.gt-hidden)');
     const index = $conversations.index($conversation);
     const previousIndex = index > 0 ? index - 1 : $conversations.length - 1;
     const $previousConversation = $conversations.eq(previousIndex);
@@ -101,7 +101,7 @@ export function initRepoDiffConversationNav() {
   });
   $(document).on('click', '.next-conversation', (e) => {
     const $conversation = $(e.currentTarget).closest('.comment-code-cloud');
-    const $conversations = $('.comment-code-cloud:not(.hide)');
+    const $conversations = $('.comment-code-cloud:not(.gt-hidden)');
     const index = $conversations.index($conversation);
     const nextIndex = index < $conversations.length - 1 ? index + 1 : 0;
     const $nextConversation = $conversations.eq(nextIndex);
diff --git a/web_src/js/features/repo-editor.js b/web_src/js/features/repo-editor.js
index f32bdbb8c3..a9d143847d 100644
--- a/web_src/js/features/repo-editor.js
+++ b/web_src/js/features/repo-editor.js
@@ -2,6 +2,7 @@ import $ from 'jquery';
 import {htmlEscape} from 'escape-goat';
 import {initMarkupContent} from '../markup/content.js';
 import {createCodeEditor} from './codeeditor.js';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {csrfToken} = window.config;
 let previewFileModes;
@@ -81,10 +82,10 @@ export function initRepoEditor() {
 
   $('.js-quick-pull-choice-option').on('change', function () {
     if ($(this).val() === 'commit-to-new-branch') {
-      $('.quick-pull-branch-name').show();
+      showElem($('.quick-pull-branch-name'));
       $('.quick-pull-branch-name input').prop('required', true);
     } else {
-      $('.quick-pull-branch-name').hide();
+      hideElem($('.quick-pull-branch-name'));
       $('.quick-pull-branch-name input').prop('required', false);
     }
     $('#commit-button').text($(this).attr('button_text'));
diff --git a/web_src/js/features/repo-findfile.js b/web_src/js/features/repo-findfile.js
index 0eae4a75db..093f90fe8e 100644
--- a/web_src/js/features/repo-findfile.js
+++ b/web_src/js/features/repo-findfile.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {svg} from '../svg.js';
+import {toggleElem} from '../utils/dom.js';
 
 const {csrf} = window.config;
 
@@ -83,7 +84,7 @@ function filterRepoFiles(filter) {
   const filterResult = filterRepoFilesWeighted(files, filter);
   const tmplRow = `<tr><td><a></a></td></tr>`;
 
-  $repoFindFileNoResult.toggle(filterResult.length === 0);
+  toggleElem($repoFindFileNoResult, filterResult.length === 0);
   for (const r of filterResult) {
     const $row = $(tmplRow);
     const $a = $row.find('a');
diff --git a/web_src/js/features/repo-graph.js b/web_src/js/features/repo-graph.js
index 16d35e66f2..e445ae1103 100644
--- a/web_src/js/features/repo-graph.js
+++ b/web_src/js/features/repo-graph.js
@@ -56,17 +56,17 @@ export function initRepoGraphGit() {
     ajaxUrl.searchParams.set('div-only', 'true');
     window.history.replaceState({}, '', queryString ? `?${queryString}` : window.location.pathname);
     $('#pagination').empty();
-    $('#rel-container').addClass('hide');
-    $('#rev-container').addClass('hide');
-    $('#loading-indicator').removeClass('hide');
+    $('#rel-container').addClass('gt-hidden');
+    $('#rev-container').addClass('gt-hidden');
+    $('#loading-indicator').removeClass('gt-hidden');
     (async () => {
       const div = $(await $.ajax(String(ajaxUrl)));
       $('#pagination').html(div.find('#pagination').html());
       $('#rel-container').html(div.find('#rel-container').html());
       $('#rev-container').html(div.find('#rev-container').html());
-      $('#loading-indicator').addClass('hide');
-      $('#rel-container').removeClass('hide');
-      $('#rev-container').removeClass('hide');
+      $('#loading-indicator').addClass('gt-hidden');
+      $('#rel-container').removeClass('gt-hidden');
+      $('#rev-container').removeClass('gt-hidden');
     })();
   };
   const dropdownSelected = params.getAll('branch');
diff --git a/web_src/js/features/repo-home.js b/web_src/js/features/repo-home.js
index c4bdf3d450..dfccffc794 100644
--- a/web_src/js/features/repo-home.js
+++ b/web_src/js/features/repo-home.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {stripTags} from '../utils.js';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
@@ -13,12 +14,12 @@ export function initRepoTopicBar() {
   const topicPrompts = getPrompts();
 
   mgrBtn.on('click', () => {
-    viewDiv.hide();
-    editDiv.css('display', ''); // show Semantic UI Grid
+    hideElem(viewDiv);
+    showElem(editDiv);
   });
 
   function getPrompts() {
-    const hidePrompt = $('div.hide#validate_prompt');
+    const hidePrompt = $('#validate_prompt');
     const prompts = {
       countPrompt: hidePrompt.children('#count_prompt').text(),
       formatPrompt: hidePrompt.children('#format_prompt').text()
@@ -47,8 +48,8 @@ export function initRepoTopicBar() {
             link.insertBefore(last);
           }
         }
-        editDiv.css('display', 'none');
-        viewDiv.show();
+        hideElem(editDiv);
+        showElem(viewDiv);
       }
     }).fail((xhr) => {
       if (xhr.status === 422) {
diff --git a/web_src/js/features/repo-issue-content.js b/web_src/js/features/repo-issue-content.js
index a96da53f24..87295573e8 100644
--- a/web_src/js/features/repo-issue-content.js
+++ b/web_src/js/features/repo-issue-content.js
@@ -16,7 +16,7 @@ function showContentHistoryDetail(issueBaseUrl, commentId, historyId, itemTitleH
   ${svg('octicon-x', 16, 'close icon inside')}
   <div class="header gt-df gt-ac gt-sb">
     <div>${itemTitleHtml}</div>
-    <div class="ui dropdown dialog-header-options gt-df gt-ac gt-mr-5 hide">
+    <div class="ui dropdown dialog-header-options gt-df gt-ac gt-mr-5 gt-hidden">
       ${i18nTextOptions}${svg('octicon-triangle-down', 14, 'dropdown icon')}
       <div class="menu">
         <div class="item red text" data-option-item="delete">${i18nTextDeleteFromHistory}</div>
@@ -62,7 +62,7 @@ function showContentHistoryDetail(issueBaseUrl, commentId, historyId, itemTitleH
         $dialog.find('.comment-diff-data').removeClass('is-loading').html(resp.diffHtml);
         // there is only one option "item[data-option-item=delete]", so the dropdown can be entirely shown/hidden.
         if (resp.canSoftDelete) {
-          $dialog.find('.dialog-header-options').removeClass('hide');
+          $dialog.find('.dialog-header-options').removeClass('gt-hidden');
         }
       });
     },
diff --git a/web_src/js/features/repo-issue.js b/web_src/js/features/repo-issue.js
index 135e3384ad..179ca9b726 100644
--- a/web_src/js/features/repo-issue.js
+++ b/web_src/js/features/repo-issue.js
@@ -5,6 +5,7 @@ import {createCommentEasyMDE, getAttachedEasyMDE} from './comp/EasyMDE.js';
 import {initEasyMDEImagePaste} from './comp/ImagePaste.js';
 import {initCompMarkupContentPreviewTab} from './comp/MarkupContentPreview.js';
 import {initTooltip, showTemporaryTooltip} from '../modules/tippy.js';
+import {hideElem, showElem, toggleElem} from '../utils/dom.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
@@ -40,7 +41,7 @@ export function initRepoIssueTimeTracking() {
 }
 
 function updateDeadline(deadlineString) {
-  $('#deadline-err-invalid-date').hide();
+  hideElem($('#deadline-err-invalid-date'));
   $('#deadline-loader').addClass('loading');
 
   let realDeadline = null;
@@ -49,7 +50,7 @@ function updateDeadline(deadlineString) {
 
     if (Number.isNaN(newDate)) {
       $('#deadline-loader').removeClass('loading');
-      $('#deadline-err-invalid-date').show();
+      showElem($('#deadline-err-invalid-date'));
       return false;
     }
     realDeadline = new Date(newDate);
@@ -69,7 +70,7 @@ function updateDeadline(deadlineString) {
     },
     error() {
       $('#deadline-loader').removeClass('loading');
-      $('#deadline-err-invalid-date').show();
+      showElem($('#deadline-err-invalid-date'));
     },
   });
 }
@@ -213,8 +214,8 @@ export function initRepoIssueCodeCommentCancel() {
   $(document).on('click', '.cancel-code-comment', (e) => {
     const form = $(e.currentTarget).closest('form');
     if (form.length > 0 && form.hasClass('comment-form')) {
-      form.addClass('hide');
-      form.closest('.comment-code-cloud').find('button.comment-form-reply').show();
+      form.addClass('gt-hidden');
+      showElem(form.closest('.comment-code-cloud').find('button.comment-form-reply'));
     } else {
       form.closest('.comment-code-cloud').remove();
     }
@@ -269,7 +270,7 @@ export function initRepoPullRequestUpdate() {
 
 export function initRepoPullRequestMergeInstruction() {
   $('.show-instruction').on('click', () => {
-    $('.instruct-content').toggle();
+    toggleElem($('.instruct-content'));
   });
 }
 
@@ -455,9 +456,9 @@ export function initRepoPullRequestReview() {
   $(document).on('click', 'button.comment-form-reply', async function (e) {
     e.preventDefault();
 
-    $(this).hide();
+    hideElem($(this));
     const form = $(this).closest('.comment-code-cloud').find('.comment-form');
-    form.removeClass('hide');
+    form.removeClass('gt-hidden');
     const $textarea = form.find('textarea');
     let easyMDE = getAttachedEasyMDE($textarea);
     if (!easyMDE) {
@@ -488,10 +489,10 @@ export function initRepoPullRequestReview() {
 
   $('.btn-review').on('click', function (e) {
     e.preventDefault();
-    $(this).closest('.dropdown').find('.menu').toggle('visible');
+    $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
   }).closest('.dropdown').find('.close').on('click', function (e) {
     e.preventDefault();
-    $(this).closest('.menu').toggle('visible');
+    $(this).closest('.menu').toggle('visible'); // eslint-disable-line
   });
 
   $(document).on('click', 'a.add-code-comment', async function (e) {
@@ -551,7 +552,7 @@ export function initRepoIssueReferenceIssue() {
   // Reference issue
   $(document).on('click', '.reference-issue', function (event) {
     const $this = $(this);
-    $this.closest('.dropdown').find('.menu').toggle('visible');
+    $this.closest('.dropdown').find('.menu').toggle('visible');  // eslint-disable-line
 
     const content = $(`#${$this.data('target')}`).text();
     const poster = $this.data('poster-username');
@@ -587,12 +588,12 @@ export function initRepoIssueTitleEdit() {
   const $editInput = $('#edit-title-input input');
 
   const editTitleToggle = function () {
-    $issueTitle.toggle();
-    $('.not-in-edit').toggle();
-    $('#edit-title-input').toggle();
-    $('#pull-desc').toggle();
-    $('#pull-desc-edit').toggle();
-    $('.in-edit').toggle();
+    toggleElem($issueTitle);
+    toggleElem($('.not-in-edit'));
+    toggleElem($('#edit-title-input'));
+    toggleElem($('#pull-desc'));
+    toggleElem($('#pull-desc-edit'));
+    toggleElem($('.in-edit'));
     $('#issue-title-wrapper').toggleClass('edit-active');
     $editInput.focus();
     return false;
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 2cf4963b6a..e1dc514320 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -25,6 +25,7 @@ import {initCommentContent, initMarkupContent} from '../markup/content.js';
 import {initCompReactionSelector} from './comp/ReactionSelector.js';
 import {initRepoSettingBranches} from './repo-settings.js';
 import {initRepoPullRequestMergeForm} from './repo-issue-pr-form.js';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {csrfToken} = window.config;
 
@@ -55,9 +56,9 @@ export function initRepoCommentForm() {
       }
     });
     $selectBranch.find('.reference.column').on('click', function () {
-      $selectBranch.find('.scrolling.reference-list-menu').css('display', 'none');
+      hideElem($selectBranch.find('.scrolling.reference-list-menu'));
       $selectBranch.find('.reference .text').removeClass('black');
-      $($(this).data('target')).css('display', 'block');
+      showElem($($(this).data('target')));
       $(this).find('.text').addClass('black');
       return false;
     });
@@ -174,15 +175,15 @@ export function initRepoCommentForm() {
       $(this).parent().find('.item').each(function () {
         if ($(this).hasClass('checked')) {
           listIds.push($(this).data('id'));
-          $($(this).data('id-selector')).removeClass('hide');
+          $($(this).data('id-selector')).removeClass('gt-hidden');
         } else {
-          $($(this).data('id-selector')).addClass('hide');
+          $($(this).data('id-selector')).addClass('gt-hidden');
         }
       });
       if (listIds.length === 0) {
-        $noSelect.removeClass('hide');
+        $noSelect.removeClass('gt-hidden');
       } else {
-        $noSelect.addClass('hide');
+        $noSelect.addClass('gt-hidden');
       }
       $($(this).parent().data('id')).val(listIds.join(','));
       return false;
@@ -208,9 +209,9 @@ export function initRepoCommentForm() {
       }
 
       $list.find('.item').each(function () {
-        $(this).addClass('hide');
+        $(this).addClass('gt-hidden');
       });
-      $noSelect.removeClass('hide');
+      $noSelect.removeClass('gt-hidden');
       $($(this).parent().data('id')).val('');
     });
   }
@@ -257,7 +258,7 @@ export function initRepoCommentForm() {
         </a>
       `);
 
-      $(`.ui${select_id}.list .no-select`).addClass('hide');
+      $(`.ui${select_id}.list .no-select`).addClass('gt-hidden');
       $(input_id).val($(this).data('id'));
     });
     $menu.find('.no-select.item').on('click', function () {
@@ -275,7 +276,7 @@ export function initRepoCommentForm() {
       }
 
       $list.find('.selected').html('');
-      $list.find('.no-select').removeClass('hide');
+      $list.find('.no-select').removeClass('gt-hidden');
       $(input_id).val('');
     });
   }
@@ -290,7 +291,7 @@ export function initRepoCommentForm() {
 async function onEditContent(event) {
   event.preventDefault();
 
-  $(this).closest('.dropdown').find('.menu').toggle('visible');
+  $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
   const $segment = $(this).closest('.header').next();
   const $editContentZone = $segment.find('.edit-content-zone');
   const $renderContent = $segment.find('.render-content');
@@ -387,16 +388,16 @@ async function onEditContent(event) {
     });
 
     $editContentZone.find('.cancel.button').on('click', () => {
-      $renderContent.show();
-      $editContentZone.hide();
+      showElem($renderContent);
+      hideElem($editContentZone);
       if (dz) {
         dz.emit('reload');
       }
     });
 
     $saveButton.on('click', () => {
-      $renderContent.show();
-      $editContentZone.hide();
+      showElem($renderContent);
+      hideElem($editContentZone);
       const $attachments = $dropzone.find('.files').find('[name=files]').map(function () {
         return $(this).val();
       }).get();
@@ -438,8 +439,8 @@ async function onEditContent(event) {
   }
 
   // Show write/preview tab and copy raw content as needed
-  $editContentZone.show();
-  $renderContent.hide();
+  showElem($editContentZone);
+  hideElem($renderContent);
   if ($textarea.val().length === 0) {
     $textarea.val($rawContent.text());
     easyMDE.value($rawContent.text());
@@ -558,10 +559,10 @@ export function initRepository() {
     // show pull request form
     $repoComparePull.find('button.show-form').on('click', function (e) {
       e.preventDefault();
-      $(this).parent().hide();
+      hideElem($(this).parent());
 
       const $form = $repoComparePull.find('.pullrequest-form');
-      $form.show();
+      showElem($form);
       $form.find('textarea.edit_area').each(function() {
         const easyMDE = getAttachedEasyMDE($(this));
         if (easyMDE) {
@@ -583,7 +584,7 @@ function initRepoIssueCommentEdit() {
 
   // Quote reply
   $(document).on('click', '.quote-reply', function (event) {
-    $(this).closest('.dropdown').find('.menu').toggle('visible');
+    $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
     const target = $(this).data('target');
     const quote = $(`#${target}`).text().replace(/\n/g, '\n> ');
     const content = `> ${quote}\n\n`;
diff --git a/web_src/js/features/repo-migrate.js b/web_src/js/features/repo-migrate.js
index d44f540c46..93d1390b4b 100644
--- a/web_src/js/features/repo-migrate.js
+++ b/web_src/js/features/repo-migrate.js
@@ -1,12 +1,13 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
 export function initRepoMigrationStatusChecker() {
   const migrating = $('#repo_migrating');
-  $('#repo_migrating_failed').hide();
-  $('#repo_migrating_failed_image').hide();
-  $('#repo_migrating_progress_message').hide();
+  hideElem($('#repo_migrating_failed'));
+  hideElem($('#repo_migrating_failed_image'));
+  hideElem($('#repo_migrating_progress_message'));
   if (migrating) {
     const task = migrating.attr('task');
     if (task === undefined) {
@@ -24,15 +25,15 @@ export function initRepoMigrationStatusChecker() {
             window.location.reload();
             return;
           } else if (xhr.responseJSON.status === 3) {
-            $('#repo_migrating_progress').hide();
-            $('#repo_migrating').hide();
-            $('#repo_migrating_failed').show();
-            $('#repo_migrating_failed_image').show();
+            hideElem($('#repo_migrating_progress'));
+            hideElem($('#repo_migrating'));
+            showElem($('#repo_migrating_failed'));
+            showElem($('#repo_migrating_failed_image'));
             $('#repo_migrating_failed_error').text(xhr.responseJSON.message);
             return;
           }
           if (xhr.responseJSON.message) {
-            $('#repo_migrating_progress_message').show();
+            showElem($('#repo_migrating_progress_message'));
             $('#repo_migrating_progress_message').text(xhr.responseJSON.message);
           }
           setTimeout(() => {
@@ -40,10 +41,10 @@ export function initRepoMigrationStatusChecker() {
           }, 2000);
           return;
         }
-        $('#repo_migrating_progress').hide();
-        $('#repo_migrating').hide();
-        $('#repo_migrating_failed').show();
-        $('#repo_migrating_failed_image').show();
+        hideElem($('#repo_migrating_progress'));
+        hideElem($('#repo_migrating'));
+        showElem($('#repo_migrating_failed'));
+        showElem($('#repo_migrating_failed_image'));
       }
     });
   }
diff --git a/web_src/js/features/repo-migration.js b/web_src/js/features/repo-migration.js
index c317c7245c..ee2ec01943 100644
--- a/web_src/js/features/repo-migration.js
+++ b/web_src/js/features/repo-migration.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem, toggleElem} from '../utils/dom.js';
 
 const $service = $('#service_type');
 const $user = $('#auth_username');
@@ -18,7 +19,7 @@ export function initRepoMigration() {
   $pass.on('keyup', () => {checkItems(false)});
   $token.on('keyup', () => {checkItems(true)});
   $mirror.on('change', () => {checkItems(true)});
-  $('#lfs_settings_show').on('click', () => { $lfsEndpoint.show(); return false });
+  $('#lfs_settings_show').on('click', () => { showElem($lfsEndpoint); return false });
   $lfs.on('change', setLFSSettingsVisibility);
 
   const $cloneAddr = $('#clone_addr');
@@ -57,6 +58,6 @@ function checkItems(tokenAuth) {
 
 function setLFSSettingsVisibility() {
   const visible = $lfs.is(':checked');
-  $lfsSettings.toggle(visible);
-  $lfsEndpoint.hide();
+  toggleElem($lfsSettings, visible);
+  hideElem($lfsEndpoint);
 }
diff --git a/web_src/js/features/repo-release.js b/web_src/js/features/repo-release.js
index 7589d108f9..a061c6b23f 100644
--- a/web_src/js/features/repo-release.js
+++ b/web_src/js/features/repo-release.js
@@ -3,13 +3,14 @@ import {attachTribute} from './tribute.js';
 import {initCompMarkupContentPreviewTab} from './comp/MarkupContentPreview.js';
 import {initEasyMDEImagePaste} from './comp/ImagePaste.js';
 import {createCommentEasyMDE} from './comp/EasyMDE.js';
+import {hideElem} from '../utils/dom.js';
 
 export function initRepoRelease() {
   $(document).on('click', '.remove-rel-attach', function() {
     const uuid = $(this).data('uuid');
     const id = $(this).data('id');
     $(`input[name='attachment-del-${uuid}']`).attr('value', true);
-    $(`#attachment-${id}`).hide();
+    hideElem($(`#attachment-${id}`));
   });
 }
 
diff --git a/web_src/js/features/repo-template.js b/web_src/js/features/repo-template.js
index dc4ae1e268..0c5ea5233a 100644
--- a/web_src/js/features/repo-template.js
+++ b/web_src/js/features/repo-template.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {htmlEscape} from 'escape-goat';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {appSubUrl} = window.config;
 
@@ -9,11 +10,11 @@ export function initRepoTemplateSearch() {
     const $templateUnits = $('#template_units');
     const $nonTemplate = $('#non_template');
     if ($repoTemplate.val() !== '' && $repoTemplate.val() !== '0') {
-      $templateUnits.show();
-      $nonTemplate.hide();
+      showElem($templateUnits);
+      hideElem($nonTemplate);
     } else {
-      $templateUnits.hide();
-      $nonTemplate.show();
+      hideElem($templateUnits);
+      showElem($nonTemplate);
     }
   };
   $repoTemplate.on('change', checkTemplate);
diff --git a/web_src/js/features/repo-unicode-escape.js b/web_src/js/features/repo-unicode-escape.js
index f97bcc7ee7..67f2df1d9a 100644
--- a/web_src/js/features/repo-unicode-escape.js
+++ b/web_src/js/features/repo-unicode-escape.js
@@ -1,17 +1,18 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 export function initUnicodeEscapeButton() {
   $(document).on('click', 'a.escape-button', (e) => {
     e.preventDefault();
     $(e.target).parents('.file-content, .non-diff-file-content').find('.file-code, .file-view').addClass('unicode-escaped');
-    $(e.target).hide();
-    $(e.target).siblings('a.unescape-button').show();
+    hideElem($(e.target));
+    showElem($(e.target).siblings('a.unescape-button'));
   });
   $(document).on('click', 'a.unescape-button', (e) => {
     e.preventDefault();
     $(e.target).parents('.file-content, .non-diff-file-content').find('.file-code, .file-view').removeClass('unicode-escaped');
-    $(e.target).hide();
-    $(e.target).siblings('a.escape-button').show();
+    hideElem($(e.target));
+    showElem($(e.target).siblings('a.escape-button'));
   });
   $(document).on('click', 'a.toggle-escape-button', (e) => {
     e.preventDefault();
@@ -19,12 +20,12 @@ export function initUnicodeEscapeButton() {
     const fileView = fileContent.find('.file-code, .file-view');
     if (fileView.hasClass('unicode-escaped')) {
       fileView.removeClass('unicode-escaped');
-      fileContent.find('a.unescape-button').hide();
-      fileContent.find('a.escape-button').show();
+      hideElem(fileContent.find('a.unescape-button'));
+      showElem(fileContent.find('a.escape-button'));
     } else {
       fileView.addClass('unicode-escaped');
-      fileContent.find('a.unescape-button').show();
-      fileContent.find('a.escape-button').hide();
+      showElem(fileContent.find('a.unescape-button'));
+      hideElem(fileContent.find('a.escape-button'));
     }
   });
 }
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 9c9fffd995..f30017afc6 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,5 +1,6 @@
 import $ from 'jquery';
 import {encode, decode} from 'uint8-to-base64';
+import {hideElem, showElem} from '../utils/dom.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
@@ -132,16 +133,18 @@ function webauthnRegistered(newCredential) {
 }
 
 function webAuthnError(errorType, message) {
-  $('#webauthn-error [data-webauthn-error-msg]').hide();
+  hideElem($('#webauthn-error [data-webauthn-error-msg]'));
   const $errorGeneral = $(`#webauthn-error [data-webauthn-error-msg=general]`);
   if (errorType === 'general') {
-    $errorGeneral.show().text(message || 'unknown error');
+    showElem($errorGeneral);
+    $errorGeneral.text(message || 'unknown error');
   } else {
     const $errorTyped = $(`#webauthn-error [data-webauthn-error-msg=${errorType}]`);
     if ($errorTyped.length) {
-      $errorTyped.show();
+      showElem($errorTyped);
     } else {
-      $errorGeneral.show().text(`unknown error type: ${errorType}`);
+      showElem($errorGeneral);
+      $errorGeneral.text(`unknown error type: ${errorType}`);
     }
   }
   $('#webauthn-error').modal('show');
diff --git a/web_src/js/features/user-auth.js b/web_src/js/features/user-auth.js
index 55aace3bcd..34e773fe7d 100644
--- a/web_src/js/features/user-auth.js
+++ b/web_src/js/features/user-auth.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 export function initUserAuthOauth2() {
   const $oauth2LoginNav = $('#oauth2-login-navigator');
@@ -8,14 +9,14 @@ export function initUserAuthOauth2() {
     const oauthLoader = $('#oauth2-login-loader');
     const oauthNav = $('#oauth2-login-navigator');
 
-    oauthNav.hide();
+    hideElem(oauthNav);
     oauthLoader.removeClass('disabled');
 
     setTimeout(() => {
       // recover previous content to let user try again
       // usually redirection will be performed before this action
       oauthLoader.addClass('disabled');
-      oauthNav.show();
+      showElem(oauthNav);
     }, 5000);
   });
 }
diff --git a/web_src/js/features/user-settings.js b/web_src/js/features/user-settings.js
index 3ed29f39b1..d49bf39275 100644
--- a/web_src/js/features/user-settings.js
+++ b/web_src/js/features/user-settings.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {hideElem, showElem} from '../utils/dom.js';
 
 export function initUserSettings() {
   if ($('.user.settings.profile').length > 0) {
@@ -6,11 +7,11 @@ export function initUserSettings() {
       const $prompt = $('#name-change-prompt');
       const $prompt_redirect = $('#name-change-redirect-prompt');
       if ($(this).val().toString().toLowerCase() !== $(this).data('name').toString().toLowerCase()) {
-        $prompt.show();
-        $prompt_redirect.show();
+        showElem($prompt);
+        showElem($prompt_redirect);
       } else {
-        $prompt.hide();
-        $prompt_redirect.hide();
+        hideElem($prompt);
+        hideElem($prompt_redirect);
       }
     });
   }
diff --git a/web_src/js/utils/dom.js b/web_src/js/utils/dom.js
new file mode 100644
index 0000000000..8872a9e4ab
--- /dev/null
+++ b/web_src/js/utils/dom.js
@@ -0,0 +1,65 @@
+function getComputedStyleProperty(el, prop) {
+  const cs = el ? window.getComputedStyle(el) : null;
+  return cs ? cs[prop] : null;
+}
+
+function isShown(el) {
+  return getComputedStyleProperty(el, 'display') !== 'none';
+}
+
+function assertShown(el, expectShown) {
+  if (window.config.runModeIsProd) return;
+
+  // to help developers to catch display bugs, this assertion can be removed after next release cycle or if it has been proved that there is no bug.
+  if (expectShown && !isShown(el)) {
+    throw new Error('element is hidden but should be shown');
+  } else if (!expectShown && isShown(el)) {
+    throw new Error('element is shown but should be hidden');
+  }
+}
+
+function elementsCall(el, func, ...args) {
+  if (el instanceof String) {
+    el = document.querySelectorAll(el);
+  }
+  if (el instanceof Node) {
+    func(el, ...args);
+  } else if (el.length !== undefined) {
+    // this works for: NodeList, HTMLCollection, Array, jQuery
+    for (const e of el) {
+      func(e, ...args);
+    }
+  } else {
+    throw new Error('invalid argument to be shown/hidden');
+  }
+}
+
+function toggleShown(el, force) {
+  if (force === true) {
+    el.classList.remove('gt-hidden');
+    assertShown(el, true);
+  } else if (force === false) {
+    el.classList.add('gt-hidden');
+    assertShown(el, false);
+  } else if (force === undefined) {
+    const wasShown = window.config.runModeIsProd ? undefined : isShown(el);
+    el.classList.toggle('gt-hidden');
+    if (wasShown !== undefined) {
+      assertShown(el, !wasShown);
+    }
+  } else {
+    throw new Error('invalid force argument');
+  }
+}
+
+export function showElem(el) {
+  elementsCall(el, toggleShown, true);
+}
+
+export function hideElem(el) {
+  elementsCall(el, toggleShown, false);
+}
+
+export function toggleElem(el, force) {
+  elementsCall(el, toggleShown, force);
+}
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index 771049ad39..fae29d0d60 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -1812,11 +1812,6 @@ footer {
   }
 }
 
-// TODO: refactor to use ".gt-hidden" instead (a simple search&replace should do the trick)
-.hide {
-  display: none;
-}
-
 .center:not(.popup) {
   text-align: center;
 }
diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index b2c4cdcdfb..f489335712 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -106,10 +106,6 @@
         margin-right: 8.75px;
       }
 
-      .hide {
-        display: none !important;
-      }
-
       .dependency {
         padding: 0;
         white-space: nowrap;
@@ -2592,18 +2588,10 @@
   }
 }
 
-#issue-filters.hide {
-  display: none;
-}
-
 #issue-actions {
   margin-top: -1rem !important; // counteract padding from Semantic
 }
 
-#issue-actions.hide {
-  display: none;
-}
-
 .ui.menu .item > img:not(.ui) {
   width: auto;
 }
diff --git a/web_src/less/helpers.less b/web_src/less/helpers.less
index 2b09780fb8..9cabe01626 100644
--- a/web_src/less/helpers.less
+++ b/web_src/less/helpers.less
@@ -181,5 +181,15 @@
   .gt-js-small { justify-content: flex-start !important; }
 }
 
-// gt-hidden must be placed after all other "display: xxx !important" classes to win the hidden chance
+/*
+gt-hidden must be placed after all other "display: xxx !important" classes to win the chance
+do not use:
+* "[hidden]" attribute: it's too weak, can not be applied to an element with "display: flex"
+* ".hidden" class: it has been polluted by Fomantic UI in many cases
+* inline style="display: none": it's difficult to tweak
+* jQuery's show/hide/toggle: it can not show/hide elements with "display: xxx !important"
+only use:
+* this ".gt-hidden" class
+* showElem/hideElem/toggleElem functions in "utils/dom.js"
+*/
 .gt-hidden { display: none !important; }

From d5e417a33d04d7a2d16317495d7aad45ca0868ed Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Sun, 19 Feb 2023 13:57:49 +0900
Subject: [PATCH 06/81] Fix no user listed in org teams page (#22979)

https://github.com/go-gitea/gitea/pull/22294 introduced this bug.
Before:

![picture](https://user-images.githubusercontent.com/18380374/219916000-5b28db1a-22b5-481a-807b-49c14ac1cd35.png)
After:

![picture](https://user-images.githubusercontent.com/18380374/219916260-6b94efbb-836a-4551-b6a8-3f9cb37d822a.png)

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/shared/user/avatarlink.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/shared/user/avatarlink.tmpl b/templates/shared/user/avatarlink.tmpl
index 3e87eee78e..c99f0aacb7 100644
--- a/templates/shared/user/avatarlink.tmpl
+++ b/templates/shared/user/avatarlink.tmpl
@@ -1 +1 @@
-<a class="avatar"{{if gt .user.ID 0}} href="{{.user.HomeLink}}"{{end}}>{{avatar $.Context .}}</a>
+<a class="avatar"{{if gt .user.ID 0}} href="{{.user.HomeLink}}"{{end}}>{{avatar $.Context .user}}</a>

From 61b89747ed54e17ab5c7730adbad1c5d4d5ff78a Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sun, 19 Feb 2023 07:35:20 +0000
Subject: [PATCH 07/81] Provide the ability to set password hash algorithm
 parameters (#22942)

This PR refactors and improves the password hashing code within gitea
and makes it possible for server administrators to set the password
hashing parameters

In addition it takes the opportunity to adjust the settings for `pbkdf2`
in order to make the hashing a little stronger.

The majority of this work was inspired by PR #14751 and I would like to
thank @boppy for their work on this.

Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing
parameters.

Close #14751

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 cmd/admin_user_change_password.go             |   2 +-
 cmd/admin_user_create.go                      |   2 +-
 .../doc/advanced/config-cheat-sheet.en-us.md  |  17 +-
 models/fixtures/user.yml                      | 130 ++++++------
 models/user/user.go                           |  75 +------
 models/user/user_test.go                      |   3 +-
 modules/auth/password/hash/argon2.go          |  80 ++++++++
 modules/auth/password/hash/bcrypt.go          |  54 +++++
 modules/auth/password/hash/common.go          |  28 +++
 modules/auth/password/hash/hash.go            | 180 +++++++++++++++++
 modules/auth/password/hash/hash_test.go       | 186 ++++++++++++++++++
 modules/auth/password/hash/pbkdf2.go          |  67 +++++++
 modules/auth/password/hash/scrypt.go          |  67 +++++++
 modules/auth/password/hash/setting.go         |  61 ++++++
 modules/auth/password/hash/setting_test.go    |  38 ++++
 modules/{ => auth}/password/password.go       |   8 +-
 modules/{ => auth}/password/password_test.go  |   0
 modules/{ => auth}/password/pwn.go            |   2 +-
 modules/{ => auth}/password/pwn/pwn.go        |   0
 modules/{ => auth}/password/pwn/pwn_test.go   |   0
 modules/setting/setting.go                    |  10 +-
 routers/api/v1/admin/user.go                  |   2 +-
 routers/install/install.go                    |   3 +-
 routers/web/admin/users.go                    |   2 +-
 routers/web/auth/auth.go                      |   2 +-
 routers/web/auth/password.go                  |   2 +-
 routers/web/user/setting/account.go           |   2 +-
 27 files changed, 871 insertions(+), 152 deletions(-)
 create mode 100644 modules/auth/password/hash/argon2.go
 create mode 100644 modules/auth/password/hash/bcrypt.go
 create mode 100644 modules/auth/password/hash/common.go
 create mode 100644 modules/auth/password/hash/hash.go
 create mode 100644 modules/auth/password/hash/hash_test.go
 create mode 100644 modules/auth/password/hash/pbkdf2.go
 create mode 100644 modules/auth/password/hash/scrypt.go
 create mode 100644 modules/auth/password/hash/setting.go
 create mode 100644 modules/auth/password/hash/setting_test.go
 rename modules/{ => auth}/password/password.go (93%)
 rename modules/{ => auth}/password/password_test.go (100%)
 rename modules/{ => auth}/password/pwn.go (93%)
 rename modules/{ => auth}/password/pwn/pwn.go (100%)
 rename modules/{ => auth}/password/pwn/pwn_test.go (100%)

diff --git a/cmd/admin_user_change_password.go b/cmd/admin_user_change_password.go
index 1b7c73370d..7866bde912 100644
--- a/cmd/admin_user_change_password.go
+++ b/cmd/admin_user_change_password.go
@@ -9,7 +9,7 @@ import (
 	"fmt"
 
 	user_model "code.gitea.io/gitea/models/user"
-	pwd "code.gitea.io/gitea/modules/password"
+	pwd "code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/urfave/cli"
diff --git a/cmd/admin_user_create.go b/cmd/admin_user_create.go
index 579c6f2f62..09eaad54be 100644
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@@ -10,7 +10,7 @@ import (
 
 	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
-	pwd "code.gitea.io/gitea/modules/password"
+	pwd "code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 04344b15dc..36e9919bc7 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -568,7 +568,22 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining INTERNAL_TOKEN in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
-- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\], argon2 will spend more memory than others.
+- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt\], argon2 and scrypt will spend significant amounts of memory.
+  - Note: The default parameters for `pbkdf2` hashing have changed - the previous settings are available as `pbkdf2_v1` but are not recommended.
+  - The hash functions may be tuned by using `$` after the algorithm:
+    - `argon2$<time>$<memory>$<threads>$<key-length>`
+    - `bcrypt$<cost>`
+    - `pbkdf2$<iterations>$<key-length>`
+    - `scrypt$<n>$<r>$<p>$<key-length>`
+  - The defaults are:
+    - `argon2`:    `argon2$2$65536$8$50`
+    - `bcrypt`:    `bcrypt$10`
+    - `pbkdf2`:    `pbkdf2$50000$50`
+    - `pbkdf2_v1`: `pbkdf2$10000$50`
+    - `pbkdf2_v2`: `pbkdf2$50000$50`
+    - `pbkdf2_hi`: `pbkdf2$320000$50`
+    - `scrypt`:    `scrypt$65536$16$2$50`
+  - Adjusting the algorithm parameters using this functionality is done at your own risk.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 0a1d85b48b..b5f8b27215 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -8,8 +8,8 @@
   email: user1@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user1
@@ -45,8 +45,8 @@
   email: user2@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user2
@@ -82,8 +82,8 @@
   email: user3@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user3
@@ -119,8 +119,8 @@
   email: user4@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user4
@@ -156,8 +156,8 @@
   email: user5@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user5
@@ -193,8 +193,8 @@
   email: user6@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user6
@@ -230,8 +230,8 @@
   email: user7@example.com
   keep_email_private: false
   email_notifications_preference: disabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user7
@@ -267,8 +267,8 @@
   email: user8@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user8
@@ -304,8 +304,8 @@
   email: user9@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user9
@@ -341,8 +341,8 @@
   email: user10@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user10
@@ -378,8 +378,8 @@
   email: user11@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user11
@@ -415,8 +415,8 @@
   email: user12@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user12
@@ -452,8 +452,8 @@
   email: user13@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user13
@@ -489,8 +489,8 @@
   email: user14@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user14
@@ -526,8 +526,8 @@
   email: user15@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user15
@@ -563,8 +563,8 @@
   email: user16@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user16
@@ -600,8 +600,8 @@
   email: user17@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user17
@@ -637,8 +637,8 @@
   email: user18@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user18
@@ -674,8 +674,8 @@
   email: user19@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user19
@@ -711,8 +711,8 @@
   email: user20@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user20
@@ -748,8 +748,8 @@
   email: user21@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user21
@@ -785,8 +785,8 @@
   email: limited_org@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: limited_org
@@ -822,8 +822,8 @@
   email: privated_org@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: privated_org
@@ -859,8 +859,8 @@
   email: user24@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user24
@@ -896,8 +896,8 @@
   email: org25@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: org25
@@ -933,8 +933,8 @@
   email: org26@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: org26
@@ -970,8 +970,8 @@
   email: user27@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user27
@@ -1007,8 +1007,8 @@
   email: user28@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user28
@@ -1044,8 +1044,8 @@
   email: user29@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user29
@@ -1081,8 +1081,8 @@
   email: user30@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user30
@@ -1118,8 +1118,8 @@
   email: user31@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user31
@@ -1155,7 +1155,7 @@
   email: user32@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a
+  passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f47017
   passwd_hash_algo: argon2
   must_change_password: false
   login_source: 0
@@ -1192,8 +1192,8 @@
   email: user33@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b
-  passwd_hash_algo: argon2
+  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
+  passwd_hash_algo: pbkdf2$50000$50
   must_change_password: false
   login_source: 0
   login_name: user33
diff --git a/models/user/user.go b/models/user/user.go
index 7e896e26da..f6fafe64f3 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -6,8 +6,6 @@ package user
 
 import (
 	"context"
-	"crypto/sha256"
-	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"net/url"
@@ -21,6 +19,7 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/auth/openid"
+	"code.gitea.io/gitea/modules/auth/password/hash"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
@@ -30,10 +29,6 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/validation"
 
-	"golang.org/x/crypto/argon2"
-	"golang.org/x/crypto/bcrypt"
-	"golang.org/x/crypto/pbkdf2"
-	"golang.org/x/crypto/scrypt"
 	"xorm.io/builder"
 )
 
@@ -48,21 +43,6 @@ const (
 	UserTypeOrganization
 )
 
-const (
-	algoBcrypt = "bcrypt"
-	algoScrypt = "scrypt"
-	algoArgon2 = "argon2"
-	algoPbkdf2 = "pbkdf2"
-)
-
-// AvailableHashAlgorithms represents the available password hashing algorithms
-var AvailableHashAlgorithms = []string{
-	algoPbkdf2,
-	algoArgon2,
-	algoScrypt,
-	algoBcrypt,
-}
-
 const (
 	// EmailNotificationsEnabled indicates that the user would like to receive all email notifications except your own
 	EmailNotificationsEnabled = "enabled"
@@ -377,42 +357,6 @@ func (u *User) NewGitSig() *git.Signature {
 	}
 }
 
-func hashPassword(passwd, salt, algo string) (string, error) {
-	var tempPasswd []byte
-	var saltBytes []byte
-
-	// There are two formats for the Salt value:
-	// * The new format is a (32+)-byte hex-encoded string
-	// * The old format was a 10-byte binary format
-	// We have to tolerate both here but Authenticate should
-	// regenerate the Salt following a successful validation.
-	if len(salt) == 10 {
-		saltBytes = []byte(salt)
-	} else {
-		var err error
-		saltBytes, err = hex.DecodeString(salt)
-		if err != nil {
-			return "", err
-		}
-	}
-
-	switch algo {
-	case algoBcrypt:
-		tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
-		return string(tempPasswd), nil
-	case algoScrypt:
-		tempPasswd, _ = scrypt.Key([]byte(passwd), saltBytes, 65536, 16, 2, 50)
-	case algoArgon2:
-		tempPasswd = argon2.IDKey([]byte(passwd), saltBytes, 2, 65536, 8, 50)
-	case algoPbkdf2:
-		fallthrough
-	default:
-		tempPasswd = pbkdf2.Key([]byte(passwd), saltBytes, 10000, 50, sha256.New)
-	}
-
-	return hex.EncodeToString(tempPasswd), nil
-}
-
 // SetPassword hashes a password using the algorithm defined in the config value of PASSWORD_HASH_ALGO
 // change passwd, salt and passwd_hash_algo fields
 func (u *User) SetPassword(passwd string) (err error) {
@@ -426,7 +370,7 @@ func (u *User) SetPassword(passwd string) (err error) {
 	if u.Salt, err = GetUserSalt(); err != nil {
 		return err
 	}
-	if u.Passwd, err = hashPassword(passwd, u.Salt, setting.PasswordHashAlgo); err != nil {
+	if u.Passwd, err = hash.Parse(setting.PasswordHashAlgo).Hash(passwd, u.Salt); err != nil {
 		return err
 	}
 	u.PasswdHashAlgo = setting.PasswordHashAlgo
@@ -434,20 +378,9 @@ func (u *User) SetPassword(passwd string) (err error) {
 	return nil
 }
 
-// ValidatePassword checks if given password matches the one belongs to the user.
+// ValidatePassword checks if the given password matches the one belonging to the user.
 func (u *User) ValidatePassword(passwd string) bool {
-	tempHash, err := hashPassword(passwd, u.Salt, u.PasswdHashAlgo)
-	if err != nil {
-		return false
-	}
-
-	if u.PasswdHashAlgo != algoBcrypt && subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(tempHash)) == 1 {
-		return true
-	}
-	if u.PasswdHashAlgo == algoBcrypt && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil {
-		return true
-	}
-	return false
+	return hash.Parse(u.PasswdHashAlgo).VerifyPassword(passwd, u.Passwd, u.Salt)
 }
 
 // IsPasswordSet checks if the password is set or left empty
diff --git a/models/user/user_test.go b/models/user/user_test.go
index 7a58d2f822..fc8f6b8d51 100644
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password/hash"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -164,7 +165,7 @@ func TestEmailNotificationPreferences(t *testing.T) {
 func TestHashPasswordDeterministic(t *testing.T) {
 	b := make([]byte, 16)
 	u := &user_model.User{}
-	algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
+	algos := hash.RecommendedHashAlgorithms
 	for j := 0; j < len(algos); j++ {
 		u.PasswdHashAlgo = algos[j]
 		for i := 0; i < 50; i++ {
diff --git a/modules/auth/password/hash/argon2.go b/modules/auth/password/hash/argon2.go
new file mode 100644
index 0000000000..14c16b53c4
--- /dev/null
+++ b/modules/auth/password/hash/argon2.go
@@ -0,0 +1,80 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"encoding/hex"
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
+
+	"golang.org/x/crypto/argon2"
+)
+
+func init() {
+	Register("argon2", NewArgon2Hasher)
+}
+
+// Argon2Hasher implements PasswordHasher
+// and uses the Argon2 key derivation function, hybrant variant
+type Argon2Hasher struct {
+	time    uint32
+	memory  uint32
+	threads uint8
+	keyLen  uint32
+}
+
+// HashWithSaltBytes a provided password and salt
+func (hasher *Argon2Hasher) HashWithSaltBytes(password string, salt []byte) string {
+	if hasher == nil {
+		return ""
+	}
+	return hex.EncodeToString(argon2.IDKey([]byte(password), salt, hasher.time, hasher.memory, hasher.threads, hasher.keyLen))
+}
+
+// NewArgon2Hasher is a factory method to create an Argon2Hasher
+// The provided config should be either empty or of the form:
+// "<time>$<memory>$<threads>$<keyLen>", where <x> is the string representation
+// of an integer
+func NewArgon2Hasher(config string) *Argon2Hasher {
+	// This default configuration uses the following parameters:
+	// time=2, memory=64*1024, threads=8, keyLen=50.
+	// It will make two passes through the memory, using 64MiB in total.
+	// This matches the original configuration for `argon2` prior to storing hash parameters
+	// in the database.
+	// THESE VALUES MUST NOT BE CHANGED OR BACKWARDS COMPATIBILITY WILL BREAK
+	hasher := &Argon2Hasher{
+		time:    2,
+		memory:  1 << 16,
+		threads: 8,
+		keyLen:  50,
+	}
+
+	if config == "" {
+		return hasher
+	}
+
+	vals := strings.SplitN(config, "$", 4)
+	if len(vals) != 4 {
+		log.Error("invalid argon2 hash spec %s", config)
+		return nil
+	}
+
+	parsed, err := parseUIntParam(vals[0], "time", "argon2", config, nil)
+	hasher.time = uint32(parsed)
+
+	parsed, err = parseUIntParam(vals[1], "memory", "argon2", config, err)
+	hasher.memory = uint32(parsed)
+
+	parsed, err = parseUIntParam(vals[2], "threads", "argon2", config, err)
+	hasher.threads = uint8(parsed)
+
+	parsed, err = parseUIntParam(vals[3], "keyLen", "argon2", config, err)
+	hasher.keyLen = uint32(parsed)
+	if err != nil {
+		return nil
+	}
+
+	return hasher
+}
diff --git a/modules/auth/password/hash/bcrypt.go b/modules/auth/password/hash/bcrypt.go
new file mode 100644
index 0000000000..ddf5420408
--- /dev/null
+++ b/modules/auth/password/hash/bcrypt.go
@@ -0,0 +1,54 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"golang.org/x/crypto/bcrypt"
+)
+
+func init() {
+	Register("bcrypt", NewBcryptHasher)
+}
+
+// BcryptHasher implements PasswordHasher
+// and uses the bcrypt password hash function.
+type BcryptHasher struct {
+	cost int
+}
+
+// HashWithSaltBytes a provided password and salt
+func (hasher *BcryptHasher) HashWithSaltBytes(password string, salt []byte) string {
+	if hasher == nil {
+		return ""
+	}
+	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), hasher.cost)
+	return string(hashedPassword)
+}
+
+func (hasher *BcryptHasher) VerifyPassword(password, hashedPassword, salt string) bool {
+	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password)) == nil
+}
+
+// NewBcryptHasher is a factory method to create an BcryptHasher
+// The provided config should be either empty or the string representation of the "<cost>"
+// as an integer
+func NewBcryptHasher(config string) *BcryptHasher {
+	// This matches the original configuration for `bcrypt` prior to storing hash parameters
+	// in the database.
+	// THESE VALUES MUST NOT BE CHANGED OR BACKWARDS COMPATIBILITY WILL BREAK
+	hasher := &BcryptHasher{
+		cost: 10, // cost=10. i.e. 2^10 rounds of key expansion.
+	}
+
+	if config == "" {
+		return hasher
+	}
+	var err error
+	hasher.cost, err = parseIntParam(config, "cost", "bcrypt", config, nil)
+	if err != nil {
+		return nil
+	}
+
+	return hasher
+}
diff --git a/modules/auth/password/hash/common.go b/modules/auth/password/hash/common.go
new file mode 100644
index 0000000000..ac6faf35cf
--- /dev/null
+++ b/modules/auth/password/hash/common.go
@@ -0,0 +1,28 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"strconv"
+
+	"code.gitea.io/gitea/modules/log"
+)
+
+func parseIntParam(value, param, algorithmName, config string, previousErr error) (int, error) {
+	parsed, err := strconv.Atoi(value)
+	if err != nil {
+		log.Error("invalid integer for %s representation in %s hash spec %s", param, algorithmName, config)
+		return 0, err
+	}
+	return parsed, previousErr // <- Keep the previous error as this function should still return an error once everything has been checked if any call failed
+}
+
+func parseUIntParam(value, param, algorithmName, config string, previousErr error) (uint64, error) {
+	parsed, err := strconv.ParseUint(value, 10, 64)
+	if err != nil {
+		log.Error("invalid integer for %s representation in %s hash spec %s", param, algorithmName, config)
+		return 0, err
+	}
+	return parsed, previousErr // <- Keep the previous error as this function should still return an error once everything has been checked if any call failed
+}
diff --git a/modules/auth/password/hash/hash.go b/modules/auth/password/hash/hash.go
new file mode 100644
index 0000000000..3572dd46d4
--- /dev/null
+++ b/modules/auth/password/hash/hash.go
@@ -0,0 +1,180 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"crypto/subtle"
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"sync/atomic"
+
+	"code.gitea.io/gitea/modules/log"
+)
+
+// This package takes care of hashing passwords, verifying passwords, defining
+// available password algorithms, defining recommended password algorithms and
+// choosing the default password algorithm.
+
+// PasswordSaltHasher will hash a provided password with the provided saltBytes
+type PasswordSaltHasher interface {
+	HashWithSaltBytes(password string, saltBytes []byte) string
+}
+
+// PasswordHasher will hash a provided password with the salt
+type PasswordHasher interface {
+	Hash(password, salt string) (string, error)
+}
+
+// PasswordVerifier will ensure that a providedPassword matches the hashPassword when hashed with the salt
+type PasswordVerifier interface {
+	VerifyPassword(providedPassword, hashedPassword, salt string) bool
+}
+
+// PasswordHashAlgorithms are named PasswordSaltHashers with a default verifier and hash function
+type PasswordHashAlgorithm struct {
+	PasswordSaltHasher
+	Specification string // The specification that is used to create the internal PasswordSaltHasher
+}
+
+// Hash the provided password with the salt and return the hash
+func (algorithm *PasswordHashAlgorithm) Hash(password, salt string) (string, error) {
+	var saltBytes []byte
+
+	// There are two formats for the salt value:
+	// * The new format is a (32+)-byte hex-encoded string
+	// * The old format was a 10-byte binary format
+	// We have to tolerate both here.
+	if len(salt) == 10 {
+		saltBytes = []byte(salt)
+	} else {
+		var err error
+		saltBytes, err = hex.DecodeString(salt)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return algorithm.HashWithSaltBytes(password, saltBytes), nil
+}
+
+// Verify the provided password matches the hashPassword when hashed with the salt
+func (algorithm *PasswordHashAlgorithm) VerifyPassword(providedPassword, hashedPassword, salt string) bool {
+	// Some PasswordSaltHashers have their own specialised compare function that takes into
+	// account the stored parameters within the hash. e.g. bcrypt
+	if verifier, ok := algorithm.PasswordSaltHasher.(PasswordVerifier); ok {
+		return verifier.VerifyPassword(providedPassword, hashedPassword, salt)
+	}
+
+	// Compute the hash of the password.
+	providedPasswordHash, err := algorithm.Hash(providedPassword, salt)
+	if err != nil {
+		log.Error("passwordhash: %v.Hash(): %v", algorithm.Specification, err)
+		return false
+	}
+
+	// Compare it against the hashed password in constant-time.
+	return subtle.ConstantTimeCompare([]byte(hashedPassword), []byte(providedPasswordHash)) == 1
+}
+
+var (
+	lastNonDefaultAlgorithm  atomic.Value
+	availableHasherFactories = map[string]func(string) PasswordSaltHasher{}
+)
+
+// Register registers a PasswordSaltHasher with the availableHasherFactories
+// Caution: This is not thread safe.
+func Register[T PasswordSaltHasher](name string, newFn func(config string) T) {
+	if _, has := availableHasherFactories[name]; has {
+		panic(fmt.Errorf("duplicate registration of password salt hasher: %s", name))
+	}
+
+	availableHasherFactories[name] = func(config string) PasswordSaltHasher {
+		n := newFn(config)
+		return n
+	}
+}
+
+// In early versions of gitea the password hash algorithm field of a user could be
+// empty. At that point the default was `pbkdf2` without configuration values
+//
+// Please note this is not the same as the DefaultAlgorithm which is used
+// to determine what an empty PASSWORD_HASH_ALGO setting in the app.ini means.
+// These are not the same even if they have the same apparent value and they mean different things.
+//
+// DO NOT COALESCE THESE VALUES
+const defaultEmptyHashAlgorithmSpecification = "pbkdf2"
+
+// Parse will convert the provided algorithm specification in to a PasswordHashAlgorithm
+// If the provided specification matches the DefaultHashAlgorithm Specification it will be
+// used.
+// In addition the last non-default hasher will be cached to help reduce the load from
+// parsing specifications.
+//
+// NOTE: No de-aliasing is done in this function, thus any specification which does not
+// contain a configuration will use the default values for that hasher. These are not
+// necessarily the same values as those obtained by dealiasing. This allows for
+// seamless backwards compatibility with the original configuration.
+//
+// To further labour this point, running `Parse("pbkdf2")` does not obtain the
+// same algorithm as setting `PASSWORD_HASH_ALGO=pbkdf2` in app.ini, nor is it intended to.
+// A user that has `password_hash_algo='pbkdf2'` in the db means get the original, unconfigured algorithm
+// Users will be migrated automatically as they log-in to have the complete specification stored
+// in their `password_hash_algo` fields by other code.
+func Parse(algorithmSpec string) *PasswordHashAlgorithm {
+	if algorithmSpec == "" {
+		algorithmSpec = defaultEmptyHashAlgorithmSpecification
+	}
+
+	if DefaultHashAlgorithm != nil && algorithmSpec == DefaultHashAlgorithm.Specification {
+		return DefaultHashAlgorithm
+	}
+
+	ptr := lastNonDefaultAlgorithm.Load()
+	if ptr != nil {
+		hashAlgorithm, ok := ptr.(*PasswordHashAlgorithm)
+		if ok && hashAlgorithm.Specification == algorithmSpec {
+			return hashAlgorithm
+		}
+	}
+
+	// Now convert the provided specification in to a hasherType +/- some configuration parameters
+	vals := strings.SplitN(algorithmSpec, "$", 2)
+	var hasherType string
+	var config string
+
+	if len(vals) == 0 {
+		// This should not happen as algorithmSpec should not be empty
+		// due to it being assigned to defaultEmptyHashAlgorithmSpecification above
+		// but we should be absolutely cautious here
+		return nil
+	}
+
+	hasherType = vals[0]
+	if len(vals) > 1 {
+		config = vals[1]
+	}
+
+	newFn, has := availableHasherFactories[hasherType]
+	if !has {
+		// unknown hasher type
+		return nil
+	}
+
+	ph := newFn(config)
+	if ph == nil {
+		// The provided configuration is likely invalid - it will have been logged already
+		// but we cannot hash safely
+		return nil
+	}
+
+	hashAlgorithm := &PasswordHashAlgorithm{
+		PasswordSaltHasher: ph,
+		Specification:      algorithmSpec,
+	}
+
+	lastNonDefaultAlgorithm.Store(hashAlgorithm)
+
+	return hashAlgorithm
+}
diff --git a/modules/auth/password/hash/hash_test.go b/modules/auth/password/hash/hash_test.go
new file mode 100644
index 0000000000..593c8386a3
--- /dev/null
+++ b/modules/auth/password/hash/hash_test.go
@@ -0,0 +1,186 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"encoding/hex"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type testSaltHasher string
+
+func (t testSaltHasher) HashWithSaltBytes(password string, salt []byte) string {
+	return password + "$" + string(salt) + "$" + string(t)
+}
+
+func Test_registerHasher(t *testing.T) {
+	Register("Test_registerHasher", func(config string) testSaltHasher {
+		return testSaltHasher(config)
+	})
+
+	assert.Panics(t, func() {
+		Register("Test_registerHasher", func(config string) testSaltHasher {
+			return testSaltHasher(config)
+		})
+	})
+
+	assert.Equal(t, "password$salt$",
+		Parse("Test_registerHasher").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))
+
+	assert.Equal(t, "password$salt$config",
+		Parse("Test_registerHasher$config").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))
+
+	delete(availableHasherFactories, "Test_registerHasher")
+}
+
+func TestParse(t *testing.T) {
+	hashAlgorithmsToTest := []string{}
+	for plainHashAlgorithmNames := range availableHasherFactories {
+		hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)
+	}
+	for _, aliased := range aliasAlgorithmNames {
+		if strings.Contains(aliased, "$") {
+			hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)
+		}
+	}
+	for _, algorithmName := range hashAlgorithmsToTest {
+		t.Run(algorithmName, func(t *testing.T) {
+			algo := Parse(algorithmName)
+			assert.NotNil(t, algo, "Algorithm %s resulted in an empty algorithm", algorithmName)
+		})
+	}
+}
+
+func TestHashing(t *testing.T) {
+	hashAlgorithmsToTest := []string{}
+	for plainHashAlgorithmNames := range availableHasherFactories {
+		hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)
+	}
+	for _, aliased := range aliasAlgorithmNames {
+		if strings.Contains(aliased, "$") {
+			hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)
+		}
+	}
+
+	runTests := func(password, salt string, shouldPass bool) {
+		for _, algorithmName := range hashAlgorithmsToTest {
+			t.Run(algorithmName, func(t *testing.T) {
+				output, err := Parse(algorithmName).Hash(password, salt)
+				if shouldPass {
+					assert.NoError(t, err)
+					assert.NotEmpty(t, output, "output for %s was empty", algorithmName)
+				} else {
+					assert.Error(t, err)
+				}
+
+				assert.Equal(t, Parse(algorithmName).VerifyPassword(password, output, salt), shouldPass)
+			})
+		}
+	}
+
+	// Test with new salt format.
+	runTests(strings.Repeat("a", 16), hex.EncodeToString([]byte{0x01, 0x02, 0x03}), true)
+
+	// Test with legacy salt format.
+	runTests(strings.Repeat("a", 16), strings.Repeat("b", 10), true)
+
+	// Test with invalid salt.
+	runTests(strings.Repeat("a", 16), "a", false)
+}
+
+// vectors were generated using the current codebase.
+var vectors = []struct {
+	algorithms []string
+	password   string
+	salt       string
+	output     string
+	shouldfail bool
+}{
+	{
+		algorithms: []string{"bcrypt", "bcrypt$10"},
+		password:   "abcdef",
+		salt:       strings.Repeat("a", 10),
+		output:     "$2a$10$fjtm8BsQ2crym01/piJroenO3oSVUBhSLKaGdTYJ4tG0ePVCrU0G2",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},
+		password:   "abcdef",
+		salt:       strings.Repeat("a", 10),
+		output:     "3b571d0c07c62d42b7bad3dbf18fb0cd67d4d8cd4ad4c6928e1090e5b2a4a84437c6fd2627d897c0e7e65025ca62b67a0002",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"argon2", "argon2$2$65536$8$50"},
+		password:   "abcdef",
+		salt:       strings.Repeat("a", 10),
+		output:     "551f089f570f989975b6f7c6a8ff3cf89bc486dd7bbe87ed4d80ad4362f8ee599ec8dda78dac196301b98456402bcda775dc",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
+		password:   "abcdef",
+		salt:       strings.Repeat("a", 10),
+		output:     "ab48d5471b7e6ed42d10001db88c852ff7303c788e49da5c3c7b63d5adf96360303724b74b679223a3dea8a242d10abb1913",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"bcrypt", "bcrypt$10"},
+		password:   "abcdef",
+		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
+		output:     "$2a$10$qhgm32w9ZpqLygugWJsLjey8xRGcaq9iXAfmCeNBXxddgyoaOC3Gq",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},
+		password:   "abcdef",
+		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
+		output:     "25fe5f66b43fa4eb7b6717905317cd2223cf841092dc8e0a1e8c75720ad4846cb5d9387303e14bc3c69faa3b1c51ef4b7de1",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"argon2", "argon2$2$65536$8$50"},
+		password:   "abcdef",
+		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
+		output:     "9c287db63a91d18bb1414b703216da4fc431387c1ae7c8acdb280222f11f0929831055dbfd5126a3b48566692e83ec750d2a",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
+		password:   "abcdef",
+		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
+		output:     "45d6cdc843d65cf0eda7b90ab41435762a282f7df013477a1c5b212ba81dbdca2edf1ecc4b5cb05956bb9e0c37ab29315d78",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"pbkdf2$320000$50"},
+		password:   "abcdef",
+		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
+		output:     "84e233114499e8721da80e85568e5b7b5900b3e49a30845fcda9d1e1756da4547d70f8740ac2b4a5d82f88cebcd27f21bfe2",
+		shouldfail: false,
+	},
+	{
+		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
+		password:   "abcdef",
+		salt:       "",
+		output:     "",
+		shouldfail: true,
+	},
+}
+
+// Ensure that the current code will correctly verify against the test vectors.
+func TestVectors(t *testing.T) {
+	for i, vector := range vectors {
+		for _, algorithm := range vector.algorithms {
+			t.Run(strconv.Itoa(i)+": "+algorithm, func(t *testing.T) {
+				pa := Parse(algorithm)
+				assert.Equal(t, !vector.shouldfail, pa.VerifyPassword(vector.password, vector.output, vector.salt))
+			})
+		}
+	}
+}
diff --git a/modules/auth/password/hash/pbkdf2.go b/modules/auth/password/hash/pbkdf2.go
new file mode 100644
index 0000000000..be3121318e
--- /dev/null
+++ b/modules/auth/password/hash/pbkdf2.go
@@ -0,0 +1,67 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+func init() {
+	Register("pbkdf2", NewPBKDF2Hasher)
+}
+
+// PBKDF2Hasher implements PasswordHasher
+// and uses the PBKDF2 key derivation function.
+type PBKDF2Hasher struct {
+	iter, keyLen int
+}
+
+// HashWithSaltBytes a provided password and salt
+func (hasher *PBKDF2Hasher) HashWithSaltBytes(password string, salt []byte) string {
+	if hasher == nil {
+		return ""
+	}
+	return hex.EncodeToString(pbkdf2.Key([]byte(password), salt, hasher.iter, hasher.keyLen, sha256.New))
+}
+
+// NewPBKDF2Hasher is a factory method to create an PBKDF2Hasher
+// config should be either empty or of the form:
+// "<iter>$<keyLen>", where <x> is the string representation
+// of an integer
+func NewPBKDF2Hasher(config string) *PBKDF2Hasher {
+	// This default configuration uses the following parameters:
+	// iter=10000, keyLen=50.
+	// This matches the original configuration for `pbkdf2` prior to storing parameters
+	// in the database.
+	// THESE VALUES MUST NOT BE CHANGED OR BACKWARDS COMPATIBILITY WILL BREAK
+	hasher := &PBKDF2Hasher{
+		iter:   10_000,
+		keyLen: 50,
+	}
+
+	if config == "" {
+		return hasher
+	}
+
+	vals := strings.SplitN(config, "$", 2)
+	if len(vals) != 2 {
+		log.Error("invalid pbkdf2 hash spec %s", config)
+		return nil
+	}
+
+	var err error
+	hasher.iter, err = parseIntParam(vals[0], "iter", "pbkdf2", config, nil)
+	hasher.keyLen, err = parseIntParam(vals[1], "keyLen", "pbkdf2", config, err)
+	if err != nil {
+		return nil
+	}
+
+	return hasher
+}
diff --git a/modules/auth/password/hash/scrypt.go b/modules/auth/password/hash/scrypt.go
new file mode 100644
index 0000000000..e77434fc32
--- /dev/null
+++ b/modules/auth/password/hash/scrypt.go
@@ -0,0 +1,67 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"encoding/hex"
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
+
+	"golang.org/x/crypto/scrypt"
+)
+
+func init() {
+	Register("scrypt", NewScryptHasher)
+}
+
+// ScryptHasher implements PasswordHasher
+// and uses the scrypt key derivation function.
+type ScryptHasher struct {
+	n, r, p, keyLen int
+}
+
+// HashWithSaltBytes a provided password and salt
+func (hasher *ScryptHasher) HashWithSaltBytes(password string, salt []byte) string {
+	if hasher == nil {
+		return ""
+	}
+	hashedPassword, _ := scrypt.Key([]byte(password), salt, hasher.n, hasher.r, hasher.p, hasher.keyLen)
+	return hex.EncodeToString(hashedPassword)
+}
+
+// NewScryptHasher is a factory method to create an ScryptHasher
+// The provided config should be either empty or of the form:
+// "<n>$<r>$<p>$<keyLen>", where <x> is the string representation
+// of an integer
+func NewScryptHasher(config string) *ScryptHasher {
+	// This matches the original configuration for `scrypt` prior to storing hash parameters
+	// in the database.
+	// THESE VALUES MUST NOT BE CHANGED OR BACKWARDS COMPATIBILITY WILL BREAK
+	hasher := &ScryptHasher{
+		n:      1 << 16,
+		r:      16,
+		p:      2, // 2 passes through memory - this default config will use 128MiB in total.
+		keyLen: 50,
+	}
+
+	if config == "" {
+		return hasher
+	}
+
+	vals := strings.SplitN(config, "$", 4)
+	if len(vals) != 4 {
+		log.Error("invalid scrypt hash spec %s", config)
+		return nil
+	}
+	var err error
+	hasher.n, err = parseIntParam(vals[0], "n", "scrypt", config, nil)
+	hasher.r, err = parseIntParam(vals[1], "r", "scrypt", config, err)
+	hasher.p, err = parseIntParam(vals[2], "p", "scrypt", config, err)
+	hasher.keyLen, err = parseIntParam(vals[3], "keyLen", "scrypt", config, err)
+	if err != nil {
+		return nil
+	}
+	return hasher
+}
diff --git a/modules/auth/password/hash/setting.go b/modules/auth/password/hash/setting.go
new file mode 100644
index 0000000000..7016974304
--- /dev/null
+++ b/modules/auth/password/hash/setting.go
@@ -0,0 +1,61 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+// DefaultHashAlgorithmName represents the default value of PASSWORD_HASH_ALGO
+// configured in app.ini.
+//
+// It is NOT the same and does NOT map to the defaultEmptyHashAlgorithmSpecification.
+//
+// It will be dealiased as per aliasAlgorithmNames whereas
+// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
+const DefaultHashAlgorithmName = "pbkdf2"
+
+var DefaultHashAlgorithm *PasswordHashAlgorithm
+
+// aliasAlgorithNames provides a mapping between the value of PASSWORD_HASH_ALGO
+// configured in the app.ini and the parameters used within the hashers internally.
+//
+// If it is necessary to change the default parameters for any hasher in future you
+// should change these values and not those in argon2.go etc.
+var aliasAlgorithmNames = map[string]string{
+	"argon2":    "argon2$2$65536$8$50",
+	"bcrypt":    "bcrypt$10",
+	"scrypt":    "scrypt$65536$16$2$50",
+	"pbkdf2":    "pbkdf2_v2", // pbkdf2 should default to pbkdf2_v2
+	"pbkdf2_v1": "pbkdf2$10000$50",
+	// The latest PBKDF2 password algorithm is used as the default since it doesn't
+	// use a lot of  memory and is safer to use on less powerful devices.
+	"pbkdf2_v2": "pbkdf2$50000$50",
+	// The pbkdf2_hi password algorithm is offered as a stronger alternative to the
+	// slightly improved pbkdf2_v2 algorithm
+	"pbkdf2_hi": "pbkdf2$320000$50",
+}
+
+var RecommendedHashAlgorithms = []string{
+	"pbkdf2",
+	"argon2",
+	"bcrypt",
+	"scrypt",
+	"pbkdf2_hi",
+}
+
+// SetDefaultPasswordHashAlgorithm will take a provided algorithmName and dealias it to
+// a complete algorithm specification.
+func SetDefaultPasswordHashAlgorithm(algorithmName string) (string, *PasswordHashAlgorithm) {
+	if algorithmName == "" {
+		algorithmName = DefaultHashAlgorithmName
+	}
+	alias, has := aliasAlgorithmNames[algorithmName]
+	for has {
+		algorithmName = alias
+		alias, has = aliasAlgorithmNames[algorithmName]
+	}
+
+	// algorithmName should now be a full algorithm specification
+	// e.g. pbkdf2$50000$50 rather than pbdkf2
+	DefaultHashAlgorithm = Parse(algorithmName)
+
+	return algorithmName, DefaultHashAlgorithm
+}
diff --git a/modules/auth/password/hash/setting_test.go b/modules/auth/password/hash/setting_test.go
new file mode 100644
index 0000000000..d707207db6
--- /dev/null
+++ b/modules/auth/password/hash/setting_test.go
@@ -0,0 +1,38 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
+	t.Run("pbkdf2 is pbkdf2_v2", func(t *testing.T) {
+		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+		pbkdf2Config, pbkdf2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2")
+
+		assert.Equal(t, pbkdf2v2Config, pbkdf2Config)
+		assert.Equal(t, pbkdf2v2Algo.Specification, pbkdf2Algo.Specification)
+	})
+
+	for a, b := range aliasAlgorithmNames {
+		t.Run(a+"="+b, func(t *testing.T) {
+			aConfig, aAlgo := SetDefaultPasswordHashAlgorithm(a)
+			bConfig, bAlgo := SetDefaultPasswordHashAlgorithm(b)
+
+			assert.Equal(t, bConfig, aConfig)
+			assert.Equal(t, aAlgo.Specification, bAlgo.Specification)
+		})
+	}
+
+	t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+		emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
+		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+
+		assert.Equal(t, pbkdf2v2Config, emptyConfig)
+		assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification)
+	})
+}
diff --git a/modules/password/password.go b/modules/auth/password/password.go
similarity index 93%
rename from modules/password/password.go
rename to modules/auth/password/password.go
index fe2a2a7bd5..2172dc8b44 100644
--- a/modules/password/password.go
+++ b/modules/auth/password/password.go
@@ -11,8 +11,8 @@ import (
 	"strings"
 	"sync"
 
-	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/translation"
 )
 
 // complexity contains information about a particular kind of password complexity
@@ -112,13 +112,13 @@ func Generate(n int) (string, error) {
 }
 
 // BuildComplexityError builds the error message when password complexity checks fail
-func BuildComplexityError(ctx *context.Context) string {
+func BuildComplexityError(locale translation.Locale) string {
 	var buffer bytes.Buffer
-	buffer.WriteString(ctx.Tr("form.password_complexity"))
+	buffer.WriteString(locale.Tr("form.password_complexity"))
 	buffer.WriteString("<ul>")
 	for _, c := range requiredList {
 		buffer.WriteString("<li>")
-		buffer.WriteString(ctx.Tr(c.TrNameOne))
+		buffer.WriteString(locale.Tr(c.TrNameOne))
 		buffer.WriteString("</li>")
 	}
 	buffer.WriteString("</ul>")
diff --git a/modules/password/password_test.go b/modules/auth/password/password_test.go
similarity index 100%
rename from modules/password/password_test.go
rename to modules/auth/password/password_test.go
diff --git a/modules/password/pwn.go b/modules/auth/password/pwn.go
similarity index 93%
rename from modules/password/pwn.go
rename to modules/auth/password/pwn.go
index 91bad0d25b..df425ac659 100644
--- a/modules/password/pwn.go
+++ b/modules/auth/password/pwn.go
@@ -6,7 +6,7 @@ package password
 import (
 	"context"
 
-	"code.gitea.io/gitea/modules/password/pwn"
+	"code.gitea.io/gitea/modules/auth/password/pwn"
 	"code.gitea.io/gitea/modules/setting"
 )
 
diff --git a/modules/password/pwn/pwn.go b/modules/auth/password/pwn/pwn.go
similarity index 100%
rename from modules/password/pwn/pwn.go
rename to modules/auth/password/pwn/pwn.go
diff --git a/modules/password/pwn/pwn_test.go b/modules/auth/password/pwn/pwn_test.go
similarity index 100%
rename from modules/password/pwn/pwn_test.go
rename to modules/auth/password/pwn/pwn_test.go
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index a68a46f7ad..0cd2db356d 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -21,6 +21,7 @@ import (
 	"text/template"
 	"time"
 
+	"code.gitea.io/gitea/modules/auth/password/hash"
 	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/json"
@@ -968,7 +969,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
-	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
+
+	// Ensure that the provided default hash algorithm is a valid hash algorithm
+	var algorithm *hash.PasswordHashAlgorithm
+	PasswordHashAlgo, algorithm = hash.SetDefaultPasswordHashAlgorithm(sec.Key("PASSWORD_HASH_ALGO").MustString(""))
+	if algorithm == nil {
+		log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString(""))
+	}
+
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 75d5520a0e..1fbdab3e55 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -15,9 +15,9 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
diff --git a/routers/install/install.go b/routers/install/install.go
index 5d7ecff48f..34ed5c355b 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -20,6 +20,7 @@ import (
 	"code.gitea.io/gitea/models/migrations"
 	system_model "code.gitea.io/gitea/models/system"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password/hash"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/generate"
@@ -79,7 +80,7 @@ func Init(ctx goctx.Context) func(next http.Handler) http.Handler {
 					"AllLangs":      translation.AllLangs(),
 					"PageStartTime": startTime,
 
-					"PasswordHashAlgorithms": user_model.AvailableHashAlgorithms,
+					"PasswordHashAlgorithms": hash.RecommendedHashAlgorithms,
 				},
 			}
 			defer ctx.Close()
diff --git a/routers/web/admin/users.go b/routers/web/admin/users.go
index 38969dadaa..1bb9d04806 100644
--- a/routers/web/admin/users.go
+++ b/routers/web/admin/users.go
@@ -14,10 +14,10 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 48b7dc6862..5fba632817 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -13,11 +13,11 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/eventsource"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
diff --git a/routers/web/auth/password.go b/routers/web/auth/password.go
index 16628645d7..a5aa9c5344 100644
--- a/routers/web/auth/password.go
+++ b/routers/web/auth/password.go
@@ -9,10 +9,10 @@ import (
 
 	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web"
diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go
index dbaa8fd351..0e48013b04 100644
--- a/routers/web/user/setting/account.go
+++ b/routers/web/user/setting/account.go
@@ -11,10 +11,10 @@ import (
 
 	"code.gitea.io/gitea/models"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web"

From 7eaf192967b7eec9598e296f2919c96e4e88d324 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Sun, 19 Feb 2023 17:31:39 +0900
Subject: [PATCH 08/81] Rename `GetUnits` to `LoadUnits` (#22970)

Same as https://github.com/go-gitea/gitea/pull/22967

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 models/organization/team.go        | 10 +++-------
 models/organization/team_list.go   |  2 +-
 routers/api/v1/org/team.go         |  2 +-
 services/convert/convert.go        |  2 +-
 tests/integration/api_team_test.go |  6 +++---
 5 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/models/organization/team.go b/models/organization/team.go
index 0c2577dab1..5e3c9ecffe 100644
--- a/models/organization/team.go
+++ b/models/organization/team.go
@@ -111,12 +111,8 @@ func (t *Team) ColorFormat(s fmt.State) {
 		t.AccessMode)
 }
 
-// GetUnits return a list of available units for a team
-func (t *Team) GetUnits() error {
-	return t.getUnits(db.DefaultContext)
-}
-
-func (t *Team) getUnits(ctx context.Context) (err error) {
+// LoadUnits load a list of available units for a team
+func (t *Team) LoadUnits(ctx context.Context) (err error) {
 	if t.Units != nil {
 		return nil
 	}
@@ -193,7 +189,7 @@ func (t *Team) UnitEnabled(ctx context.Context, tp unit.Type) bool {
 
 // UnitAccessMode returns if the team has the given unit type enabled
 func (t *Team) UnitAccessMode(ctx context.Context, tp unit.Type) perm.AccessMode {
-	if err := t.getUnits(ctx); err != nil {
+	if err := t.LoadUnits(ctx); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
 
diff --git a/models/organization/team_list.go b/models/organization/team_list.go
index 5d3bd555cc..efb3104ad5 100644
--- a/models/organization/team_list.go
+++ b/models/organization/team_list.go
@@ -19,7 +19,7 @@ type TeamList []*Team
 
 func (t TeamList) LoadUnits(ctx context.Context) error {
 	for _, team := range t {
-		if err := team.getUnits(ctx); err != nil {
+		if err := team.LoadUnits(ctx); err != nil {
 			return err
 		}
 	}
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 686e48ece3..0c6926759a 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -256,7 +256,7 @@ func EditTeam(ctx *context.APIContext) {
 
 	form := web.GetForm(ctx).(*api.EditTeamOption)
 	team := ctx.Org.Team
-	if err := team.GetUnits(); err != nil {
+	if err := team.LoadUnits(ctx); err != nil {
 		ctx.InternalServerError(err)
 		return
 	}
diff --git a/services/convert/convert.go b/services/convert/convert.go
index 16daad849b..5f2100a039 100644
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@@ -304,7 +304,7 @@ func ToTeams(ctx context.Context, teams []*organization.Team, loadOrgs bool) ([]
 	cache := make(map[int64]*api.Organization)
 	apiTeams := make([]*api.Team, len(teams))
 	for i := range teams {
-		if err := teams[i].GetUnits(); err != nil {
+		if err := teams[i].LoadUnits(ctx); err != nil {
 			return nil, err
 		}
 
diff --git a/tests/integration/api_team_test.go b/tests/integration/api_team_test.go
index 7920513136..2801fdc989 100644
--- a/tests/integration/api_team_test.go
+++ b/tests/integration/api_team_test.go
@@ -111,7 +111,7 @@ func TestAPITeam(t *testing.T) {
 
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: teamID})
-	assert.NoError(t, teamRead.GetUnits())
+	assert.NoError(t, teamRead.LoadUnits(db.DefaultContext))
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
@@ -181,7 +181,7 @@ func TestAPITeam(t *testing.T) {
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
-	assert.NoError(t, teamRead.GetUnits())
+	assert.NoError(t, teamRead.LoadUnits(db.DefaultContext))
 	checkTeamResponse(t, "ReadTeam2", &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
@@ -210,7 +210,7 @@ func checkTeamResponse(t *testing.T, testName string, apiTeam *api.Team, name, d
 
 func checkTeamBean(t *testing.T, id int64, name, description string, includesAllRepositories bool, permission string, units []string, unitsMap map[string]string) {
 	team := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: id})
-	assert.NoError(t, team.GetUnits(), "GetUnits")
+	assert.NoError(t, team.LoadUnits(db.DefaultContext), "LoadUnits")
 	apiTeam, err := convert.ToTeam(db.DefaultContext, team)
 	assert.NoError(t, err)
 	checkTeamResponse(t, fmt.Sprintf("checkTeamBean/%s_%s", name, description), apiTeam, name, description, includesAllRepositories, permission, units, unitsMap)

From 6cb76bf1df581cf554670c533a1801b46a74909e Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Sun, 19 Feb 2023 21:25:23 +0800
Subject: [PATCH 09/81] Add some guidelines for refactoring (#22880)

Just some brief ideas.

Feel free to complete these guidelines, feel free to edit on this PR
directly.
---
 .../guidelines-refactoring.en-us.md           | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 docs/content/doc/developers/guidelines-refactoring.en-us.md

diff --git a/docs/content/doc/developers/guidelines-refactoring.en-us.md b/docs/content/doc/developers/guidelines-refactoring.en-us.md
new file mode 100644
index 0000000000..2d607720dc
--- /dev/null
+++ b/docs/content/doc/developers/guidelines-refactoring.en-us.md
@@ -0,0 +1,51 @@
+---
+date: "2023-02-14T00:00:00+00:00"
+title: "Guidelines for Refactoring"
+slug: "guidelines-refactoring"
+weight: 20
+toc: false
+draft: false
+menu:
+sidebar:
+parent: "developers"
+name: "Guidelines for Refactoring"
+weight: 20
+identifier: "guidelines-refactoring"
+---
+
+# Guidelines for Refactoring
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Background
+
+Since the first line of code was written at Feb 12, 2014, Gitea has grown to be a large project.
+As a result, the codebase has become larger and larger. The larger the codebase is, the more difficult it is to maintain.
+A lot of outdated mechanisms exist, a lot of frameworks are mixed together, some legacy code might cause bugs and block new features.
+To make the codebase more maintainable and make Gitea better, developers should keep in mind to use modern mechanisms to refactor the old code.
+
+This document is a collection of guidelines for refactoring the codebase.
+
+## Refactoring Suggestions
+
+* Design more about the future, but not only resolve the current problem.
+* Reduce ambiguity, reduce conflicts, improve maintainability.
+* Describe the refactoring, for example:
+  * Why the refactoring is needed.
+  * How the legacy problems would be solved.
+  * What's the Pros/Cons of the refactoring.
+* Only do necessary changes, keep the old logic as much as possible.
+* Introduce some intermediate steps to make the refactoring easier to review, a complete refactoring plan could be done in several PRs.
+* If there is any divergence, the TOC(Technical Oversight Committee) should be involved to help to make decisions.
+* Add necessary tests to make sure the refactoring is correct.
+* Non-bug refactoring is preferred to be done at the beginning of a milestone, it would be easier to find problems before the release.
+
+## Reviewing & Merging Suggestions
+
+* A refactoring PR shouldn't be kept open for a long time (usually 7 days), it should be reviewed as soon as possible.
+* A refactoring PR should be merged as soon as possible, it should not be blocked by other PRs.
+* If there is no objection from TOC, a refactoring PR could be merged after 7 days with one core member's approval (not the author).
+* Tolerate some dirty/hacky intermediate steps if the final result is good.
+* Tolerate some regression bugs if the refactoring is necessary, fix bugs as soon as possible.

From 54d7435d28c8f6241a39bd0f10b806ac7f07ad80 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sun, 19 Feb 2023 14:24:08 +0000
Subject: [PATCH 10/81] Adjust manifest to prevent tagging latest on rcs
 (#22811)

---
 .drone.yml                    | 138 +++++++++++++++++++++++++++++++++-
 docker/manifest.rootless.tmpl |   2 +
 docker/manifest.tmpl          |   2 +
 3 files changed, 140 insertions(+), 2 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index dc8423875a..7150629028 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -985,7 +985,10 @@ depends_on:
 
 trigger:
   ref:
-  - "refs/tags/**"
+    include:
+      - "refs/tags/**"
+    exclude:
+      - "refs/tags/**-rc*"
   event:
     exclude:
     - cron
@@ -1033,6 +1036,68 @@ steps:
       event:
         exclude:
         - pull_request
+---
+
+kind: pipeline
+type: docker
+name: docker-linux-amd64-release-candidate-version
+
+platform:
+  os: linux
+  arch: amd64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+    - "refs/tags/**-rc*"
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git config --global --add safe.directory /drone/src
+      - git fetch --tags --force
+
+  - name: publish
+    image: techknowlogick/drone-docker:latest
+    pull: always
+    settings:
+      tags: ${DRONE_TAG##v}-linux-amd64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      tags: ${DRONE_TAG##v}-linux-amd64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
 
 ---
 kind: pipeline
@@ -1209,7 +1274,10 @@ depends_on:
 
 trigger:
   ref:
-  - "refs/tags/**"
+    include:
+      - "refs/tags/**"
+    exclude:
+      - "refs/tags/**-rc*"
   event:
     exclude:
     - cron
@@ -1258,6 +1326,68 @@ steps:
         exclude:
         - pull_request
 
+---
+kind: pipeline
+type: docker
+name: docker-linux-arm64-release-candidate-version
+
+platform:
+  os: linux
+  arch: arm64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+    - "refs/tags/**-rc*"
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git config --global --add safe.directory /drone/src
+      - git fetch --tags --force
+
+  - name: publish
+    image: techknowlogick/drone-docker:latest
+    pull: always
+    settings:
+      tags: ${DRONE_TAG##v}-linux-arm64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      tags: ${DRONE_TAG##v}-linux-arm64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
 ---
 kind: pipeline
 type: docker
@@ -1427,7 +1557,9 @@ trigger:
 
 depends_on:
   - docker-linux-amd64-release-version
+  - docker-linux-amd64-release-candidate-version
   - docker-linux-arm64-release-version
+  - docker-linux-arm64-release-candidate-version
 
 ---
 kind: pipeline
@@ -1509,6 +1641,8 @@ depends_on:
   - docker-linux-arm64-release
   - docker-linux-amd64-release-version
   - docker-linux-arm64-release-version
+  - docker-linux-amd64-release-candidate-version
+  - docker-linux-arm64-release-candidate-version
   - docker-linux-amd64-release-branch
   - docker-linux-arm64-release-branch
   - docker-manifest
diff --git a/docker/manifest.rootless.tmpl b/docker/manifest.rootless.tmpl
index 9559416470..46a397c828 100644
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@@ -1,10 +1,12 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-rootless
 {{#if build.tags}}
+{{#unless contains "-rc" build.tag}}
 tags:
 {{#each build.tags}}
   - {{this}}-rootless
 {{/each}}
   - "latest-rootless"
+{{/unless}}
 {{/if}}
 manifests:
   -
diff --git a/docker/manifest.tmpl b/docker/manifest.tmpl
index 4cd4ea4ea2..b4ba5a76ed 100644
--- a/docker/manifest.tmpl
+++ b/docker/manifest.tmpl
@@ -1,10 +1,12 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}
 {{#if build.tags}}
+{{#unless contains "-rc" build.tag }}
 tags:
 {{#each build.tags}}
   - {{this}}
 {{/each}}
   - "latest"
+{{/unless}}
 {{/if}}
 manifests:
   -

From 2b02343e218755c36c6a45da8a53c06dfff843a1 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sun, 19 Feb 2023 14:24:23 +0000
Subject: [PATCH 11/81] Migration v244.go should be v243.go (#22988)

---
 models/migrations/v1_19/{v244.go => v243.go} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename models/migrations/v1_19/{v244.go => v243.go} (100%)

diff --git a/models/migrations/v1_19/v244.go b/models/migrations/v1_19/v243.go
similarity index 100%
rename from models/migrations/v1_19/v244.go
rename to models/migrations/v1_19/v243.go

From c53ad052d8bd040ecd269d9757ce9885396a04af Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 20 Feb 2023 00:12:01 +0800
Subject: [PATCH 12/81] Refactor the setting to make unit test easier (#22405)

Some bugs caused by less unit tests in fundamental packages. This PR
refactor `setting` package so that create a unit test will be easier
than before.

- All `LoadFromXXX` files has been splited as two functions, one is
`InitProviderFromXXX` and `LoadCommonSettings`. The first functions will
only include the code to create or new a ini file. The second function
will load common settings.
- It also renames all functions in setting from `newXXXService` to
`loadXXXSetting` or `loadXXXFrom` to make the function name less
confusing.
- Move `XORMLog` to `SQLLog` because it's a better name for that.

Maybe we should finally move these `loadXXXSetting` into the `XXXInit`
function? Any idea?

---------

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: delvh <dev.lh@web.de>
---
 cmd/cmd.go                                    |    7 +-
 cmd/convert.go                                |    2 +-
 cmd/doctor.go                                 |   12 +-
 cmd/dump.go                                   |   20 +-
 cmd/dump_repo.go                              |    2 +-
 cmd/embedded.go                               |    3 +-
 cmd/mailer.go                                 |    3 +-
 cmd/main_test.go                              |    2 +-
 cmd/migrate.go                                |    2 +-
 cmd/migrate_storage.go                        |    2 +-
 cmd/restore_repo.go                           |    3 +-
 cmd/serv.go                                   |    3 +-
 cmd/web.go                                    |    3 +-
 contrib/pr/checkout.go                        |    5 +-
 models/asymkey/main_test.go                   |    2 +-
 models/dbfs/main_test.go                      |    2 +-
 models/issues/main_test.go                    |    2 +-
 models/main_test.go                           |    2 +-
 models/migrations/base/tests.go               |    6 +-
 modules/context/access_log.go                 |    2 +-
 modules/doctor/doctor.go                      |   10 +-
 modules/doctor/paths.go                       |    5 +-
 modules/highlight/highlight.go                |    8 +-
 modules/indexer/issues/indexer_test.go        |    6 +-
 modules/indexer/stats/indexer_test.go         |    4 +-
 modules/markup/html_test.go                   |    3 +-
 modules/markup/markdown/markdown_test.go      |    3 +-
 modules/setting/actions.go                    |    6 +-
 modules/setting/admin.go                      |   16 +
 modules/setting/api.go                        |   40 +
 modules/setting/attachment.go                 |    6 +-
 modules/setting/cache.go                      |    6 +-
 modules/setting/camo.go                       |   22 +
 modules/setting/config_provider.go            |   39 +
 modules/setting/cors.go                       |    8 +-
 modules/setting/cron.go                       |    8 +-
 modules/setting/cron_test.go                  |    8 +-
 modules/setting/database.go                   |    6 +-
 modules/setting/directory.go                  |   39 -
 modules/setting/federation.go                 |    4 +-
 modules/setting/git.go                        |    5 +-
 modules/setting/highlight.go                  |   17 +
 modules/setting/i18n.go                       |   17 +
 modules/setting/incoming_email.go             |    6 +-
 modules/setting/indexer.go                    |   14 +-
 modules/setting/lfs.go                        |   10 +-
 modules/setting/log.go                        |  151 +-
 modules/setting/mailer.go                     |   36 +-
 modules/setting/mailer_test.go                |    4 +-
 modules/setting/markup.go                     |   22 +-
 modules/setting/metrics.go                    |   21 +
 modules/setting/migrations.go                 |    4 +-
 modules/setting/mime_type_map.go              |    4 +-
 modules/setting/mirror.go                     |    8 +-
 .../setting/{oauth2_client.go => oauth2.go}   |   37 +-
 modules/setting/other.go                      |   22 +
 modules/setting/packages.go                   |    6 +-
 modules/setting/picture.go                    |   22 +-
 modules/setting/project.go                    |    8 +-
 modules/setting/proxy.go                      |    4 +-
 modules/setting/queue.go                      |   42 +-
 modules/setting/repository.go                 |   18 +-
 modules/setting/security.go                   |  158 +++
 modules/setting/server.go                     |  356 +++++
 modules/setting/service.go                    |   23 +-
 modules/setting/session.go                    |    8 +-
 modules/setting/setting.go                    | 1217 ++---------------
 modules/setting/ssh.go                        |  197 +++
 modules/setting/storage.go                    |   10 +-
 modules/setting/storage_test.go               |   75 +-
 modules/setting/task.go                       |   12 +-
 modules/setting/time.go                       |   64 +
 modules/setting/ui.go                         |  152 ++
 modules/setting/webhook.go                    |    4 +-
 routers/api/v1/repo/main_test.go              |    4 +-
 routers/common/middleware.go                  |    4 +-
 routers/init.go                               |    6 +-
 routers/install/install.go                    |    4 +-
 routers/install/setting.go                    |   14 +-
 routers/private/manager.go                    |    6 +-
 routers/private/ssh_log.go                    |    2 +-
 routers/web/admin/config.go                   |   12 +-
 services/webhook/main_test.go                 |    4 +-
 tests/integration/integration_test.go         |    4 +-
 .../migration-test/migration_test.go          |    8 +-
 tests/test_utils.go                           |    4 +-
 86 files changed, 1694 insertions(+), 1464 deletions(-)
 create mode 100644 modules/setting/admin.go
 create mode 100644 modules/setting/api.go
 create mode 100644 modules/setting/camo.go
 create mode 100644 modules/setting/config_provider.go
 delete mode 100644 modules/setting/directory.go
 create mode 100644 modules/setting/highlight.go
 create mode 100644 modules/setting/metrics.go
 rename modules/setting/{oauth2_client.go => oauth2.go} (74%)
 create mode 100644 modules/setting/other.go
 create mode 100644 modules/setting/security.go
 create mode 100644 modules/setting/server.go
 create mode 100644 modules/setting/ssh.go
 create mode 100644 modules/setting/time.go
 create mode 100644 modules/setting/ui.go

diff --git a/cmd/cmd.go b/cmd/cmd.go
index 493519e135..18d5db3987 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -57,9 +57,10 @@ func confirm() (bool, error) {
 }
 
 func initDB(ctx context.Context) error {
-	setting.LoadFromExisting()
-	setting.InitDBConfig()
-	setting.NewXORMLogService(false)
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()
+	setting.InitSQLLog(false)
 
 	if setting.Database.Type == "" {
 		log.Fatal(`Database settings are missing from the configuration file: %q.
diff --git a/cmd/convert.go b/cmd/convert.go
index b9ed9f1627..30e7d01e11 100644
--- a/cmd/convert.go
+++ b/cmd/convert.go
@@ -32,7 +32,7 @@ func runConvert(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 
 	if !setting.Database.UseMySQL {
diff --git a/cmd/doctor.go b/cmd/doctor.go
index ceb6e3fbab..e7baad60c1 100644
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@@ -87,14 +87,16 @@ func runRecreateTable(ctx *cli.Context) error {
 	golog.SetPrefix("")
 	golog.SetOutput(log.NewLoggerAsWriter("INFO", log.GetLogger(log.DEFAULT)))
 
-	setting.LoadFromExisting()
-	setting.InitDBConfig()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()
 
-	setting.EnableXORMLog = ctx.Bool("debug")
+	setting.Log.EnableXORMLog = ctx.Bool("debug")
 	setting.Database.LogSQL = ctx.Bool("debug")
-	setting.Cfg.Section("log").Key("XORM").SetValue(",")
+	// FIXME: don't use CfgProvider directly
+	setting.CfgProvider.Section("log").Key("XORM").SetValue(",")
 
-	setting.NewXORMLogService(!ctx.Bool("debug"))
+	setting.InitSQLLog(!ctx.Bool("debug"))
 	stdCtx, cancel := installSignals()
 	defer cancel()
 
diff --git a/cmd/dump.go b/cmd/dump.go
index f40ddbac23..c879d2fbee 100644
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -181,20 +181,22 @@ func runDump(ctx *cli.Context) error {
 		}
 		fileName += "." + outType
 	}
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 
 	// make sure we are logging to the console no matter what the configuration tells us do to
-	if _, err := setting.Cfg.Section("log").NewKey("MODE", "console"); err != nil {
+	// FIXME: don't use CfgProvider directly
+	if _, err := setting.CfgProvider.Section("log").NewKey("MODE", "console"); err != nil {
 		fatal("Setting logging mode to console failed: %v", err)
 	}
-	if _, err := setting.Cfg.Section("log.console").NewKey("STDERR", "true"); err != nil {
+	if _, err := setting.CfgProvider.Section("log.console").NewKey("STDERR", "true"); err != nil {
 		fatal("Setting console logger to stderr failed: %v", err)
 	}
 	if !setting.InstallLock {
 		log.Error("Is '%s' really the right config path?\n", setting.CustomConf)
 		return fmt.Errorf("gitea is not initialized")
 	}
-	setting.NewServices() // cannot access session settings otherwise
+	setting.LoadSettings() // cannot access session settings otherwise
 
 	stdCtx, cancel := installSignals()
 	defer cancel()
@@ -322,7 +324,7 @@ func runDump(ctx *cli.Context) error {
 		log.Info("Packing data directory...%s", setting.AppDataPath)
 
 		var excludes []string
-		if setting.Cfg.Section("session").Key("PROVIDER").Value() == "file" {
+		if setting.SessionConfig.OriginalProvider == "file" {
 			var opts session.Options
 			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
 				return err
@@ -339,7 +341,7 @@ func runDump(ctx *cli.Context) error {
 		excludes = append(excludes, setting.LFS.Path)
 		excludes = append(excludes, setting.Attachment.Path)
 		excludes = append(excludes, setting.Packages.Path)
-		excludes = append(excludes, setting.LogRootPath)
+		excludes = append(excludes, setting.Log.RootPath)
 		excludes = append(excludes, absFileName)
 		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
 			fatal("Failed to include data directory: %v", err)
@@ -378,12 +380,12 @@ func runDump(ctx *cli.Context) error {
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
 		log.Info("Skip dumping log files")
 	} else {
-		isExist, err := util.IsExist(setting.LogRootPath)
+		isExist, err := util.IsExist(setting.Log.RootPath)
 		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", setting.LogRootPath, err)
+			log.Error("Unable to check if %s exists. Error: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
-			if err := addRecursiveExclude(w, "log", setting.LogRootPath, []string{absFileName}, verbose); err != nil {
+			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
 				fatal("Failed to include log: %v", err)
 			}
 		}
diff --git a/cmd/dump_repo.go b/cmd/dump_repo.go
index b7b9b3ccc7..0d3970466c 100644
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@@ -94,7 +94,7 @@ func runDumpRepository(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 
 	var (
diff --git a/cmd/embedded.go b/cmd/embedded.go
index 118781895e..d87fc0187c 100644
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@@ -112,7 +112,8 @@ func initEmbeddedExtractor(c *cli.Context) error {
 	log.DelNamedLogger(log.DEFAULT)
 
 	// Read configuration file
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()
 
 	pats, err := getPatterns(c.Args())
 	if err != nil {
diff --git a/cmd/mailer.go b/cmd/mailer.go
index af6613f159..d05fee12bc 100644
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@@ -17,7 +17,8 @@ func runSendMail(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()
 
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 
 	if err := argsSet(c, "title"); err != nil {
 		return err
diff --git a/cmd/main_test.go b/cmd/main_test.go
index 9aacdf7bba..ba323af472 100644
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@@ -12,7 +12,7 @@ import (
 
 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }
 
 func TestMain(m *testing.M) {
diff --git a/cmd/migrate.go b/cmd/migrate.go
index 2546fca21d..efa791bc65 100644
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@@ -33,7 +33,7 @@ func runMigrate(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 
 	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
diff --git a/cmd/migrate_storage.go b/cmd/migrate_storage.go
index 0b8ebe7c8d..dfa7212e5b 100644
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@@ -136,7 +136,7 @@ func runMigrateStorage(ctx *cli.Context) error {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 
 	if err := db.InitEngineWithMigration(context.Background(), migrations.Migrate); err != nil {
diff --git a/cmd/restore_repo.go b/cmd/restore_repo.go
index 23932f821c..c7dff41966 100644
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@@ -54,7 +54,8 @@ func runRestoreRepository(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()
 
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	var units []string
 	if s := c.String("units"); s != "" {
 		units = strings.Split(s, ",")
diff --git a/cmd/serv.go b/cmd/serv.go
index 346c918b18..145d1b9e93 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -61,7 +61,8 @@ func setup(logPath string, debug bool) {
 	} else {
 		_ = log.NewLogger(1000, "console", "console", `{"level":"fatal","stacktracelevel":"NONE","stderr":true}`)
 	}
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	if debug {
 		setting.RunMode = "dev"
 	}
diff --git a/cmd/web.go b/cmd/web.go
index 49a0335615..8722ddb609 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -158,7 +158,8 @@ func runWeb(ctx *cli.Context) error {
 
 	log.Info("Global init")
 	// Perform global initialization
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 	routers.GlobalInitInstalled(graceful.GetManager().HammerContext())
 
 	// We check that AppDataPath exists here (it should have been created during installation)
diff --git a/contrib/pr/checkout.go b/contrib/pr/checkout.go
index b31a4a8c68..f12d8a9419 100644
--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@@ -49,7 +49,8 @@ func runPR() {
 		log.Fatal(err)
 	}
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()
 
 	setting.RepoRootPath, err = os.MkdirTemp(os.TempDir(), "repos")
 	if err != nil {
@@ -82,7 +83,7 @@ func runPR() {
 		setting.Database.Path = ":memory:"
 		setting.Database.Timeout = 500
 	*/
-	dbCfg := setting.Cfg.Section("database")
+	dbCfg := setting.CfgProvider.Section("database")
 	dbCfg.NewKey("DB_TYPE", "sqlite3")
 	dbCfg.NewKey("PATH", ":memory:")
 
diff --git a/models/asymkey/main_test.go b/models/asymkey/main_test.go
index 82a408ece0..7f8657189f 100644
--- a/models/asymkey/main_test.go
+++ b/models/asymkey/main_test.go
@@ -13,7 +13,7 @@ import (
 
 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }
 
 func TestMain(m *testing.M) {
diff --git a/models/dbfs/main_test.go b/models/dbfs/main_test.go
index 7a820b2d83..9dce663eea 100644
--- a/models/dbfs/main_test.go
+++ b/models/dbfs/main_test.go
@@ -13,7 +13,7 @@ import (
 
 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }
 
 func TestMain(m *testing.M) {
diff --git a/models/issues/main_test.go b/models/issues/main_test.go
index 93e05f33f6..de84da30ec 100644
--- a/models/issues/main_test.go
+++ b/models/issues/main_test.go
@@ -20,7 +20,7 @@ import (
 
 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }
 
 func TestFixturesAreConsistent(t *testing.T) {
diff --git a/models/main_test.go b/models/main_test.go
index cc4eebfe76..b5919bb286 100644
--- a/models/main_test.go
+++ b/models/main_test.go
@@ -20,7 +20,7 @@ import (
 
 func init() {
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 }
 
 // TestFixturesAreConsistent assert that test fixtures are consistent
diff --git a/models/migrations/base/tests.go b/models/migrations/base/tests.go
index a9bcd20f67..2f1b246648 100644
--- a/models/migrations/base/tests.go
+++ b/models/migrations/base/tests.go
@@ -149,13 +149,13 @@ func MainTest(m *testing.M) {
 	setting.AppDataPath = tmpDataPath
 
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 	if err = git.InitFull(context.Background()); err != nil {
 		fmt.Printf("Unable to InitFull: %v\n", err)
 		os.Exit(1)
 	}
-	setting.InitDBConfig()
-	setting.NewLogServices(true)
+	setting.LoadDBSetting()
+	setting.InitLogs(true)
 
 	exitStatus := m.Run()
 
diff --git a/modules/context/access_log.go b/modules/context/access_log.go
index 05c0f86218..84663ee8d3 100644
--- a/modules/context/access_log.go
+++ b/modules/context/access_log.go
@@ -27,7 +27,7 @@ var signedUserNameStringPointerKey interface{} = "signedUserNameStringPointerKey
 // AccessLogger returns a middleware to log access logger
 func AccessLogger() func(http.Handler) http.Handler {
 	logger := log.GetLogger("access")
-	logTemplate, _ := template.New("log").Parse(setting.AccessLogTemplate)
+	logTemplate, _ := template.New("log").Parse(setting.Log.AccessLogTemplate)
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			start := time.Now()
diff --git a/modules/doctor/doctor.go b/modules/doctor/doctor.go
index 2025edc58d..b23805bc4c 100644
--- a/modules/doctor/doctor.go
+++ b/modules/doctor/doctor.go
@@ -44,10 +44,10 @@ func (w *wrappedLevelLogger) Log(skip int, level log.Level, format string, v ...
 }
 
 func initDBDisableConsole(ctx context.Context, disableConsole bool) error {
-	setting.LoadFromExisting()
-	setting.InitDBConfig()
-
-	setting.NewXORMLogService(disableConsole)
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()
+	setting.InitSQLLog(disableConsole)
 	if err := db.InitEngine(ctx); err != nil {
 		return fmt.Errorf("db.InitEngine: %w", err)
 	}
@@ -71,7 +71,7 @@ func RunChecks(ctx context.Context, logger log.Logger, autofix bool, checks []*C
 	for i, check := range checks {
 		if !dbIsInit && !check.SkipDatabaseInitialization {
 			// Only open database after the most basic configuration check
-			setting.EnableXORMLog = false
+			setting.Log.EnableXORMLog = false
 			if err := initDBDisableConsole(ctx, true); err != nil {
 				logger.Error("Error whilst initializing the database: %v", err)
 				logger.Error("Check if you are using the right config file. You can use a --config directive to specify one.")
diff --git a/modules/doctor/paths.go b/modules/doctor/paths.go
index ad50078d3e..7b1c6ce9ad 100644
--- a/modules/doctor/paths.go
+++ b/modules/doctor/paths.go
@@ -67,7 +67,8 @@ func checkConfigurationFiles(ctx context.Context, logger log.Logger, autofix boo
 		return err
 	}
 
-	setting.LoadFromExisting()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
 
 	configurationFiles := []configurationFile{
 		{"Configuration File Path", setting.CustomConf, false, true, false},
@@ -75,7 +76,7 @@ func checkConfigurationFiles(ctx context.Context, logger log.Logger, autofix boo
 		{"Data Root Path", setting.AppDataPath, true, true, true},
 		{"Custom File Root Path", setting.CustomPath, true, false, false},
 		{"Work directory", setting.AppWorkPath, true, true, false},
-		{"Log Root Path", setting.LogRootPath, true, true, true},
+		{"Log Root Path", setting.Log.RootPath, true, true, true},
 	}
 
 	if options.IsDynamic() {
diff --git a/modules/highlight/highlight.go b/modules/highlight/highlight.go
index 05e472c083..a5c38940a7 100644
--- a/modules/highlight/highlight.go
+++ b/modules/highlight/highlight.go
@@ -41,12 +41,8 @@ var (
 // NewContext loads custom highlight map from local config
 func NewContext() {
 	once.Do(func() {
-		if setting.Cfg != nil {
-			keys := setting.Cfg.Section("highlight.mapping").Keys()
-			for i := range keys {
-				highlightMapping[keys[i].Name()] = keys[i].Value()
-			}
-		}
+		highlightMapping = setting.GetHighlightMapping()
+
 		// The size 512 is simply a conservative rule of thumb
 		c, err := lru.New2Q(512)
 		if err != nil {
diff --git a/modules/indexer/issues/indexer_test.go b/modules/indexer/issues/indexer_test.go
index ff0541d049..bf9d6d0d16 100644
--- a/modules/indexer/issues/indexer_test.go
+++ b/modules/indexer/issues/indexer_test.go
@@ -27,11 +27,11 @@ func TestMain(m *testing.M) {
 
 func TestBleveSearchIssues(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
-	setting.Cfg = ini.Empty()
+	setting.CfgProvider = ini.Empty()
 
 	tmpIndexerDir := t.TempDir()
 
-	setting.Cfg.Section("queue.issue_indexer").Key("DATADIR").MustString(path.Join(tmpIndexerDir, "issues.queue"))
+	setting.CfgProvider.Section("queue.issue_indexer").Key("DATADIR").MustString(path.Join(tmpIndexerDir, "issues.queue"))
 
 	oldIssuePath := setting.Indexer.IssuePath
 	setting.Indexer.IssuePath = path.Join(tmpIndexerDir, "issues.queue")
@@ -40,7 +40,7 @@ func TestBleveSearchIssues(t *testing.T) {
 	}()
 
 	setting.Indexer.IssueType = "bleve"
-	setting.NewQueueService()
+	setting.LoadQueueSettings()
 	InitIssueIndexer(true)
 	defer func() {
 		indexer := holder.get()
diff --git a/modules/indexer/stats/indexer_test.go b/modules/indexer/stats/indexer_test.go
index bc6c4cd7f8..50a5fade78 100644
--- a/modules/indexer/stats/indexer_test.go
+++ b/modules/indexer/stats/indexer_test.go
@@ -29,9 +29,9 @@ func TestMain(m *testing.M) {
 
 func TestRepoStatsIndex(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
-	setting.Cfg = ini.Empty()
+	setting.CfgProvider = ini.Empty()
 
-	setting.NewQueueService()
+	setting.LoadQueueSettings()
 
 	err := Init()
 	assert.NoError(t, err)
diff --git a/modules/markup/html_test.go b/modules/markup/html_test.go
index 32f26bffab..aea1d92676 100644
--- a/modules/markup/html_test.go
+++ b/modules/markup/html_test.go
@@ -28,7 +28,8 @@ var localMetas = map[string]string{
 }
 
 func TestMain(m *testing.M) {
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()
 	if err := git.InitSimple(context.Background()); err != nil {
 		log.Fatal("git init failed, err: %v", err)
 	}
diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index cc683dc5b7..bb458a65c1 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -33,7 +33,8 @@ var localMetas = map[string]string{
 }
 
 func TestMain(m *testing.M) {
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()
 	if err := git.InitSimple(context.Background()); err != nil {
 		log.Fatal("git init failed, err: %v", err)
 	}
diff --git a/modules/setting/actions.go b/modules/setting/actions.go
index 5c83a73aeb..b11500dab4 100644
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@@ -19,11 +19,11 @@ var (
 	}
 )
 
-func newActions() {
-	sec := Cfg.Section("actions")
+func loadActionsFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("actions")
 	if err := sec.MapTo(&Actions); err != nil {
 		log.Fatal("Failed to map Actions settings: %v", err)
 	}
 
-	Actions.Storage = getStorage("actions_log", "", nil)
+	Actions.Storage = getStorage(rootCfg, "actions_log", "", nil)
 }
diff --git a/modules/setting/admin.go b/modules/setting/admin.go
new file mode 100644
index 0000000000..2d2dd26de9
--- /dev/null
+++ b/modules/setting/admin.go
@@ -0,0 +1,16 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+// Admin settings
+var Admin struct {
+	DisableRegularOrgCreation bool
+	DefaultEmailNotification  string
+}
+
+func loadAdminFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "admin", &Admin)
+	sec := rootCfg.Section("admin")
+	Admin.DefaultEmailNotification = sec.Key("DEFAULT_EMAIL_NOTIFICATIONS").MustString("enabled")
+}
diff --git a/modules/setting/api.go b/modules/setting/api.go
new file mode 100644
index 0000000000..c36f05cfd1
--- /dev/null
+++ b/modules/setting/api.go
@@ -0,0 +1,40 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/url"
+	"path"
+
+	"code.gitea.io/gitea/modules/log"
+)
+
+// API settings
+var API = struct {
+	EnableSwagger          bool
+	SwaggerURL             string
+	MaxResponseItems       int
+	DefaultPagingNum       int
+	DefaultGitTreesPerPage int
+	DefaultMaxBlobSize     int64
+}{
+	EnableSwagger:          true,
+	SwaggerURL:             "",
+	MaxResponseItems:       50,
+	DefaultPagingNum:       30,
+	DefaultGitTreesPerPage: 1000,
+	DefaultMaxBlobSize:     10485760,
+}
+
+func loadAPIFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "api", &API)
+
+	defaultAppURL := string(Protocol) + "://" + Domain + ":" + HTTPPort
+	u, err := url.Parse(rootCfg.Section("server").Key("ROOT_URL").MustString(defaultAppURL))
+	if err != nil {
+		log.Fatal("Invalid ROOT_URL '%s': %s", AppURL, err)
+	}
+	u.Path = path.Join(u.Path, "api", "swagger")
+	API.SwaggerURL = u.String()
+}
diff --git a/modules/setting/attachment.go b/modules/setting/attachment.go
index 68a2e87204..8b6eb9fd7a 100644
--- a/modules/setting/attachment.go
+++ b/modules/setting/attachment.go
@@ -20,11 +20,11 @@ var Attachment = struct {
 	Enabled:      true,
 }
 
-func newAttachmentService() {
-	sec := Cfg.Section("attachment")
+func loadAttachmentFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
 
-	Attachment.Storage = getStorage("attachments", storageType, sec)
+	Attachment.Storage = getStorage(rootCfg, "attachments", storageType, sec)
 
 	Attachment.AllowedTypes = sec.Key("ALLOWED_TYPES").MustString(".csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip")
 	Attachment.MaxSize = sec.Key("MAX_SIZE").MustInt64(4)
diff --git a/modules/setting/cache.go b/modules/setting/cache.go
index 2da79adb3b..783246077d 100644
--- a/modules/setting/cache.go
+++ b/modules/setting/cache.go
@@ -49,8 +49,8 @@ var CacheService = struct {
 // MemcacheMaxTTL represents the maximum memcache TTL
 const MemcacheMaxTTL = 30 * 24 * time.Hour
 
-func newCacheService() {
-	sec := Cfg.Section("cache")
+func loadCacheFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("cache")
 	if err := sec.MapTo(&CacheService); err != nil {
 		log.Fatal("Failed to map Cache settings: %v", err)
 	}
@@ -79,7 +79,7 @@ func newCacheService() {
 		Service.EnableCaptcha = false
 	}
 
-	sec = Cfg.Section("cache.last_commit")
+	sec = rootCfg.Section("cache.last_commit")
 	if !CacheService.Enabled {
 		CacheService.LastCommit.Enabled = false
 	}
diff --git a/modules/setting/camo.go b/modules/setting/camo.go
new file mode 100644
index 0000000000..366e9a116c
--- /dev/null
+++ b/modules/setting/camo.go
@@ -0,0 +1,22 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import "code.gitea.io/gitea/modules/log"
+
+var Camo = struct {
+	Enabled   bool
+	ServerURL string `ini:"SERVER_URL"`
+	HMACKey   string `ini:"HMAC_KEY"`
+	Allways   bool
+}{}
+
+func loadCamoFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "camo", &Camo)
+	if Camo.Enabled {
+		if Camo.ServerURL == "" || Camo.HMACKey == "" {
+			log.Fatal(`Camo settings require "SERVER_URL" and HMAC_KEY`)
+		}
+	}
+}
diff --git a/modules/setting/config_provider.go b/modules/setting/config_provider.go
new file mode 100644
index 0000000000..67a4e4ded1
--- /dev/null
+++ b/modules/setting/config_provider.go
@@ -0,0 +1,39 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"code.gitea.io/gitea/modules/log"
+
+	ini "gopkg.in/ini.v1"
+)
+
+// ConfigProvider represents a config provider
+type ConfigProvider interface {
+	Section(section string) *ini.Section
+	NewSection(name string) (*ini.Section, error)
+	GetSection(name string) (*ini.Section, error)
+}
+
+// a file is an implementation ConfigProvider and other implementations are possible, i.e. from docker, k8s, …
+var _ ConfigProvider = &ini.File{}
+
+func mustMapSetting(rootCfg ConfigProvider, sectionName string, setting interface{}) {
+	if err := rootCfg.Section(sectionName).MapTo(setting); err != nil {
+		log.Fatal("Failed to map %s settings: %v", sectionName, err)
+	}
+}
+
+func deprecatedSetting(rootCfg ConfigProvider, oldSection, oldKey, newSection, newKey string) {
+	if rootCfg.Section(oldSection).HasKey(oldKey) {
+		log.Error("Deprecated fallback `[%s]` `%s` present. Use `[%s]` `%s` instead. This fallback will be removed in v1.19.0", oldSection, oldKey, newSection, newKey)
+	}
+}
+
+// deprecatedSettingDB add a hint that the configuration has been moved to database but still kept in app.ini
+func deprecatedSettingDB(rootCfg ConfigProvider, oldSection, oldKey string) {
+	if rootCfg.Section(oldSection).HasKey(oldKey) {
+		log.Error("Deprecated `[%s]` `%s` present which has been copied to database table sys_setting", oldSection, oldKey)
+	}
+}
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index ae0736e830..260848b5df 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -27,12 +27,8 @@ var CORSConfig = struct {
 	XFrameOptions: "SAMEORIGIN",
 }
 
-func newCORSService() {
-	sec := Cfg.Section("cors")
-	if err := sec.MapTo(&CORSConfig); err != nil {
-		log.Fatal("Failed to map cors settings: %v", err)
-	}
-
+func loadCorsFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "cors", &CORSConfig)
 	if CORSConfig.Enabled {
 		log.Info("CORS Service Enabled")
 	}
diff --git a/modules/setting/cron.go b/modules/setting/cron.go
index a76de2797f..45bae4dde3 100644
--- a/modules/setting/cron.go
+++ b/modules/setting/cron.go
@@ -7,7 +7,11 @@ import "reflect"
 
 // GetCronSettings maps the cron subsection to the provided config
 func GetCronSettings(name string, config interface{}) (interface{}, error) {
-	if err := Cfg.Section("cron." + name).MapTo(config); err != nil {
+	return getCronSettings(CfgProvider, name, config)
+}
+
+func getCronSettings(rootCfg ConfigProvider, name string, config interface{}) (interface{}, error) {
+	if err := rootCfg.Section("cron." + name).MapTo(config); err != nil {
 		return config, err
 	}
 
@@ -18,7 +22,7 @@ func GetCronSettings(name string, config interface{}) (interface{}, error) {
 		field := val.Field(i)
 		tpField := typ.Field(i)
 		if tpField.Type.Kind() == reflect.Struct && tpField.Anonymous {
-			if err := Cfg.Section("cron." + name).MapTo(field.Addr().Interface()); err != nil {
+			if err := rootCfg.Section("cron." + name).MapTo(field.Addr().Interface()); err != nil {
 				return config, err
 			}
 		}
diff --git a/modules/setting/cron_test.go b/modules/setting/cron_test.go
index 29cdca8fbf..be97e59bd9 100644
--- a/modules/setting/cron_test.go
+++ b/modules/setting/cron_test.go
@@ -10,7 +10,7 @@ import (
 	ini "gopkg.in/ini.v1"
 )
 
-func Test_GetCronSettings(t *testing.T) {
+func Test_getCronSettings(t *testing.T) {
 	type BaseStruct struct {
 		Base   bool
 		Second string
@@ -27,7 +27,8 @@ Base = true
 Second = white rabbit
 Extend = true
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
 	extended := &Extended{
 		BaseStruct: BaseStruct{
@@ -35,8 +36,7 @@ Extend = true
 		},
 	}
 
-	_, err := GetCronSettings("test", extended)
-
+	_, err = getCronSettings(cfg, "test", extended)
 	assert.NoError(t, err)
 	assert.True(t, extended.Base)
 	assert.EqualValues(t, extended.Second, "white rabbit")
diff --git a/modules/setting/database.go b/modules/setting/database.go
index 5480f9dffd..49865a38a2 100644
--- a/modules/setting/database.go
+++ b/modules/setting/database.go
@@ -56,9 +56,9 @@ var (
 	}
 )
 
-// InitDBConfig loads the database settings
-func InitDBConfig() {
-	sec := Cfg.Section("database")
+// LoadDBSetting loads the database settings
+func LoadDBSetting() {
+	sec := CfgProvider.Section("database")
 	Database.Type = sec.Key("DB_TYPE").String()
 	defaultCharset := "utf8"
 	Database.UseMySQL = false
diff --git a/modules/setting/directory.go b/modules/setting/directory.go
deleted file mode 100644
index a80df47ab4..0000000000
--- a/modules/setting/directory.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package setting
-
-import (
-	"fmt"
-	"os"
-)
-
-// PrepareAppDataPath creates app data directory if necessary
-func PrepareAppDataPath() error {
-	// FIXME: There are too many calls to MkdirAll in old code. It is incorrect.
-	// For example, if someDir=/mnt/vol1/gitea-home/data, if the mount point /mnt/vol1 is not mounted when Gitea runs,
-	// then gitea will make new empty directories in /mnt/vol1, all are stored in the root filesystem.
-	// The correct behavior should be: creating parent directories is end users' duty. We only create sub-directories in existing parent directories.
-	// For quickstart, the parent directories should be created automatically for first startup (eg: a flag or a check of INSTALL_LOCK).
-	// Now we can take the first step to do correctly (using Mkdir) in other packages, and prepare the AppDataPath here, then make a refactor in future.
-
-	st, err := os.Stat(AppDataPath)
-
-	if os.IsNotExist(err) {
-		err = os.MkdirAll(AppDataPath, os.ModePerm)
-		if err != nil {
-			return fmt.Errorf("unable to create the APP_DATA_PATH directory: %q, Error: %w", AppDataPath, err)
-		}
-		return nil
-	}
-
-	if err != nil {
-		return fmt.Errorf("unable to use APP_DATA_PATH %q. Error: %w", AppDataPath, err)
-	}
-
-	if !st.IsDir() /* also works for symlink */ {
-		return fmt.Errorf("the APP_DATA_PATH %q is not a directory (or symlink to a directory) and can't be used", AppDataPath)
-	}
-
-	return nil
-}
diff --git a/modules/setting/federation.go b/modules/setting/federation.go
index acab3eb580..2bea900633 100644
--- a/modules/setting/federation.go
+++ b/modules/setting/federation.go
@@ -33,8 +33,8 @@ var (
 // HttpsigAlgs is a constant slice of httpsig algorithm objects
 var HttpsigAlgs []httpsig.Algorithm
 
-func newFederationService() {
-	if err := Cfg.Section("federation").MapTo(&Federation); err != nil {
+func loadFederationFrom(rootCfg ConfigProvider) {
+	if err := rootCfg.Section("federation").MapTo(&Federation); err != nil {
 		log.Fatal("Failed to map Federation settings: %v", err)
 	} else if !httpsig.IsSupportedDigestAlgorithm(Federation.DigestAlgorithm) {
 		log.Fatal("unsupported digest algorithm: %s", Federation.DigestAlgorithm)
diff --git a/modules/setting/git.go b/modules/setting/git.go
index a05f77a97e..457b35936e 100644
--- a/modules/setting/git.go
+++ b/modules/setting/git.go
@@ -67,9 +67,8 @@ var Git = struct {
 	},
 }
 
-func newGit() {
-	sec := Cfg.Section("git")
-
+func loadGitFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("git")
 	if err := sec.MapTo(&Git); err != nil {
 		log.Fatal("Failed to map Git settings: %v", err)
 	}
diff --git a/modules/setting/highlight.go b/modules/setting/highlight.go
new file mode 100644
index 0000000000..6291b08a45
--- /dev/null
+++ b/modules/setting/highlight.go
@@ -0,0 +1,17 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+func GetHighlightMapping() map[string]string {
+	highlightMapping := map[string]string{}
+	if CfgProvider == nil {
+		return highlightMapping
+	}
+
+	keys := CfgProvider.Section("highlight.mapping").Keys()
+	for _, key := range keys {
+		highlightMapping[key.Name()] = key.Value()
+	}
+	return highlightMapping
+}
diff --git a/modules/setting/i18n.go b/modules/setting/i18n.go
index 0e67b18a3e..c3076c0ab7 100644
--- a/modules/setting/i18n.go
+++ b/modules/setting/i18n.go
@@ -47,3 +47,20 @@ func defaultI18nNames() (res []string) {
 	}
 	return res
 }
+
+var (
+	// I18n settings
+	Langs []string
+	Names []string
+)
+
+func loadI18nFrom(rootCfg ConfigProvider) {
+	Langs = rootCfg.Section("i18n").Key("LANGS").Strings(",")
+	if len(Langs) == 0 {
+		Langs = defaultI18nLangs()
+	}
+	Names = rootCfg.Section("i18n").Key("NAMES").Strings(",")
+	if len(Names) == 0 {
+		Names = defaultI18nNames()
+	}
+}
diff --git a/modules/setting/incoming_email.go b/modules/setting/incoming_email.go
index b6a637bccd..75337a312f 100644
--- a/modules/setting/incoming_email.go
+++ b/modules/setting/incoming_email.go
@@ -31,10 +31,8 @@ var IncomingEmail = struct {
 	MaximumMessageSize:   10485760,
 }
 
-func newIncomingEmail() {
-	if err := Cfg.Section("email.incoming").MapTo(&IncomingEmail); err != nil {
-		log.Fatal("Unable to map [email.incoming] section on to IncomingEmail. Error: %v", err)
-	}
+func loadIncomingEmailFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "email.incoming", &IncomingEmail)
 
 	if !IncomingEmail.Enabled {
 		return
diff --git a/modules/setting/indexer.go b/modules/setting/indexer.go
index 1b1c8f7e7f..528a9eb655 100644
--- a/modules/setting/indexer.go
+++ b/modules/setting/indexer.go
@@ -45,8 +45,8 @@ var Indexer = struct {
 	ExcludeVendored:    true,
 }
 
-func newIndexerService() {
-	sec := Cfg.Section("indexer")
+func loadIndexerFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("indexer")
 	Indexer.IssueType = sec.Key("ISSUE_INDEXER_TYPE").MustString("bleve")
 	Indexer.IssuePath = filepath.ToSlash(sec.Key("ISSUE_INDEXER_PATH").MustString(filepath.ToSlash(filepath.Join(AppDataPath, "indexers/issues.bleve"))))
 	if !filepath.IsAbs(Indexer.IssuePath) {
@@ -57,11 +57,11 @@ func newIndexerService() {
 
 	// The following settings are deprecated and can be overridden by settings in [queue] or [queue.issue_indexer]
 	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting("indexer", "ISSUE_INDEXER_QUEUE_TYPE", "queue.issue_indexer", "TYPE")
-	deprecatedSetting("indexer", "ISSUE_INDEXER_QUEUE_DIR", "queue.issue_indexer", "DATADIR")
-	deprecatedSetting("indexer", "ISSUE_INDEXER_QUEUE_CONN_STR", "queue.issue_indexer", "CONN_STR")
-	deprecatedSetting("indexer", "ISSUE_INDEXER_QUEUE_BATCH_NUMBER", "queue.issue_indexer", "BATCH_LENGTH")
-	deprecatedSetting("indexer", "UPDATE_BUFFER_LEN", "queue.issue_indexer", "LENGTH")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_TYPE", "queue.issue_indexer", "TYPE")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_DIR", "queue.issue_indexer", "DATADIR")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_CONN_STR", "queue.issue_indexer", "CONN_STR")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_BATCH_NUMBER", "queue.issue_indexer", "BATCH_LENGTH")
+	deprecatedSetting(rootCfg, "indexer", "UPDATE_BUFFER_LEN", "queue.issue_indexer", "LENGTH")
 
 	Indexer.RepoIndexerEnabled = sec.Key("REPO_INDEXER_ENABLED").MustBool(false)
 	Indexer.RepoType = sec.Key("REPO_INDEXER_TYPE").MustString("bleve")
diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index 6f8e875c1d..e6c9e42f2c 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -25,22 +25,22 @@ var LFS = struct {
 	Storage
 }{}
 
-func newLFSService() {
-	sec := Cfg.Section("server")
+func loadLFSFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("server")
 	if err := sec.MapTo(&LFS); err != nil {
 		log.Fatal("Failed to map LFS settings: %v", err)
 	}
 
-	lfsSec := Cfg.Section("lfs")
+	lfsSec := rootCfg.Section("lfs")
 	storageType := lfsSec.Key("STORAGE_TYPE").MustString("")
 
 	// Specifically default PATH to LFS_CONTENT_PATH
 	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting("server", "LFS_CONTENT_PATH", "lfs", "PATH")
+	deprecatedSetting(rootCfg, "server", "LFS_CONTENT_PATH", "lfs", "PATH")
 	lfsSec.Key("PATH").MustString(
 		sec.Key("LFS_CONTENT_PATH").String())
 
-	LFS.Storage = getStorage("lfs", storageType, lfsSec)
+	LFS.Storage = getStorage(rootCfg, "lfs", storageType, lfsSec)
 
 	// Rest of LFS service settings
 	if LFS.LocksPagingNum == 0 {
diff --git a/modules/setting/log.go b/modules/setting/log.go
index 8a2d47eda7..5448650aad 100644
--- a/modules/setting/log.go
+++ b/modules/setting/log.go
@@ -25,6 +25,21 @@ var (
 	logDescriptions = make(map[string]*LogDescription)
 )
 
+// Log settings
+var Log struct {
+	Level              log.Level
+	StacktraceLogLevel string
+	RootPath           string
+	EnableSSHLog       bool
+	EnableXORMLog      bool
+
+	DisableRouterLog bool
+
+	EnableAccessLog   bool
+	AccessLogTemplate string
+	BufferLength      int64
+}
+
 // GetLogDescriptions returns a race safe set of descriptions
 func GetLogDescriptions() map[string]*LogDescription {
 	descriptionLock.RLock()
@@ -94,9 +109,9 @@ type defaultLogOptions struct {
 
 func newDefaultLogOptions() defaultLogOptions {
 	return defaultLogOptions{
-		levelName:      LogLevel.String(),
+		levelName:      Log.Level.String(),
 		flags:          "stdflags",
-		filename:       filepath.Join(LogRootPath, "gitea.log"),
+		filename:       filepath.Join(Log.RootPath, "gitea.log"),
 		bufferLength:   10000,
 		disableConsole: false,
 	}
@@ -125,10 +140,33 @@ func getStacktraceLogLevel(section *ini.Section, key, defaultValue string) strin
 	return log.FromString(value).String()
 }
 
+func loadLogFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("log")
+	Log.Level = getLogLevel(sec, "LEVEL", log.INFO)
+	Log.StacktraceLogLevel = getStacktraceLogLevel(sec, "STACKTRACE_LEVEL", "None")
+	Log.RootPath = sec.Key("ROOT_PATH").MustString(path.Join(AppWorkPath, "log"))
+	forcePathSeparator(Log.RootPath)
+	Log.BufferLength = sec.Key("BUFFER_LEN").MustInt64(10000)
+
+	Log.EnableSSHLog = sec.Key("ENABLE_SSH_LOG").MustBool(false)
+	Log.EnableAccessLog = sec.Key("ENABLE_ACCESS_LOG").MustBool(false)
+	Log.AccessLogTemplate = sec.Key("ACCESS_LOG_TEMPLATE").MustString(
+		`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`,
+	)
+	// the `MustString` updates the default value, and `log.ACCESS` is used by `generateNamedLogger("access")` later
+	_ = rootCfg.Section("log").Key("ACCESS").MustString("file")
+
+	sec.Key("ROUTER").MustString("console")
+	// Allow [log]  DISABLE_ROUTER_LOG to override [server] DISABLE_ROUTER_LOG
+	Log.DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool(Log.DisableRouterLog)
+
+	Log.EnableXORMLog = rootCfg.Section("log").Key("ENABLE_XORM_LOG").MustBool(true)
+}
+
 func generateLogConfig(sec *ini.Section, name string, defaults defaultLogOptions) (mode, jsonConfig, levelName string) {
-	level := getLogLevel(sec, "LEVEL", LogLevel)
+	level := getLogLevel(sec, "LEVEL", Log.Level)
 	levelName = level.String()
-	stacktraceLevelName := getStacktraceLogLevel(sec, "STACKTRACE_LEVEL", StacktraceLogLevel)
+	stacktraceLevelName := getStacktraceLogLevel(sec, "STACKTRACE_LEVEL", Log.StacktraceLogLevel)
 	stacktraceLevel := log.FromString(stacktraceLevelName)
 	mode = name
 	keys := sec.Keys()
@@ -144,7 +182,7 @@ func generateLogConfig(sec *ini.Section, name string, defaults defaultLogOptions
 			logPath = key.MustString(defaults.filename)
 			forcePathSeparator(logPath)
 			if !filepath.IsAbs(logPath) {
-				logPath = path.Join(LogRootPath, logPath)
+				logPath = path.Join(Log.RootPath, logPath)
 			}
 		case "FLAGS":
 			flags = log.FlagsFromString(key.MustString(defaults.flags))
@@ -213,12 +251,12 @@ func generateLogConfig(sec *ini.Section, name string, defaults defaultLogOptions
 	return mode, jsonConfig, levelName
 }
 
-func generateNamedLogger(key string, options defaultLogOptions) *LogDescription {
+func generateNamedLogger(rootCfg ConfigProvider, key string, options defaultLogOptions) *LogDescription {
 	description := LogDescription{
 		Name: key,
 	}
 
-	sections := strings.Split(Cfg.Section("log").Key(strings.ToUpper(key)).MustString(""), ",")
+	sections := strings.Split(rootCfg.Section("log").Key(strings.ToUpper(key)).MustString(""), ",")
 
 	for i := 0; i < len(sections); i++ {
 		sections[i] = strings.TrimSpace(sections[i])
@@ -228,9 +266,9 @@ func generateNamedLogger(key string, options defaultLogOptions) *LogDescription
 		if len(name) == 0 || (name == "console" && options.disableConsole) {
 			continue
 		}
-		sec, err := Cfg.GetSection("log." + name + "." + key)
+		sec, err := rootCfg.GetSection("log." + name + "." + key)
 		if err != nil {
-			sec, _ = Cfg.NewSection("log." + name + "." + key)
+			sec, _ = rootCfg.NewSection("log." + name + "." + key)
 		}
 
 		provider, config, levelName := generateLogConfig(sec, name, options)
@@ -253,46 +291,17 @@ func generateNamedLogger(key string, options defaultLogOptions) *LogDescription
 	return &description
 }
 
-func newAccessLogService() {
-	EnableAccessLog = Cfg.Section("log").Key("ENABLE_ACCESS_LOG").MustBool(false)
-	AccessLogTemplate = Cfg.Section("log").Key("ACCESS_LOG_TEMPLATE").MustString(
-		`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`,
-	)
-	// the `MustString` updates the default value, and `log.ACCESS` is used by `generateNamedLogger("access")` later
-	_ = Cfg.Section("log").Key("ACCESS").MustString("file")
-	if EnableAccessLog {
-		options := newDefaultLogOptions()
-		options.filename = filepath.Join(LogRootPath, "access.log")
-		options.flags = "" // For the router we don't want any prefixed flags
-		options.bufferLength = Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
-		generateNamedLogger("access", options)
-	}
-}
-
-func newRouterLogService() {
-	Cfg.Section("log").Key("ROUTER").MustString("console")
-	// Allow [log]  DISABLE_ROUTER_LOG to override [server] DISABLE_ROUTER_LOG
-	DisableRouterLog = Cfg.Section("log").Key("DISABLE_ROUTER_LOG").MustBool(DisableRouterLog)
-
-	if !DisableRouterLog {
-		options := newDefaultLogOptions()
-		options.filename = filepath.Join(LogRootPath, "router.log")
-		options.flags = "date,time" // For the router we don't want any prefixed flags
-		options.bufferLength = Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
-		generateNamedLogger("router", options)
-	}
-}
-
-func newLogService() {
+// initLogFrom initializes logging with settings from configuration provider
+func initLogFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("log")
 	options := newDefaultLogOptions()
-	options.bufferLength = Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
-	EnableSSHLog = Cfg.Section("log").Key("ENABLE_SSH_LOG").MustBool(false)
+	options.bufferLength = Log.BufferLength
 
 	description := LogDescription{
 		Name: log.DEFAULT,
 	}
 
-	sections := strings.Split(Cfg.Section("log").Key("MODE").MustString("console"), ",")
+	sections := strings.Split(sec.Key("MODE").MustString("console"), ",")
 
 	useConsole := false
 	for _, name := range sections {
@@ -304,11 +313,11 @@ func newLogService() {
 			useConsole = true
 		}
 
-		sec, err := Cfg.GetSection("log." + name + ".default")
+		sec, err := rootCfg.GetSection("log." + name + ".default")
 		if err != nil {
-			sec, err = Cfg.GetSection("log." + name)
+			sec, err = rootCfg.GetSection("log." + name)
 			if err != nil {
-				sec, _ = Cfg.NewSection("log." + name)
+				sec, _ = rootCfg.NewSection("log." + name)
 			}
 		}
 
@@ -340,27 +349,45 @@ func newLogService() {
 // RestartLogsWithPIDSuffix restarts the logs with a PID suffix on files
 func RestartLogsWithPIDSuffix() {
 	filenameSuffix = fmt.Sprintf(".%d", os.Getpid())
-	NewLogServices(false)
+	InitLogs(false)
 }
 
-// NewLogServices creates all the log services
-func NewLogServices(disableConsole bool) {
-	newLogService()
-	newRouterLogService()
-	newAccessLogService()
-	NewXORMLogService(disableConsole)
-}
+// InitLogs creates all the log services
+func InitLogs(disableConsole bool) {
+	initLogFrom(CfgProvider)
 
-// NewXORMLogService initializes xorm logger service
-func NewXORMLogService(disableConsole bool) {
-	EnableXORMLog = Cfg.Section("log").Key("ENABLE_XORM_LOG").MustBool(true)
-	if EnableXORMLog {
+	if !Log.DisableRouterLog {
 		options := newDefaultLogOptions()
-		options.filename = filepath.Join(LogRootPath, "xorm.log")
-		options.bufferLength = Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
+		options.filename = filepath.Join(Log.RootPath, "router.log")
+		options.flags = "date,time" // For the router we don't want any prefixed flags
+		options.bufferLength = Log.BufferLength
+		generateNamedLogger(CfgProvider, "router", options)
+	}
+
+	if Log.EnableAccessLog {
+		options := newDefaultLogOptions()
+		options.filename = filepath.Join(Log.RootPath, "access.log")
+		options.flags = "" // For the router we don't want any prefixed flags
+		options.bufferLength = Log.BufferLength
+		generateNamedLogger(CfgProvider, "access", options)
+	}
+
+	initSQLLogFrom(CfgProvider, disableConsole)
+}
+
+// InitSQLLog initializes xorm logger setting
+func InitSQLLog(disableConsole bool) {
+	initSQLLogFrom(CfgProvider, disableConsole)
+}
+
+func initSQLLogFrom(rootCfg ConfigProvider, disableConsole bool) {
+	if Log.EnableXORMLog {
+		options := newDefaultLogOptions()
+		options.filename = filepath.Join(Log.RootPath, "xorm.log")
+		options.bufferLength = Log.BufferLength
 		options.disableConsole = disableConsole
 
-		Cfg.Section("log").Key("XORM").MustString(",")
-		generateNamedLogger("xorm", options)
+		rootCfg.Section("log").Key("XORM").MustString(",")
+		generateNamedLogger(rootCfg, "xorm", options)
 	}
 }
diff --git a/modules/setting/mailer.go b/modules/setting/mailer.go
index a5d311454d..62a73cb2f3 100644
--- a/modules/setting/mailer.go
+++ b/modules/setting/mailer.go
@@ -12,7 +12,6 @@ import (
 	"code.gitea.io/gitea/modules/log"
 
 	shellquote "github.com/kballard/go-shellquote"
-	ini "gopkg.in/ini.v1"
 )
 
 // Mailer represents mail service.
@@ -50,7 +49,14 @@ type Mailer struct {
 // MailService the global mailer
 var MailService *Mailer
 
-func parseMailerConfig(rootCfg *ini.File) {
+func loadMailsFrom(rootCfg ConfigProvider) {
+	loadMailerFrom(rootCfg)
+	loadRegisterMailFrom(rootCfg)
+	loadNotifyMailFrom(rootCfg)
+	loadIncomingEmailFrom(rootCfg)
+}
+
+func loadMailerFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("mailer")
 	// Check mailer setting.
 	if !sec.Key("ENABLED").MustBool() {
@@ -59,7 +65,7 @@ func parseMailerConfig(rootCfg *ini.File) {
 
 	// Handle Deprecations and map on to new configuration
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "MAILER_TYPE", "mailer", "PROTOCOL")
+	deprecatedSetting(rootCfg, "mailer", "MAILER_TYPE", "mailer", "PROTOCOL")
 	if sec.HasKey("MAILER_TYPE") && !sec.HasKey("PROTOCOL") {
 		if sec.Key("MAILER_TYPE").String() == "sendmail" {
 			sec.Key("PROTOCOL").MustString("sendmail")
@@ -67,7 +73,7 @@ func parseMailerConfig(rootCfg *ini.File) {
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "HOST", "mailer", "SMTP_ADDR")
+	deprecatedSetting(rootCfg, "mailer", "HOST", "mailer", "SMTP_ADDR")
 	if sec.HasKey("HOST") && !sec.HasKey("SMTP_ADDR") {
 		givenHost := sec.Key("HOST").String()
 		addr, port, err := net.SplitHostPort(givenHost)
@@ -84,7 +90,7 @@ func parseMailerConfig(rootCfg *ini.File) {
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "IS_TLS_ENABLED", "mailer", "PROTOCOL")
+	deprecatedSetting(rootCfg, "mailer", "IS_TLS_ENABLED", "mailer", "PROTOCOL")
 	if sec.HasKey("IS_TLS_ENABLED") && !sec.HasKey("PROTOCOL") {
 		if sec.Key("IS_TLS_ENABLED").MustBool() {
 			sec.Key("PROTOCOL").MustString("smtps")
@@ -94,37 +100,37 @@ func parseMailerConfig(rootCfg *ini.File) {
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "DISABLE_HELO", "mailer", "ENABLE_HELO")
+	deprecatedSetting(rootCfg, "mailer", "DISABLE_HELO", "mailer", "ENABLE_HELO")
 	if sec.HasKey("DISABLE_HELO") && !sec.HasKey("ENABLE_HELO") {
 		sec.Key("ENABLE_HELO").MustBool(!sec.Key("DISABLE_HELO").MustBool())
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "SKIP_VERIFY", "mailer", "FORCE_TRUST_SERVER_CERT")
+	deprecatedSetting(rootCfg, "mailer", "SKIP_VERIFY", "mailer", "FORCE_TRUST_SERVER_CERT")
 	if sec.HasKey("SKIP_VERIFY") && !sec.HasKey("FORCE_TRUST_SERVER_CERT") {
 		sec.Key("FORCE_TRUST_SERVER_CERT").MustBool(sec.Key("SKIP_VERIFY").MustBool())
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "USE_CERTIFICATE", "mailer", "USE_CLIENT_CERT")
+	deprecatedSetting(rootCfg, "mailer", "USE_CERTIFICATE", "mailer", "USE_CLIENT_CERT")
 	if sec.HasKey("USE_CERTIFICATE") && !sec.HasKey("USE_CLIENT_CERT") {
 		sec.Key("USE_CLIENT_CERT").MustBool(sec.Key("USE_CERTIFICATE").MustBool())
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "CERT_FILE", "mailer", "CLIENT_CERT_FILE")
+	deprecatedSetting(rootCfg, "mailer", "CERT_FILE", "mailer", "CLIENT_CERT_FILE")
 	if sec.HasKey("CERT_FILE") && !sec.HasKey("CLIENT_CERT_FILE") {
 		sec.Key("CERT_FILE").MustString(sec.Key("CERT_FILE").String())
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "KEY_FILE", "mailer", "CLIENT_KEY_FILE")
+	deprecatedSetting(rootCfg, "mailer", "KEY_FILE", "mailer", "CLIENT_KEY_FILE")
 	if sec.HasKey("KEY_FILE") && !sec.HasKey("CLIENT_KEY_FILE") {
 		sec.Key("KEY_FILE").MustString(sec.Key("KEY_FILE").String())
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting("mailer", "ENABLE_HTML_ALTERNATIVE", "mailer", "SEND_AS_PLAIN_TEXT")
+	deprecatedSetting(rootCfg, "mailer", "ENABLE_HTML_ALTERNATIVE", "mailer", "SEND_AS_PLAIN_TEXT")
 	if sec.HasKey("ENABLE_HTML_ALTERNATIVE") && !sec.HasKey("SEND_AS_PLAIN_TEXT") {
 		sec.Key("SEND_AS_PLAIN_TEXT").MustBool(!sec.Key("ENABLE_HTML_ALTERNATIVE").MustBool(false))
 	}
@@ -237,8 +243,8 @@ func parseMailerConfig(rootCfg *ini.File) {
 	log.Info("Mail Service Enabled")
 }
 
-func newRegisterMailService() {
-	if !Cfg.Section("service").Key("REGISTER_EMAIL_CONFIRM").MustBool() {
+func loadRegisterMailFrom(rootCfg ConfigProvider) {
+	if !rootCfg.Section("service").Key("REGISTER_EMAIL_CONFIRM").MustBool() {
 		return
 	} else if MailService == nil {
 		log.Warn("Register Mail Service: Mail Service is not enabled")
@@ -248,8 +254,8 @@ func newRegisterMailService() {
 	log.Info("Register Mail Service Enabled")
 }
 
-func newNotifyMailService() {
-	if !Cfg.Section("service").Key("ENABLE_NOTIFY_MAIL").MustBool() {
+func loadNotifyMailFrom(rootCfg ConfigProvider) {
+	if !rootCfg.Section("service").Key("ENABLE_NOTIFY_MAIL").MustBool() {
 		return
 	} else if MailService == nil {
 		log.Warn("Notify Mail Service: Mail Service is not enabled")
diff --git a/modules/setting/mailer_test.go b/modules/setting/mailer_test.go
index 0fc9b0e73f..4cfd6142be 100644
--- a/modules/setting/mailer_test.go
+++ b/modules/setting/mailer_test.go
@@ -10,7 +10,7 @@ import (
 	ini "gopkg.in/ini.v1"
 )
 
-func TestParseMailerConfig(t *testing.T) {
+func Test_loadMailerFrom(t *testing.T) {
 	iniFile := ini.Empty()
 	kases := map[string]*Mailer{
 		"smtp.mydomain.com": {
@@ -34,7 +34,7 @@ func TestParseMailerConfig(t *testing.T) {
 			sec.NewKey("HOST", host)
 
 			// Check mailer setting
-			parseMailerConfig(iniFile)
+			loadMailerFrom(iniFile)
 
 			assert.EqualValues(t, kase.SMTPAddr, MailService.SMTPAddr)
 			assert.EqualValues(t, kase.SMTPPort, MailService.SMTPPort)
diff --git a/modules/setting/markup.go b/modules/setting/markup.go
index c262234b6a..b71a902be6 100644
--- a/modules/setting/markup.go
+++ b/modules/setting/markup.go
@@ -25,6 +25,20 @@ const (
 	RenderContentModeIframe      = "iframe"
 )
 
+// Markdown settings
+var Markdown = struct {
+	EnableHardLineBreakInComments  bool
+	EnableHardLineBreakInDocuments bool
+	CustomURLSchemes               []string `ini:"CUSTOM_URL_SCHEMES"`
+	FileExtensions                 []string
+	EnableMath                     bool
+}{
+	EnableHardLineBreakInComments:  true,
+	EnableHardLineBreakInDocuments: false,
+	FileExtensions:                 strings.Split(".md,.markdown,.mdown,.mkd", ","),
+	EnableMath:                     true,
+}
+
 // MarkupRenderer defines the external parser configured in ini
 type MarkupRenderer struct {
 	Enabled              bool
@@ -46,12 +60,14 @@ type MarkupSanitizerRule struct {
 	AllowDataURIImages bool
 }
 
-func newMarkup() {
-	MermaidMaxSourceCharacters = Cfg.Section("markup").Key("MERMAID_MAX_SOURCE_CHARACTERS").MustInt(5000)
+func loadMarkupFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "markdown", &Markdown)
+
+	MermaidMaxSourceCharacters = rootCfg.Section("markup").Key("MERMAID_MAX_SOURCE_CHARACTERS").MustInt(5000)
 	ExternalMarkupRenderers = make([]*MarkupRenderer, 0, 10)
 	ExternalSanitizerRules = make([]MarkupSanitizerRule, 0, 10)
 
-	for _, sec := range Cfg.Section("markup").ChildSections() {
+	for _, sec := range rootCfg.Section("markup").ChildSections() {
 		name := strings.TrimPrefix(sec.Name(), "markup.")
 		if name == "" {
 			log.Warn("name is empty, markup " + sec.Name() + "ignored")
diff --git a/modules/setting/metrics.go b/modules/setting/metrics.go
new file mode 100644
index 0000000000..daa0e3b70b
--- /dev/null
+++ b/modules/setting/metrics.go
@@ -0,0 +1,21 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+// Metrics settings
+var Metrics = struct {
+	Enabled                  bool
+	Token                    string
+	EnabledIssueByLabel      bool
+	EnabledIssueByRepository bool
+}{
+	Enabled:                  false,
+	Token:                    "",
+	EnabledIssueByLabel:      false,
+	EnabledIssueByRepository: false,
+}
+
+func loadMetricsFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "metrics", &Metrics)
+}
diff --git a/modules/setting/migrations.go b/modules/setting/migrations.go
index 2f6d08b6b8..5a6079b6e2 100644
--- a/modules/setting/migrations.go
+++ b/modules/setting/migrations.go
@@ -16,8 +16,8 @@ var Migrations = struct {
 	RetryBackoff: 3,
 }
 
-func newMigrationsService() {
-	sec := Cfg.Section("migrations")
+func loadMigrationsFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("migrations")
 	Migrations.MaxAttempts = sec.Key("MAX_ATTEMPTS").MustInt(Migrations.MaxAttempts)
 	Migrations.RetryBackoff = sec.Key("RETRY_BACKOFF").MustInt(Migrations.RetryBackoff)
 
diff --git a/modules/setting/mime_type_map.go b/modules/setting/mime_type_map.go
index 6a0847bd7e..55cb2c028d 100644
--- a/modules/setting/mime_type_map.go
+++ b/modules/setting/mime_type_map.go
@@ -14,8 +14,8 @@ var MimeTypeMap = struct {
 	Map:     map[string]string{},
 }
 
-func newMimeTypeMap() {
-	sec := Cfg.Section("repository.mimetype_mapping")
+func loadMimeTypeMapFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("repository.mimetype_mapping")
 	keys := sec.Keys()
 	m := make(map[string]string, len(keys))
 	for _, key := range keys {
diff --git a/modules/setting/mirror.go b/modules/setting/mirror.go
index 9ddce97daf..875062f522 100644
--- a/modules/setting/mirror.go
+++ b/modules/setting/mirror.go
@@ -24,16 +24,16 @@ var Mirror = struct {
 	DefaultInterval: 8 * time.Hour,
 }
 
-func newMirror() {
+func loadMirrorFrom(rootCfg ConfigProvider) {
 	// Handle old configuration through `[repository]` `DISABLE_MIRRORS`
 	// - please note this was badly named and only disabled the creation of new pull mirrors
 	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting("repository", "DISABLE_MIRRORS", "mirror", "ENABLED")
-	if Cfg.Section("repository").Key("DISABLE_MIRRORS").MustBool(false) {
+	deprecatedSetting(rootCfg, "repository", "DISABLE_MIRRORS", "mirror", "ENABLED")
+	if rootCfg.Section("repository").Key("DISABLE_MIRRORS").MustBool(false) {
 		Mirror.DisableNewPull = true
 	}
 
-	if err := Cfg.Section("mirror").MapTo(&Mirror); err != nil {
+	if err := rootCfg.Section("mirror").MapTo(&Mirror); err != nil {
 		log.Fatal("Failed to map Mirror settings: %v", err)
 	}
 
diff --git a/modules/setting/oauth2_client.go b/modules/setting/oauth2.go
similarity index 74%
rename from modules/setting/oauth2_client.go
rename to modules/setting/oauth2.go
index 6492af82d2..44f5568ef4 100644
--- a/modules/setting/oauth2_client.go
+++ b/modules/setting/oauth2.go
@@ -4,6 +4,9 @@
 package setting
 
 import (
+	"math"
+	"path/filepath"
+
 	"code.gitea.io/gitea/modules/log"
 
 	"gopkg.in/ini.v1"
@@ -59,8 +62,8 @@ var OAuth2Client struct {
 	AccountLinking         OAuth2AccountLinkingType
 }
 
-func newOAuth2Client() {
-	sec := Cfg.Section("oauth2_client")
+func loadOAuth2ClientFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("oauth2_client")
 	OAuth2Client.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
 	OAuth2Client.OpenIDConnectScopes = parseScopes(sec, "OPENID_CONNECT_SCOPES")
 	OAuth2Client.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
@@ -87,3 +90,33 @@ func parseScopes(sec *ini.Section, name string) []string {
 	}
 	return scopes
 }
+
+var OAuth2 = struct {
+	Enable                     bool
+	AccessTokenExpirationTime  int64
+	RefreshTokenExpirationTime int64
+	InvalidateRefreshTokens    bool
+	JWTSigningAlgorithm        string `ini:"JWT_SIGNING_ALGORITHM"`
+	JWTSecretBase64            string `ini:"JWT_SECRET"`
+	JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
+	MaxTokenLength             int
+}{
+	Enable:                     true,
+	AccessTokenExpirationTime:  3600,
+	RefreshTokenExpirationTime: 730,
+	InvalidateRefreshTokens:    false,
+	JWTSigningAlgorithm:        "RS256",
+	JWTSigningPrivateKeyFile:   "jwt/private.pem",
+	MaxTokenLength:             math.MaxInt16,
+}
+
+func loadOAuth2From(rootCfg ConfigProvider) {
+	if err := rootCfg.Section("oauth2").MapTo(&OAuth2); err != nil {
+		log.Fatal("Failed to OAuth2 settings: %v", err)
+		return
+	}
+
+	if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
+		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
+	}
+}
diff --git a/modules/setting/other.go b/modules/setting/other.go
new file mode 100644
index 0000000000..4fba754a08
--- /dev/null
+++ b/modules/setting/other.go
@@ -0,0 +1,22 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+var (
+	// Other settings
+	ShowFooterBranding         bool
+	ShowFooterVersion          bool
+	ShowFooterTemplateLoadTime bool
+	EnableFeed                 bool
+	EnableSitemap              bool
+)
+
+func loadOtherFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("other")
+	ShowFooterBranding = sec.Key("SHOW_FOOTER_BRANDING").MustBool(false)
+	ShowFooterVersion = sec.Key("SHOW_FOOTER_VERSION").MustBool(true)
+	ShowFooterTemplateLoadTime = sec.Key("SHOW_FOOTER_TEMPLATE_LOAD_TIME").MustBool(true)
+	EnableSitemap = sec.Key("ENABLE_SITEMAP").MustBool(true)
+	EnableFeed = sec.Key("ENABLE_FEED").MustBool(true)
+}
diff --git a/modules/setting/packages.go b/modules/setting/packages.go
index 84da4eb53e..13599e5a63 100644
--- a/modules/setting/packages.go
+++ b/modules/setting/packages.go
@@ -46,13 +46,13 @@ var (
 	}
 )
 
-func newPackages() {
-	sec := Cfg.Section("packages")
+func loadPackagesFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("packages")
 	if err := sec.MapTo(&Packages); err != nil {
 		log.Fatal("Failed to map Packages settings: %v", err)
 	}
 
-	Packages.Storage = getStorage("packages", "", nil)
+	Packages.Storage = getStorage(rootCfg, "packages", "", nil)
 
 	appURL, _ := url.Parse(AppURL)
 	Packages.RegistryHost = appURL.Host
diff --git a/modules/setting/picture.go b/modules/setting/picture.go
index a814af822f..6d7c8b33ce 100644
--- a/modules/setting/picture.go
+++ b/modules/setting/picture.go
@@ -32,16 +32,16 @@ var (
 	}{}
 )
 
-func newPictureService() {
-	sec := Cfg.Section("picture")
+func loadPictureFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("picture")
 
-	avatarSec := Cfg.Section("avatar")
+	avatarSec := rootCfg.Section("avatar")
 	storageType := sec.Key("AVATAR_STORAGE_TYPE").MustString("")
 	// Specifically default PATH to AVATAR_UPLOAD_PATH
 	avatarSec.Key("PATH").MustString(
 		sec.Key("AVATAR_UPLOAD_PATH").String())
 
-	Avatar.Storage = getStorage("avatars", storageType, avatarSec)
+	Avatar.Storage = getStorage(rootCfg, "avatars", storageType, avatarSec)
 
 	Avatar.MaxWidth = sec.Key("AVATAR_MAX_WIDTH").MustInt(4096)
 	Avatar.MaxHeight = sec.Key("AVATAR_MAX_HEIGHT").MustInt(3072)
@@ -60,11 +60,11 @@ func newPictureService() {
 	}
 
 	DisableGravatar = sec.Key("DISABLE_GRAVATAR").MustBool(GetDefaultDisableGravatar())
-	deprecatedSettingDB("", "DISABLE_GRAVATAR")
+	deprecatedSettingDB(rootCfg, "", "DISABLE_GRAVATAR")
 	EnableFederatedAvatar = sec.Key("ENABLE_FEDERATED_AVATAR").MustBool(GetDefaultEnableFederatedAvatar(DisableGravatar))
-	deprecatedSettingDB("", "ENABLE_FEDERATED_AVATAR")
+	deprecatedSettingDB(rootCfg, "", "ENABLE_FEDERATED_AVATAR")
 
-	newRepoAvatarService()
+	loadRepoAvatarFrom(rootCfg)
 }
 
 func GetDefaultDisableGravatar() bool {
@@ -82,16 +82,16 @@ func GetDefaultEnableFederatedAvatar(disableGravatar bool) bool {
 	return v
 }
 
-func newRepoAvatarService() {
-	sec := Cfg.Section("picture")
+func loadRepoAvatarFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("picture")
 
-	repoAvatarSec := Cfg.Section("repo-avatar")
+	repoAvatarSec := rootCfg.Section("repo-avatar")
 	storageType := sec.Key("REPOSITORY_AVATAR_STORAGE_TYPE").MustString("")
 	// Specifically default PATH to AVATAR_UPLOAD_PATH
 	repoAvatarSec.Key("PATH").MustString(
 		sec.Key("REPOSITORY_AVATAR_UPLOAD_PATH").String())
 
-	RepoAvatar.Storage = getStorage("repo-avatars", storageType, repoAvatarSec)
+	RepoAvatar.Storage = getStorage(rootCfg, "repo-avatars", storageType, repoAvatarSec)
 
 	RepoAvatar.Fallback = sec.Key("REPOSITORY_AVATAR_FALLBACK").MustString("none")
 	RepoAvatar.FallbackImage = sec.Key("REPOSITORY_AVATAR_FALLBACK_IMAGE").MustString("/assets/img/repo_default.png")
diff --git a/modules/setting/project.go b/modules/setting/project.go
index 53e09e8dad..803e933b88 100644
--- a/modules/setting/project.go
+++ b/modules/setting/project.go
@@ -3,8 +3,6 @@
 
 package setting
 
-import "code.gitea.io/gitea/modules/log"
-
 // Project settings
 var (
 	Project = struct {
@@ -16,8 +14,6 @@ var (
 	}
 )
 
-func newProject() {
-	if err := Cfg.Section("project").MapTo(&Project); err != nil {
-		log.Fatal("Failed to map Project settings: %v", err)
-	}
+func loadProjectFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "project", &Project)
 }
diff --git a/modules/setting/proxy.go b/modules/setting/proxy.go
index fed33395ed..4ff420d090 100644
--- a/modules/setting/proxy.go
+++ b/modules/setting/proxy.go
@@ -21,8 +21,8 @@ var Proxy = struct {
 	ProxyHosts: []string{},
 }
 
-func newProxyService() {
-	sec := Cfg.Section("proxy")
+func loadProxyFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("proxy")
 	Proxy.Enabled = sec.Key("PROXY_ENABLED").MustBool(false)
 	Proxy.ProxyURL = sec.Key("PROXY_URL").MustString("")
 	if Proxy.ProxyURL != "" {
diff --git a/modules/setting/queue.go b/modules/setting/queue.go
index a67d0d849a..bd4bf48e33 100644
--- a/modules/setting/queue.go
+++ b/modules/setting/queue.go
@@ -39,8 +39,12 @@ var Queue = QueueSettings{}
 
 // GetQueueSettings returns the queue settings for the appropriately named queue
 func GetQueueSettings(name string) QueueSettings {
+	return getQueueSettings(CfgProvider, name)
+}
+
+func getQueueSettings(rootCfg ConfigProvider, name string) QueueSettings {
 	q := QueueSettings{}
-	sec := Cfg.Section("queue." + name)
+	sec := rootCfg.Section("queue." + name)
 	q.Name = name
 
 	// DataDir is not directly inheritable
@@ -82,10 +86,14 @@ func GetQueueSettings(name string) QueueSettings {
 	return q
 }
 
-// NewQueueService sets up the default settings for Queues
+// LoadQueueSettings sets up the default settings for Queues
 // This is exported for tests to be able to use the queue
-func NewQueueService() {
-	sec := Cfg.Section("queue")
+func LoadQueueSettings() {
+	loadQueueFrom(CfgProvider)
+}
+
+func loadQueueFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("queue")
 	Queue.DataDir = filepath.ToSlash(sec.Key("DATADIR").MustString("queues/"))
 	if !filepath.IsAbs(Queue.DataDir) {
 		Queue.DataDir = filepath.ToSlash(filepath.Join(AppDataPath, Queue.DataDir))
@@ -108,10 +116,10 @@ func NewQueueService() {
 
 	// Now handle the old issue_indexer configuration
 	// FIXME: DEPRECATED to be removed in v1.18.0
-	section := Cfg.Section("queue.issue_indexer")
+	section := rootCfg.Section("queue.issue_indexer")
 	directlySet := toDirectlySetKeysSet(section)
 	if !directlySet.Contains("TYPE") && defaultType == "" {
-		switch typ := Cfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_TYPE").MustString(""); typ {
+		switch typ := rootCfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_TYPE").MustString(""); typ {
 		case "levelqueue":
 			_, _ = section.NewKey("TYPE", "level")
 		case "channel":
@@ -125,25 +133,25 @@ func NewQueueService() {
 		}
 	}
 	if !directlySet.Contains("LENGTH") {
-		length := Cfg.Section("indexer").Key("UPDATE_BUFFER_LEN").MustInt(0)
+		length := rootCfg.Section("indexer").Key("UPDATE_BUFFER_LEN").MustInt(0)
 		if length != 0 {
 			_, _ = section.NewKey("LENGTH", strconv.Itoa(length))
 		}
 	}
 	if !directlySet.Contains("BATCH_LENGTH") {
-		fallback := Cfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_BATCH_NUMBER").MustInt(0)
+		fallback := rootCfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_BATCH_NUMBER").MustInt(0)
 		if fallback != 0 {
 			_, _ = section.NewKey("BATCH_LENGTH", strconv.Itoa(fallback))
 		}
 	}
 	if !directlySet.Contains("DATADIR") {
-		queueDir := filepath.ToSlash(Cfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_DIR").MustString(""))
+		queueDir := filepath.ToSlash(rootCfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_DIR").MustString(""))
 		if queueDir != "" {
 			_, _ = section.NewKey("DATADIR", queueDir)
 		}
 	}
 	if !directlySet.Contains("CONN_STR") {
-		connStr := Cfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_CONN_STR").MustString("")
+		connStr := rootCfg.Section("indexer").Key("ISSUE_INDEXER_QUEUE_CONN_STR").MustString("")
 		if connStr != "" {
 			_, _ = section.NewKey("CONN_STR", connStr)
 		}
@@ -153,31 +161,31 @@ func NewQueueService() {
 	// - will need to set default for [queue.*)] LENGTH appropriately though though
 
 	// Handle the old mailer configuration
-	handleOldLengthConfiguration("mailer", "mailer", "SEND_BUFFER_LEN", 100)
+	handleOldLengthConfiguration(rootCfg, "mailer", "mailer", "SEND_BUFFER_LEN", 100)
 
 	// Handle the old test pull requests configuration
 	// Please note this will be a unique queue
-	handleOldLengthConfiguration("pr_patch_checker", "repository", "PULL_REQUEST_QUEUE_LENGTH", 1000)
+	handleOldLengthConfiguration(rootCfg, "pr_patch_checker", "repository", "PULL_REQUEST_QUEUE_LENGTH", 1000)
 
 	// Handle the old mirror queue configuration
 	// Please note this will be a unique queue
-	handleOldLengthConfiguration("mirror", "repository", "MIRROR_QUEUE_LENGTH", 1000)
+	handleOldLengthConfiguration(rootCfg, "mirror", "repository", "MIRROR_QUEUE_LENGTH", 1000)
 }
 
 // handleOldLengthConfiguration allows fallback to older configuration. `[queue.name]` `LENGTH` will override this configuration, but
 // if that is left unset then we should fallback to the older configuration. (Except where the new length woul be <=0)
-func handleOldLengthConfiguration(queueName, oldSection, oldKey string, defaultValue int) {
-	if Cfg.Section(oldSection).HasKey(oldKey) {
+func handleOldLengthConfiguration(rootCfg ConfigProvider, queueName, oldSection, oldKey string, defaultValue int) {
+	if rootCfg.Section(oldSection).HasKey(oldKey) {
 		log.Error("Deprecated fallback for %s queue length `[%s]` `%s` present. Use `[queue.%s]` `LENGTH`. This will be removed in v1.18.0", queueName, queueName, oldSection, oldKey)
 	}
-	value := Cfg.Section(oldSection).Key(oldKey).MustInt(defaultValue)
+	value := rootCfg.Section(oldSection).Key(oldKey).MustInt(defaultValue)
 
 	// Don't override with 0
 	if value <= 0 {
 		return
 	}
 
-	section := Cfg.Section("queue." + queueName)
+	section := rootCfg.Section("queue." + queueName)
 	directlySet := toDirectlySetKeysSet(section)
 	if !directlySet.Contains("LENGTH") {
 		_, _ = section.NewKey("LENGTH", strconv.Itoa(value))
diff --git a/modules/setting/repository.go b/modules/setting/repository.go
index f53de17a4d..4964704dba 100644
--- a/modules/setting/repository.go
+++ b/modules/setting/repository.go
@@ -270,10 +270,10 @@ var (
 	}{}
 )
 
-func newRepository() {
+func loadRepositoryFrom(rootCfg ConfigProvider) {
 	var err error
 	// Determine and create root git repository path.
-	sec := Cfg.Section("repository")
+	sec := rootCfg.Section("repository")
 	Repository.DisableHTTPGit = sec.Key("DISABLE_HTTP_GIT").MustBool()
 	Repository.UseCompatSSHURI = sec.Key("USE_COMPAT_SSH_URI").MustBool()
 	Repository.MaxCreationLimit = sec.Key("MAX_CREATION_LIMIT").MustInt(-1)
@@ -295,19 +295,19 @@ func newRepository() {
 		log.Warn("SCRIPT_TYPE %q is not on the current PATH. Are you sure that this is the correct SCRIPT_TYPE?", ScriptType)
 	}
 
-	if err = Cfg.Section("repository").MapTo(&Repository); err != nil {
+	if err = sec.MapTo(&Repository); err != nil {
 		log.Fatal("Failed to map Repository settings: %v", err)
-	} else if err = Cfg.Section("repository.editor").MapTo(&Repository.Editor); err != nil {
+	} else if err = rootCfg.Section("repository.editor").MapTo(&Repository.Editor); err != nil {
 		log.Fatal("Failed to map Repository.Editor settings: %v", err)
-	} else if err = Cfg.Section("repository.upload").MapTo(&Repository.Upload); err != nil {
+	} else if err = rootCfg.Section("repository.upload").MapTo(&Repository.Upload); err != nil {
 		log.Fatal("Failed to map Repository.Upload settings: %v", err)
-	} else if err = Cfg.Section("repository.local").MapTo(&Repository.Local); err != nil {
+	} else if err = rootCfg.Section("repository.local").MapTo(&Repository.Local); err != nil {
 		log.Fatal("Failed to map Repository.Local settings: %v", err)
-	} else if err = Cfg.Section("repository.pull-request").MapTo(&Repository.PullRequest); err != nil {
+	} else if err = rootCfg.Section("repository.pull-request").MapTo(&Repository.PullRequest); err != nil {
 		log.Fatal("Failed to map Repository.PullRequest settings: %v", err)
 	}
 
-	if !Cfg.Section("packages").Key("ENABLED").MustBool(true) {
+	if !rootCfg.Section("packages").Key("ENABLED").MustBool(true) {
 		Repository.DisabledRepoUnits = append(Repository.DisabledRepoUnits, "repo.packages")
 	}
 
@@ -354,5 +354,5 @@ func newRepository() {
 		Repository.Upload.TempPath = path.Join(AppWorkPath, Repository.Upload.TempPath)
 	}
 
-	RepoArchive.Storage = getStorage("repo-archive", "", nil)
+	RepoArchive.Storage = getStorage(rootCfg, "repo-archive", "", nil)
 }
diff --git a/modules/setting/security.go b/modules/setting/security.go
new file mode 100644
index 0000000000..b9841cdb95
--- /dev/null
+++ b/modules/setting/security.go
@@ -0,0 +1,158 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/url"
+	"os"
+	"strings"
+
+	"code.gitea.io/gitea/modules/auth/password/hash"
+	"code.gitea.io/gitea/modules/generate"
+	"code.gitea.io/gitea/modules/log"
+
+	ini "gopkg.in/ini.v1"
+)
+
+var (
+	// Security settings
+	InstallLock                        bool
+	SecretKey                          string
+	InternalToken                      string // internal access token
+	LogInRememberDays                  int
+	CookieUserName                     string
+	CookieRememberName                 string
+	ReverseProxyAuthUser               string
+	ReverseProxyAuthEmail              string
+	ReverseProxyAuthFullName           string
+	ReverseProxyLimit                  int
+	ReverseProxyTrustedProxies         []string
+	MinPasswordLength                  int
+	ImportLocalPaths                   bool
+	DisableGitHooks                    bool
+	DisableWebhooks                    bool
+	OnlyAllowPushIfGiteaEnvironmentSet bool
+	PasswordComplexity                 []string
+	PasswordHashAlgo                   string
+	PasswordCheckPwn                   bool
+	SuccessfulTokensCacheSize          int
+	CSRFCookieName                     = "_csrf"
+	CSRFCookieHTTPOnly                 = true
+)
+
+// loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
+// If the secret is loaded from uriKey (file), the file should be non-empty, to guarantee the behavior stable and clear.
+func loadSecret(sec *ini.Section, uriKey, verbatimKey string) string {
+	// don't allow setting both URI and verbatim string
+	uri := sec.Key(uriKey).String()
+	verbatim := sec.Key(verbatimKey).String()
+	if uri != "" && verbatim != "" {
+		log.Fatal("Cannot specify both %s and %s", uriKey, verbatimKey)
+	}
+
+	// if we have no URI, use verbatim
+	if uri == "" {
+		return verbatim
+	}
+
+	tempURI, err := url.Parse(uri)
+	if err != nil {
+		log.Fatal("Failed to parse %s (%s): %v", uriKey, uri, err)
+	}
+	switch tempURI.Scheme {
+	case "file":
+		buf, err := os.ReadFile(tempURI.RequestURI())
+		if err != nil {
+			log.Fatal("Failed to read %s (%s): %v", uriKey, tempURI.RequestURI(), err)
+		}
+		val := strings.TrimSpace(string(buf))
+		if val == "" {
+			// The file shouldn't be empty, otherwise we can not know whether the user has ever set the KEY or KEY_URI
+			// For example: if INTERNAL_TOKEN_URI=file:///empty-file,
+			// Then if the token is re-generated during installation and saved to INTERNAL_TOKEN
+			// Then INTERNAL_TOKEN and INTERNAL_TOKEN_URI both exist, that's a fatal error (they shouldn't)
+			log.Fatal("Failed to read %s (%s): the file is empty", uriKey, tempURI.RequestURI())
+		}
+		return val
+
+	// only file URIs are allowed
+	default:
+		log.Fatal("Unsupported URI-Scheme %q (INTERNAL_TOKEN_URI = %q)", tempURI.Scheme, uri)
+		return ""
+	}
+}
+
+// generateSaveInternalToken generates and saves the internal token to app.ini
+func generateSaveInternalToken() {
+	token, err := generate.NewInternalToken()
+	if err != nil {
+		log.Fatal("Error generate internal token: %v", err)
+	}
+
+	InternalToken = token
+	CreateOrAppendToCustomConf("security.INTERNAL_TOKEN", func(cfg *ini.File) {
+		cfg.Section("security").Key("INTERNAL_TOKEN").SetValue(token)
+	})
+}
+
+func loadSecurityFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("security")
+	InstallLock = sec.Key("INSTALL_LOCK").MustBool(false)
+	LogInRememberDays = sec.Key("LOGIN_REMEMBER_DAYS").MustInt(7)
+	CookieUserName = sec.Key("COOKIE_USERNAME").MustString("gitea_awesome")
+	SecretKey = loadSecret(sec, "SECRET_KEY_URI", "SECRET_KEY")
+	if SecretKey == "" {
+		// FIXME: https://github.com/go-gitea/gitea/issues/16832
+		// Until it supports rotating an existing secret key, we shouldn't move users off of the widely used default value
+		SecretKey = "!#@FDEWREWR&*(" //nolint:gosec
+	}
+
+	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible")
+
+	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
+	ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
+	ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")
+
+	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
+	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
+	if len(ReverseProxyTrustedProxies) == 0 {
+		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
+	}
+
+	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
+	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
+	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
+	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
+	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
+
+	// Ensure that the provided default hash algorithm is a valid hash algorithm
+	var algorithm *hash.PasswordHashAlgorithm
+	PasswordHashAlgo, algorithm = hash.SetDefaultPasswordHashAlgorithm(sec.Key("PASSWORD_HASH_ALGO").MustString(""))
+	if algorithm == nil {
+		log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString(""))
+	}
+
+	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
+	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
+	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
+
+	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
+	if InstallLock && InternalToken == "" {
+		// if Gitea has been installed but the InternalToken hasn't been generated (upgrade from an old release), we should generate
+		// some users do cluster deployment, they still depend on this auto-generating behavior.
+		generateSaveInternalToken()
+	}
+
+	cfgdata := sec.Key("PASSWORD_COMPLEXITY").Strings(",")
+	if len(cfgdata) == 0 {
+		cfgdata = []string{"off"}
+	}
+	PasswordComplexity = make([]string, 0, len(cfgdata))
+	for _, name := range cfgdata {
+		name := strings.ToLower(strings.Trim(name, `"`))
+		if name != "" {
+			PasswordComplexity = append(PasswordComplexity, name)
+		}
+	}
+}
diff --git a/modules/setting/server.go b/modules/setting/server.go
new file mode 100644
index 0000000000..6b0f3752e1
--- /dev/null
+++ b/modules/setting/server.go
@@ -0,0 +1,356 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"encoding/base64"
+	"net"
+	"net/url"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
+)
+
+// Scheme describes protocol types
+type Scheme string
+
+// enumerates all the scheme types
+const (
+	HTTP     Scheme = "http"
+	HTTPS    Scheme = "https"
+	FCGI     Scheme = "fcgi"
+	FCGIUnix Scheme = "fcgi+unix"
+	HTTPUnix Scheme = "http+unix"
+)
+
+// LandingPage describes the default page
+type LandingPage string
+
+// enumerates all the landing page types
+const (
+	LandingPageHome          LandingPage = "/"
+	LandingPageExplore       LandingPage = "/explore"
+	LandingPageOrganizations LandingPage = "/explore/organizations"
+	LandingPageLogin         LandingPage = "/user/login"
+)
+
+var (
+	// AppName is the Application name, used in the page title.
+	// It maps to ini:"APP_NAME"
+	AppName string
+	// AppURL is the Application ROOT_URL. It always has a '/' suffix
+	// It maps to ini:"ROOT_URL"
+	AppURL string
+	// AppSubURL represents the sub-url mounting point for gitea. It is either "" or starts with '/' and ends without '/', such as '/{subpath}'.
+	// This value is empty if site does not have sub-url.
+	AppSubURL string
+	// AppDataPath is the default path for storing data.
+	// It maps to ini:"APP_DATA_PATH" in [server] and defaults to AppWorkPath + "/data"
+	AppDataPath string
+	// LocalURL is the url for locally running applications to contact Gitea. It always has a '/' suffix
+	// It maps to ini:"LOCAL_ROOT_URL" in [server]
+	LocalURL string
+	// AssetVersion holds a opaque value that is used for cache-busting assets
+	AssetVersion string
+
+	// Server settings
+	Protocol                   Scheme
+	UseProxyProtocol           bool // `ini:"USE_PROXY_PROTOCOL"`
+	ProxyProtocolTLSBridging   bool //`ini:"PROXY_PROTOCOL_TLS_BRIDGING"`
+	ProxyProtocolHeaderTimeout time.Duration
+	ProxyProtocolAcceptUnknown bool
+	Domain                     string
+	HTTPAddr                   string
+	HTTPPort                   string
+	LocalUseProxyProtocol      bool
+	RedirectOtherPort          bool
+	RedirectorUseProxyProtocol bool
+	PortToRedirect             string
+	OfflineMode                bool
+	CertFile                   string
+	KeyFile                    string
+	StaticRootPath             string
+	StaticCacheTime            time.Duration
+	EnableGzip                 bool
+	LandingPageURL             LandingPage
+	LandingPageCustom          string
+	UnixSocketPermission       uint32
+	EnablePprof                bool
+	PprofDataPath              string
+	EnableAcme                 bool
+	AcmeTOS                    bool
+	AcmeLiveDirectory          string
+	AcmeEmail                  string
+	AcmeURL                    string
+	AcmeCARoot                 string
+	SSLMinimumVersion          string
+	SSLMaximumVersion          string
+	SSLCurvePreferences        []string
+	SSLCipherSuites            []string
+	GracefulRestartable        bool
+	GracefulHammerTime         time.Duration
+	StartupTimeout             time.Duration
+	PerWriteTimeout            = 30 * time.Second
+	PerWritePerKbTimeout       = 10 * time.Second
+	StaticURLPrefix            string
+	AbsoluteAssetURL           string
+
+	HasRobotsTxt bool
+	ManifestData string
+)
+
+// MakeManifestData generates web app manifest JSON
+func MakeManifestData(appName, appURL, absoluteAssetURL string) []byte {
+	type manifestIcon struct {
+		Src   string `json:"src"`
+		Type  string `json:"type"`
+		Sizes string `json:"sizes"`
+	}
+
+	type manifestJSON struct {
+		Name      string         `json:"name"`
+		ShortName string         `json:"short_name"`
+		StartURL  string         `json:"start_url"`
+		Icons     []manifestIcon `json:"icons"`
+	}
+
+	bytes, err := json.Marshal(&manifestJSON{
+		Name:      appName,
+		ShortName: appName,
+		StartURL:  appURL,
+		Icons: []manifestIcon{
+			{
+				Src:   absoluteAssetURL + "/assets/img/logo.png",
+				Type:  "image/png",
+				Sizes: "512x512",
+			},
+			{
+				Src:   absoluteAssetURL + "/assets/img/logo.svg",
+				Type:  "image/svg+xml",
+				Sizes: "512x512",
+			},
+		},
+	})
+	if err != nil {
+		log.Error("unable to marshal manifest JSON. Error: %v", err)
+		return make([]byte, 0)
+	}
+
+	return bytes
+}
+
+// MakeAbsoluteAssetURL returns the absolute asset url prefix without a trailing slash
+func MakeAbsoluteAssetURL(appURL, staticURLPrefix string) string {
+	parsedPrefix, err := url.Parse(strings.TrimSuffix(staticURLPrefix, "/"))
+	if err != nil {
+		log.Fatal("Unable to parse STATIC_URL_PREFIX: %v", err)
+	}
+
+	if err == nil && parsedPrefix.Hostname() == "" {
+		if staticURLPrefix == "" {
+			return strings.TrimSuffix(appURL, "/")
+		}
+
+		// StaticURLPrefix is just a path
+		return util.URLJoin(appURL, strings.TrimSuffix(staticURLPrefix, "/"))
+	}
+
+	return strings.TrimSuffix(staticURLPrefix, "/")
+}
+
+func loadServerFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("server")
+	AppName = rootCfg.Section("").Key("APP_NAME").MustString("Gitea: Git with a cup of tea")
+
+	Domain = sec.Key("DOMAIN").MustString("localhost")
+	HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
+	HTTPPort = sec.Key("HTTP_PORT").MustString("3000")
+
+	Protocol = HTTP
+	protocolCfg := sec.Key("PROTOCOL").String()
+	switch protocolCfg {
+	case "https":
+		Protocol = HTTPS
+		// FIXME: DEPRECATED to be removed in v1.18.0
+		if sec.HasKey("ENABLE_ACME") {
+			EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
+		} else {
+			deprecatedSetting(rootCfg, "server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME")
+			EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
+		}
+		if EnableAcme {
+			AcmeURL = sec.Key("ACME_URL").MustString("")
+			AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_ACCEPTTOS") {
+				AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
+			} else {
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+				AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
+			}
+			if !AcmeTOS {
+				log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
+			}
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_DIRECTORY") {
+				AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https")
+			} else {
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY")
+				AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
+			}
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_EMAIL") {
+				AcmeEmail = sec.Key("ACME_EMAIL").MustString("")
+			} else {
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL")
+				AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+			}
+		} else {
+			CertFile = sec.Key("CERT_FILE").String()
+			KeyFile = sec.Key("KEY_FILE").String()
+			if len(CertFile) > 0 && !filepath.IsAbs(CertFile) {
+				CertFile = filepath.Join(CustomPath, CertFile)
+			}
+			if len(KeyFile) > 0 && !filepath.IsAbs(KeyFile) {
+				KeyFile = filepath.Join(CustomPath, KeyFile)
+			}
+		}
+		SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+		SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+		SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+		SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
+	case "fcgi":
+		Protocol = FCGI
+	case "fcgi+unix", "unix", "http+unix":
+		switch protocolCfg {
+		case "fcgi+unix":
+			Protocol = FCGIUnix
+		case "unix":
+			log.Warn("unix PROTOCOL value is deprecated, please use http+unix")
+			fallthrough
+		case "http+unix":
+			Protocol = HTTPUnix
+		}
+		UnixSocketPermissionRaw := sec.Key("UNIX_SOCKET_PERMISSION").MustString("666")
+		UnixSocketPermissionParsed, err := strconv.ParseUint(UnixSocketPermissionRaw, 8, 32)
+		if err != nil || UnixSocketPermissionParsed > 0o777 {
+			log.Fatal("Failed to parse unixSocketPermission: %s", UnixSocketPermissionRaw)
+		}
+
+		UnixSocketPermission = uint32(UnixSocketPermissionParsed)
+		if !filepath.IsAbs(HTTPAddr) {
+			HTTPAddr = filepath.Join(AppWorkPath, HTTPAddr)
+		}
+	}
+	UseProxyProtocol = sec.Key("USE_PROXY_PROTOCOL").MustBool(false)
+	ProxyProtocolTLSBridging = sec.Key("PROXY_PROTOCOL_TLS_BRIDGING").MustBool(false)
+	ProxyProtocolHeaderTimeout = sec.Key("PROXY_PROTOCOL_HEADER_TIMEOUT").MustDuration(5 * time.Second)
+	ProxyProtocolAcceptUnknown = sec.Key("PROXY_PROTOCOL_ACCEPT_UNKNOWN").MustBool(false)
+	GracefulRestartable = sec.Key("ALLOW_GRACEFUL_RESTARTS").MustBool(true)
+	GracefulHammerTime = sec.Key("GRACEFUL_HAMMER_TIME").MustDuration(60 * time.Second)
+	StartupTimeout = sec.Key("STARTUP_TIMEOUT").MustDuration(0 * time.Second)
+	PerWriteTimeout = sec.Key("PER_WRITE_TIMEOUT").MustDuration(PerWriteTimeout)
+	PerWritePerKbTimeout = sec.Key("PER_WRITE_PER_KB_TIMEOUT").MustDuration(PerWritePerKbTimeout)
+
+	defaultAppURL := string(Protocol) + "://" + Domain + ":" + HTTPPort
+	AppURL = sec.Key("ROOT_URL").MustString(defaultAppURL)
+
+	// Check validity of AppURL
+	appURL, err := url.Parse(AppURL)
+	if err != nil {
+		log.Fatal("Invalid ROOT_URL '%s': %s", AppURL, err)
+	}
+	// Remove default ports from AppURL.
+	// (scheme-based URL normalization, RFC 3986 section 6.2.3)
+	if (appURL.Scheme == string(HTTP) && appURL.Port() == "80") || (appURL.Scheme == string(HTTPS) && appURL.Port() == "443") {
+		appURL.Host = appURL.Hostname()
+	}
+	// This should be TrimRight to ensure that there is only a single '/' at the end of AppURL.
+	AppURL = strings.TrimRight(appURL.String(), "/") + "/"
+
+	// Suburl should start with '/' and end without '/', such as '/{subpath}'.
+	// This value is empty if site does not have sub-url.
+	AppSubURL = strings.TrimSuffix(appURL.Path, "/")
+	StaticURLPrefix = strings.TrimSuffix(sec.Key("STATIC_URL_PREFIX").MustString(AppSubURL), "/")
+
+	// Check if Domain differs from AppURL domain than update it to AppURL's domain
+	urlHostname := appURL.Hostname()
+	if urlHostname != Domain && net.ParseIP(urlHostname) == nil && urlHostname != "" {
+		Domain = urlHostname
+	}
+
+	AbsoluteAssetURL = MakeAbsoluteAssetURL(AppURL, StaticURLPrefix)
+	AssetVersion = strings.ReplaceAll(AppVer, "+", "~") // make sure the version string is clear (no real escaping is needed)
+
+	manifestBytes := MakeManifestData(AppName, AppURL, AbsoluteAssetURL)
+	ManifestData = `application/json;base64,` + base64.StdEncoding.EncodeToString(manifestBytes)
+
+	var defaultLocalURL string
+	switch Protocol {
+	case HTTPUnix:
+		defaultLocalURL = "http://unix/"
+	case FCGI:
+		defaultLocalURL = AppURL
+	case FCGIUnix:
+		defaultLocalURL = AppURL
+	default:
+		defaultLocalURL = string(Protocol) + "://"
+		if HTTPAddr == "0.0.0.0" {
+			defaultLocalURL += net.JoinHostPort("localhost", HTTPPort) + "/"
+		} else {
+			defaultLocalURL += net.JoinHostPort(HTTPAddr, HTTPPort) + "/"
+		}
+	}
+	LocalURL = sec.Key("LOCAL_ROOT_URL").MustString(defaultLocalURL)
+	LocalURL = strings.TrimRight(LocalURL, "/") + "/"
+	LocalUseProxyProtocol = sec.Key("LOCAL_USE_PROXY_PROTOCOL").MustBool(UseProxyProtocol)
+	RedirectOtherPort = sec.Key("REDIRECT_OTHER_PORT").MustBool(false)
+	PortToRedirect = sec.Key("PORT_TO_REDIRECT").MustString("80")
+	RedirectorUseProxyProtocol = sec.Key("REDIRECTOR_USE_PROXY_PROTOCOL").MustBool(UseProxyProtocol)
+	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
+	Log.DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
+	if len(StaticRootPath) == 0 {
+		StaticRootPath = AppWorkPath
+	}
+	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
+	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)
+	AppDataPath = sec.Key("APP_DATA_PATH").MustString(path.Join(AppWorkPath, "data"))
+	if !filepath.IsAbs(AppDataPath) {
+		log.Info("The provided APP_DATA_PATH: %s is not absolute - it will be made absolute against the work path: %s", AppDataPath, AppWorkPath)
+		AppDataPath = filepath.ToSlash(filepath.Join(AppWorkPath, AppDataPath))
+	}
+
+	EnableGzip = sec.Key("ENABLE_GZIP").MustBool()
+	EnablePprof = sec.Key("ENABLE_PPROF").MustBool(false)
+	PprofDataPath = sec.Key("PPROF_DATA_PATH").MustString(path.Join(AppWorkPath, "data/tmp/pprof"))
+	if !filepath.IsAbs(PprofDataPath) {
+		PprofDataPath = filepath.Join(AppWorkPath, PprofDataPath)
+	}
+
+	landingPage := sec.Key("LANDING_PAGE").MustString("home")
+	switch landingPage {
+	case "explore":
+		LandingPageURL = LandingPageExplore
+	case "organizations":
+		LandingPageURL = LandingPageOrganizations
+	case "login":
+		LandingPageURL = LandingPageLogin
+	case "":
+	case "home":
+		LandingPageURL = LandingPageHome
+	default:
+		LandingPageURL = LandingPage(landingPage)
+	}
+
+	HasRobotsTxt, err = util.IsFile(path.Join(CustomPath, "robots.txt"))
+	if err != nil {
+		log.Error("Unable to check if %s is a file. Error: %v", path.Join(CustomPath, "robots.txt"), err)
+	}
+}
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 1d33ac6bce..d4a31ba5d4 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -12,6 +12,15 @@ import (
 	"code.gitea.io/gitea/modules/structs"
 )
 
+// enumerates all the types of captchas
+const (
+	ImageCaptcha = "image"
+	ReCaptcha    = "recaptcha"
+	HCaptcha     = "hcaptcha"
+	MCaptcha     = "mcaptcha"
+	CfTurnstile  = "cfturnstile"
+)
+
 // Service settings
 var Service = struct {
 	DefaultUserVisibility                   string
@@ -105,8 +114,8 @@ func (a AllowedVisibility) ToVisibleTypeSlice() (result []structs.VisibleType) {
 	return result
 }
 
-func newService() {
-	sec := Cfg.Section("service")
+func loadServiceFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("service")
 	Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
 	Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
 	Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
@@ -184,11 +193,13 @@ func newService() {
 	}
 	Service.ValidSiteURLSchemes = schemes
 
-	if err := Cfg.Section("service.explore").MapTo(&Service.Explore); err != nil {
-		log.Fatal("Failed to map service.explore settings: %v", err)
-	}
+	mustMapSetting(rootCfg, "service.explore", &Service.Explore)
 
-	sec = Cfg.Section("openid")
+	loadOpenIDSetting(rootCfg)
+}
+
+func loadOpenIDSetting(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("openid")
 	Service.EnableOpenIDSignIn = sec.Key("ENABLE_OPENID_SIGNIN").MustBool(!InstallLock)
 	Service.EnableOpenIDSignUp = sec.Key("ENABLE_OPENID_SIGNUP").MustBool(!Service.DisableRegistration && Service.EnableOpenIDSignIn)
 	pats := sec.Key("WHITELISTED_URIS").Strings(" ")
diff --git a/modules/setting/session.go b/modules/setting/session.go
index 082538c385..b8498335d9 100644
--- a/modules/setting/session.go
+++ b/modules/setting/session.go
@@ -15,7 +15,8 @@ import (
 
 // SessionConfig defines Session settings
 var SessionConfig = struct {
-	Provider string
+	OriginalProvider string
+	Provider         string
 	// Provider configuration, it's corresponding to provider.
 	ProviderConfig string
 	// Cookie name to save session ID. Default is "MacaronSession".
@@ -39,8 +40,8 @@ var SessionConfig = struct {
 	SameSite:    http.SameSiteLaxMode,
 }
 
-func newSessionService() {
-	sec := Cfg.Section("session")
+func loadSessionFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("session")
 	SessionConfig.Provider = sec.Key("PROVIDER").In("memory",
 		[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})
 	SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(path.Join(AppDataPath, "sessions")), "\" ")
@@ -67,6 +68,7 @@ func newSessionService() {
 		log.Fatal("Can't shadow session config: %v", err)
 	}
 	SessionConfig.ProviderConfig = string(shadowConfig)
+	SessionConfig.OriginalProvider = SessionConfig.Provider
 	SessionConfig.Provider = "VirtualSession"
 
 	log.Info("Session Service Enabled")
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 0cd2db356d..83ebde9478 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -5,12 +5,8 @@
 package setting
 
 import (
-	"encoding/base64"
 	"errors"
 	"fmt"
-	"math"
-	"net"
-	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -18,53 +14,15 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"text/template"
 	"time"
 
-	"code.gitea.io/gitea/modules/auth/password/hash"
-	"code.gitea.io/gitea/modules/container"
-	"code.gitea.io/gitea/modules/generate"
-	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/util"
 
-	gossh "golang.org/x/crypto/ssh"
 	ini "gopkg.in/ini.v1"
 )
 
-// Scheme describes protocol types
-type Scheme string
-
-// enumerates all the scheme types
-const (
-	HTTP     Scheme = "http"
-	HTTPS    Scheme = "https"
-	FCGI     Scheme = "fcgi"
-	FCGIUnix Scheme = "fcgi+unix"
-	HTTPUnix Scheme = "http+unix"
-)
-
-// LandingPage describes the default page
-type LandingPage string
-
-// enumerates all the landing page types
-const (
-	LandingPageHome          LandingPage = "/"
-	LandingPageExplore       LandingPage = "/explore"
-	LandingPageOrganizations LandingPage = "/explore/organizations"
-	LandingPageLogin         LandingPage = "/user/login"
-)
-
-// enumerates all the types of captchas
-const (
-	ImageCaptcha = "image"
-	ReCaptcha    = "recaptcha"
-	HCaptcha     = "hcaptcha"
-	MCaptcha     = "mcaptcha"
-	CfTurnstile  = "cfturnstile"
-)
-
 // settings
 var (
 	// AppVer is the version of the current build of Gitea. It is set in main.go from main.Version.
@@ -73,15 +31,7 @@ var (
 	AppBuiltWith string
 	// AppStartTime store time gitea has started
 	AppStartTime time.Time
-	// AppName is the Application name, used in the page title.
-	// It maps to ini:"APP_NAME"
-	AppName string
-	// AppURL is the Application ROOT_URL. It always has a '/' suffix
-	// It maps to ini:"ROOT_URL"
-	AppURL string
-	// AppSubURL represents the sub-url mounting point for gitea. It is either "" or starts with '/' and ends without '/', such as '/{subpath}'.
-	// This value is empty if site does not have sub-url.
-	AppSubURL string
+
 	// AppPath represents the path to the gitea binary
 	AppPath string
 	// AppWorkPath is the "working directory" of Gitea. It maps to the environment variable GITEA_WORK_DIR.
@@ -89,373 +39,17 @@ var (
 	//
 	// AppWorkPath is used as the base path for several other paths.
 	AppWorkPath string
-	// AppDataPath is the default path for storing data.
-	// It maps to ini:"APP_DATA_PATH" in [server] and defaults to AppWorkPath + "/data"
-	AppDataPath string
-	// LocalURL is the url for locally running applications to contact Gitea. It always has a '/' suffix
-	// It maps to ini:"LOCAL_ROOT_URL" in [server]
-	LocalURL string
-	// AssetVersion holds a opaque value that is used for cache-busting assets
-	AssetVersion string
-
-	// Server settings
-	Protocol                   Scheme
-	UseProxyProtocol           bool // `ini:"USE_PROXY_PROTOCOL"`
-	ProxyProtocolTLSBridging   bool //`ini:"PROXY_PROTOCOL_TLS_BRIDGING"`
-	ProxyProtocolHeaderTimeout time.Duration
-	ProxyProtocolAcceptUnknown bool
-	Domain                     string
-	HTTPAddr                   string
-	HTTPPort                   string
-	LocalUseProxyProtocol      bool
-	RedirectOtherPort          bool
-	RedirectorUseProxyProtocol bool
-	PortToRedirect             string
-	OfflineMode                bool
-	CertFile                   string
-	KeyFile                    string
-	StaticRootPath             string
-	StaticCacheTime            time.Duration
-	EnableGzip                 bool
-	LandingPageURL             LandingPage
-	LandingPageCustom          string
-	UnixSocketPermission       uint32
-	EnablePprof                bool
-	PprofDataPath              string
-	EnableAcme                 bool
-	AcmeTOS                    bool
-	AcmeLiveDirectory          string
-	AcmeEmail                  string
-	AcmeURL                    string
-	AcmeCARoot                 string
-	SSLMinimumVersion          string
-	SSLMaximumVersion          string
-	SSLCurvePreferences        []string
-	SSLCipherSuites            []string
-	GracefulRestartable        bool
-	GracefulHammerTime         time.Duration
-	StartupTimeout             time.Duration
-	PerWriteTimeout            = 30 * time.Second
-	PerWritePerKbTimeout       = 10 * time.Second
-	StaticURLPrefix            string
-	AbsoluteAssetURL           string
-
-	SSH = struct {
-		Disabled                              bool               `ini:"DISABLE_SSH"`
-		StartBuiltinServer                    bool               `ini:"START_SSH_SERVER"`
-		BuiltinServerUser                     string             `ini:"BUILTIN_SSH_SERVER_USER"`
-		UseProxyProtocol                      bool               `ini:"SSH_SERVER_USE_PROXY_PROTOCOL"`
-		Domain                                string             `ini:"SSH_DOMAIN"`
-		Port                                  int                `ini:"SSH_PORT"`
-		User                                  string             `ini:"SSH_USER"`
-		ListenHost                            string             `ini:"SSH_LISTEN_HOST"`
-		ListenPort                            int                `ini:"SSH_LISTEN_PORT"`
-		RootPath                              string             `ini:"SSH_ROOT_PATH"`
-		ServerCiphers                         []string           `ini:"SSH_SERVER_CIPHERS"`
-		ServerKeyExchanges                    []string           `ini:"SSH_SERVER_KEY_EXCHANGES"`
-		ServerMACs                            []string           `ini:"SSH_SERVER_MACS"`
-		ServerHostKeys                        []string           `ini:"SSH_SERVER_HOST_KEYS"`
-		KeyTestPath                           string             `ini:"SSH_KEY_TEST_PATH"`
-		KeygenPath                            string             `ini:"SSH_KEYGEN_PATH"`
-		AuthorizedKeysBackup                  bool               `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
-		AuthorizedPrincipalsBackup            bool               `ini:"SSH_AUTHORIZED_PRINCIPALS_BACKUP"`
-		AuthorizedKeysCommandTemplate         string             `ini:"SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE"`
-		AuthorizedKeysCommandTemplateTemplate *template.Template `ini:"-"`
-		MinimumKeySizeCheck                   bool               `ini:"-"`
-		MinimumKeySizes                       map[string]int     `ini:"-"`
-		CreateAuthorizedKeysFile              bool               `ini:"SSH_CREATE_AUTHORIZED_KEYS_FILE"`
-		CreateAuthorizedPrincipalsFile        bool               `ini:"SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE"`
-		ExposeAnonymous                       bool               `ini:"SSH_EXPOSE_ANONYMOUS"`
-		AuthorizedPrincipalsAllow             []string           `ini:"SSH_AUTHORIZED_PRINCIPALS_ALLOW"`
-		AuthorizedPrincipalsEnabled           bool               `ini:"-"`
-		TrustedUserCAKeys                     []string           `ini:"SSH_TRUSTED_USER_CA_KEYS"`
-		TrustedUserCAKeysFile                 string             `ini:"SSH_TRUSTED_USER_CA_KEYS_FILENAME"`
-		TrustedUserCAKeysParsed               []gossh.PublicKey  `ini:"-"`
-		PerWriteTimeout                       time.Duration      `ini:"SSH_PER_WRITE_TIMEOUT"`
-		PerWritePerKbTimeout                  time.Duration      `ini:"SSH_PER_WRITE_PER_KB_TIMEOUT"`
-	}{
-		Disabled:                      false,
-		StartBuiltinServer:            false,
-		Domain:                        "",
-		Port:                          22,
-		ServerCiphers:                 []string{"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
-		ServerKeyExchanges:            []string{"curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"},
-		ServerMACs:                    []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
-		KeygenPath:                    "ssh-keygen",
-		MinimumKeySizeCheck:           true,
-		MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
-		ServerHostKeys:                []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
-		AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
-		PerWriteTimeout:               PerWriteTimeout,
-		PerWritePerKbTimeout:          PerWritePerKbTimeout,
-	}
-
-	// Security settings
-	InstallLock                        bool
-	SecretKey                          string
-	LogInRememberDays                  int
-	CookieUserName                     string
-	CookieRememberName                 string
-	ReverseProxyAuthUser               string
-	ReverseProxyAuthEmail              string
-	ReverseProxyAuthFullName           string
-	ReverseProxyLimit                  int
-	ReverseProxyTrustedProxies         []string
-	MinPasswordLength                  int
-	ImportLocalPaths                   bool
-	DisableGitHooks                    bool
-	DisableWebhooks                    bool
-	OnlyAllowPushIfGiteaEnvironmentSet bool
-	PasswordComplexity                 []string
-	PasswordHashAlgo                   string
-	PasswordCheckPwn                   bool
-	SuccessfulTokensCacheSize          int
-
-	Camo = struct {
-		Enabled   bool
-		ServerURL string `ini:"SERVER_URL"`
-		HMACKey   string `ini:"HMAC_KEY"`
-		Allways   bool
-	}{}
-
-	// UI settings
-	UI = struct {
-		ExplorePagingNum      int
-		SitemapPagingNum      int
-		IssuePagingNum        int
-		RepoSearchPagingNum   int
-		MembersPagingNum      int
-		FeedMaxCommitNum      int
-		FeedPagingNum         int
-		PackagesPagingNum     int
-		GraphMaxCommitNum     int
-		CodeCommentLines      int
-		ReactionMaxUserNum    int
-		ThemeColorMetaTag     string
-		MaxDisplayFileSize    int64
-		ShowUserEmail         bool
-		DefaultShowFullName   bool
-		DefaultTheme          string
-		Themes                []string
-		Reactions             []string
-		ReactionsLookup       container.Set[string] `ini:"-"`
-		CustomEmojis          []string
-		CustomEmojisMap       map[string]string `ini:"-"`
-		SearchRepoDescription bool
-		UseServiceWorker      bool
-
-		Notification struct {
-			MinTimeout            time.Duration
-			TimeoutStep           time.Duration
-			MaxTimeout            time.Duration
-			EventSourceUpdateTime time.Duration
-		} `ini:"ui.notification"`
-
-		SVG struct {
-			Enabled bool `ini:"ENABLE_RENDER"`
-		} `ini:"ui.svg"`
-
-		CSV struct {
-			MaxFileSize int64
-		} `ini:"ui.csv"`
-
-		Admin struct {
-			UserPagingNum   int
-			RepoPagingNum   int
-			NoticePagingNum int
-			OrgPagingNum    int
-		} `ini:"ui.admin"`
-		User struct {
-			RepoPagingNum int
-		} `ini:"ui.user"`
-		Meta struct {
-			Author      string
-			Description string
-			Keywords    string
-		} `ini:"ui.meta"`
-	}{
-		ExplorePagingNum:    20,
-		SitemapPagingNum:    20,
-		IssuePagingNum:      20,
-		RepoSearchPagingNum: 20,
-		MembersPagingNum:    20,
-		FeedMaxCommitNum:    5,
-		FeedPagingNum:       20,
-		PackagesPagingNum:   20,
-		GraphMaxCommitNum:   100,
-		CodeCommentLines:    4,
-		ReactionMaxUserNum:  10,
-		ThemeColorMetaTag:   `#6cc644`,
-		MaxDisplayFileSize:  8388608,
-		DefaultTheme:        `auto`,
-		Themes:              []string{`auto`, `gitea`, `arc-green`},
-		Reactions:           []string{`+1`, `-1`, `laugh`, `hooray`, `confused`, `heart`, `rocket`, `eyes`},
-		CustomEmojis:        []string{`git`, `gitea`, `codeberg`, `gitlab`, `github`, `gogs`},
-		CustomEmojisMap:     map[string]string{"git": ":git:", "gitea": ":gitea:", "codeberg": ":codeberg:", "gitlab": ":gitlab:", "github": ":github:", "gogs": ":gogs:"},
-		Notification: struct {
-			MinTimeout            time.Duration
-			TimeoutStep           time.Duration
-			MaxTimeout            time.Duration
-			EventSourceUpdateTime time.Duration
-		}{
-			MinTimeout:            10 * time.Second,
-			TimeoutStep:           10 * time.Second,
-			MaxTimeout:            60 * time.Second,
-			EventSourceUpdateTime: 10 * time.Second,
-		},
-		SVG: struct {
-			Enabled bool `ini:"ENABLE_RENDER"`
-		}{
-			Enabled: true,
-		},
-		CSV: struct {
-			MaxFileSize int64
-		}{
-			MaxFileSize: 524288,
-		},
-		Admin: struct {
-			UserPagingNum   int
-			RepoPagingNum   int
-			NoticePagingNum int
-			OrgPagingNum    int
-		}{
-			UserPagingNum:   50,
-			RepoPagingNum:   50,
-			NoticePagingNum: 25,
-			OrgPagingNum:    50,
-		},
-		User: struct {
-			RepoPagingNum int
-		}{
-			RepoPagingNum: 15,
-		},
-		Meta: struct {
-			Author      string
-			Description string
-			Keywords    string
-		}{
-			Author:      "Gitea - Git with a cup of tea",
-			Description: "Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go",
-			Keywords:    "go,git,self-hosted,gitea",
-		},
-	}
-
-	// Markdown settings
-	Markdown = struct {
-		EnableHardLineBreakInComments  bool
-		EnableHardLineBreakInDocuments bool
-		CustomURLSchemes               []string `ini:"CUSTOM_URL_SCHEMES"`
-		FileExtensions                 []string
-		EnableMath                     bool
-	}{
-		EnableHardLineBreakInComments:  true,
-		EnableHardLineBreakInDocuments: false,
-		FileExtensions:                 strings.Split(".md,.markdown,.mdown,.mkd", ","),
-		EnableMath:                     true,
-	}
-
-	// Admin settings
-	Admin struct {
-		DisableRegularOrgCreation bool
-		DefaultEmailNotification  string
-	}
-
-	// Log settings
-	LogLevel           log.Level
-	StacktraceLogLevel string
-	LogRootPath        string
-	EnableSSHLog       bool
-	EnableXORMLog      bool
-
-	DisableRouterLog bool
-
-	EnableAccessLog   bool
-	AccessLogTemplate string
-
-	// Time settings
-	TimeFormat string
-	// UILocation is the location on the UI, so that we can display the time on UI.
-	DefaultUILocation = time.Local
-
-	CSRFCookieName     = "_csrf"
-	CSRFCookieHTTPOnly = true
-
-	ManifestData string
-
-	// API settings
-	API = struct {
-		EnableSwagger          bool
-		SwaggerURL             string
-		MaxResponseItems       int
-		DefaultPagingNum       int
-		DefaultGitTreesPerPage int
-		DefaultMaxBlobSize     int64
-	}{
-		EnableSwagger:          true,
-		SwaggerURL:             "",
-		MaxResponseItems:       50,
-		DefaultPagingNum:       30,
-		DefaultGitTreesPerPage: 1000,
-		DefaultMaxBlobSize:     10485760,
-	}
-
-	OAuth2 = struct {
-		Enable                     bool
-		AccessTokenExpirationTime  int64
-		RefreshTokenExpirationTime int64
-		InvalidateRefreshTokens    bool
-		JWTSigningAlgorithm        string `ini:"JWT_SIGNING_ALGORITHM"`
-		JWTSecretBase64            string `ini:"JWT_SECRET"`
-		JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
-		MaxTokenLength             int
-	}{
-		Enable:                     true,
-		AccessTokenExpirationTime:  3600,
-		RefreshTokenExpirationTime: 730,
-		InvalidateRefreshTokens:    false,
-		JWTSigningAlgorithm:        "RS256",
-		JWTSigningPrivateKeyFile:   "jwt/private.pem",
-		MaxTokenLength:             math.MaxInt16,
-	}
-
-	// Metrics settings
-	Metrics = struct {
-		Enabled                  bool
-		Token                    string
-		EnabledIssueByLabel      bool
-		EnabledIssueByRepository bool
-	}{
-		Enabled:                  false,
-		Token:                    "",
-		EnabledIssueByLabel:      false,
-		EnabledIssueByRepository: false,
-	}
-
-	// I18n settings
-	Langs []string
-	Names []string
-
-	// Highlight settings are loaded in modules/template/highlight.go
-
-	// Other settings
-	ShowFooterBranding         bool
-	ShowFooterVersion          bool
-	ShowFooterTemplateLoadTime bool
-	EnableFeed                 bool
 
 	// Global setting objects
-	Cfg           *ini.File
-	CustomPath    string // Custom directory path
-	CustomConf    string
-	PIDFile       = "/run/gitea.pid"
-	WritePIDFile  bool
-	RunMode       string
-	IsProd        bool
-	RunUser       string
-	IsWindows     bool
-	HasRobotsTxt  bool
-	EnableSitemap bool
-	InternalToken string // internal access token
+	CfgProvider  ConfigProvider
+	CustomPath   string // Custom directory path
+	CustomConf   string
+	PIDFile      = "/run/gitea.pid"
+	WritePIDFile bool
+	RunMode      string
+	RunUser      string
+	IsProd       bool
+	IsWindows    bool
 )
 
 func getAppPath() (string, error) {
@@ -592,472 +186,132 @@ func SetCustomPathAndConf(providedCustom, providedConf, providedWorkPath string)
 	}
 }
 
-// LoadFromExisting initializes setting options from an existing config file (app.ini)
-func LoadFromExisting() {
-	loadFromConf(false, "")
+// PrepareAppDataPath creates app data directory if necessary
+func PrepareAppDataPath() error {
+	// FIXME: There are too many calls to MkdirAll in old code. It is incorrect.
+	// For example, if someDir=/mnt/vol1/gitea-home/data, if the mount point /mnt/vol1 is not mounted when Gitea runs,
+	// then gitea will make new empty directories in /mnt/vol1, all are stored in the root filesystem.
+	// The correct behavior should be: creating parent directories is end users' duty. We only create sub-directories in existing parent directories.
+	// For quickstart, the parent directories should be created automatically for first startup (eg: a flag or a check of INSTALL_LOCK).
+	// Now we can take the first step to do correctly (using Mkdir) in other packages, and prepare the AppDataPath here, then make a refactor in future.
+
+	st, err := os.Stat(AppDataPath)
+	if os.IsNotExist(err) {
+		err = os.MkdirAll(AppDataPath, os.ModePerm)
+		if err != nil {
+			return fmt.Errorf("unable to create the APP_DATA_PATH directory: %q, Error: %w", AppDataPath, err)
+		}
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("unable to use APP_DATA_PATH %q. Error: %w", AppDataPath, err)
+	}
+
+	if !st.IsDir() /* also works for symlink */ {
+		return fmt.Errorf("the APP_DATA_PATH %q is not a directory (or symlink to a directory) and can't be used", AppDataPath)
+	}
+
+	return nil
 }
 
-// LoadAllowEmpty initializes setting options, it's also fine that if the config file (app.ini) doesn't exist
-func LoadAllowEmpty() {
-	loadFromConf(true, "")
+// InitProviderFromExistingFile initializes config provider from an existing config file (app.ini)
+func InitProviderFromExistingFile() {
+	CfgProvider = newFileProviderFromConf(CustomConf, WritePIDFile, false, PIDFile, "")
 }
 
-// LoadForTest initializes setting options for tests
-func LoadForTest(extraConfigs ...string) {
-	loadFromConf(true, strings.Join(extraConfigs, "\n"))
+// InitProviderAllowEmpty initializes config provider from file, it's also fine that if the config file (app.ini) doesn't exist
+func InitProviderAllowEmpty() {
+	CfgProvider = newFileProviderFromConf(CustomConf, WritePIDFile, true, PIDFile, "")
+}
+
+// InitProviderAndLoadCommonSettingsForTest initializes config provider and load common setttings for tests
+func InitProviderAndLoadCommonSettingsForTest(extraConfigs ...string) {
+	CfgProvider = newFileProviderFromConf(CustomConf, WritePIDFile, true, PIDFile, strings.Join(extraConfigs, "\n"))
+	loadCommonSettingsFrom(CfgProvider)
 	if err := PrepareAppDataPath(); err != nil {
 		log.Fatal("Can not prepare APP_DATA_PATH: %v", err)
 	}
 }
 
-func deprecatedSetting(oldSection, oldKey, newSection, newKey string) {
-	if Cfg.Section(oldSection).HasKey(oldKey) {
-		log.Error("Deprecated fallback `[%s]` `%s` present. Use `[%s]` `%s` instead. This fallback will be removed in v1.19.0", oldSection, oldKey, newSection, newKey)
-	}
-}
-
-// deprecatedSettingDB add a hint that the configuration has been moved to database but still kept in app.ini
-func deprecatedSettingDB(oldSection, oldKey string) {
-	if Cfg.Section(oldSection).HasKey(oldKey) {
-		log.Error("Deprecated `[%s]` `%s` present which has been copied to database table sys_setting", oldSection, oldKey)
-	}
-}
-
-// loadFromConf initializes configuration context.
+// newFileProviderFromConf initializes configuration context.
 // NOTE: do not print any log except error.
-func loadFromConf(allowEmpty bool, extraConfig string) {
-	Cfg = ini.Empty()
+func newFileProviderFromConf(customConf string, writePIDFile, allowEmpty bool, pidFile, extraConfig string) *ini.File {
+	cfg := ini.Empty()
 
-	if WritePIDFile && len(PIDFile) > 0 {
-		createPIDFile(PIDFile)
+	if writePIDFile && len(pidFile) > 0 {
+		createPIDFile(pidFile)
 	}
 
-	isFile, err := util.IsFile(CustomConf)
+	isFile, err := util.IsFile(customConf)
 	if err != nil {
-		log.Error("Unable to check if %s is a file. Error: %v", CustomConf, err)
+		log.Error("Unable to check if %s is a file. Error: %v", customConf, err)
 	}
 	if isFile {
-		if err := Cfg.Append(CustomConf); err != nil {
-			log.Fatal("Failed to load custom conf '%s': %v", CustomConf, err)
+		if err := cfg.Append(customConf); err != nil {
+			log.Fatal("Failed to load custom conf '%s': %v", customConf, err)
 		}
 	} else if !allowEmpty {
 		log.Fatal("Unable to find configuration file: %q.\nEnsure you are running in the correct environment or set the correct configuration file with -c.", CustomConf)
 	} // else: no config file, a config file might be created at CustomConf later (might not)
 
 	if extraConfig != "" {
-		if err = Cfg.Append([]byte(extraConfig)); err != nil {
+		if err = cfg.Append([]byte(extraConfig)); err != nil {
 			log.Fatal("Unable to append more config: %v", err)
 		}
 	}
 
-	Cfg.NameMapper = ini.SnackCase
+	cfg.NameMapper = ini.SnackCase
+	return cfg
+}
 
-	homeDir, err := util.HomeDir()
-	if err != nil {
-		log.Fatal("Failed to get home directory: %v", err)
-	}
-	homeDir = strings.ReplaceAll(homeDir, "\\", "/")
+// LoadCommonSettings loads common configurations from a configuration provider.
+func LoadCommonSettings() {
+	loadCommonSettingsFrom(CfgProvider)
+}
 
-	LogLevel = getLogLevel(Cfg.Section("log"), "LEVEL", log.INFO)
-	StacktraceLogLevel = getStacktraceLogLevel(Cfg.Section("log"), "STACKTRACE_LEVEL", "None")
-	LogRootPath = Cfg.Section("log").Key("ROOT_PATH").MustString(path.Join(AppWorkPath, "log"))
-	forcePathSeparator(LogRootPath)
+// loadCommonSettingsFrom loads common configurations from a configuration provider.
+func loadCommonSettingsFrom(cfg ConfigProvider) {
+	// WARNNING: don't change the sequence except you know what you are doing.
+	loadRunModeFrom(cfg)
+	loadLogFrom(cfg)
+	loadServerFrom(cfg)
+	loadSSHFrom(cfg)
+	loadOAuth2From(cfg)
+	loadSecurityFrom(cfg)
+	loadAttachmentFrom(cfg)
+	loadLFSFrom(cfg)
+	loadTimeFrom(cfg)
+	loadRepositoryFrom(cfg)
+	loadPictureFrom(cfg)
+	loadPackagesFrom(cfg)
+	loadActionsFrom(cfg)
+	loadUIFrom(cfg)
+	loadAdminFrom(cfg)
+	loadAPIFrom(cfg)
+	loadMetricsFrom(cfg)
+	loadCamoFrom(cfg)
+	loadI18nFrom(cfg)
+	loadGitFrom(cfg)
+	loadMirrorFrom(cfg)
+	loadMarkupFrom(cfg)
+	loadOtherFrom(cfg)
+}
 
-	sec := Cfg.Section("server")
-	AppName = Cfg.Section("").Key("APP_NAME").MustString("Gitea: Git with a cup of tea")
-
-	Domain = sec.Key("DOMAIN").MustString("localhost")
-	HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
-	HTTPPort = sec.Key("HTTP_PORT").MustString("3000")
-
-	Protocol = HTTP
-	protocolCfg := sec.Key("PROTOCOL").String()
-	switch protocolCfg {
-	case "https":
-		Protocol = HTTPS
-		// FIXME: DEPRECATED to be removed in v1.18.0
-		if sec.HasKey("ENABLE_ACME") {
-			EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
-		} else {
-			deprecatedSetting("server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME")
-			EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
-		}
-		if EnableAcme {
-			AcmeURL = sec.Key("ACME_URL").MustString("")
-			AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
-			// FIXME: DEPRECATED to be removed in v1.18.0
-			if sec.HasKey("ACME_ACCEPTTOS") {
-				AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
-			} else {
-				deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
-				AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
-			}
-			if !AcmeTOS {
-				log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
-			}
-			// FIXME: DEPRECATED to be removed in v1.18.0
-			if sec.HasKey("ACME_DIRECTORY") {
-				AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https")
-			} else {
-				deprecatedSetting("server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY")
-				AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
-			}
-			// FIXME: DEPRECATED to be removed in v1.18.0
-			if sec.HasKey("ACME_EMAIL") {
-				AcmeEmail = sec.Key("ACME_EMAIL").MustString("")
-			} else {
-				deprecatedSetting("server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL")
-				AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
-			}
-		} else {
-			CertFile = sec.Key("CERT_FILE").String()
-			KeyFile = sec.Key("KEY_FILE").String()
-			if len(CertFile) > 0 && !filepath.IsAbs(CertFile) {
-				CertFile = filepath.Join(CustomPath, CertFile)
-			}
-			if len(KeyFile) > 0 && !filepath.IsAbs(KeyFile) {
-				KeyFile = filepath.Join(CustomPath, KeyFile)
-			}
-		}
-		SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
-		SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
-		SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
-		SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
-	case "fcgi":
-		Protocol = FCGI
-	case "fcgi+unix", "unix", "http+unix":
-		switch protocolCfg {
-		case "fcgi+unix":
-			Protocol = FCGIUnix
-		case "unix":
-			log.Warn("unix PROTOCOL value is deprecated, please use http+unix")
-			fallthrough
-		case "http+unix":
-			Protocol = HTTPUnix
-		}
-		UnixSocketPermissionRaw := sec.Key("UNIX_SOCKET_PERMISSION").MustString("666")
-		UnixSocketPermissionParsed, err := strconv.ParseUint(UnixSocketPermissionRaw, 8, 32)
-		if err != nil || UnixSocketPermissionParsed > 0o777 {
-			log.Fatal("Failed to parse unixSocketPermission: %s", UnixSocketPermissionRaw)
-		}
-
-		UnixSocketPermission = uint32(UnixSocketPermissionParsed)
-		if !filepath.IsAbs(HTTPAddr) {
-			HTTPAddr = filepath.Join(AppWorkPath, HTTPAddr)
-		}
-	}
-	UseProxyProtocol = sec.Key("USE_PROXY_PROTOCOL").MustBool(false)
-	ProxyProtocolTLSBridging = sec.Key("PROXY_PROTOCOL_TLS_BRIDGING").MustBool(false)
-	ProxyProtocolHeaderTimeout = sec.Key("PROXY_PROTOCOL_HEADER_TIMEOUT").MustDuration(5 * time.Second)
-	ProxyProtocolAcceptUnknown = sec.Key("PROXY_PROTOCOL_ACCEPT_UNKNOWN").MustBool(false)
-	GracefulRestartable = sec.Key("ALLOW_GRACEFUL_RESTARTS").MustBool(true)
-	GracefulHammerTime = sec.Key("GRACEFUL_HAMMER_TIME").MustDuration(60 * time.Second)
-	StartupTimeout = sec.Key("STARTUP_TIMEOUT").MustDuration(0 * time.Second)
-	PerWriteTimeout = sec.Key("PER_WRITE_TIMEOUT").MustDuration(PerWriteTimeout)
-	PerWritePerKbTimeout = sec.Key("PER_WRITE_PER_KB_TIMEOUT").MustDuration(PerWritePerKbTimeout)
-
-	defaultAppURL := string(Protocol) + "://" + Domain + ":" + HTTPPort
-	AppURL = sec.Key("ROOT_URL").MustString(defaultAppURL)
-
-	// Check validity of AppURL
-	appURL, err := url.Parse(AppURL)
-	if err != nil {
-		log.Fatal("Invalid ROOT_URL '%s': %s", AppURL, err)
-	}
-	// Remove default ports from AppURL.
-	// (scheme-based URL normalization, RFC 3986 section 6.2.3)
-	if (appURL.Scheme == string(HTTP) && appURL.Port() == "80") || (appURL.Scheme == string(HTTPS) && appURL.Port() == "443") {
-		appURL.Host = appURL.Hostname()
-	}
-	// This should be TrimRight to ensure that there is only a single '/' at the end of AppURL.
-	AppURL = strings.TrimRight(appURL.String(), "/") + "/"
-
-	// Suburl should start with '/' and end without '/', such as '/{subpath}'.
-	// This value is empty if site does not have sub-url.
-	AppSubURL = strings.TrimSuffix(appURL.Path, "/")
-	StaticURLPrefix = strings.TrimSuffix(sec.Key("STATIC_URL_PREFIX").MustString(AppSubURL), "/")
-
-	// Check if Domain differs from AppURL domain than update it to AppURL's domain
-	urlHostname := appURL.Hostname()
-	if urlHostname != Domain && net.ParseIP(urlHostname) == nil && urlHostname != "" {
-		Domain = urlHostname
-	}
-
-	AbsoluteAssetURL = MakeAbsoluteAssetURL(AppURL, StaticURLPrefix)
-	AssetVersion = strings.ReplaceAll(AppVer, "+", "~") // make sure the version string is clear (no real escaping is needed)
-
-	manifestBytes := MakeManifestData(AppName, AppURL, AbsoluteAssetURL)
-	ManifestData = `application/json;base64,` + base64.StdEncoding.EncodeToString(manifestBytes)
-
-	var defaultLocalURL string
-	switch Protocol {
-	case HTTPUnix:
-		defaultLocalURL = "http://unix/"
-	case FCGI:
-		defaultLocalURL = AppURL
-	case FCGIUnix:
-		defaultLocalURL = AppURL
-	default:
-		defaultLocalURL = string(Protocol) + "://"
-		if HTTPAddr == "0.0.0.0" {
-			defaultLocalURL += net.JoinHostPort("localhost", HTTPPort) + "/"
-		} else {
-			defaultLocalURL += net.JoinHostPort(HTTPAddr, HTTPPort) + "/"
-		}
-	}
-	LocalURL = sec.Key("LOCAL_ROOT_URL").MustString(defaultLocalURL)
-	LocalURL = strings.TrimRight(LocalURL, "/") + "/"
-	LocalUseProxyProtocol = sec.Key("LOCAL_USE_PROXY_PROTOCOL").MustBool(UseProxyProtocol)
-	RedirectOtherPort = sec.Key("REDIRECT_OTHER_PORT").MustBool(false)
-	PortToRedirect = sec.Key("PORT_TO_REDIRECT").MustString("80")
-	RedirectorUseProxyProtocol = sec.Key("REDIRECTOR_USE_PROXY_PROTOCOL").MustBool(UseProxyProtocol)
-	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
-	DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
-	if len(StaticRootPath) == 0 {
-		StaticRootPath = AppWorkPath
-	}
-	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
-	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)
-	AppDataPath = sec.Key("APP_DATA_PATH").MustString(path.Join(AppWorkPath, "data"))
-	if !filepath.IsAbs(AppDataPath) {
-		log.Info("The provided APP_DATA_PATH: %s is not absolute - it will be made absolute against the work path: %s", AppDataPath, AppWorkPath)
-		AppDataPath = filepath.ToSlash(filepath.Join(AppWorkPath, AppDataPath))
-	}
-
-	EnableGzip = sec.Key("ENABLE_GZIP").MustBool()
-	EnablePprof = sec.Key("ENABLE_PPROF").MustBool(false)
-	PprofDataPath = sec.Key("PPROF_DATA_PATH").MustString(path.Join(AppWorkPath, "data/tmp/pprof"))
-	if !filepath.IsAbs(PprofDataPath) {
-		PprofDataPath = filepath.Join(AppWorkPath, PprofDataPath)
-	}
-
-	landingPage := sec.Key("LANDING_PAGE").MustString("home")
-	switch landingPage {
-	case "explore":
-		LandingPageURL = LandingPageExplore
-	case "organizations":
-		LandingPageURL = LandingPageOrganizations
-	case "login":
-		LandingPageURL = LandingPageLogin
-	case "":
-	case "home":
-		LandingPageURL = LandingPageHome
-	default:
-		LandingPageURL = LandingPage(landingPage)
-	}
-
-	if len(SSH.Domain) == 0 {
-		SSH.Domain = Domain
-	}
-	SSH.RootPath = path.Join(homeDir, ".ssh")
-	serverCiphers := sec.Key("SSH_SERVER_CIPHERS").Strings(",")
-	if len(serverCiphers) > 0 {
-		SSH.ServerCiphers = serverCiphers
-	}
-	serverKeyExchanges := sec.Key("SSH_SERVER_KEY_EXCHANGES").Strings(",")
-	if len(serverKeyExchanges) > 0 {
-		SSH.ServerKeyExchanges = serverKeyExchanges
-	}
-	serverMACs := sec.Key("SSH_SERVER_MACS").Strings(",")
-	if len(serverMACs) > 0 {
-		SSH.ServerMACs = serverMACs
-	}
-	SSH.KeyTestPath = os.TempDir()
-	if err = Cfg.Section("server").MapTo(&SSH); err != nil {
-		log.Fatal("Failed to map SSH settings: %v", err)
-	}
-	for i, key := range SSH.ServerHostKeys {
-		if !filepath.IsAbs(key) {
-			SSH.ServerHostKeys[i] = filepath.Join(AppDataPath, key)
-		}
-	}
-
-	SSH.KeygenPath = sec.Key("SSH_KEYGEN_PATH").MustString("ssh-keygen")
-	SSH.Port = sec.Key("SSH_PORT").MustInt(22)
-	SSH.ListenPort = sec.Key("SSH_LISTEN_PORT").MustInt(SSH.Port)
-	SSH.UseProxyProtocol = sec.Key("SSH_SERVER_USE_PROXY_PROTOCOL").MustBool(false)
-
-	// When disable SSH, start builtin server value is ignored.
-	if SSH.Disabled {
-		SSH.StartBuiltinServer = false
-	}
-
-	SSH.TrustedUserCAKeysFile = sec.Key("SSH_TRUSTED_USER_CA_KEYS_FILENAME").MustString(filepath.Join(SSH.RootPath, "gitea-trusted-user-ca-keys.pem"))
-
-	for _, caKey := range SSH.TrustedUserCAKeys {
-		pubKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(caKey))
-		if err != nil {
-			log.Fatal("Failed to parse TrustedUserCaKeys: %s %v", caKey, err)
-		}
-
-		SSH.TrustedUserCAKeysParsed = append(SSH.TrustedUserCAKeysParsed, pubKey)
-	}
-	if len(SSH.TrustedUserCAKeys) > 0 {
-		// Set the default as email,username otherwise we can leave it empty
-		sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").MustString("username,email")
-	} else {
-		sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").MustString("off")
-	}
-
-	SSH.AuthorizedPrincipalsAllow, SSH.AuthorizedPrincipalsEnabled = parseAuthorizedPrincipalsAllow(sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").Strings(","))
-
-	SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool(SSH.MinimumKeySizeCheck)
-	minimumKeySizes := Cfg.Section("ssh.minimum_key_sizes").Keys()
-	for _, key := range minimumKeySizes {
-		if key.MustInt() != -1 {
-			SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
-		} else {
-			delete(SSH.MinimumKeySizes, strings.ToLower(key.Name()))
-		}
-	}
-
-	SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
-	SSH.CreateAuthorizedKeysFile = sec.Key("SSH_CREATE_AUTHORIZED_KEYS_FILE").MustBool(true)
-
-	SSH.AuthorizedPrincipalsBackup = false
-	SSH.CreateAuthorizedPrincipalsFile = false
-	if SSH.AuthorizedPrincipalsEnabled {
-		SSH.AuthorizedPrincipalsBackup = sec.Key("SSH_AUTHORIZED_PRINCIPALS_BACKUP").MustBool(true)
-		SSH.CreateAuthorizedPrincipalsFile = sec.Key("SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE").MustBool(true)
-	}
-
-	SSH.ExposeAnonymous = sec.Key("SSH_EXPOSE_ANONYMOUS").MustBool(false)
-	SSH.AuthorizedKeysCommandTemplate = sec.Key("SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE").MustString(SSH.AuthorizedKeysCommandTemplate)
-
-	SSH.AuthorizedKeysCommandTemplateTemplate = template.Must(template.New("").Parse(SSH.AuthorizedKeysCommandTemplate))
-
-	SSH.PerWriteTimeout = sec.Key("SSH_PER_WRITE_TIMEOUT").MustDuration(PerWriteTimeout)
-	SSH.PerWritePerKbTimeout = sec.Key("SSH_PER_WRITE_PER_KB_TIMEOUT").MustDuration(PerWritePerKbTimeout)
-
-	if err = Cfg.Section("oauth2").MapTo(&OAuth2); err != nil {
-		log.Fatal("Failed to OAuth2 settings: %v", err)
-		return
-	}
-
-	if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
-		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
-	}
-
-	sec = Cfg.Section("admin")
-	Admin.DefaultEmailNotification = sec.Key("DEFAULT_EMAIL_NOTIFICATIONS").MustString("enabled")
-
-	sec = Cfg.Section("security")
-	InstallLock = sec.Key("INSTALL_LOCK").MustBool(false)
-	LogInRememberDays = sec.Key("LOGIN_REMEMBER_DAYS").MustInt(7)
-	CookieUserName = sec.Key("COOKIE_USERNAME").MustString("gitea_awesome")
-	SecretKey = loadSecret(sec, "SECRET_KEY_URI", "SECRET_KEY")
-	if SecretKey == "" {
-		// FIXME: https://github.com/go-gitea/gitea/issues/16832
-		// Until it supports rotating an existing secret key, we shouldn't move users off of the widely used default value
-		SecretKey = "!#@FDEWREWR&*(" //nolint:gosec
-	}
-
-	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible")
-
-	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
-	ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
-	ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")
-
-	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
-	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
-	if len(ReverseProxyTrustedProxies) == 0 {
-		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
-	}
-
-	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
-	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
-	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
-	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
-	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
-
-	// Ensure that the provided default hash algorithm is a valid hash algorithm
-	var algorithm *hash.PasswordHashAlgorithm
-	PasswordHashAlgo, algorithm = hash.SetDefaultPasswordHashAlgorithm(sec.Key("PASSWORD_HASH_ALGO").MustString(""))
-	if algorithm == nil {
-		log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString(""))
-	}
-
-	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
-	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
-	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
-
-	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
-	if InstallLock && InternalToken == "" {
-		// if Gitea has been installed but the InternalToken hasn't been generated (upgrade from an old release), we should generate
-		// some users do cluster deployment, they still depend on this auto-generating behavior.
-		generateSaveInternalToken()
-	}
-
-	cfgdata := sec.Key("PASSWORD_COMPLEXITY").Strings(",")
-	if len(cfgdata) == 0 {
-		cfgdata = []string{"off"}
-	}
-	PasswordComplexity = make([]string, 0, len(cfgdata))
-	for _, name := range cfgdata {
-		name := strings.ToLower(strings.Trim(name, `"`))
-		if name != "" {
-			PasswordComplexity = append(PasswordComplexity, name)
-		}
-	}
-
-	newAttachmentService()
-	newLFSService()
-
-	timeFormatKey := Cfg.Section("time").Key("FORMAT").MustString("")
-	if timeFormatKey != "" {
-		TimeFormat = map[string]string{
-			"ANSIC":       time.ANSIC,
-			"UnixDate":    time.UnixDate,
-			"RubyDate":    time.RubyDate,
-			"RFC822":      time.RFC822,
-			"RFC822Z":     time.RFC822Z,
-			"RFC850":      time.RFC850,
-			"RFC1123":     time.RFC1123,
-			"RFC1123Z":    time.RFC1123Z,
-			"RFC3339":     time.RFC3339,
-			"RFC3339Nano": time.RFC3339Nano,
-			"Kitchen":     time.Kitchen,
-			"Stamp":       time.Stamp,
-			"StampMilli":  time.StampMilli,
-			"StampMicro":  time.StampMicro,
-			"StampNano":   time.StampNano,
-		}[timeFormatKey]
-		// When the TimeFormatKey does not exist in the previous map e.g.'2006-01-02 15:04:05'
-		if len(TimeFormat) == 0 {
-			TimeFormat = timeFormatKey
-			TestTimeFormat, _ := time.Parse(TimeFormat, TimeFormat)
-			if TestTimeFormat.Format(time.RFC3339) != "2006-01-02T15:04:05Z" {
-				log.Warn("Provided TimeFormat: %s does not create a fully specified date and time.", TimeFormat)
-				log.Warn("In order to display dates and times correctly please check your time format has 2006, 01, 02, 15, 04 and 05")
-			}
-			log.Trace("Custom TimeFormat: %s", TimeFormat)
-		}
-	}
-
-	zone := Cfg.Section("time").Key("DEFAULT_UI_LOCATION").String()
-	if zone != "" {
-		DefaultUILocation, err = time.LoadLocation(zone)
-		if err != nil {
-			log.Fatal("Load time zone failed: %v", err)
-		} else {
-			log.Info("Default UI Location is %v", zone)
-		}
-	}
-	if DefaultUILocation == nil {
-		DefaultUILocation = time.Local
-	}
-
-	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
+func loadRunModeFrom(rootCfg ConfigProvider) {
+	rootSec := rootCfg.Section("")
+	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())
 	// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
-	unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
+	unsafeAllowRunAsRoot := rootSec.Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = os.Getenv("GITEA_RUN_MODE")
 	if RunMode == "" {
-		RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
+		RunMode = rootSec.Key("RUN_MODE").MustString("prod")
 	}
 	IsProd = strings.EqualFold(RunMode, "prod")
 	// Does not check run user when the install lock is off.
-	if InstallLock {
+	installLock := rootCfg.Section("security").Key("INSTALL_LOCK").MustBool(false)
+	if installLock {
 		currentUser, match := IsRunUserMatchCurrentUser(RunUser)
 		if !match {
 			log.Fatal("Expect user '%s' but current user is: %s", RunUser, currentUser)
@@ -1072,227 +326,6 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 		}
 		log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 	}
-
-	SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
-	SSH.User = Cfg.Section("server").Key("SSH_USER").MustString(SSH.BuiltinServerUser)
-
-	newRepository()
-
-	newPictureService()
-
-	newPackages()
-
-	newActions()
-
-	if err = Cfg.Section("ui").MapTo(&UI); err != nil {
-		log.Fatal("Failed to map UI settings: %v", err)
-	} else if err = Cfg.Section("markdown").MapTo(&Markdown); err != nil {
-		log.Fatal("Failed to map Markdown settings: %v", err)
-	} else if err = Cfg.Section("admin").MapTo(&Admin); err != nil {
-		log.Fatal("Fail to map Admin settings: %v", err)
-	} else if err = Cfg.Section("api").MapTo(&API); err != nil {
-		log.Fatal("Failed to map API settings: %v", err)
-	} else if err = Cfg.Section("metrics").MapTo(&Metrics); err != nil {
-		log.Fatal("Failed to map Metrics settings: %v", err)
-	} else if err = Cfg.Section("camo").MapTo(&Camo); err != nil {
-		log.Fatal("Failed to map Camo settings: %v", err)
-	}
-
-	if Camo.Enabled {
-		if Camo.ServerURL == "" || Camo.HMACKey == "" {
-			log.Fatal(`Camo settings require "SERVER_URL" and HMAC_KEY`)
-		}
-	}
-
-	u := *appURL
-	u.Path = path.Join(u.Path, "api", "swagger")
-	API.SwaggerURL = u.String()
-
-	newGit()
-
-	newMirror()
-
-	Langs = Cfg.Section("i18n").Key("LANGS").Strings(",")
-	if len(Langs) == 0 {
-		Langs = defaultI18nLangs()
-	}
-	Names = Cfg.Section("i18n").Key("NAMES").Strings(",")
-	if len(Names) == 0 {
-		Names = defaultI18nNames()
-	}
-
-	ShowFooterBranding = Cfg.Section("other").Key("SHOW_FOOTER_BRANDING").MustBool(false)
-	ShowFooterVersion = Cfg.Section("other").Key("SHOW_FOOTER_VERSION").MustBool(true)
-	ShowFooterTemplateLoadTime = Cfg.Section("other").Key("SHOW_FOOTER_TEMPLATE_LOAD_TIME").MustBool(true)
-	EnableSitemap = Cfg.Section("other").Key("ENABLE_SITEMAP").MustBool(true)
-	EnableFeed = Cfg.Section("other").Key("ENABLE_FEED").MustBool(true)
-
-	UI.ShowUserEmail = Cfg.Section("ui").Key("SHOW_USER_EMAIL").MustBool(true)
-	UI.DefaultShowFullName = Cfg.Section("ui").Key("DEFAULT_SHOW_FULL_NAME").MustBool(false)
-	UI.SearchRepoDescription = Cfg.Section("ui").Key("SEARCH_REPO_DESCRIPTION").MustBool(true)
-	UI.UseServiceWorker = Cfg.Section("ui").Key("USE_SERVICE_WORKER").MustBool(false)
-
-	HasRobotsTxt, err = util.IsFile(path.Join(CustomPath, "robots.txt"))
-	if err != nil {
-		log.Error("Unable to check if %s is a file. Error: %v", path.Join(CustomPath, "robots.txt"), err)
-	}
-
-	newMarkup()
-
-	UI.ReactionsLookup = make(container.Set[string])
-	for _, reaction := range UI.Reactions {
-		UI.ReactionsLookup.Add(reaction)
-	}
-	UI.CustomEmojisMap = make(map[string]string)
-	for _, emoji := range UI.CustomEmojis {
-		UI.CustomEmojisMap[emoji] = ":" + emoji + ":"
-	}
-}
-
-func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
-	anything := false
-	email := false
-	username := false
-	for _, value := range values {
-		v := strings.ToLower(strings.TrimSpace(value))
-		switch v {
-		case "off":
-			return []string{"off"}, false
-		case "email":
-			email = true
-		case "username":
-			username = true
-		case "anything":
-			anything = true
-		}
-	}
-	if anything {
-		return []string{"anything"}, true
-	}
-
-	authorizedPrincipalsAllow := []string{}
-	if username {
-		authorizedPrincipalsAllow = append(authorizedPrincipalsAllow, "username")
-	}
-	if email {
-		authorizedPrincipalsAllow = append(authorizedPrincipalsAllow, "email")
-	}
-
-	return authorizedPrincipalsAllow, true
-}
-
-// loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
-// If the secret is loaded from uriKey (file), the file should be non-empty, to guarantee the behavior stable and clear.
-func loadSecret(sec *ini.Section, uriKey, verbatimKey string) string {
-	// don't allow setting both URI and verbatim string
-	uri := sec.Key(uriKey).String()
-	verbatim := sec.Key(verbatimKey).String()
-	if uri != "" && verbatim != "" {
-		log.Fatal("Cannot specify both %s and %s", uriKey, verbatimKey)
-	}
-
-	// if we have no URI, use verbatim
-	if uri == "" {
-		return verbatim
-	}
-
-	tempURI, err := url.Parse(uri)
-	if err != nil {
-		log.Fatal("Failed to parse %s (%s): %v", uriKey, uri, err)
-	}
-	switch tempURI.Scheme {
-	case "file":
-		buf, err := os.ReadFile(tempURI.RequestURI())
-		if err != nil {
-			log.Fatal("Failed to read %s (%s): %v", uriKey, tempURI.RequestURI(), err)
-		}
-		val := strings.TrimSpace(string(buf))
-		if val == "" {
-			// The file shouldn't be empty, otherwise we can not know whether the user has ever set the KEY or KEY_URI
-			// For example: if INTERNAL_TOKEN_URI=file:///empty-file,
-			// Then if the token is re-generated during installation and saved to INTERNAL_TOKEN
-			// Then INTERNAL_TOKEN and INTERNAL_TOKEN_URI both exist, that's a fatal error (they shouldn't)
-			log.Fatal("Failed to read %s (%s): the file is empty", uriKey, tempURI.RequestURI())
-		}
-		return val
-
-	// only file URIs are allowed
-	default:
-		log.Fatal("Unsupported URI-Scheme %q (INTERNAL_TOKEN_URI = %q)", tempURI.Scheme, uri)
-		return ""
-	}
-}
-
-// generateSaveInternalToken generates and saves the internal token to app.ini
-func generateSaveInternalToken() {
-	token, err := generate.NewInternalToken()
-	if err != nil {
-		log.Fatal("Error generate internal token: %v", err)
-	}
-
-	InternalToken = token
-	CreateOrAppendToCustomConf("security.INTERNAL_TOKEN", func(cfg *ini.File) {
-		cfg.Section("security").Key("INTERNAL_TOKEN").SetValue(token)
-	})
-}
-
-// MakeAbsoluteAssetURL returns the absolute asset url prefix without a trailing slash
-func MakeAbsoluteAssetURL(appURL, staticURLPrefix string) string {
-	parsedPrefix, err := url.Parse(strings.TrimSuffix(staticURLPrefix, "/"))
-	if err != nil {
-		log.Fatal("Unable to parse STATIC_URL_PREFIX: %v", err)
-	}
-
-	if err == nil && parsedPrefix.Hostname() == "" {
-		if staticURLPrefix == "" {
-			return strings.TrimSuffix(appURL, "/")
-		}
-
-		// StaticURLPrefix is just a path
-		return util.URLJoin(appURL, strings.TrimSuffix(staticURLPrefix, "/"))
-	}
-
-	return strings.TrimSuffix(staticURLPrefix, "/")
-}
-
-// MakeManifestData generates web app manifest JSON
-func MakeManifestData(appName, appURL, absoluteAssetURL string) []byte {
-	type manifestIcon struct {
-		Src   string `json:"src"`
-		Type  string `json:"type"`
-		Sizes string `json:"sizes"`
-	}
-
-	type manifestJSON struct {
-		Name      string         `json:"name"`
-		ShortName string         `json:"short_name"`
-		StartURL  string         `json:"start_url"`
-		Icons     []manifestIcon `json:"icons"`
-	}
-
-	bytes, err := json.Marshal(&manifestJSON{
-		Name:      appName,
-		ShortName: appName,
-		StartURL:  appURL,
-		Icons: []manifestIcon{
-			{
-				Src:   absoluteAssetURL + "/assets/img/logo.png",
-				Type:  "image/png",
-				Sizes: "512x512",
-			},
-			{
-				Src:   absoluteAssetURL + "/assets/img/logo.svg",
-				Type:  "image/svg+xml",
-				Sizes: "512x512",
-			},
-		},
-	})
-	if err != nil {
-		log.Error("unable to marshal manifest JSON. Error: %v", err)
-		return make([]byte, 0)
-	}
-
-	return bytes
 }
 
 // CreateOrAppendToCustomConf creates or updates the custom config.
@@ -1340,32 +373,30 @@ func CreateOrAppendToCustomConf(purpose string, callback func(cfg *ini.File)) {
 	}
 }
 
-// NewServices initializes the services
-func NewServices() {
-	InitDBConfig()
-	newService()
-	newOAuth2Client()
-	NewLogServices(false)
-	newCacheService()
-	newSessionService()
-	newCORSService()
-	parseMailerConfig(Cfg)
-	newIncomingEmail()
-	newRegisterMailService()
-	newNotifyMailService()
-	newProxyService()
-	newWebhookService()
-	newMigrationsService()
-	newIndexerService()
-	newTaskService()
-	NewQueueService()
-	newProject()
-	newMimeTypeMap()
-	newFederationService()
+// LoadSettings initializes the settings for normal start up
+func LoadSettings() {
+	LoadDBSetting()
+	loadServiceFrom(CfgProvider)
+	loadOAuth2ClientFrom(CfgProvider)
+	InitLogs(false)
+	loadCacheFrom(CfgProvider)
+	loadSessionFrom(CfgProvider)
+	loadCorsFrom(CfgProvider)
+	loadMailsFrom(CfgProvider)
+	loadProxyFrom(CfgProvider)
+	loadWebhookFrom(CfgProvider)
+	loadMigrationsFrom(CfgProvider)
+	loadIndexerFrom(CfgProvider)
+	loadTaskFrom(CfgProvider)
+	LoadQueueSettings()
+	loadProjectFrom(CfgProvider)
+	loadMimeTypeMapFrom(CfgProvider)
+	loadFederationFrom(CfgProvider)
 }
 
-// NewServicesForInstall initializes the services for install
-func NewServicesForInstall() {
-	newService()
-	parseMailerConfig(Cfg)
+// LoadSettingsForInstall initializes the settings for install
+func LoadSettingsForInstall() {
+	LoadDBSetting()
+	loadServiceFrom(CfgProvider)
+	loadMailerFrom(CfgProvider)
 }
diff --git a/modules/setting/ssh.go b/modules/setting/ssh.go
new file mode 100644
index 0000000000..e8796f98d6
--- /dev/null
+++ b/modules/setting/ssh.go
@@ -0,0 +1,197 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"text/template"
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
+
+	gossh "golang.org/x/crypto/ssh"
+)
+
+var SSH = struct {
+	Disabled                              bool               `ini:"DISABLE_SSH"`
+	StartBuiltinServer                    bool               `ini:"START_SSH_SERVER"`
+	BuiltinServerUser                     string             `ini:"BUILTIN_SSH_SERVER_USER"`
+	UseProxyProtocol                      bool               `ini:"SSH_SERVER_USE_PROXY_PROTOCOL"`
+	Domain                                string             `ini:"SSH_DOMAIN"`
+	Port                                  int                `ini:"SSH_PORT"`
+	User                                  string             `ini:"SSH_USER"`
+	ListenHost                            string             `ini:"SSH_LISTEN_HOST"`
+	ListenPort                            int                `ini:"SSH_LISTEN_PORT"`
+	RootPath                              string             `ini:"SSH_ROOT_PATH"`
+	ServerCiphers                         []string           `ini:"SSH_SERVER_CIPHERS"`
+	ServerKeyExchanges                    []string           `ini:"SSH_SERVER_KEY_EXCHANGES"`
+	ServerMACs                            []string           `ini:"SSH_SERVER_MACS"`
+	ServerHostKeys                        []string           `ini:"SSH_SERVER_HOST_KEYS"`
+	KeyTestPath                           string             `ini:"SSH_KEY_TEST_PATH"`
+	KeygenPath                            string             `ini:"SSH_KEYGEN_PATH"`
+	AuthorizedKeysBackup                  bool               `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
+	AuthorizedPrincipalsBackup            bool               `ini:"SSH_AUTHORIZED_PRINCIPALS_BACKUP"`
+	AuthorizedKeysCommandTemplate         string             `ini:"SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE"`
+	AuthorizedKeysCommandTemplateTemplate *template.Template `ini:"-"`
+	MinimumKeySizeCheck                   bool               `ini:"-"`
+	MinimumKeySizes                       map[string]int     `ini:"-"`
+	CreateAuthorizedKeysFile              bool               `ini:"SSH_CREATE_AUTHORIZED_KEYS_FILE"`
+	CreateAuthorizedPrincipalsFile        bool               `ini:"SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE"`
+	ExposeAnonymous                       bool               `ini:"SSH_EXPOSE_ANONYMOUS"`
+	AuthorizedPrincipalsAllow             []string           `ini:"SSH_AUTHORIZED_PRINCIPALS_ALLOW"`
+	AuthorizedPrincipalsEnabled           bool               `ini:"-"`
+	TrustedUserCAKeys                     []string           `ini:"SSH_TRUSTED_USER_CA_KEYS"`
+	TrustedUserCAKeysFile                 string             `ini:"SSH_TRUSTED_USER_CA_KEYS_FILENAME"`
+	TrustedUserCAKeysParsed               []gossh.PublicKey  `ini:"-"`
+	PerWriteTimeout                       time.Duration      `ini:"SSH_PER_WRITE_TIMEOUT"`
+	PerWritePerKbTimeout                  time.Duration      `ini:"SSH_PER_WRITE_PER_KB_TIMEOUT"`
+}{
+	Disabled:                      false,
+	StartBuiltinServer:            false,
+	Domain:                        "",
+	Port:                          22,
+	ServerCiphers:                 []string{"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
+	ServerKeyExchanges:            []string{"curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"},
+	ServerMACs:                    []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
+	KeygenPath:                    "ssh-keygen",
+	MinimumKeySizeCheck:           true,
+	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
+	ServerHostKeys:                []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
+	AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
+	PerWriteTimeout:               PerWriteTimeout,
+	PerWritePerKbTimeout:          PerWritePerKbTimeout,
+}
+
+func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
+	anything := false
+	email := false
+	username := false
+	for _, value := range values {
+		v := strings.ToLower(strings.TrimSpace(value))
+		switch v {
+		case "off":
+			return []string{"off"}, false
+		case "email":
+			email = true
+		case "username":
+			username = true
+		case "anything":
+			anything = true
+		}
+	}
+	if anything {
+		return []string{"anything"}, true
+	}
+
+	authorizedPrincipalsAllow := []string{}
+	if username {
+		authorizedPrincipalsAllow = append(authorizedPrincipalsAllow, "username")
+	}
+	if email {
+		authorizedPrincipalsAllow = append(authorizedPrincipalsAllow, "email")
+	}
+
+	return authorizedPrincipalsAllow, true
+}
+
+func loadSSHFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("server")
+	if len(SSH.Domain) == 0 {
+		SSH.Domain = Domain
+	}
+
+	homeDir, err := util.HomeDir()
+	if err != nil {
+		log.Fatal("Failed to get home directory: %v", err)
+	}
+	homeDir = strings.ReplaceAll(homeDir, "\\", "/")
+
+	SSH.RootPath = path.Join(homeDir, ".ssh")
+	serverCiphers := sec.Key("SSH_SERVER_CIPHERS").Strings(",")
+	if len(serverCiphers) > 0 {
+		SSH.ServerCiphers = serverCiphers
+	}
+	serverKeyExchanges := sec.Key("SSH_SERVER_KEY_EXCHANGES").Strings(",")
+	if len(serverKeyExchanges) > 0 {
+		SSH.ServerKeyExchanges = serverKeyExchanges
+	}
+	serverMACs := sec.Key("SSH_SERVER_MACS").Strings(",")
+	if len(serverMACs) > 0 {
+		SSH.ServerMACs = serverMACs
+	}
+	SSH.KeyTestPath = os.TempDir()
+	if err = sec.MapTo(&SSH); err != nil {
+		log.Fatal("Failed to map SSH settings: %v", err)
+	}
+	for i, key := range SSH.ServerHostKeys {
+		if !filepath.IsAbs(key) {
+			SSH.ServerHostKeys[i] = filepath.Join(AppDataPath, key)
+		}
+	}
+
+	SSH.KeygenPath = sec.Key("SSH_KEYGEN_PATH").MustString("ssh-keygen")
+	SSH.Port = sec.Key("SSH_PORT").MustInt(22)
+	SSH.ListenPort = sec.Key("SSH_LISTEN_PORT").MustInt(SSH.Port)
+	SSH.UseProxyProtocol = sec.Key("SSH_SERVER_USE_PROXY_PROTOCOL").MustBool(false)
+
+	// When disable SSH, start builtin server value is ignored.
+	if SSH.Disabled {
+		SSH.StartBuiltinServer = false
+	}
+
+	SSH.TrustedUserCAKeysFile = sec.Key("SSH_TRUSTED_USER_CA_KEYS_FILENAME").MustString(filepath.Join(SSH.RootPath, "gitea-trusted-user-ca-keys.pem"))
+
+	for _, caKey := range SSH.TrustedUserCAKeys {
+		pubKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(caKey))
+		if err != nil {
+			log.Fatal("Failed to parse TrustedUserCaKeys: %s %v", caKey, err)
+		}
+
+		SSH.TrustedUserCAKeysParsed = append(SSH.TrustedUserCAKeysParsed, pubKey)
+	}
+	if len(SSH.TrustedUserCAKeys) > 0 {
+		// Set the default as email,username otherwise we can leave it empty
+		sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").MustString("username,email")
+	} else {
+		sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").MustString("off")
+	}
+
+	SSH.AuthorizedPrincipalsAllow, SSH.AuthorizedPrincipalsEnabled = parseAuthorizedPrincipalsAllow(sec.Key("SSH_AUTHORIZED_PRINCIPALS_ALLOW").Strings(","))
+
+	SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool(SSH.MinimumKeySizeCheck)
+	minimumKeySizes := rootCfg.Section("ssh.minimum_key_sizes").Keys()
+	for _, key := range minimumKeySizes {
+		if key.MustInt() != -1 {
+			SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
+		} else {
+			delete(SSH.MinimumKeySizes, strings.ToLower(key.Name()))
+		}
+	}
+
+	SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
+	SSH.CreateAuthorizedKeysFile = sec.Key("SSH_CREATE_AUTHORIZED_KEYS_FILE").MustBool(true)
+
+	SSH.AuthorizedPrincipalsBackup = false
+	SSH.CreateAuthorizedPrincipalsFile = false
+	if SSH.AuthorizedPrincipalsEnabled {
+		SSH.AuthorizedPrincipalsBackup = sec.Key("SSH_AUTHORIZED_PRINCIPALS_BACKUP").MustBool(true)
+		SSH.CreateAuthorizedPrincipalsFile = sec.Key("SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE").MustBool(true)
+	}
+
+	SSH.ExposeAnonymous = sec.Key("SSH_EXPOSE_ANONYMOUS").MustBool(false)
+	SSH.AuthorizedKeysCommandTemplate = sec.Key("SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE").MustString(SSH.AuthorizedKeysCommandTemplate)
+
+	SSH.AuthorizedKeysCommandTemplateTemplate = template.Must(template.New("").Parse(SSH.AuthorizedKeysCommandTemplate))
+
+	SSH.PerWriteTimeout = sec.Key("SSH_PER_WRITE_TIMEOUT").MustDuration(PerWriteTimeout)
+	SSH.PerWritePerKbTimeout = sec.Key("SSH_PER_WRITE_PER_KB_TIMEOUT").MustDuration(PerWritePerKbTimeout)
+
+	// ensure parseRunModeSetting has been executed before this
+	SSH.BuiltinServerUser = rootCfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
+	SSH.User = rootCfg.Section("server").Key("SSH_USER").MustString(SSH.BuiltinServerUser)
+}
diff --git a/modules/setting/storage.go b/modules/setting/storage.go
index 32f74aa072..9197c5f8bb 100644
--- a/modules/setting/storage.go
+++ b/modules/setting/storage.go
@@ -30,9 +30,9 @@ func (s *Storage) MapTo(v interface{}) error {
 	return nil
 }
 
-func getStorage(name, typ string, targetSec *ini.Section) Storage {
+func getStorage(rootCfg ConfigProvider, name, typ string, targetSec *ini.Section) Storage {
 	const sectionName = "storage"
-	sec := Cfg.Section(sectionName)
+	sec := rootCfg.Section(sectionName)
 
 	// Global Defaults
 	sec.Key("MINIO_ENDPOINT").MustString("localhost:9000")
@@ -43,7 +43,7 @@ func getStorage(name, typ string, targetSec *ini.Section) Storage {
 	sec.Key("MINIO_USE_SSL").MustBool(false)
 
 	if targetSec == nil {
-		targetSec, _ = Cfg.NewSection(name)
+		targetSec, _ = rootCfg.NewSection(name)
 	}
 
 	var storage Storage
@@ -51,12 +51,12 @@ func getStorage(name, typ string, targetSec *ini.Section) Storage {
 	storage.Type = typ
 
 	overrides := make([]*ini.Section, 0, 3)
-	nameSec, err := Cfg.GetSection(sectionName + "." + name)
+	nameSec, err := rootCfg.GetSection(sectionName + "." + name)
 	if err == nil {
 		overrides = append(overrides, nameSec)
 	}
 
-	typeSec, err := Cfg.GetSection(sectionName + "." + typ)
+	typeSec, err := rootCfg.GetSection(sectionName + "." + typ)
 	if err == nil {
 		overrides = append(overrides, typeSec)
 		nextType := typeSec.Key("STORAGE_TYPE").String()
diff --git a/modules/setting/storage_test.go b/modules/setting/storage_test.go
index 256bbb7a52..7737d233b9 100644
--- a/modules/setting/storage_test.go
+++ b/modules/setting/storage_test.go
@@ -20,11 +20,12 @@ MINIO_BUCKET = gitea-attachment
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = my_minio:9000
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 	assert.EqualValues(t, "my_minio:9000", storage.Section.Key("MINIO_ENDPOINT").String())
@@ -42,11 +43,12 @@ MINIO_BUCKET = gitea-attachment
 [storage.minio]
 MINIO_BUCKET = gitea
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 	assert.EqualValues(t, "gitea-attachment", storage.Section.Key("MINIO_BUCKET").String())
@@ -63,11 +65,12 @@ MINIO_BUCKET = gitea-minio
 [storage]
 MINIO_BUCKET = gitea
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 	assert.EqualValues(t, "gitea-minio", storage.Section.Key("MINIO_BUCKET").String())
@@ -85,22 +88,24 @@ MINIO_BUCKET = gitea
 [storage]
 STORAGE_TYPE = local
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 	assert.EqualValues(t, "gitea-attachment", storage.Section.Key("MINIO_BUCKET").String())
 }
 
 func Test_getStorageGetDefaults(t *testing.T) {
-	Cfg, _ = ini.Load([]byte(""))
+	cfg, err := ini.Load([]byte(""))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "gitea", storage.Section.Key("MINIO_BUCKET").String())
 }
@@ -116,26 +121,27 @@ MINIO_BUCKET = gitea-attachment
 [storage]
 MINIO_BUCKET = gitea-storage
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
 	{
-		sec := Cfg.Section("attachment")
+		sec := cfg.Section("attachment")
 		storageType := sec.Key("STORAGE_TYPE").MustString("")
-		storage := getStorage("attachments", storageType, sec)
+		storage := getStorage(cfg, "attachments", storageType, sec)
 
 		assert.EqualValues(t, "gitea-attachment", storage.Section.Key("MINIO_BUCKET").String())
 	}
 	{
-		sec := Cfg.Section("lfs")
+		sec := cfg.Section("lfs")
 		storageType := sec.Key("STORAGE_TYPE").MustString("")
-		storage := getStorage("lfs", storageType, sec)
+		storage := getStorage(cfg, "lfs", storageType, sec)
 
 		assert.EqualValues(t, "gitea-lfs", storage.Section.Key("MINIO_BUCKET").String())
 	}
 	{
-		sec := Cfg.Section("avatar")
+		sec := cfg.Section("avatar")
 		storageType := sec.Key("STORAGE_TYPE").MustString("")
-		storage := getStorage("avatars", storageType, sec)
+		storage := getStorage(cfg, "avatars", storageType, sec)
 
 		assert.EqualValues(t, "gitea-storage", storage.Section.Key("MINIO_BUCKET").String())
 	}
@@ -149,19 +155,20 @@ STORAGE_TYPE = lfs
 [storage.lfs]
 MINIO_BUCKET = gitea-storage
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
 	{
-		sec := Cfg.Section("attachment")
+		sec := cfg.Section("attachment")
 		storageType := sec.Key("STORAGE_TYPE").MustString("")
-		storage := getStorage("attachments", storageType, sec)
+		storage := getStorage(cfg, "attachments", storageType, sec)
 
 		assert.EqualValues(t, "gitea-storage", storage.Section.Key("MINIO_BUCKET").String())
 	}
 	{
-		sec := Cfg.Section("lfs")
+		sec := cfg.Section("lfs")
 		storageType := sec.Key("STORAGE_TYPE").MustString("")
-		storage := getStorage("lfs", storageType, sec)
+		storage := getStorage(cfg, "lfs", storageType, sec)
 
 		assert.EqualValues(t, "gitea-storage", storage.Section.Key("MINIO_BUCKET").String())
 	}
@@ -172,11 +179,12 @@ func Test_getStorageInheritStorageType(t *testing.T) {
 [storage]
 STORAGE_TYPE = minio
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 }
@@ -186,11 +194,12 @@ func Test_getStorageInheritNameSectionType(t *testing.T) {
 [storage.attachments]
 STORAGE_TYPE = minio
 `
-	Cfg, _ = ini.Load([]byte(iniStr))
+	cfg, err := ini.Load([]byte(iniStr))
+	assert.NoError(t, err)
 
-	sec := Cfg.Section("attachment")
+	sec := cfg.Section("attachment")
 	storageType := sec.Key("STORAGE_TYPE").MustString("")
-	storage := getStorage("attachments", storageType, sec)
+	storage := getStorage(cfg, "attachments", storageType, sec)
 
 	assert.EqualValues(t, "minio", storage.Type)
 }
diff --git a/modules/setting/task.go b/modules/setting/task.go
index cfb0f54668..81732deeb6 100644
--- a/modules/setting/task.go
+++ b/modules/setting/task.go
@@ -5,13 +5,13 @@ package setting
 
 // FIXME: DEPRECATED to be removed in v1.18.0
 // - will need to set default for [queue.task] LENGTH to 1000 though
-func newTaskService() {
-	taskSec := Cfg.Section("task")
-	queueTaskSec := Cfg.Section("queue.task")
+func loadTaskFrom(rootCfg ConfigProvider) {
+	taskSec := rootCfg.Section("task")
+	queueTaskSec := rootCfg.Section("queue.task")
 
-	deprecatedSetting("task", "QUEUE_TYPE", "queue.task", "TYPE")
-	deprecatedSetting("task", "QUEUE_CONN_STR", "queue.task", "CONN_STR")
-	deprecatedSetting("task", "QUEUE_LENGTH", "queue.task", "LENGTH")
+	deprecatedSetting(rootCfg, "task", "QUEUE_TYPE", "queue.task", "TYPE")
+	deprecatedSetting(rootCfg, "task", "QUEUE_CONN_STR", "queue.task", "CONN_STR")
+	deprecatedSetting(rootCfg, "task", "QUEUE_LENGTH", "queue.task", "LENGTH")
 
 	switch taskSec.Key("QUEUE_TYPE").MustString("channel") {
 	case "channel":
diff --git a/modules/setting/time.go b/modules/setting/time.go
new file mode 100644
index 0000000000..5fd0fdb92f
--- /dev/null
+++ b/modules/setting/time.go
@@ -0,0 +1,64 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+)
+
+var (
+	// Time settings
+	TimeFormat string
+	// UILocation is the location on the UI, so that we can display the time on UI.
+	DefaultUILocation = time.Local
+)
+
+func loadTimeFrom(rootCfg ConfigProvider) {
+	timeFormatKey := rootCfg.Section("time").Key("FORMAT").MustString("")
+	if timeFormatKey != "" {
+		TimeFormat = map[string]string{
+			"ANSIC":       time.ANSIC,
+			"UnixDate":    time.UnixDate,
+			"RubyDate":    time.RubyDate,
+			"RFC822":      time.RFC822,
+			"RFC822Z":     time.RFC822Z,
+			"RFC850":      time.RFC850,
+			"RFC1123":     time.RFC1123,
+			"RFC1123Z":    time.RFC1123Z,
+			"RFC3339":     time.RFC3339,
+			"RFC3339Nano": time.RFC3339Nano,
+			"Kitchen":     time.Kitchen,
+			"Stamp":       time.Stamp,
+			"StampMilli":  time.StampMilli,
+			"StampMicro":  time.StampMicro,
+			"StampNano":   time.StampNano,
+		}[timeFormatKey]
+		// When the TimeFormatKey does not exist in the previous map e.g.'2006-01-02 15:04:05'
+		if len(TimeFormat) == 0 {
+			TimeFormat = timeFormatKey
+			TestTimeFormat, _ := time.Parse(TimeFormat, TimeFormat)
+			if TestTimeFormat.Format(time.RFC3339) != "2006-01-02T15:04:05Z" {
+				log.Warn("Provided TimeFormat: %s does not create a fully specified date and time.", TimeFormat)
+				log.Warn("In order to display dates and times correctly please check your time format has 2006, 01, 02, 15, 04 and 05")
+			}
+			log.Trace("Custom TimeFormat: %s", TimeFormat)
+		}
+	}
+
+	zone := rootCfg.Section("time").Key("DEFAULT_UI_LOCATION").String()
+	if zone != "" {
+		var err error
+		DefaultUILocation, err = time.LoadLocation(zone)
+		if err != nil {
+			log.Fatal("Load time zone failed: %v", err)
+		} else {
+			log.Info("Default UI Location is %v", zone)
+		}
+	}
+	if DefaultUILocation == nil {
+		DefaultUILocation = time.Local
+	}
+}
diff --git a/modules/setting/ui.go b/modules/setting/ui.go
new file mode 100644
index 0000000000..2df3c35c76
--- /dev/null
+++ b/modules/setting/ui.go
@@ -0,0 +1,152 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"time"
+
+	"code.gitea.io/gitea/modules/container"
+)
+
+// UI settings
+var UI = struct {
+	ExplorePagingNum      int
+	SitemapPagingNum      int
+	IssuePagingNum        int
+	RepoSearchPagingNum   int
+	MembersPagingNum      int
+	FeedMaxCommitNum      int
+	FeedPagingNum         int
+	PackagesPagingNum     int
+	GraphMaxCommitNum     int
+	CodeCommentLines      int
+	ReactionMaxUserNum    int
+	ThemeColorMetaTag     string
+	MaxDisplayFileSize    int64
+	ShowUserEmail         bool
+	DefaultShowFullName   bool
+	DefaultTheme          string
+	Themes                []string
+	Reactions             []string
+	ReactionsLookup       container.Set[string] `ini:"-"`
+	CustomEmojis          []string
+	CustomEmojisMap       map[string]string `ini:"-"`
+	SearchRepoDescription bool
+	UseServiceWorker      bool
+	OnlyShowRelevantRepos bool
+
+	Notification struct {
+		MinTimeout            time.Duration
+		TimeoutStep           time.Duration
+		MaxTimeout            time.Duration
+		EventSourceUpdateTime time.Duration
+	} `ini:"ui.notification"`
+
+	SVG struct {
+		Enabled bool `ini:"ENABLE_RENDER"`
+	} `ini:"ui.svg"`
+
+	CSV struct {
+		MaxFileSize int64
+	} `ini:"ui.csv"`
+
+	Admin struct {
+		UserPagingNum   int
+		RepoPagingNum   int
+		NoticePagingNum int
+		OrgPagingNum    int
+	} `ini:"ui.admin"`
+	User struct {
+		RepoPagingNum int
+	} `ini:"ui.user"`
+	Meta struct {
+		Author      string
+		Description string
+		Keywords    string
+	} `ini:"ui.meta"`
+}{
+	ExplorePagingNum:    20,
+	SitemapPagingNum:    20,
+	IssuePagingNum:      20,
+	RepoSearchPagingNum: 20,
+	MembersPagingNum:    20,
+	FeedMaxCommitNum:    5,
+	FeedPagingNum:       20,
+	PackagesPagingNum:   20,
+	GraphMaxCommitNum:   100,
+	CodeCommentLines:    4,
+	ReactionMaxUserNum:  10,
+	ThemeColorMetaTag:   `#6cc644`,
+	MaxDisplayFileSize:  8388608,
+	DefaultTheme:        `auto`,
+	Themes:              []string{`auto`, `gitea`, `arc-green`},
+	Reactions:           []string{`+1`, `-1`, `laugh`, `hooray`, `confused`, `heart`, `rocket`, `eyes`},
+	CustomEmojis:        []string{`git`, `gitea`, `codeberg`, `gitlab`, `github`, `gogs`},
+	CustomEmojisMap:     map[string]string{"git": ":git:", "gitea": ":gitea:", "codeberg": ":codeberg:", "gitlab": ":gitlab:", "github": ":github:", "gogs": ":gogs:"},
+	Notification: struct {
+		MinTimeout            time.Duration
+		TimeoutStep           time.Duration
+		MaxTimeout            time.Duration
+		EventSourceUpdateTime time.Duration
+	}{
+		MinTimeout:            10 * time.Second,
+		TimeoutStep:           10 * time.Second,
+		MaxTimeout:            60 * time.Second,
+		EventSourceUpdateTime: 10 * time.Second,
+	},
+	SVG: struct {
+		Enabled bool `ini:"ENABLE_RENDER"`
+	}{
+		Enabled: true,
+	},
+	CSV: struct {
+		MaxFileSize int64
+	}{
+		MaxFileSize: 524288,
+	},
+	Admin: struct {
+		UserPagingNum   int
+		RepoPagingNum   int
+		NoticePagingNum int
+		OrgPagingNum    int
+	}{
+		UserPagingNum:   50,
+		RepoPagingNum:   50,
+		NoticePagingNum: 25,
+		OrgPagingNum:    50,
+	},
+	User: struct {
+		RepoPagingNum int
+	}{
+		RepoPagingNum: 15,
+	},
+	Meta: struct {
+		Author      string
+		Description string
+		Keywords    string
+	}{
+		Author:      "Gitea - Git with a cup of tea",
+		Description: "Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go",
+		Keywords:    "go,git,self-hosted,gitea",
+	},
+}
+
+func loadUIFrom(rootCfg ConfigProvider) {
+	mustMapSetting(rootCfg, "ui", &UI)
+	sec := rootCfg.Section("ui")
+	UI.ShowUserEmail = sec.Key("SHOW_USER_EMAIL").MustBool(true)
+	UI.DefaultShowFullName = sec.Key("DEFAULT_SHOW_FULL_NAME").MustBool(false)
+	UI.SearchRepoDescription = sec.Key("SEARCH_REPO_DESCRIPTION").MustBool(true)
+	UI.UseServiceWorker = sec.Key("USE_SERVICE_WORKER").MustBool(false)
+	UI.OnlyShowRelevantRepos = sec.Key("ONLY_SHOW_RELEVANT_REPOS").MustBool(false)
+
+	UI.ReactionsLookup = make(container.Set[string])
+	for _, reaction := range UI.Reactions {
+		UI.ReactionsLookup.Add(reaction)
+	}
+	UI.CustomEmojisMap = make(map[string]string)
+	for _, emoji := range UI.CustomEmojis {
+		UI.CustomEmojisMap[emoji] = ":" + emoji + ":"
+	}
+}
diff --git a/modules/setting/webhook.go b/modules/setting/webhook.go
index 51e36c3419..c01261dbbd 100644
--- a/modules/setting/webhook.go
+++ b/modules/setting/webhook.go
@@ -29,8 +29,8 @@ var Webhook = struct {
 	ProxyHosts:     []string{},
 }
 
-func newWebhookService() {
-	sec := Cfg.Section("webhook")
+func loadWebhookFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("webhook")
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
diff --git a/routers/api/v1/repo/main_test.go b/routers/api/v1/repo/main_test.go
index 543fb922d6..c7466c493f 100644
--- a/routers/api/v1/repo/main_test.go
+++ b/routers/api/v1/repo/main_test.go
@@ -13,8 +13,8 @@ import (
 )
 
 func TestMain(m *testing.M) {
-	setting.LoadForTest()
-	setting.NewQueueService()
+	setting.InitProviderAndLoadCommonSettingsForTest()
+	setting.LoadQueueSettings()
 	unittest.MainTest(m, &unittest.TestOptions{
 		GiteaRootPath: filepath.Join("..", "..", "..", ".."),
 		SetUp:         webhook_service.Init,
diff --git a/routers/common/middleware.go b/routers/common/middleware.go
index d664bfccfa..4f9d43c362 100644
--- a/routers/common/middleware.go
+++ b/routers/common/middleware.go
@@ -50,11 +50,11 @@ func Middlewares() []func(http.Handler) http.Handler {
 
 	handlers = append(handlers, middleware.StripSlashes)
 
-	if !setting.DisableRouterLog {
+	if !setting.Log.DisableRouterLog {
 		handlers = append(handlers, routing.NewLoggerHandler())
 	}
 
-	if setting.EnableAccessLog {
+	if setting.Log.EnableAccessLog {
 		handlers = append(handlers, context.AccessLogger())
 	}
 
diff --git a/routers/init.go b/routers/init.go
index ab2e2a0bb7..6a51de669a 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -73,7 +73,7 @@ func mustInitCtx(ctx context.Context, fn func(ctx context.Context) error) {
 
 // InitGitServices init new services for git, this is also called in `contrib/pr/checkout.go`
 func InitGitServices() {
-	setting.NewServices()
+	setting.LoadSettings()
 	mustInit(storage.Init)
 	mustInit(repo_service.Init)
 }
@@ -119,7 +119,7 @@ func GlobalInitInstalled(ctx context.Context) {
 	log.Info("AppPath: %s", setting.AppPath)
 	log.Info("AppWorkPath: %s", setting.AppWorkPath)
 	log.Info("Custom path: %s", setting.CustomPath)
-	log.Info("Log path: %s", setting.LogRootPath)
+	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 	log.Info("Run Mode: %s", util.ToTitleCase(setting.RunMode))
 	log.Info("Gitea v%s%s", setting.AppVer, setting.AppBuiltWith)
@@ -127,7 +127,7 @@ func GlobalInitInstalled(ctx context.Context) {
 	// Setup i18n
 	translation.InitLocales(ctx)
 
-	setting.NewServices()
+	setting.LoadSettings()
 	mustInit(storage.Init)
 
 	mailer.NewContext(ctx)
diff --git a/routers/install/install.go b/routers/install/install.go
index 34ed5c355b..a3d64e5f73 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -134,7 +134,7 @@ func Install(ctx *context.Context) {
 	form.SSHPort = setting.SSH.Port
 	form.HTTPPort = setting.HTTPPort
 	form.AppURL = setting.AppURL
-	form.LogRootPath = setting.LogRootPath
+	form.LogRootPath = setting.Log.RootPath
 
 	// E-mail service settings
 	if setting.MailService != nil {
@@ -467,7 +467,7 @@ func SubmitInstall(ctx *context.Context) {
 	cfg.Section("session").Key("PROVIDER").SetValue("file")
 
 	cfg.Section("log").Key("MODE").SetValue("console")
-	cfg.Section("log").Key("LEVEL").SetValue(setting.LogLevel.String())
+	cfg.Section("log").Key("LEVEL").SetValue(setting.Log.Level.String())
 	cfg.Section("log").Key("ROOT_PATH").SetValue(form.LogRootPath)
 	cfg.Section("log").Key("ROUTER").SetValue("console")
 
diff --git a/routers/install/setting.go b/routers/install/setting.go
index b76219f45d..68984f1e78 100644
--- a/routers/install/setting.go
+++ b/routers/install/setting.go
@@ -15,20 +15,21 @@ import (
 
 // PreloadSettings preloads the configuration to check if we need to run install
 func PreloadSettings(ctx context.Context) bool {
-	setting.LoadAllowEmpty()
+	setting.InitProviderAllowEmpty()
+	setting.LoadCommonSettings()
 	if !setting.InstallLock {
 		log.Info("AppPath: %s", setting.AppPath)
 		log.Info("AppWorkPath: %s", setting.AppWorkPath)
 		log.Info("Custom path: %s", setting.CustomPath)
-		log.Info("Log path: %s", setting.LogRootPath)
+		log.Info("Log path: %s", setting.Log.RootPath)
 		log.Info("Configuration file: %s", setting.CustomConf)
 		log.Info("Prepare to run install page")
 		translation.InitLocales(ctx)
 		if setting.EnableSQLite3 {
 			log.Info("SQLite3 is supported")
 		}
-		setting.InitDBConfig()
-		setting.NewServicesForInstall()
+
+		setting.LoadSettingsForInstall()
 		svg.Init()
 	}
 
@@ -37,8 +38,9 @@ func PreloadSettings(ctx context.Context) bool {
 
 // reloadSettings reloads the existing settings and starts up the database
 func reloadSettings(ctx context.Context) {
-	setting.LoadFromExisting()
-	setting.InitDBConfig()
+	setting.InitProviderFromExistingFile()
+	setting.LoadCommonSettings()
+	setting.LoadDBSetting()
 	if setting.InstallLock {
 		if err := common.InitDBEngine(ctx); err == nil {
 			log.Info("ORM engine initialization successful!")
diff --git a/routers/private/manager.go b/routers/private/manager.go
index f15da298d6..a56fe9d123 100644
--- a/routers/private/manager.go
+++ b/routers/private/manager.go
@@ -116,11 +116,11 @@ func AddLogger(ctx *context.PrivateContext) {
 	}
 
 	if _, ok := opts.Config["level"]; !ok {
-		opts.Config["level"] = setting.LogLevel
+		opts.Config["level"] = setting.Log.Level
 	}
 
 	if _, ok := opts.Config["stacktraceLevel"]; !ok {
-		opts.Config["stacktraceLevel"] = setting.StacktraceLogLevel
+		opts.Config["stacktraceLevel"] = setting.Log.StacktraceLogLevel
 	}
 
 	if opts.Mode == "file" {
@@ -135,7 +135,7 @@ func AddLogger(ctx *context.PrivateContext) {
 		}
 	}
 
-	bufferLen := setting.Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
+	bufferLen := setting.Log.BufferLength
 	byteConfig, err := json.Marshal(opts.Config)
 	if err != nil {
 		log.Error("Failed to marshal log configuration: %v %v", opts.Config, err)
diff --git a/routers/private/ssh_log.go b/routers/private/ssh_log.go
index 54604ad554..eacfa18f05 100644
--- a/routers/private/ssh_log.go
+++ b/routers/private/ssh_log.go
@@ -15,7 +15,7 @@ import (
 
 // SSHLog hook to response ssh log
 func SSHLog(ctx *context.PrivateContext) {
-	if !setting.EnableSSHLog {
+	if !setting.Log.EnableSSHLog {
 		ctx.Status(http.StatusOK)
 		return
 	}
diff --git a/routers/web/admin/config.go b/routers/web/admin/config.go
index 73ce4cb990..2566cbe42b 100644
--- a/routers/web/admin/config.go
+++ b/routers/web/admin/config.go
@@ -117,7 +117,7 @@ func Config(ctx *context.Context) {
 	ctx.Data["AppUrl"] = setting.AppURL
 	ctx.Data["Domain"] = setting.Domain
 	ctx.Data["OfflineMode"] = setting.OfflineMode
-	ctx.Data["DisableRouterLog"] = setting.DisableRouterLog
+	ctx.Data["DisableRouterLog"] = setting.Log.DisableRouterLog
 	ctx.Data["RunUser"] = setting.RunUser
 	ctx.Data["RunMode"] = util.ToTitleCase(setting.RunMode)
 	ctx.Data["GitVersion"] = git.VersionInfo()
@@ -125,7 +125,7 @@ func Config(ctx *context.Context) {
 	ctx.Data["RepoRootPath"] = setting.RepoRootPath
 	ctx.Data["CustomRootPath"] = setting.CustomPath
 	ctx.Data["StaticRootPath"] = setting.StaticRootPath
-	ctx.Data["LogRootPath"] = setting.LogRootPath
+	ctx.Data["LogRootPath"] = setting.Log.RootPath
 	ctx.Data["ScriptType"] = setting.ScriptType
 	ctx.Data["ReverseProxyAuthUser"] = setting.ReverseProxyAuthUser
 	ctx.Data["ReverseProxyAuthEmail"] = setting.ReverseProxyAuthEmail
@@ -183,10 +183,10 @@ func Config(ctx *context.Context) {
 
 	ctx.Data["EnvVars"] = envVars
 	ctx.Data["Loggers"] = setting.GetLogDescriptions()
-	ctx.Data["EnableAccessLog"] = setting.EnableAccessLog
-	ctx.Data["AccessLogTemplate"] = setting.AccessLogTemplate
-	ctx.Data["DisableRouterLog"] = setting.DisableRouterLog
-	ctx.Data["EnableXORMLog"] = setting.EnableXORMLog
+	ctx.Data["EnableAccessLog"] = setting.Log.EnableAccessLog
+	ctx.Data["AccessLogTemplate"] = setting.Log.AccessLogTemplate
+	ctx.Data["DisableRouterLog"] = setting.Log.DisableRouterLog
+	ctx.Data["EnableXORMLog"] = setting.Log.EnableXORMLog
 	ctx.Data["LogSQL"] = setting.Database.LogSQL
 
 	ctx.HTML(http.StatusOK, tplConfig)
diff --git a/services/webhook/main_test.go b/services/webhook/main_test.go
index 6cf9410735..210221b120 100644
--- a/services/webhook/main_test.go
+++ b/services/webhook/main_test.go
@@ -15,8 +15,8 @@ import (
 )
 
 func TestMain(m *testing.M) {
-	setting.LoadForTest()
-	setting.NewQueueService()
+	setting.InitProviderAndLoadCommonSettingsForTest()
+	setting.LoadQueueSettings()
 
 	// for tests, allow only loopback IPs
 	setting.Webhook.AllowedHostList = hostmatcher.MatchBuiltinLoopback
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index fbb6322785..716f6d44ab 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -87,8 +87,8 @@ func TestMain(m *testing.M) {
 	c = routers.NormalRoutes(context.TODO())
 
 	// integration test settings...
-	if setting.Cfg != nil {
-		testingCfg := setting.Cfg.Section("integration-tests")
+	if setting.CfgProvider != nil {
+		testingCfg := setting.CfgProvider.Section("integration-tests")
 		tests.SlowTest = testingCfg.Key("SLOW_TEST").MustDuration(tests.SlowTest)
 		tests.SlowFlush = testingCfg.Key("SLOW_FLUSH").MustDuration(tests.SlowFlush)
 	}
diff --git a/tests/integration/migration-test/migration_test.go b/tests/integration/migration-test/migration_test.go
index 170a6dd444..f030f566ce 100644
--- a/tests/integration/migration-test/migration_test.go
+++ b/tests/integration/migration-test/migration_test.go
@@ -57,7 +57,7 @@ func initMigrationTest(t *testing.T) func() {
 		setting.CustomConf = giteaConf
 	}
 
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 
 	assert.True(t, len(setting.RepoRootPath) != 0)
 	assert.NoError(t, util.RemoveAll(setting.RepoRootPath))
@@ -83,8 +83,8 @@ func initMigrationTest(t *testing.T) func() {
 	}
 
 	assert.NoError(t, git.InitFull(context.Background()))
-	setting.InitDBConfig()
-	setting.NewLogServices(true)
+	setting.LoadDBSetting()
+	setting.InitLogs(true)
 	return deferFn
 }
 
@@ -292,7 +292,7 @@ func doMigrationTest(t *testing.T, version string) {
 		return
 	}
 
-	setting.NewXORMLogService(false)
+	setting.InitSQLLog(false)
 
 	err := db.InitEngineWithMigration(context.Background(), wrappedMigrate)
 	assert.NoError(t, err)
diff --git a/tests/test_utils.go b/tests/test_utils.go
index 721edc86f8..9e9f97a5f5 100644
--- a/tests/test_utils.go
+++ b/tests/test_utils.go
@@ -57,7 +57,7 @@ func InitTest(requireGitea bool) {
 	}
 
 	setting.SetCustomPathAndConf("", "", "")
-	setting.LoadForTest()
+	setting.InitProviderAndLoadCommonSettingsForTest()
 	setting.Repository.DefaultBranch = "master" // many test code still assume that default branch is called "master"
 	_ = util.RemoveAll(repo_module.LocalCopyPath())
 
@@ -65,7 +65,7 @@ func InitTest(requireGitea bool) {
 		log.Fatal("git.InitOnceWithSync: %v", err)
 	}
 
-	setting.InitDBConfig()
+	setting.LoadDBSetting()
 	if err := storage.Init(); err != nil {
 		fmt.Printf("Init storage failed: %v", err)
 		os.Exit(1)

From 65fc2d1b83182134610558cbea980e18ec815a93 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Mon, 20 Feb 2023 07:07:46 +0800
Subject: [PATCH 13/81] Fix avatar misalignment (#22955)

Fix #22818.

|  Before   | After  |
|  ----  | ----  |
| <img
src="https://user-images.githubusercontent.com/15528715/219617504-d86e7a90-d4ac-4a92-bd8a-100dddc693d5.png"
width="200px" /> | <img
src="https://user-images.githubusercontent.com/15528715/219618645-a4045f65-bda6-49ce-a676-f03a9817bb70.png"
width="200px" />|
| <img
src="https://user-images.githubusercontent.com/15528715/219618013-844ef208-853b-44bd-a67c-36e360f0ffa7.png"
width="200px" /> | <img
src="https://user-images.githubusercontent.com/15528715/219618361-cb13c369-852e-47bf-ae30-e429d348823d.png"
width="200px" /> |

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/repo/issue/view_content/pull.tmpl | 2 +-
 web_src/less/_explore.less                  | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index 862d5d9a1b..cbcc163df1 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -13,7 +13,7 @@
 									{{avatar $.Context .User}}
 								</a>
 							{{end}}
-							<span>
+							<span class="gt-ml-2">
 								{{if .User}}
 									<a href="{{.User.HomeLink}}">{{.User.GetDisplayName}}</a>
 								{{else if .Team}}
diff --git a/web_src/less/_explore.less b/web_src/less/_explore.less
index 5a41f8dc55..5caf21d417 100644
--- a/web_src/less/_explore.less
+++ b/web_src/less/_explore.less
@@ -69,6 +69,7 @@
 .ui.user.list {
   .item {
     padding-bottom: 25px;
+    display: flex;
 
     &:not(:first-child) {
       border-top: 1px solid var(--color-secondary);
@@ -78,6 +79,7 @@
     img.ui.avatar {
       width: 40px;
       height: 40px;
+      margin-right: 10px;
     }
 
     .description {

From 8e9814c3469dff1ae595b6f12b60dbb32b15d2b7 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 20 Feb 2023 09:57:16 +0800
Subject: [PATCH 14/81] Fix broken pull request files (#22962)

Fix #22961
---
 templates/repo/diff/comments.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/diff/comments.tmpl b/templates/repo/diff/comments.tmpl
index a6f191728c..985ad06559 100644
--- a/templates/repo/diff/comments.tmpl
+++ b/templates/repo/diff/comments.tmpl
@@ -5,7 +5,7 @@
 	{{if .OriginalAuthor}}
 		<span class="avatar"><img src="{{AppSubUrl}}/assets/img/avatar_default.png"></span>
 	{{else}}
-		{{template "shared/user/avatarlink" Dict "Context" $.Context "user" .Poster}}
+		{{template "shared/user/avatarlink" Dict "Context" $.root.Context "user" .Poster}}
 	{{end}}
 	<div class="content comment-container">
 		<div class="ui top attached header comment-header gt-df gt-ac gt-sb">

From 6840a8ccfcdbdcc352eac40a5c9beabf6e7c54ff Mon Sep 17 00:00:00 2001
From: Yarden Shoham <hrsi88@gmail.com>
Date: Mon, 20 Feb 2023 04:30:36 +0200
Subject: [PATCH 15/81] Add comment marking the end of database migrations in
 `1.19.0` (#22975)

There will be no more migrations in `1.19.0`

---------

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
---
 models/migrations/migrations.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index c7497becd1..989a1d6ae1 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -461,6 +461,8 @@ var migrations = []Migration{
 	NewMigration("Alter gpg_key_import content TEXT field to MEDIUMTEXT", v1_19.AlterPublicGPGKeyImportContentFieldToMediumText),
 	// v243 -> v244
 	NewMigration("Add exclusive label", v1_19.AddExclusiveLabel),
+
+	// Gitea 1.19.0 ends at v244
 }
 
 // GetCurrentDBVersion returns the current db version

From 2b3f12f6fd12afebb3b8397dc612621df6c730e2 Mon Sep 17 00:00:00 2001
From: Kyle D <kdumontnu@gmail.com>
Date: Sun, 19 Feb 2023 20:56:07 -0700
Subject: [PATCH 16/81] Use beforeCommit instead of baseCommit (#22949)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces: https://github.com/go-gitea/gitea/pull/22947
Fixes https://github.com/go-gitea/gitea/issues/22946
Probably related to https://github.com/go-gitea/gitea/issues/19530

Basically, many of the diffs were broken because they were comparing to
the base commit, where a 3-dot diff should be comparing to the [last
common
ancestor](https://matthew-brett.github.io/pydagogue/git_diff_dots.html).

This should have an integration test so that we don’t run into this
issue again.

---------

Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
---
 models/db/iterate_test.go                     |   2 +-
 models/fixtures/repo_unit.yml                 |  13 +++
 routers/web/repo/compare.go                   |  11 ++-
 templates/repo/diff/box.tmpl                  |   2 +-
 .../repo20.git/hooks/post-receive.d/gitea     |   2 +-
 .../repo20.git/hooks/pre-receive.d/gitea      |   2 +-
 .../user2/repo20.git/hooks/update.d/gitea     |   2 +-
 .../07/0b2e783a6b3e521a23fdead377a3e41a04410d | Bin 0 -> 128 bytes
 .../79/adb592126eddce5f656f56db797910db025af0 | Bin 0 -> 165 bytes
 .../8b/abce967f21b9dfa6987f943b91093dac58a4f0 |   1 +
 .../a4/202876cd8bbc3f38b7d99594edbe1bb7f97a6f | Bin 0 -> 191 bytes
 .../b0/246d5964a3630491bd06c756be46513e3d7035 | Bin 0 -> 21 bytes
 .../b6/7e43a07d48243a5f670ace063acd5e13f719df | Bin 0 -> 173 bytes
 .../c8/e31bc7688741a5287fcde4fbb8fc129ca07027 |   2 +
 .../cf/e3b3c1fd36fba04f9183287b106497e1afe986 |   3 +
 .../ea/f5f7510320b6a327fb308379de2f94d8859a54 | Bin 0 -> 30 bytes
 .../user2/repo20.git/refs/heads/add-csv       |   1 +
 .../repo20.git/refs/heads/remove-files-a      |   1 +
 .../repo20.git/refs/heads/remove-files-b      |   1 +
 tests/integration/compare_test.go             |  78 ++++++++++++++++++
 20 files changed, 110 insertions(+), 11 deletions(-)
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/07/0b2e783a6b3e521a23fdead377a3e41a04410d
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/79/adb592126eddce5f656f56db797910db025af0
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/8b/abce967f21b9dfa6987f943b91093dac58a4f0
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/a4/202876cd8bbc3f38b7d99594edbe1bb7f97a6f
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/b0/246d5964a3630491bd06c756be46513e3d7035
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/b6/7e43a07d48243a5f670ace063acd5e13f719df
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/c8/e31bc7688741a5287fcde4fbb8fc129ca07027
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/cf/e3b3c1fd36fba04f9183287b106497e1afe986
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/objects/ea/f5f7510320b6a327fb308379de2f94d8859a54
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/refs/heads/add-csv
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-a
 create mode 100644 tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-b

diff --git a/models/db/iterate_test.go b/models/db/iterate_test.go
index 63487afa49..a713fe0d8b 100644
--- a/models/db/iterate_test.go
+++ b/models/db/iterate_test.go
@@ -25,7 +25,7 @@ func TestIterate(t *testing.T) {
 		return nil
 	})
 	assert.NoError(t, err)
-	assert.EqualValues(t, 81, repoCnt)
+	assert.EqualValues(t, 83, repoCnt)
 
 	err = db.Iterate(db.DefaultContext, nil, func(ctx context.Context, repoUnit *repo_model.RepoUnit) error {
 		reopUnit2 := repo_model.RepoUnit{ID: repoUnit.ID}
diff --git a/models/fixtures/repo_unit.yml b/models/fixtures/repo_unit.yml
index 8706717ad4..503b8c9ddf 100644
--- a/models/fixtures/repo_unit.yml
+++ b/models/fixtures/repo_unit.yml
@@ -556,3 +556,16 @@
   repo_id: 54
   type: 1
   created_unix: 946684810
+
+-
+  id: 82
+  repo_id: 31
+  type: 1
+  created_unix: 946684810
+
+-
+  id: 83
+  repo_id: 31
+  type: 3
+  config: "{\"IgnoreWhitespaceConflicts\":false,\"AllowMerge\":true,\"AllowRebase\":true,\"AllowRebaseMerge\":true,\"AllowSquash\":true}"
+  created_unix: 946684810
diff --git a/routers/web/repo/compare.go b/routers/web/repo/compare.go
index 4e40867de2..f21611c634 100644
--- a/routers/web/repo/compare.go
+++ b/routers/web/repo/compare.go
@@ -43,8 +43,8 @@ const (
 )
 
 // setCompareContext sets context data.
-func setCompareContext(ctx *context.Context, base, head *git.Commit, headOwner, headName string) {
-	ctx.Data["BaseCommit"] = base
+func setCompareContext(ctx *context.Context, before, head *git.Commit, headOwner, headName string) {
+	ctx.Data["BeforeCommit"] = before
 	ctx.Data["HeadCommit"] = head
 
 	ctx.Data["GetBlobByPathForCommit"] = func(commit *git.Commit, path string) *git.Blob {
@@ -59,7 +59,7 @@ func setCompareContext(ctx *context.Context, base, head *git.Commit, headOwner,
 		return blob
 	}
 
-	setPathsCompareContext(ctx, base, head, headOwner, headName)
+	setPathsCompareContext(ctx, before, head, headOwner, headName)
 	setImageCompareContext(ctx)
 	setCsvCompareContext(ctx)
 }
@@ -629,9 +629,8 @@ func PrepareCompareDiff(
 	}
 
 	baseGitRepo := ctx.Repo.GitRepo
-	baseCommitID := ci.CompareInfo.BaseCommitID
 
-	baseCommit, err := baseGitRepo.GetCommit(baseCommitID)
+	beforeCommit, err := baseGitRepo.GetCommit(beforeCommitID)
 	if err != nil {
 		ctx.ServerError("GetCommit", err)
 		return false
@@ -668,7 +667,7 @@ func PrepareCompareDiff(
 	ctx.Data["Username"] = ci.HeadUser.Name
 	ctx.Data["Reponame"] = ci.HeadRepo.Name
 
-	setCompareContext(ctx, baseCommit, headCommit, ci.HeadUser.Name, repo.Name)
+	setCompareContext(ctx, beforeCommit, headCommit, ci.HeadUser.Name, repo.Name)
 
 	return false
 }
diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index 62cc069555..1e79824355 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -71,7 +71,7 @@
 				<div id="diff-file-boxes" class="sixteen wide column">
 					{{range $i, $file := .Diff.Files}}
 						{{/*notice: the index of Diff.Files should not be used for element ID, because the index will be restarted from 0 when doing load-more for PRs with a lot of files*/}}
-						{{$blobBase := call $.GetBlobByPathForCommit $.BaseCommit $file.OldName}}
+						{{$blobBase := call $.GetBlobByPathForCommit $.BeforeCommit $file.OldName}}
 						{{$blobHead := call $.GetBlobByPathForCommit $.HeadCommit $file.Name}}
 						{{$isImage := or (call $.IsBlobAnImage $blobBase) (call $.IsBlobAnImage $blobHead)}}
 						{{$isCsv := (call $.IsCsvFile $file)}}
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/hooks/post-receive.d/gitea b/tests/gitea-repositories-meta/user2/repo20.git/hooks/post-receive.d/gitea
index ee2ab2f2df..43a948da3a 100755
--- a/tests/gitea-repositories-meta/user2/repo20.git/hooks/post-receive.d/gitea
+++ b/tests/gitea-repositories-meta/user2/repo20.git/hooks/post-receive.d/gitea
@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-"/home/tris/Projects/go/src/code.gitea.io/gitea/gitea" hook --config='/home/tris/Projects/go/src/code.gitea.io/gitea/custom/conf/app.ini' post-receive
+"$GITEA_ROOT/gitea" hook --config="$GITEA_ROOT/$GITEA_CONF" post-receive
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive.d/gitea b/tests/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive.d/gitea
index cdbc3c7c1a..49d0940636 100755
--- a/tests/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive.d/gitea
+++ b/tests/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive.d/gitea
@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-"/home/tris/Projects/go/src/code.gitea.io/gitea/gitea" hook --config='/home/tris/Projects/go/src/code.gitea.io/gitea/custom/conf/app.ini' pre-receive
+"$GITEA_ROOT/gitea" hook --config="$GITEA_ROOT/$GITEA_CONF" pre-receive
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/hooks/update.d/gitea b/tests/gitea-repositories-meta/user2/repo20.git/hooks/update.d/gitea
index 7447b2fe01..38101c2426 100755
--- a/tests/gitea-repositories-meta/user2/repo20.git/hooks/update.d/gitea
+++ b/tests/gitea-repositories-meta/user2/repo20.git/hooks/update.d/gitea
@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-"/home/tris/Projects/go/src/code.gitea.io/gitea/gitea" hook --config='/home/tris/Projects/go/src/code.gitea.io/gitea/custom/conf/app.ini' update $1 $2 $3
+"$GITEA_ROOT/gitea" hook --config="$GITEA_ROOT/$GITEA_CONF" update $1 $2 $3
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/07/0b2e783a6b3e521a23fdead377a3e41a04410d b/tests/gitea-repositories-meta/user2/repo20.git/objects/07/0b2e783a6b3e521a23fdead377a3e41a04410d
new file mode 100644
index 0000000000000000000000000000000000000000..7ec6df17fbb8e3b25c5c31f866f2dd4ec3ccafe0
GIT binary patch
literal 128
zcmV-`0Du2@0V^p=O;s>7HfAs}00M<XhUS9l^~uxciEw8}%+!{@?J#4L&rL%kuw+hV
zUUqyE!|l$KMSsHE^wyd8yKeV7rPN@4MHE>@3WKAUhDKy*_wtRA`}fY#mbBaP(exd%
i3XnkzOrobB+Nw=mblA;n>(lw}pKI*DUIhR*r8f`;wL;SX

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/79/adb592126eddce5f656f56db797910db025af0 b/tests/gitea-repositories-meta/user2/repo20.git/objects/79/adb592126eddce5f656f56db797910db025af0
new file mode 100644
index 0000000000000000000000000000000000000000..0071ac75b4bfacbc195a4ed815c400b8704bb366
GIT binary patch
literal 165
zcmV;W09yZe0V^p=O;s>7vt%$a00M<XhUS9l^~uxciEw8}%+!{@?J#4L&rL%kuw+hV
zUUqyE!|l$KMSsHE^wyd8yKeV7rPN@4MHE>@3WKAUhDKy*_wtRA`}fY#mbBaP(exd%
z3XnkzOrobB+Nw=mblA;n>(lw}pKI*DUNtl@Ff%bxC`m0Y(JQGaVR-fRdmyvIw#Dkd
T4Vo+O=})=QIx7SK^4La`N~u-D

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/8b/abce967f21b9dfa6987f943b91093dac58a4f0 b/tests/gitea-repositories-meta/user2/repo20.git/objects/8b/abce967f21b9dfa6987f943b91093dac58a4f0
new file mode 100644
index 0000000000..06bf6dc972
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/objects/8b/abce967f21b9dfa6987f943b91093dac58a4f0
@@ -0,0 +1 @@
+x
•ŽAnÃ0sÖ+ø�”l‘	Ð[_A‹TkIJC>ø÷Õz[,f1›·Zç!øKÛÍ€“èSð�L5[,©DÒ‰'�:aˆRнe·µÁDlã È:^C�g”lHƒd�æ‡Â>iqr´ßm‡ïs1ø‚ÛK�º­m=?Uæå3oõž˜®�òð�Ñõ¶¿köß�{ª‚@wÔʼ˜û�E]
\ No newline at end of file
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/a4/202876cd8bbc3f38b7d99594edbe1bb7f97a6f b/tests/gitea-repositories-meta/user2/repo20.git/objects/a4/202876cd8bbc3f38b7d99594edbe1bb7f97a6f
new file mode 100644
index 0000000000000000000000000000000000000000..5096e42a239f82cf71251c3b96bd97c339bf1dde
GIT binary patch
literal 191
zcmV;w06_nE0V^p=O;s>5Fkvt;00M<XhUS9l^~uxciEw8}%+!{@?J#4L&rL%kuw+hV
zUUqyE!|l$KMSsHE^wyd8yKeV7rPN@4MHE>@3WKAUhDKy*_wtRA`}fY#mbBaP(exd%
zii}JK&FE!o!v9{$Pg*Ke^o1{B+r4GeHz6wl*~P#lditTQ+SEmd-MqFwo$vm+#{TP7
tLjwad6BC7!)Z!Ao<l-`h4Jx^jDT|X?ChlcB9=6Xd(9X8N6aZ1BQiS%qW7z-z

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/b0/246d5964a3630491bd06c756be46513e3d7035 b/tests/gitea-repositories-meta/user2/repo20.git/objects/b0/246d5964a3630491bd06c756be46513e3d7035
new file mode 100644
index 0000000000000000000000000000000000000000..88d468ea2322b6f08a9017449adfec2f2a7ad75c
GIT binary patch
literal 21
ccmb<m^geacKgb~2;ELfT!)Htkl6Fk*09zUd^8f$<

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/b6/7e43a07d48243a5f670ace063acd5e13f719df b/tests/gitea-repositories-meta/user2/repo20.git/objects/b6/7e43a07d48243a5f670ace063acd5e13f719df
new file mode 100644
index 0000000000000000000000000000000000000000..794a74a97c71f7749cc29577b8eb15bd0bef5372
GIT binary patch
literal 173
zcmV;e08;;W0hNwHj>0euMOo(*zQCZwY3m>%#Dd)%0y&8b6-|m-cci&JxdPk&^qziN
zN|_YU<3U#uuw)|&1<ynD(xYSaV;0Vyh`n@<ZPz)Q&6`)L3Mq(pG0_kLHP~aIF=gq-
z7{izxo)WhtlHpyS%L>2$v%n3`ue_I~YTd7o!qa?AOSym>S_jEvfFIjiYuei0seJ31
bo6MpDDw`hD_6J-u%u{{cpOg6jb7x6@F5XqV

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/c8/e31bc7688741a5287fcde4fbb8fc129ca07027 b/tests/gitea-repositories-meta/user2/repo20.git/objects/c8/e31bc7688741a5287fcde4fbb8fc129ca07027
new file mode 100644
index 0000000000..48bb1a43d9
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/objects/c8/e31bc7688741a5287fcde4fbb8fc129ca07027
@@ -0,0 +1,2 @@
+x
•ÎA
+Â0@Q×9Å\@™NÒ&
wž"“L´Ø4Ò¦‚·×+¸ýðàÇZÊØ€ˆvm�`ÉÙ!&ÇuÖŽmò¾÷FKÇl³·aÈê™8t¨]¢l;ÆÀHè}g´�9'2}´{�*líQ¸}&�+Ÿi+unóv¾—0N‡XË	ºÁŽ,!Â{Dõ«¿»&ÿ:uI	š¬
âú†<N¢¾¨qEo
\ No newline at end of file
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/cf/e3b3c1fd36fba04f9183287b106497e1afe986 b/tests/gitea-repositories-meta/user2/repo20.git/objects/cf/e3b3c1fd36fba04f9183287b106497e1afe986
new file mode 100644
index 0000000000..ed40dd00e9
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/objects/cf/e3b3c1fd36fba04f9183287b106497e1afe986
@@ -0,0 +1,3 @@
+x
•ŽAnÂ0EYûs
�=v2FBv=D5¶';U˜Tâöø
+Ýþ§÷ôóZ묀º‰€%›P(z“—
£ŸŠpñDì%8¶!8[Ì/oÒrïR¦1FêpÀHS.¦”┞3÷$’á]ëßïEà—gÙëÚ´í×{åy9åµ~�{	Ï
Žv°Öôµ¿Sù¯gn²ˆ
+¨¼ô”_À­À2·çÏc6tuI‚
\ No newline at end of file
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/objects/ea/f5f7510320b6a327fb308379de2f94d8859a54 b/tests/gitea-repositories-meta/user2/repo20.git/objects/ea/f5f7510320b6a327fb308379de2f94d8859a54
new file mode 100644
index 0000000000000000000000000000000000000000..5302511266468ad6dba135352b4bbcff12ce555e
GIT binary patch
literal 30
mcmb<m^geacKghr&(L?j>*|i}a=gw<;p4EQH#1Q;~y$k@v-VC+?

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/add-csv b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/add-csv
new file mode 100644
index 0000000000..c95a517668
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/add-csv
@@ -0,0 +1 @@
+c8e31bc7688741a5287fcde4fbb8fc129ca07027
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-a b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-a
new file mode 100644
index 0000000000..138f2f43d5
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-a
@@ -0,0 +1 @@
+cfe3b3c1fd36fba04f9183287b106497e1afe986
diff --git a/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-b b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-b
new file mode 100644
index 0000000000..04270e29bd
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo20.git/refs/heads/remove-files-b
@@ -0,0 +1 @@
+8babce967f21b9dfa6987f943b91093dac58a4f0
diff --git a/tests/integration/compare_test.go b/tests/integration/compare_test.go
index dc2bff89fd..509524ca56 100644
--- a/tests/integration/compare_test.go
+++ b/tests/integration/compare_test.go
@@ -4,6 +4,7 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 	"testing"
@@ -40,3 +41,80 @@ func TestCompareDefault(t *testing.T) {
 	selection := htmlDoc.doc.Find(".choose.branch .filter.dropdown")
 	assert.Lenf(t, selection.Nodes, 2, "The template has changed")
 }
+
+// Ensure the comparison matches what we expect
+func inspectCompare(t *testing.T, htmlDoc *HTMLDoc, diffCount int, diffChanges []string) {
+	selection := htmlDoc.doc.Find("#diff-file-boxes").Children()
+
+	assert.Lenf(t, selection.Nodes, diffCount, "Expected %v diffed files, found: %v", diffCount, len(selection.Nodes))
+
+	for _, diffChange := range diffChanges {
+		selection = htmlDoc.doc.Find(fmt.Sprintf("[data-new-filename=\"%s\"]", diffChange))
+		assert.Lenf(t, selection.Nodes, 1, "Expected 1 match for [data-new-filename=\"%s\"], found: %v", diffChange, len(selection.Nodes))
+	}
+}
+
+// Git commit graph for repo20
+// * 8babce9 (origin/remove-files-b) Add a dummy file
+// * b67e43a Delete test.csv and link_hi
+// | * cfe3b3c (origin/remove-files-a) Delete test.csv and link_hi
+// |/
+// * c8e31bc (origin/add-csv) Add test csv file
+// * 808038d (HEAD -> master, origin/master, origin/HEAD) Added test links
+
+func TestCompareBranches(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user2")
+
+	// Inderect compare remove-files-b (head) with add-csv (base) branch
+	//
+	//	'link_hi' and 'test.csv' are deleted, 'test.txt' is added
+	req := NewRequest(t, "GET", "/user2/repo20/compare/add-csv...remove-files-b")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, resp.Body)
+
+	diffCount := 3
+	diffChanges := []string{"link_hi", "test.csv", "test.txt"}
+
+	inspectCompare(t, htmlDoc, diffCount, diffChanges)
+
+	// Inderect compare remove-files-b (head) with remove-files-a (base) branch
+	//
+	//	'link_hi' and 'test.csv' are deleted, 'test.txt' is added
+
+	req = NewRequest(t, "GET", "/user2/repo20/compare/remove-files-a...remove-files-b")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	htmlDoc = NewHTMLParser(t, resp.Body)
+
+	diffCount = 3
+	diffChanges = []string{"link_hi", "test.csv", "test.txt"}
+
+	inspectCompare(t, htmlDoc, diffCount, diffChanges)
+
+	// Inderect compare remove-files-a (head) with remove-files-b (base) branch
+	//
+	//	'link_hi' and 'test.csv' are deleted
+
+	req = NewRequest(t, "GET", "/user2/repo20/compare/remove-files-b...remove-files-a")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	htmlDoc = NewHTMLParser(t, resp.Body)
+
+	diffCount = 2
+	diffChanges = []string{"link_hi", "test.csv"}
+
+	inspectCompare(t, htmlDoc, diffCount, diffChanges)
+
+	// Direct compare remove-files-b (head) with remove-files-a (base) branch
+	//
+	//	'test.txt' is deleted
+
+	req = NewRequest(t, "GET", "/user2/repo20/compare/remove-files-b..remove-files-a")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	htmlDoc = NewHTMLParser(t, resp.Body)
+
+	diffCount = 1
+	diffChanges = []string{"test.txt"}
+
+	inspectCompare(t, htmlDoc, diffCount, diffChanges)
+}

From ef11d41639dd1e89676e395068ee453312560adb Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Mon, 20 Feb 2023 05:20:30 +0000
Subject: [PATCH 17/81] Make CI use a dummy password hasher for all tests
 (#22983)

During the recent hash algorithm change it became clear that the choice
of password hash algorithm plays a role in the time taken for CI to run.

Therefore as attempt to improve CI we should consider using a dummy
hashing algorithm instead of a real hashing algorithm.

This PR creates a dummy algorithm which is then set as the default
hashing algorithm during tests that use the fixtures. This hopefully
will cause a reduction in the time it takes for CI to run.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 models/fixtures/user.yml                 | 132 +++++++++++------------
 models/unittest/fixtures.go              |  10 ++
 modules/auth/password/hash/argon2.go     |   2 +-
 modules/auth/password/hash/bcrypt.go     |   2 +-
 modules/auth/password/hash/dummy.go      |  33 ++++++
 modules/auth/password/hash/dummy_test.go |  25 +++++
 modules/auth/password/hash/hash.go       |  13 ++-
 modules/auth/password/hash/hash_test.go  |   8 +-
 modules/auth/password/hash/pbkdf2.go     |   2 +-
 modules/auth/password/hash/scrypt.go     |   2 +-
 modules/setting/setting.go               |   5 +
 11 files changed, 160 insertions(+), 74 deletions(-)
 create mode 100644 modules/auth/password/hash/dummy.go
 create mode 100644 modules/auth/password/hash/dummy_test.go

diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index b5f8b27215..b1c7fc0030 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -8,8 +8,8 @@
   email: user1@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user1
@@ -45,8 +45,8 @@
   email: user2@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user2
@@ -82,8 +82,8 @@
   email: user3@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user3
@@ -119,8 +119,8 @@
   email: user4@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user4
@@ -156,8 +156,8 @@
   email: user5@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user5
@@ -193,8 +193,8 @@
   email: user6@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user6
@@ -230,8 +230,8 @@
   email: user7@example.com
   keep_email_private: false
   email_notifications_preference: disabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user7
@@ -267,8 +267,8 @@
   email: user8@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user8
@@ -304,8 +304,8 @@
   email: user9@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user9
@@ -341,8 +341,8 @@
   email: user10@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user10
@@ -378,8 +378,8 @@
   email: user11@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user11
@@ -415,8 +415,8 @@
   email: user12@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user12
@@ -452,8 +452,8 @@
   email: user13@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user13
@@ -489,8 +489,8 @@
   email: user14@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user14
@@ -526,8 +526,8 @@
   email: user15@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user15
@@ -563,8 +563,8 @@
   email: user16@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user16
@@ -600,8 +600,8 @@
   email: user17@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user17
@@ -637,8 +637,8 @@
   email: user18@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user18
@@ -674,8 +674,8 @@
   email: user19@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user19
@@ -711,8 +711,8 @@
   email: user20@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user20
@@ -748,8 +748,8 @@
   email: user21@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user21
@@ -785,8 +785,8 @@
   email: limited_org@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: limited_org
@@ -822,8 +822,8 @@
   email: privated_org@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: privated_org
@@ -859,8 +859,8 @@
   email: user24@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user24
@@ -896,8 +896,8 @@
   email: org25@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: org25
@@ -933,8 +933,8 @@
   email: org26@example.com
   keep_email_private: false
   email_notifications_preference: onmention
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: org26
@@ -970,8 +970,8 @@
   email: user27@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user27
@@ -1007,8 +1007,8 @@
   email: user28@example.com
   keep_email_private: true
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user28
@@ -1044,8 +1044,8 @@
   email: user29@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user29
@@ -1081,8 +1081,8 @@
   email: user30@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user30
@@ -1118,8 +1118,8 @@
   email: user31@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user31
@@ -1155,8 +1155,8 @@
   email: user32@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f47017
-  passwd_hash_algo: argon2
+  passwd: ZogKvWdyEx:notpassword
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user32
@@ -1192,8 +1192,8 @@
   email: user33@example.com
   keep_email_private: false
   email_notifications_preference: enabled
-  passwd: e82bc8ae42a53b98c3bd0f941aacc4aa2a264407534b0a11bf270137f67af912f694b67951f92148c45f91717e1478ca7889
-  passwd_hash_algo: pbkdf2$50000$50
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
   must_change_password: false
   login_source: 0
   login_name: user33
diff --git a/models/unittest/fixtures.go b/models/unittest/fixtures.go
index 9fba053825..545452a159 100644
--- a/models/unittest/fixtures.go
+++ b/models/unittest/fixtures.go
@@ -9,6 +9,8 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/auth/password/hash"
+	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/go-testfixtures/testfixtures/v3"
 	"xorm.io/xorm"
@@ -64,6 +66,11 @@ func InitFixtures(opts FixturesOptions, engine ...*xorm.Engine) (err error) {
 		return err
 	}
 
+	// register the dummy hash algorithm function used in the test fixtures
+	_ = hash.Register("dummy", hash.NewDummyHasher)
+
+	setting.PasswordHashAlgo, _ = hash.SetDefaultPasswordHashAlgorithm("dummy")
+
 	return err
 }
 
@@ -115,5 +122,8 @@ func LoadFixtures(engine ...*xorm.Engine) error {
 			}
 		}
 	}
+	_ = hash.Register("dummy", hash.NewDummyHasher)
+	setting.PasswordHashAlgo, _ = hash.SetDefaultPasswordHashAlgorithm("dummy")
+
 	return err
 }
diff --git a/modules/auth/password/hash/argon2.go b/modules/auth/password/hash/argon2.go
index 14c16b53c4..0cd6472fa1 100644
--- a/modules/auth/password/hash/argon2.go
+++ b/modules/auth/password/hash/argon2.go
@@ -13,7 +13,7 @@ import (
 )
 
 func init() {
-	Register("argon2", NewArgon2Hasher)
+	MustRegister("argon2", NewArgon2Hasher)
 }
 
 // Argon2Hasher implements PasswordHasher
diff --git a/modules/auth/password/hash/bcrypt.go b/modules/auth/password/hash/bcrypt.go
index ddf5420408..4607c169cd 100644
--- a/modules/auth/password/hash/bcrypt.go
+++ b/modules/auth/password/hash/bcrypt.go
@@ -8,7 +8,7 @@ import (
 )
 
 func init() {
-	Register("bcrypt", NewBcryptHasher)
+	MustRegister("bcrypt", NewBcryptHasher)
 }
 
 // BcryptHasher implements PasswordHasher
diff --git a/modules/auth/password/hash/dummy.go b/modules/auth/password/hash/dummy.go
new file mode 100644
index 0000000000..22f2e2f648
--- /dev/null
+++ b/modules/auth/password/hash/dummy.go
@@ -0,0 +1,33 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"encoding/hex"
+)
+
+// DummyHasher implements PasswordHasher and is a dummy hasher that simply
+// puts the password in place with its salt
+// This SHOULD NOT be used in production and is provided to make the integration
+// tests faster only
+type DummyHasher struct{}
+
+// HashWithSaltBytes a provided password and salt
+func (hasher *DummyHasher) HashWithSaltBytes(password string, salt []byte) string {
+	if hasher == nil {
+		return ""
+	}
+
+	if len(salt) == 10 {
+		return string(salt) + ":" + password
+	}
+
+	return hex.EncodeToString(salt) + ":" + password
+}
+
+// NewDummyHasher is a factory method to create a DummyHasher
+// Any provided configuration is ignored
+func NewDummyHasher(_ string) *DummyHasher {
+	return &DummyHasher{}
+}
diff --git a/modules/auth/password/hash/dummy_test.go b/modules/auth/password/hash/dummy_test.go
new file mode 100644
index 0000000000..f3b36df625
--- /dev/null
+++ b/modules/auth/password/hash/dummy_test.go
@@ -0,0 +1,25 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package hash
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDummyHasher(t *testing.T) {
+	dummy := &PasswordHashAlgorithm{
+		PasswordSaltHasher: NewDummyHasher(""),
+		Specification:      "dummy",
+	}
+
+	password, salt := "password", "ZogKvWdyEx"
+
+	hash, err := dummy.Hash(password, salt)
+	assert.Nil(t, err)
+	assert.Equal(t, hash, salt+":"+password)
+
+	assert.True(t, dummy.VerifyPassword(password, hash, salt))
+}
diff --git a/modules/auth/password/hash/hash.go b/modules/auth/password/hash/hash.go
index 3572dd46d4..459320e1b0 100644
--- a/modules/auth/password/hash/hash.go
+++ b/modules/auth/password/hash/hash.go
@@ -83,17 +83,26 @@ var (
 	availableHasherFactories = map[string]func(string) PasswordSaltHasher{}
 )
 
+// MustRegister registers a PasswordSaltHasher with the availableHasherFactories
+// Caution: This is not thread safe.
+func MustRegister[T PasswordSaltHasher](name string, newFn func(config string) T) {
+	if err := Register(name, newFn); err != nil {
+		panic(err)
+	}
+}
+
 // Register registers a PasswordSaltHasher with the availableHasherFactories
 // Caution: This is not thread safe.
-func Register[T PasswordSaltHasher](name string, newFn func(config string) T) {
+func Register[T PasswordSaltHasher](name string, newFn func(config string) T) error {
 	if _, has := availableHasherFactories[name]; has {
-		panic(fmt.Errorf("duplicate registration of password salt hasher: %s", name))
+		return fmt.Errorf("duplicate registration of password salt hasher: %s", name)
 	}
 
 	availableHasherFactories[name] = func(config string) PasswordSaltHasher {
 		n := newFn(config)
 		return n
 	}
+	return nil
 }
 
 // In early versions of gitea the password hash algorithm field of a user could be
diff --git a/modules/auth/password/hash/hash_test.go b/modules/auth/password/hash/hash_test.go
index 593c8386a3..7aa051733f 100644
--- a/modules/auth/password/hash/hash_test.go
+++ b/modules/auth/password/hash/hash_test.go
@@ -19,16 +19,20 @@ func (t testSaltHasher) HashWithSaltBytes(password string, salt []byte) string {
 }
 
 func Test_registerHasher(t *testing.T) {
-	Register("Test_registerHasher", func(config string) testSaltHasher {
+	MustRegister("Test_registerHasher", func(config string) testSaltHasher {
 		return testSaltHasher(config)
 	})
 
 	assert.Panics(t, func() {
-		Register("Test_registerHasher", func(config string) testSaltHasher {
+		MustRegister("Test_registerHasher", func(config string) testSaltHasher {
 			return testSaltHasher(config)
 		})
 	})
 
+	assert.Error(t, Register("Test_registerHasher", func(config string) testSaltHasher {
+		return testSaltHasher(config)
+	}))
+
 	assert.Equal(t, "password$salt$",
 		Parse("Test_registerHasher").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))
 
diff --git a/modules/auth/password/hash/pbkdf2.go b/modules/auth/password/hash/pbkdf2.go
index be3121318e..27382fedb8 100644
--- a/modules/auth/password/hash/pbkdf2.go
+++ b/modules/auth/password/hash/pbkdf2.go
@@ -14,7 +14,7 @@ import (
 )
 
 func init() {
-	Register("pbkdf2", NewPBKDF2Hasher)
+	MustRegister("pbkdf2", NewPBKDF2Hasher)
 }
 
 // PBKDF2Hasher implements PasswordHasher
diff --git a/modules/auth/password/hash/scrypt.go b/modules/auth/password/hash/scrypt.go
index e77434fc32..f3d38f751a 100644
--- a/modules/auth/password/hash/scrypt.go
+++ b/modules/auth/password/hash/scrypt.go
@@ -13,7 +13,7 @@ import (
 )
 
 func init() {
-	Register("scrypt", NewScryptHasher)
+	MustRegister("scrypt", NewScryptHasher)
 }
 
 // ScryptHasher implements PasswordHasher
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 83ebde9478..87b1e2797f 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -16,6 +16,7 @@ import (
 	"strings"
 	"time"
 
+	"code.gitea.io/gitea/modules/auth/password/hash"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/util"
@@ -232,6 +233,10 @@ func InitProviderAndLoadCommonSettingsForTest(extraConfigs ...string) {
 	if err := PrepareAppDataPath(); err != nil {
 		log.Fatal("Can not prepare APP_DATA_PATH: %v", err)
 	}
+	// register the dummy hash algorithm function used in the test fixtures
+	_ = hash.Register("dummy", hash.NewDummyHasher)
+
+	PasswordHashAlgo, _ = hash.SetDefaultPasswordHashAlgorithm("dummy")
 }
 
 // newFileProviderFromConf initializes configuration context.

From b811ab48e513a5b98edb935e0c63e76233ee1783 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Mon, 20 Feb 2023 16:08:33 +0900
Subject: [PATCH 18/81] Add all units to the units permission list in org team
 members sidebar (#22971)

Add all units to the units permission list in org team members sidebar.

Before:

![BQF448EIHEYKY62XGG(5101](https://user-images.githubusercontent.com/18380374/219877772-b57df8fb-2b82-4b1a-85c8-3809f8751cab.png)
After:

![image](https://user-images.githubusercontent.com/18380374/219877762-f69482b8-abf9-4333-978e-6a3f52039a16.png)

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/org/team/sidebar.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl
index ab118a7e26..507173e51f 100644
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -58,7 +58,7 @@
 						</thead>
 						<tbody>
 							{{range $t, $unit := $.Units}}
-								{{if and (lt $unit.MaxPerm 2) (not $unit.Type.UnitGlobalDisabled)}}
+								{{if (not $unit.Type.UnitGlobalDisabled)}}
 									<tr>
 										<td><strong>{{$.locale.Tr $unit.NameKey}}</strong></td>
 										<td>{{if eq ($.Team.UnitAccessMode $.Context $unit.Type) 0 -}}

From 1d64eafe8f296e77c59c18fcda428d2b5df67ac0 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Mon, 20 Feb 2023 16:42:02 +0800
Subject: [PATCH 19/81] Add me to maintainers (#22998)

Add me to maintainers.

[List of merged
PRs](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+author%3AZettat123+is%3Amerged)

Co-authored-by: Jason Song <i@wolfogre.com>
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index a37d336de3..b1adf9ef0d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -47,3 +47,4 @@ Wim <wim@42.be> (@42wim)
 Xinyu Zhou <i@sourcehut.net> (@xin-u)
 Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
+Yu Tian <zettat123@gmail.com> (@Zettat123)

From 3596df52c09831f7f39f8416264ff267954f35a0 Mon Sep 17 00:00:00 2001
From: oliverpool <3864879+oliverpool@users.noreply.github.com>
Date: Mon, 20 Feb 2023 09:43:04 +0100
Subject: [PATCH 20/81] Fix hidden commit status on multiple checks (#22889)

Since #22632, when a commit status has multiple checks, no check is
shown at all (hence no way to see the other checks).

This PR fixes this by always adding a tag with the
`.commit-statuses-trigger` to the DOM (the `.vm` is for vertical
alignment).

![2023-02-13-120528](https://user-images.githubusercontent.com/3864879/218441846-1a79c169-2efd-46bb-9e75-d8b45d7cc8e3.png)

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/repo/commit_statuses.tmpl    | 16 +++++--
 tests/integration/git_test.go          | 15 +++++--
 tests/integration/pull_status_test.go  | 21 ++++++----
 tests/integration/repo_commits_test.go | 58 ++++++++++++++++++++++++--
 web_src/js/features/repo-commit.js     |  2 +-
 web_src/less/_base.less                |  3 +-
 web_src/less/_repository.less          | 24 -----------
 7 files changed, 92 insertions(+), 47 deletions(-)

diff --git a/templates/repo/commit_statuses.tmpl b/templates/repo/commit_statuses.tmpl
index 8250a85817..8858fb8402 100644
--- a/templates/repo/commit_statuses.tmpl
+++ b/templates/repo/commit_statuses.tmpl
@@ -1,6 +1,14 @@
-{{if eq (len .Statuses) 1}}{{$status := index .Statuses 0}}{{if $status.TargetURL}}<a class="ui link commit-statuses-trigger gt-vm" href="{{$status.TargetURL}}">{{template "repo/commit_status" .Status}}</a>{{end}}{{end}}
-<div class="ui commit-statuses-popup commit-statuses tippy-target">
-	<div class="ui relaxed list divided">
+{{if .Statuses}}
+	{{if and (eq (len .Statuses) 1) .Status.TargetURL}}
+		<a class="gt-vm gt-tdn" data-tippy="commit-statuses" href="{{.Status.TargetURL}}">
+			{{template "repo/commit_status" .Status}}
+		</a>
+	{{else}}
+		<span class="gt-vm" data-tippy="commit-statuses" tabindex="0">
+			{{template "repo/commit_status" .Status}}
+		</span>
+	{{end}}
+	<div class="tippy-target ui relaxed list divided">
 		{{range .Statuses}}
 			<div class="ui item singular-status gt-df">
 				{{template "repo/commit_status" .}}
@@ -11,4 +19,4 @@
 			</div>
 		{{end}}
 	</div>
-</div>
+{{end}}
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index 420a8676b9..d21f3994a1 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -630,8 +630,17 @@ func doAutoPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
 
 		commitID := path.Base(commitURL)
 
+		addCommitStatus := func(status api.CommitStatusState) func(*testing.T) {
+			return doAPICreateCommitStatus(ctx, commitID, api.CreateStatusOption{
+				State:       status,
+				TargetURL:   "http://test.ci/",
+				Description: "",
+				Context:     "testci",
+			})
+		}
+
 		// Call API to add Pending status for commit
-		t.Run("CreateStatus", doAPICreateCommitStatus(ctx, commitID, api.CommitStatusPending))
+		t.Run("CreateStatus", addCommitStatus(api.CommitStatusPending))
 
 		// Cancel not existing auto merge
 		ctx.ExpectedCode = http.StatusNotFound
@@ -660,7 +669,7 @@ func doAutoPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
 		assert.False(t, pr.HasMerged)
 
 		// Call API to add Failure status for commit
-		t.Run("CreateStatus", doAPICreateCommitStatus(ctx, commitID, api.CommitStatusFailure))
+		t.Run("CreateStatus", addCommitStatus(api.CommitStatusFailure))
 
 		// Check pr status
 		pr, err = doAPIGetPullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index)(t)
@@ -668,7 +677,7 @@ func doAutoPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
 		assert.False(t, pr.HasMerged)
 
 		// Call API to add Success status for commit
-		t.Run("CreateStatus", doAPICreateCommitStatus(ctx, commitID, api.CommitStatusSuccess))
+		t.Run("CreateStatus", addCommitStatus(api.CommitStatusSuccess))
 
 		// wait to let gitea merge stuff
 		time.Sleep(time.Second)
diff --git a/tests/integration/pull_status_test.go b/tests/integration/pull_status_test.go
index e60d17edc0..736d1ee4f0 100644
--- a/tests/integration/pull_status_test.go
+++ b/tests/integration/pull_status_test.go
@@ -70,7 +70,12 @@ func TestPullCreate_CommitStatus(t *testing.T) {
 		for _, status := range statusList {
 
 			// Call API to add status for commit
-			t.Run("CreateStatus", doAPICreateCommitStatus(testCtx, commitID, status))
+			t.Run("CreateStatus", doAPICreateCommitStatus(testCtx, commitID, api.CreateStatusOption{
+				State:       status,
+				TargetURL:   "http://test.ci/",
+				Description: "",
+				Context:     "testci",
+			}))
 
 			req = NewRequestf(t, "GET", "/user1/repo1/pulls/1/commits")
 			resp = session.MakeRequest(t, req, http.StatusOK)
@@ -88,15 +93,13 @@ func TestPullCreate_CommitStatus(t *testing.T) {
 	})
 }
 
-func doAPICreateCommitStatus(ctx APITestContext, commitID string, status api.CommitStatusState) func(*testing.T) {
+func doAPICreateCommitStatus(ctx APITestContext, commitID string, data api.CreateStatusOption) func(*testing.T) {
 	return func(t *testing.T) {
-		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/statuses/%s?token=%s", ctx.Username, ctx.Reponame, commitID, ctx.Token),
-			api.CreateStatusOption{
-				State:       status,
-				TargetURL:   "http://test.ci/",
-				Description: "",
-				Context:     "testci",
-			},
+		req := NewRequestWithJSON(
+			t,
+			http.MethodPost,
+			fmt.Sprintf("/api/v1/repos/%s/%s/statuses/%s?token=%s", ctx.Username, ctx.Reponame, commitID, ctx.Token),
+			data,
 		)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
diff --git a/tests/integration/repo_commits_test.go b/tests/integration/repo_commits_test.go
index cbd83c6deb..e74e3867f4 100644
--- a/tests/integration/repo_commits_test.go
+++ b/tests/integration/repo_commits_test.go
@@ -52,14 +52,19 @@ func doTestRepoCommitWithStatus(t *testing.T, state string, classes ...string) {
 
 	// Call API to add status for commit
 	ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepo)
-	t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CommitStatusState(state)))
+	t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
+		State:       api.CommitStatusState(state),
+		TargetURL:   "http://test.ci/",
+		Description: "",
+		Context:     "testci",
+	}))
 
 	req = NewRequest(t, "GET", "/user2/repo1/commits/branch/master")
 	resp = session.MakeRequest(t, req, http.StatusOK)
 
 	doc = NewHTMLParser(t, resp.Body)
-	// Check if commit status is displayed in message column
-	sel := doc.doc.Find("#commits-table tbody tr td.message a.commit-statuses-trigger .commit-status")
+	// Check if commit status is displayed in message column (.tippy-target to ignore the tippy trigger)
+	sel := doc.doc.Find("#commits-table tbody tr td.message .tippy-target .commit-status")
 	assert.Equal(t, 1, sel.Length())
 	for _, class := range classes {
 		assert.True(t, sel.HasClass(class))
@@ -145,7 +150,12 @@ func TestRepoCommitsStatusParallel(t *testing.T) {
 		go func(parentT *testing.T, i int) {
 			parentT.Run(fmt.Sprintf("ParallelCreateStatus_%d", i), func(t *testing.T) {
 				ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepoStatus)
-				runBody := doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CommitStatusState("pending"))
+				runBody := doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
+					State:       api.CommitStatusPending,
+					TargetURL:   "http://test.ci/",
+					Description: "",
+					Context:     "testci",
+				})
 				runBody(t)
 				wg.Done()
 			})
@@ -153,3 +163,43 @@ func TestRepoCommitsStatusParallel(t *testing.T) {
 	}
 	wg.Wait()
 }
+
+func TestRepoCommitsStatusMultiple(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user2")
+
+	// Request repository commits page
+	req := NewRequest(t, "GET", "/user2/repo1/commits/branch/master")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	doc := NewHTMLParser(t, resp.Body)
+	// Get first commit URL
+	commitURL, exists := doc.doc.Find("#commits-table tbody tr td.sha a").Attr("href")
+	assert.True(t, exists)
+	assert.NotEmpty(t, commitURL)
+
+	// Call API to add status for commit
+	ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepo)
+	t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
+		State:       api.CommitStatusSuccess,
+		TargetURL:   "http://test.ci/",
+		Description: "",
+		Context:     "testci",
+	}))
+
+	t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
+		State:       api.CommitStatusSuccess,
+		TargetURL:   "http://test.ci/",
+		Description: "",
+		Context:     "other_context",
+	}))
+
+	req = NewRequest(t, "GET", "/user2/repo1/commits/branch/master")
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	doc = NewHTMLParser(t, resp.Body)
+	// Check that the data-tippy="commit-statuses" (for trigger) and commit-status (svg) are present
+	sel := doc.doc.Find("#commits-table tbody tr td.message [data-tippy=\"commit-statuses\"] .commit-status")
+	assert.Equal(t, 1, sel.Length())
+}
diff --git a/web_src/js/features/repo-commit.js b/web_src/js/features/repo-commit.js
index e2eef3ee59..d22aa8e980 100644
--- a/web_src/js/features/repo-commit.js
+++ b/web_src/js/features/repo-commit.js
@@ -58,7 +58,7 @@ export function initRepoCommitLastCommitLoader() {
 }
 
 export function initCommitStatuses() {
-  $('.commit-statuses-trigger').each(function () {
+  $('[data-tippy="commit-statuses"]').each(function () {
     const top = $('.repository.file.list').length > 0 || $('.repository.diff').length > 0;
 
     createTippy(this, {
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index fae29d0d60..fc04df4f94 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -340,8 +340,7 @@ a.label,
 .ui.search .results a,
 .ui .menu a,
 .ui.cards a.card,
-.issue-keyword a,
-a.commit-statuses-trigger {
+.issue-keyword a {
   text-decoration: none !important;
 }
 
diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index f489335712..3bec5f58fb 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -1,28 +1,4 @@
 .repository {
-  .popup.commit-statuses {
-    // we had better limit the max size of the popup, and add scroll bars if the content size is too large.
-    // otherwise some part of the popup will be hidden by viewport boundary
-    max-height: 45vh;
-    max-width: 60vw;
-
-    &.ui.right {
-      // Override `.ui.attached.header .right:not(.dropdown) height: 30px;` which would otherwise lead to
-      // the status popup box having its height fixed at 30px. See https://github.com/go-gitea/gitea/issues/18498
-      height: auto;
-    }
-
-    overflow: auto;
-    padding: 0;
-
-    .list {
-      padding: .8em; // to make the scrollbar align to the border, we move the padding from outer `.popup` to this inside `.list`
-
-      > .item {
-        line-height: 2;
-      }
-    }
-  }
-
   .repo-header {
     .ui.compact.menu {
       margin-left: 1rem;

From 9a83aa28a351c9af1731a94ce0e1b5d3842db4e8 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Mon, 20 Feb 2023 19:30:41 +0800
Subject: [PATCH 21/81] Get rules by id when editing branch protection rule
 (#22932)

When users rename an existing branch protection rule, a new rule with
the new name will be created and the old rule will still exist.

![image](https://user-images.githubusercontent.com/15528715/219276442-d3c001ad-e693-44ec-9ad2-b33f2666b49b.png)

---

![image](https://user-images.githubusercontent.com/15528715/219276478-547c3b93-b3f1-4292-a1ef-c1b7747fe1bb.png)

The reason is that the `SettingsProtectedBranchPost` function only get
branch protection rule by name before updating or creating a rule. When
the rule name changes, the function cannot find the existing rule so it
will create a new rule rather than update the existing rule. To fix the
bug, the function should get rule by id first.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 options/locale/locale_en-US.ini              |  1 +
 routers/web/repo/setting_protected_branch.go | 34 +++++++++++++++++---
 services/forms/repo_form.go                  |  1 +
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 411a585c81..92ca5be8d3 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2152,6 +2152,7 @@ settings.choose_branch = Choose a branch…
 settings.no_protected_branch = There are no protected branches.
 settings.edit_protected_branch = Edit
 settings.protected_branch_required_rule_name = Required rule name
+settings.protected_branch_duplicate_rule_name = Duplicate rule name
 settings.protected_branch_required_approvals_min = Required approvals cannot be negative.
 settings.tags = Tags
 settings.tags.protection = Tag Protection
diff --git a/routers/web/repo/setting_protected_branch.go b/routers/web/repo/setting_protected_branch.go
index a54565c1f1..0a8c39fef0 100644
--- a/routers/web/repo/setting_protected_branch.go
+++ b/routers/web/repo/setting_protected_branch.go
@@ -166,10 +166,36 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 	}
 
 	var err error
-	protectBranch, err = git_model.GetProtectedBranchRuleByName(ctx, ctx.Repo.Repository.ID, f.RuleName)
-	if err != nil {
-		ctx.ServerError("GetProtectBranchOfRepoByName", err)
-		return
+	if f.RuleID > 0 {
+		// If the RuleID isn't 0, it must be an edit operation. So we get rule by id.
+		protectBranch, err = git_model.GetProtectedBranchRuleByID(ctx, ctx.Repo.Repository.ID, f.RuleID)
+		if err != nil {
+			ctx.ServerError("GetProtectBranchOfRepoByID", err)
+			return
+		}
+		if protectBranch != nil && protectBranch.RuleName != f.RuleName {
+			// RuleName changed. We need to check if there is a rule with the same name.
+			// If a rule with the same name exists, an error should be returned.
+			sameNameProtectBranch, err := git_model.GetProtectedBranchRuleByName(ctx, ctx.Repo.Repository.ID, f.RuleName)
+			if err != nil {
+				ctx.ServerError("GetProtectBranchOfRepoByName", err)
+				return
+			}
+			if sameNameProtectBranch != nil {
+				ctx.Flash.Error(ctx.Tr("repo.settings.protected_branch_duplicate_rule_name"))
+				ctx.Redirect(fmt.Sprintf("%s/settings/branches/edit?rule_name=%s", ctx.Repo.RepoLink, protectBranch.RuleName))
+				return
+			}
+		}
+	} else {
+		// FIXME: If a new ProtectBranch has a duplicate RuleName, an error should be returned.
+		// Currently, if a new ProtectBranch with a duplicate RuleName is created, the existing ProtectBranch will be updated.
+		// But we cannot modify this logic now because many unit tests rely on it.
+		protectBranch, err = git_model.GetProtectedBranchRuleByName(ctx, ctx.Repo.Repository.ID, f.RuleName)
+		if err != nil {
+			ctx.ServerError("GetProtectBranchOfRepoByName", err)
+			return
+		}
 	}
 	if protectBranch == nil {
 		// No options found, create defaults.
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index ff0916f8e1..374ae0ac5c 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -190,6 +190,7 @@ func (f *RepoSettingForm) Validate(req *http.Request, errs binding.Errors) bindi
 // ProtectBranchForm form for changing protected branch settings
 type ProtectBranchForm struct {
 	RuleName                      string `binding:"Required"`
+	RuleID                        int64
 	EnablePush                    string
 	WhitelistUsers                string
 	WhitelistTeams                string

From c3d9a70d0a4fc77fe4c44028e72d1a9aadee3e5a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 20 Feb 2023 21:08:41 +0800
Subject: [PATCH 22/81] only trigger docs build and publish when docs changed
 (#22968)

Since drone plugin
https://github.com/meltwater/drone-convert-pathschanged/ enabled, we can
filter event with path in drone.

Building docs will now only be triggered when documentations changed.

---------

Co-authored-by: Jason Song <i@wolfogre.com>
---
 .drone.yml | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index 7150629028..cf0caf7612 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -12,6 +12,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -112,7 +115,6 @@ steps:
     image: golang:1.19 # this step is kept as the lowest version of golang that we support
     pull: always
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
     commands:
       - go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
@@ -124,7 +126,6 @@ steps:
   - name: build-backend-arm64
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: linux
       GOARCH: arm64
@@ -140,7 +141,6 @@ steps:
   - name: build-backend-windows
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: windows
       GOARCH: amd64
@@ -155,7 +155,6 @@ steps:
   - name: build-backend-386
     image: golang:1.20
     environment:
-      GO111MODULE: on
       GOPROXY: https://goproxy.io
       GOOS: linux
       GOARCH: 386
@@ -183,6 +182,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -410,6 +412,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -517,6 +522,9 @@ depends_on:
 trigger:
   event:
     - pull_request
+  paths:
+    exclude:
+      - docs/**
 
 volumes:
   - name: deps
@@ -696,6 +704,9 @@ trigger:
     - "release/*"
   event:
     - push
+  paths:
+    exclude:
+      - docs/**
 
 depends_on:
   - testing-amd64
@@ -947,6 +958,9 @@ trigger:
     - push
     - tag
     - pull_request
+  paths:
+    include:
+      - docs/**
 
 steps:
   - name: build-docs
@@ -1241,6 +1255,9 @@ depends_on:
 trigger:
   ref:
   - "refs/pull/**"
+  paths:
+    exclude:
+      - docs/**
 
 steps:
   - name: dryrun

From 36d1d5fb7871058e510e59b027d5ee32bba43f2b Mon Sep 17 00:00:00 2001
From: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Date: Mon, 20 Feb 2023 22:22:34 +0800
Subject: [PATCH 23/81] Fix panic when call api
 (/repos/{owner}/{repo}/pulls/{index}/files) (#22921)

Close: #22910

---
I'm confused about that why does the api (`GET
/repos/{owner}/{repo}/pulls/{index}/files`) require caller to pass the
parameters `limit` and `page`.
In my case, the caller only needs to pass a `skip-to` to paging. This is
consistent with the api `GET /{owner}/{repo}/pulls/{index}/files`
So, I deleted the code related to `listOptions`

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 routers/api/v1/repo/pull.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 7005725cf6..fa8b517ae7 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -1420,8 +1420,9 @@ func GetPullRequestFiles(ctx *context.APIContext) {
 	startCommitID := prInfo.MergeBase
 	endCommitID := headCommitID
 
-	maxLines, maxFiles := setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffFiles
+	maxLines := setting.Git.MaxGitDiffLines
 
+	// FIXME: If there are too many files in the repo, may cause some unpredictable issues.
 	diff, err := gitdiff.GetDiff(baseGitRepo,
 		&gitdiff.DiffOptions{
 			BeforeCommitID:     startCommitID,
@@ -1429,7 +1430,7 @@ func GetPullRequestFiles(ctx *context.APIContext) {
 			SkipTo:             ctx.FormString("skip-to"),
 			MaxLines:           maxLines,
 			MaxLineCharacters:  setting.Git.MaxGitDiffLineCharacters,
-			MaxFiles:           maxFiles,
+			MaxFiles:           -1, // GetDiff() will return all files
 			WhitespaceBehavior: gitdiff.GetWhitespaceFlag(ctx.FormString("whitespace")),
 		})
 	if err != nil {
@@ -1452,6 +1453,7 @@ func GetPullRequestFiles(ctx *context.APIContext) {
 	if lenFiles < 0 {
 		lenFiles = 0
 	}
+
 	apiFiles := make([]*api.ChangedFile, 0, lenFiles)
 	for i := start; i < end; i++ {
 		apiFiles = append(apiFiles, convert.ToChangedFile(diff.Files[i], pr.HeadRepo, endCommitID))

From 018815215fa08b530108f551ab58c1f1b3657799 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Feb 2023 23:52:21 +0800
Subject: [PATCH 24/81] Bump golang.org/x/net from 0.4.0 to 0.7.0 (#22980)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to
0.7.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/8e2b117aee74f6b86c207a808b0255de45c0a18a"><code>8e2b117</code></a>
http2/hpack: avoid quadratic complexity in hpack decoding</li>
<li><a
href="https://github.com/golang/net/commit/547e7edf3873d6f3a9c093d3785f9e2289e00746"><code>547e7ed</code></a>
http2: avoid referencing ResponseWrite.Write parameter after
returning</li>
<li><a
href="https://github.com/golang/net/commit/39940adcaaa73e661124cb80fb8dd57ea929dbaf"><code>39940ad</code></a>
html: parse comments per HTML spec</li>
<li><a
href="https://github.com/golang/net/commit/87ce33ecb484cbb6bcfc8e506ce0330ef72e0847"><code>87ce33e</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/415cb6d518e71d202e2dc2f44c475cbff84eee72"><code>415cb6d</code></a>
all: fix some comments</li>
<li><a
href="https://github.com/golang/net/commit/7e3c19ca52e202ae203b1914fc00c8e47a4d72fa"><code>7e3c19c</code></a>
all: correct typos in comments</li>
<li><a
href="https://github.com/golang/net/commit/296f09aa3817abc1ddff7703799bf9babb7bbd16"><code>296f09a</code></a>
http2: case insensitive handling for 100-continue</li>
<li><a
href="https://github.com/golang/net/commit/f8411da775a685be247bbedcb3ed2c998f895cd2"><code>f8411da</code></a>
nettest: fix tests on dragonfly and js/wasm</li>
<li><a
href="https://github.com/golang/net/commit/8e0e7d8d38f2b6d21d742845570dde2902d06a1d"><code>8e0e7d8</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/7805fdc37dc2b54b28b9d621030e14dcf1dab67c"><code>7805fdc</code></a>
http2: rewrite inbound flow control tracking</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.4.0...v0.7.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.4.0&new-version=0.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: delvh <leon@kske.dev>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 go.mod |  6 +++---
 go.sum | 13 +++++++------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 3dc050b99a..343a70da25 100644
--- a/go.mod
+++ b/go.mod
@@ -103,10 +103,10 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87
 	github.com/yuin/goldmark-meta v1.1.0
 	golang.org/x/crypto v0.4.0
-	golang.org/x/net v0.4.0
+	golang.org/x/net v0.7.0
 	golang.org/x/oauth2 v0.3.0
-	golang.org/x/sys v0.3.0
-	golang.org/x/text v0.5.0
+	golang.org/x/sys v0.5.0
+	golang.org/x/text v0.7.0
 	golang.org/x/tools v0.1.12
 	google.golang.org/grpc v1.47.0
 	google.golang.org/protobuf v1.28.1
diff --git a/go.sum b/go.sum
index 03c2cc18c6..7eb420b02b 100644
--- a/go.sum
+++ b/go.sum
@@ -1463,8 +1463,8 @@ golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1609,14 +1609,15 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1627,8 +1628,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

From 9aaf6998b735ad091202513c52b1d40076dd6afe Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Mon, 20 Feb 2023 17:08:32 +0100
Subject: [PATCH 25/81] Fix pull request branch selector visible without
 clicking Edit (#23012)

Caused by #22950
---
 templates/repo/issue/view_title.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl
index b43253f90b..f0ac1e021e 100644
--- a/templates/repo/issue/view_title.tmpl
+++ b/templates/repo/issue/view_title.tmpl
@@ -61,7 +61,7 @@
 					{{$.locale.Tr "repo.pulls.title_desc" .NumCommits $headHref $baseHref | Safe}}
 				</span>
 			{{end}}
-			<span id="pull-desc-edit gt-hidden">
+			<span id="pull-desc-edit" class="gt-hidden">
 				<div class="ui floating filter dropdown">
 					<div class="ui basic small button">
 						<span class="text">{{.locale.Tr "repo.pulls.compare_compare"}}: {{$.HeadTarget}}</span>

From cfc7a4efdb7f4654a6d916b10ac8efa73ad6c30c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 21 Feb 2023 02:09:02 +0800
Subject: [PATCH 26/81] Add 1.18.4 changelog (#22991) (#22995)

Frontport from #22991
---
 CHANGELOG.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 18b52673a0..99a67884af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,43 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/1.18.4) - 2023-02-20
+
+* SECURITY
+  * Provide the ability to set password hash algorithm parameters (#22942) (#22943)
+  * Add command to bulk set must-change-password (#22823) (#22928)
+* ENHANCEMENTS
+  * Use import of OCI structs (#22765) (#22805)
+  * Fix color of tertiary button on dark theme (#22739) (#22744)
+  * Link issue and pull requests status change in UI notifications directly to their event in the timelined view. (#22627) (#22642)
+* BUGFIXES
+  * Notify on container image create (#22806) (#22965)
+  * Fix blame view missing lines (#22826) (#22929)
+  * Fix incorrect role labels for migrated issues and comments (#22914) (#22923)
+  * Fix PR file tree folders no longer collapsing (#22864) (#22872)
+  * Escape filename when assemble URL (#22850) (#22871)
+  * Fix isAllowed of escapeStreamer (#22814) (#22837)
+  * Load issue before accessing index in merge message (#22822) (#22830)
+  * Improve trace logging for pulls and processes (#22633) (#22812)
+  * Fix restore repo bug, clarify the problem of ForeignIndex (#22776) (#22794)
+  * Add default user visibility to cli command "admin user create" (#22750) (#22760)
+  * Escape path for the file list (#22741) (#22757)
+  * Fix bugs with WebAuthn preventing sign in and registration. (#22651) (#22721)
+  * Add missing close bracket in imagediff (#22710) (#22712)
+  * Move code comments to a standalone file and fix the bug when adding a reply to an outdated review appears to not post(#20821) (#22707)
+  * Fix line spacing for plaintext previews (#22699) (#22701)
+  * Fix wrong hint when deleting a branch successfully from pull request UI (#22673) (#22698)
+  * Fix README TOC links (#22577) (#22677)
+  * Fix missing message in git hook when pull requests disabled on fork (#22625) (#22658)
+  * Improve checkIfPRContentChanged (#22611) (#22644)
+  * Prevent duplicate labels when importing more than 99 (#22591) (#22598)
+  * Don't return duplicated users who can create org repo (#22560) (#22562)
+* BUILD
+  * Upgrade golangcilint to v1.51.0 (#22764)
+* MISC
+  * Use proxy for pull mirror (#22771) (#22772)
+  * Use `--index-url` in PyPi description (#22620) (#22636)
+
 ## [1.18.3](https://github.com/go-gitea/gitea/releases/tag/v1.18.3) - 2023-01-23
 
 * SECURITY

From f4ce8c73fbeadb84daba8c8c68f46f911339b8f8 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Tue, 21 Feb 2023 04:21:56 +0900
Subject: [PATCH 27/81] Improve issues.LoadProject (#22982)

issues.LoadProject() is no use
change `issues.loadProject(ctx)` to issues.LoadProject(ctx)
---
 models/issues/issue.go         | 2 +-
 models/issues/issue_project.go | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/models/issues/issue.go b/models/issues/issue.go
index 9d7dea0177..6c76909fcf 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -347,7 +347,7 @@ func (issue *Issue) LoadAttributes(ctx context.Context) (err error) {
 		return
 	}
 
-	if err = issue.loadProject(ctx); err != nil {
+	if err = issue.LoadProject(ctx); err != nil {
 		return
 	}
 
diff --git a/models/issues/issue_project.go b/models/issues/issue_project.go
index c9f4c9f533..04d12e055c 100644
--- a/models/issues/issue_project.go
+++ b/models/issues/issue_project.go
@@ -13,11 +13,7 @@ import (
 )
 
 // LoadProject load the project the issue was assigned to
-func (issue *Issue) LoadProject() (err error) {
-	return issue.loadProject(db.DefaultContext)
-}
-
-func (issue *Issue) loadProject(ctx context.Context) (err error) {
+func (issue *Issue) LoadProject(ctx context.Context) (err error) {
 	if issue.Project == nil {
 		var p project_model.Project
 		if _, err = db.GetEngine(ctx).Table("project").

From 330b16642305458339d12222eea2ee9a1bbb3b64 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 04:44:32 +0800
Subject: [PATCH 28/81] Remove unnecessary and incorrect
 `find('.menu').toggle()` (#22987)

Follows:
* #22950

The dropdown menu works well without these codes.

The reason is that the event bubbling still works for the dropdown menu,
the Fomantic UI dropdown menu module will hide the menu correctly if an
item is clicked.
---
 web_src/js/features/repo-issue.js  | 2 --
 web_src/js/features/repo-legacy.js | 2 --
 2 files changed, 4 deletions(-)

diff --git a/web_src/js/features/repo-issue.js b/web_src/js/features/repo-issue.js
index 179ca9b726..7b8705ad2c 100644
--- a/web_src/js/features/repo-issue.js
+++ b/web_src/js/features/repo-issue.js
@@ -552,8 +552,6 @@ export function initRepoIssueReferenceIssue() {
   // Reference issue
   $(document).on('click', '.reference-issue', function (event) {
     const $this = $(this);
-    $this.closest('.dropdown').find('.menu').toggle('visible');  // eslint-disable-line
-
     const content = $(`#${$this.data('target')}`).text();
     const poster = $this.data('poster-username');
     const reference = $this.data('reference');
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index e1dc514320..8178ed6547 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -291,7 +291,6 @@ export function initRepoCommentForm() {
 async function onEditContent(event) {
   event.preventDefault();
 
-  $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
   const $segment = $(this).closest('.header').next();
   const $editContentZone = $segment.find('.edit-content-zone');
   const $renderContent = $segment.find('.render-content');
@@ -584,7 +583,6 @@ function initRepoIssueCommentEdit() {
 
   // Quote reply
   $(document).on('click', '.quote-reply', function (event) {
-    $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
     const target = $(this).data('target');
     const quote = $(`#${target}`).text().replace(/\n/g, '\n> ');
     const content = `> ${quote}\n\n`;

From d2128b44f714fcaacdc88865e62f6f9dd8216577 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Mon, 20 Feb 2023 21:28:44 +0000
Subject: [PATCH 29/81] Add scopes to API to create token and display them
 (#22989)

The API to create tokens is missing the ability to set the required
scopes for tokens, and to show them on the API and on the UI.

This PR adds this functionality.

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 models/auth/token_scope.go                | 25 ++++++++++++++++++++---
 modules/structs/user_app.go               | 14 +++++++------
 options/locale/locale_en-US.ini           |  1 +
 routers/api/v1/user/app.go                | 13 ++++++++++--
 templates/swagger/v1_json.tmpl            | 20 ++++++++++++++++--
 templates/user/settings/applications.tmpl |  9 +++++++-
 6 files changed, 68 insertions(+), 14 deletions(-)

diff --git a/models/auth/token_scope.go b/models/auth/token_scope.go
index c61c306496..38733a1c8f 100644
--- a/models/auth/token_scope.go
+++ b/models/auth/token_scope.go
@@ -168,10 +168,23 @@ var allAccessTokenScopeBits = map[AccessTokenScope]AccessTokenScopeBitmap{
 
 // Parse parses the scope string into a bitmap, thus removing possible duplicates.
 func (s AccessTokenScope) Parse() (AccessTokenScopeBitmap, error) {
-	list := strings.Split(string(s), ",")
-
 	var bitmap AccessTokenScopeBitmap
-	for _, v := range list {
+
+	// The following is the more performant equivalent of 'for _, v := range strings.Split(remainingScope, ",")' as this is hot code
+	remainingScopes := string(s)
+	for len(remainingScopes) > 0 {
+		i := strings.IndexByte(remainingScopes, ',')
+		var v string
+		if i < 0 {
+			v = remainingScopes
+			remainingScopes = ""
+		} else if i+1 >= len(remainingScopes) {
+			v = remainingScopes[:i]
+			remainingScopes = ""
+		} else {
+			v = remainingScopes[:i]
+			remainingScopes = remainingScopes[i+1:]
+		}
 		singleScope := AccessTokenScope(v)
 		if singleScope == "" {
 			continue
@@ -187,9 +200,15 @@ func (s AccessTokenScope) Parse() (AccessTokenScopeBitmap, error) {
 		}
 		bitmap |= bits
 	}
+
 	return bitmap, nil
 }
 
+// StringSlice returns the AccessTokenScope as a []string
+func (s AccessTokenScope) StringSlice() []string {
+	return strings.Split(string(s), ",")
+}
+
 // Normalize returns a normalized scope string without any duplicates.
 func (s AccessTokenScope) Normalize() (AccessTokenScope, error) {
 	bitmap, err := s.Parse()
diff --git a/modules/structs/user_app.go b/modules/structs/user_app.go
index 3a5ae34df1..7f78fbd495 100644
--- a/modules/structs/user_app.go
+++ b/modules/structs/user_app.go
@@ -11,10 +11,11 @@ import (
 // AccessToken represents an API access token.
 // swagger:response AccessToken
 type AccessToken struct {
-	ID             int64  `json:"id"`
-	Name           string `json:"name"`
-	Token          string `json:"sha1"`
-	TokenLastEight string `json:"token_last_eight"`
+	ID             int64    `json:"id"`
+	Name           string   `json:"name"`
+	Token          string   `json:"sha1"`
+	TokenLastEight string   `json:"token_last_eight"`
+	Scopes         []string `json:"scopes"`
 }
 
 // AccessTokenList represents a list of API access token.
@@ -22,9 +23,10 @@ type AccessToken struct {
 type AccessTokenList []*AccessToken
 
 // CreateAccessTokenOption options when create access token
-// swagger:parameters userCreateToken
 type CreateAccessTokenOption struct {
-	Name string `json:"name" binding:"Required"`
+	// required: true
+	Name   string   `json:"name" binding:"Required"`
+	Scopes []string `json:"scopes"`
 }
 
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 92ca5be8d3..df66ce2339 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -757,6 +757,7 @@ access_token_deletion_confirm_action = Delete
 access_token_deletion_desc = Deleting a token will revoke access to your account for applications using it. This cannot be undone. Continue?
 delete_token_success = The token has been deleted. Applications using it no longer have access to your account.
 select_scopes = Select scopes
+scopes_list = Scopes:
 
 manage_oauth2_applications = Manage OAuth2 Applications
 edit_oauth2_application = Edit OAuth2 Application
diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go
index 7b2f0d8c30..f89d53945f 100644
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
 
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/context"
@@ -62,6 +63,7 @@ func ListAccessTokens(ctx *context.APIContext) {
 			ID:             tokens[i].ID,
 			Name:           tokens[i].Name,
 			TokenLastEight: tokens[i].TokenLastEight,
+			Scopes:         tokens[i].Scope.StringSlice(),
 		}
 	}
 
@@ -82,9 +84,9 @@ func CreateAccessToken(ctx *context.APIContext) {
 	// - name: username
 	//   in: path
 	//   description: username of user
-	//   type: string
 	//   required: true
-	// - name: userCreateToken
+	//   type: string
+	// - name: body
 	//   in: body
 	//   schema:
 	//     "$ref": "#/definitions/CreateAccessTokenOption"
@@ -111,6 +113,13 @@ func CreateAccessToken(ctx *context.APIContext) {
 		return
 	}
 
+	scope, err := auth_model.AccessTokenScope(strings.Join(form.Scopes, ",")).Normalize()
+	if err != nil {
+		ctx.Error(http.StatusBadRequest, "AccessTokenScope.Normalize", fmt.Errorf("invalid access token scope provided: %w", err))
+		return
+	}
+	t.Scope = scope
+
 	if err := auth_model.NewAccessToken(t); err != nil {
 		ctx.Error(http.StatusInternalServerError, "NewAccessToken", err)
 		return
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 2a675766ab..de774deaed 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -14084,14 +14084,13 @@
         "parameters": [
           {
             "type": "string",
-            "x-go-name": "Name",
             "description": "username of user",
             "name": "username",
             "in": "path",
             "required": true
           },
           {
-            "name": "userCreateToken",
+            "name": "body",
             "in": "body",
             "schema": {
               "$ref": "#/definitions/CreateAccessTokenOption"
@@ -14194,6 +14193,13 @@
           "type": "string",
           "x-go-name": "Name"
         },
+        "scopes": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-go-name": "Scopes"
+        },
         "sha1": {
           "type": "string",
           "x-go-name": "Token"
@@ -14925,10 +14931,20 @@
     "CreateAccessTokenOption": {
       "description": "CreateAccessTokenOption options when create access token",
       "type": "object",
+      "required": [
+        "name"
+      ],
       "properties": {
         "name": {
           "type": "string",
           "x-go-name": "Name"
+        },
+        "scopes": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-go-name": "Scopes"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
index 439ed5e148..ef9ac9a977 100644
--- a/templates/user/settings/applications.tmpl
+++ b/templates/user/settings/applications.tmpl
@@ -21,7 +21,14 @@
 						</div>
 						<i class="icon tooltip{{if .HasRecentActivity}} green{{end}}" {{if .HasRecentActivity}}data-content="{{$.locale.Tr "settings.token_state_desc"}}"{{end}}>{{svg "fontawesome-send" 36}}</i>
 						<div class="content">
-							<strong>{{.Name}}</strong>
+							<details><summary><strong>{{.Name}}</strong></summary>
+								<p class="gt-my-2">{{$.locale.Tr "settings.scopes_list"}}</p>
+								<ul class="gt-my-2">
+								{{range .Scope.StringSlice}}
+									<li>{{.}}</li>
+								{{end}}
+								</ul>
+							</details>
 							<div class="activity meta">
 								<i>{{$.locale.Tr "settings.add_on"}} <span><time data-format="short-date" datetime="{{.CreatedUnix.FormatLong}}">{{.CreatedUnix.FormatShort}}</time></span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.locale.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}><time data-format="short-date" datetime="{{.UpdatedUnix.FormatLong}}">{{.UpdatedUnix.FormatShort}}</time></span>{{else}}{{$.locale.Tr "settings.no_activity"}}{{end}}</i>
 							</div>

From d845be661f5205b70d4fa6883e7912a5d2491218 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 21 Feb 2023 06:18:26 +0800
Subject: [PATCH 30/81] handle deprecated settings (#22992)

Fix #22736
---
 modules/setting/config_provider.go |  4 ++--
 modules/setting/indexer.go         | 13 +++++++------
 modules/setting/lfs.go             |  5 +++--
 modules/setting/mailer.go          | 29 +++++++++++------------------
 modules/setting/mirror.go          |  5 +++--
 modules/setting/server.go          | 18 ++++++++++--------
 modules/setting/task.go            |  9 +++++----
 7 files changed, 41 insertions(+), 42 deletions(-)

diff --git a/modules/setting/config_provider.go b/modules/setting/config_provider.go
index 67a4e4ded1..0244a8d06e 100644
--- a/modules/setting/config_provider.go
+++ b/modules/setting/config_provider.go
@@ -25,9 +25,9 @@ func mustMapSetting(rootCfg ConfigProvider, sectionName string, setting interfac
 	}
 }
 
-func deprecatedSetting(rootCfg ConfigProvider, oldSection, oldKey, newSection, newKey string) {
+func deprecatedSetting(rootCfg ConfigProvider, oldSection, oldKey, newSection, newKey, version string) {
 	if rootCfg.Section(oldSection).HasKey(oldKey) {
-		log.Error("Deprecated fallback `[%s]` `%s` present. Use `[%s]` `%s` instead. This fallback will be removed in v1.19.0", oldSection, oldKey, newSection, newKey)
+		log.Error("Deprecated fallback `[%s]` `%s` present. Use `[%s]` `%s` instead. This fallback will be/has been removed in %s", oldSection, oldKey, newSection, newKey, version)
 	}
 }
 
diff --git a/modules/setting/indexer.go b/modules/setting/indexer.go
index 528a9eb655..5b10018eb7 100644
--- a/modules/setting/indexer.go
+++ b/modules/setting/indexer.go
@@ -56,12 +56,13 @@ func loadIndexerFrom(rootCfg ConfigProvider) {
 	Indexer.IssueIndexerName = sec.Key("ISSUE_INDEXER_NAME").MustString(Indexer.IssueIndexerName)
 
 	// The following settings are deprecated and can be overridden by settings in [queue] or [queue.issue_indexer]
-	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_TYPE", "queue.issue_indexer", "TYPE")
-	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_DIR", "queue.issue_indexer", "DATADIR")
-	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_CONN_STR", "queue.issue_indexer", "CONN_STR")
-	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_BATCH_NUMBER", "queue.issue_indexer", "BATCH_LENGTH")
-	deprecatedSetting(rootCfg, "indexer", "UPDATE_BUFFER_LEN", "queue.issue_indexer", "LENGTH")
+	// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+	// if these are removed, the warning will not be shown
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_TYPE", "queue.issue_indexer", "TYPE", "v1.19.0")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_DIR", "queue.issue_indexer", "DATADIR", "v1.19.0")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_CONN_STR", "queue.issue_indexer", "CONN_STR", "v1.19.0")
+	deprecatedSetting(rootCfg, "indexer", "ISSUE_INDEXER_QUEUE_BATCH_NUMBER", "queue.issue_indexer", "BATCH_LENGTH", "v1.19.0")
+	deprecatedSetting(rootCfg, "indexer", "UPDATE_BUFFER_LEN", "queue.issue_indexer", "LENGTH", "v1.19.0")
 
 	Indexer.RepoIndexerEnabled = sec.Key("REPO_INDEXER_ENABLED").MustBool(false)
 	Indexer.RepoType = sec.Key("REPO_INDEXER_TYPE").MustString("bleve")
diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index e6c9e42f2c..e04cde100b 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -35,8 +35,9 @@ func loadLFSFrom(rootCfg ConfigProvider) {
 	storageType := lfsSec.Key("STORAGE_TYPE").MustString("")
 
 	// Specifically default PATH to LFS_CONTENT_PATH
-	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting(rootCfg, "server", "LFS_CONTENT_PATH", "lfs", "PATH")
+	// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+	// if these are removed, the warning will not be shown
+	deprecatedSetting(rootCfg, "server", "LFS_CONTENT_PATH", "lfs", "PATH", "v1.19.0")
 	lfsSec.Key("PATH").MustString(
 		sec.Key("LFS_CONTENT_PATH").String())
 
diff --git a/modules/setting/mailer.go b/modules/setting/mailer.go
index 62a73cb2f3..39afce7d46 100644
--- a/modules/setting/mailer.go
+++ b/modules/setting/mailer.go
@@ -64,16 +64,16 @@ func loadMailerFrom(rootCfg ConfigProvider) {
 	}
 
 	// Handle Deprecations and map on to new configuration
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "MAILER_TYPE", "mailer", "PROTOCOL")
+	// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+	// if these are removed, the warning will not be shown
+	deprecatedSetting(rootCfg, "mailer", "MAILER_TYPE", "mailer", "PROTOCOL", "v1.19.0")
 	if sec.HasKey("MAILER_TYPE") && !sec.HasKey("PROTOCOL") {
 		if sec.Key("MAILER_TYPE").String() == "sendmail" {
 			sec.Key("PROTOCOL").MustString("sendmail")
 		}
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "HOST", "mailer", "SMTP_ADDR")
+	deprecatedSetting(rootCfg, "mailer", "HOST", "mailer", "SMTP_ADDR", "v1.19.0")
 	if sec.HasKey("HOST") && !sec.HasKey("SMTP_ADDR") {
 		givenHost := sec.Key("HOST").String()
 		addr, port, err := net.SplitHostPort(givenHost)
@@ -89,8 +89,7 @@ func loadMailerFrom(rootCfg ConfigProvider) {
 		sec.Key("SMTP_PORT").MustString(port)
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "IS_TLS_ENABLED", "mailer", "PROTOCOL")
+	deprecatedSetting(rootCfg, "mailer", "IS_TLS_ENABLED", "mailer", "PROTOCOL", "v1.19.0")
 	if sec.HasKey("IS_TLS_ENABLED") && !sec.HasKey("PROTOCOL") {
 		if sec.Key("IS_TLS_ENABLED").MustBool() {
 			sec.Key("PROTOCOL").MustString("smtps")
@@ -99,38 +98,32 @@ func loadMailerFrom(rootCfg ConfigProvider) {
 		}
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "DISABLE_HELO", "mailer", "ENABLE_HELO")
+	deprecatedSetting(rootCfg, "mailer", "DISABLE_HELO", "mailer", "ENABLE_HELO", "v1.19.0")
 	if sec.HasKey("DISABLE_HELO") && !sec.HasKey("ENABLE_HELO") {
 		sec.Key("ENABLE_HELO").MustBool(!sec.Key("DISABLE_HELO").MustBool())
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "SKIP_VERIFY", "mailer", "FORCE_TRUST_SERVER_CERT")
+	deprecatedSetting(rootCfg, "mailer", "SKIP_VERIFY", "mailer", "FORCE_TRUST_SERVER_CERT", "v1.19.0")
 	if sec.HasKey("SKIP_VERIFY") && !sec.HasKey("FORCE_TRUST_SERVER_CERT") {
 		sec.Key("FORCE_TRUST_SERVER_CERT").MustBool(sec.Key("SKIP_VERIFY").MustBool())
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "USE_CERTIFICATE", "mailer", "USE_CLIENT_CERT")
+	deprecatedSetting(rootCfg, "mailer", "USE_CERTIFICATE", "mailer", "USE_CLIENT_CERT", "v1.19.0")
 	if sec.HasKey("USE_CERTIFICATE") && !sec.HasKey("USE_CLIENT_CERT") {
 		sec.Key("USE_CLIENT_CERT").MustBool(sec.Key("USE_CERTIFICATE").MustBool())
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "CERT_FILE", "mailer", "CLIENT_CERT_FILE")
+	deprecatedSetting(rootCfg, "mailer", "CERT_FILE", "mailer", "CLIENT_CERT_FILE", "v1.19.0")
 	if sec.HasKey("CERT_FILE") && !sec.HasKey("CLIENT_CERT_FILE") {
 		sec.Key("CERT_FILE").MustString(sec.Key("CERT_FILE").String())
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "KEY_FILE", "mailer", "CLIENT_KEY_FILE")
+	deprecatedSetting(rootCfg, "mailer", "KEY_FILE", "mailer", "CLIENT_KEY_FILE", "v1.19.0")
 	if sec.HasKey("KEY_FILE") && !sec.HasKey("CLIENT_KEY_FILE") {
 		sec.Key("KEY_FILE").MustString(sec.Key("KEY_FILE").String())
 	}
 
-	// FIXME: DEPRECATED to be removed in v1.19.0
-	deprecatedSetting(rootCfg, "mailer", "ENABLE_HTML_ALTERNATIVE", "mailer", "SEND_AS_PLAIN_TEXT")
+	deprecatedSetting(rootCfg, "mailer", "ENABLE_HTML_ALTERNATIVE", "mailer", "SEND_AS_PLAIN_TEXT", "v1.19.0")
 	if sec.HasKey("ENABLE_HTML_ALTERNATIVE") && !sec.HasKey("SEND_AS_PLAIN_TEXT") {
 		sec.Key("SEND_AS_PLAIN_TEXT").MustBool(!sec.Key("ENABLE_HTML_ALTERNATIVE").MustBool(false))
 	}
diff --git a/modules/setting/mirror.go b/modules/setting/mirror.go
index 875062f522..cd6b8d4562 100644
--- a/modules/setting/mirror.go
+++ b/modules/setting/mirror.go
@@ -27,8 +27,9 @@ var Mirror = struct {
 func loadMirrorFrom(rootCfg ConfigProvider) {
 	// Handle old configuration through `[repository]` `DISABLE_MIRRORS`
 	// - please note this was badly named and only disabled the creation of new pull mirrors
-	// FIXME: DEPRECATED to be removed in v1.18.0
-	deprecatedSetting(rootCfg, "repository", "DISABLE_MIRRORS", "mirror", "ENABLED")
+	// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+	// if these are removed, the warning will not be shown
+	deprecatedSetting(rootCfg, "repository", "DISABLE_MIRRORS", "mirror", "ENABLED", "v1.19.0")
 	if rootCfg.Section("repository").Key("DISABLE_MIRRORS").MustBool(false) {
 		Mirror.DisableNewPull = true
 	}
diff --git a/modules/setting/server.go b/modules/setting/server.go
index 6b0f3752e1..1839062685 100644
--- a/modules/setting/server.go
+++ b/modules/setting/server.go
@@ -178,38 +178,40 @@ func loadServerFrom(rootCfg ConfigProvider) {
 	switch protocolCfg {
 	case "https":
 		Protocol = HTTPS
-		// FIXME: DEPRECATED to be removed in v1.18.0
+
+		// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+		// if these are removed, the warning will not be shown
 		if sec.HasKey("ENABLE_ACME") {
 			EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
 		} else {
-			deprecatedSetting(rootCfg, "server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME")
+			deprecatedSetting(rootCfg, "server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME", "v1.19.0")
 			EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
 		}
 		if EnableAcme {
 			AcmeURL = sec.Key("ACME_URL").MustString("")
 			AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
-			// FIXME: DEPRECATED to be removed in v1.18.0
+
 			if sec.HasKey("ACME_ACCEPTTOS") {
 				AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
 			} else {
-				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS", "v1.19.0")
 				AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
 			}
 			if !AcmeTOS {
 				log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
 			}
-			// FIXME: DEPRECATED to be removed in v1.18.0
+
 			if sec.HasKey("ACME_DIRECTORY") {
 				AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https")
 			} else {
-				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY")
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY", "v1.19.0")
 				AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
 			}
-			// FIXME: DEPRECATED to be removed in v1.18.0
+
 			if sec.HasKey("ACME_EMAIL") {
 				AcmeEmail = sec.Key("ACME_EMAIL").MustString("")
 			} else {
-				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL")
+				deprecatedSetting(rootCfg, "server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL", "v1.19.0")
 				AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
 			}
 		} else {
diff --git a/modules/setting/task.go b/modules/setting/task.go
index 81732deeb6..f75b4f1481 100644
--- a/modules/setting/task.go
+++ b/modules/setting/task.go
@@ -3,15 +3,16 @@
 
 package setting
 
-// FIXME: DEPRECATED to be removed in v1.18.0
+// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+// if these are removed, the warning will not be shown
 // - will need to set default for [queue.task] LENGTH to 1000 though
 func loadTaskFrom(rootCfg ConfigProvider) {
 	taskSec := rootCfg.Section("task")
 	queueTaskSec := rootCfg.Section("queue.task")
 
-	deprecatedSetting(rootCfg, "task", "QUEUE_TYPE", "queue.task", "TYPE")
-	deprecatedSetting(rootCfg, "task", "QUEUE_CONN_STR", "queue.task", "CONN_STR")
-	deprecatedSetting(rootCfg, "task", "QUEUE_LENGTH", "queue.task", "LENGTH")
+	deprecatedSetting(rootCfg, "task", "QUEUE_TYPE", "queue.task", "TYPE", "v1.19.0")
+	deprecatedSetting(rootCfg, "task", "QUEUE_CONN_STR", "queue.task", "CONN_STR", "v1.19.0")
+	deprecatedSetting(rootCfg, "task", "QUEUE_LENGTH", "queue.task", "LENGTH", "v1.19.0")
 
 	switch taskSec.Key("QUEUE_TYPE").MustString("channel") {
 	case "channel":

From a82b9016c363a45c8e43b818b9f6e168e61bd8c8 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Tue, 21 Feb 2023 00:16:29 +0100
Subject: [PATCH 31/81] Hide 2FA status from other members in organization
 members list (#22999)

This is rather private information that should not be given to all
members in the same organization. Only show it to organization owners.
---
 templates/org/member/members.tmpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl
index b76cb9778f..0eae60fbfc 100644
--- a/templates/org/member/members.tmpl
+++ b/templates/org/member/members.tmpl
@@ -39,6 +39,7 @@
 							</div>
 						</div>
 						<div class="ui two wide column center">
+							{{if $.IsOrganizationOwner}}
 							<div class="meta">
 								{{$.locale.Tr "admin.users.2fa"}}
 							</div>
@@ -51,6 +52,7 @@
 									{{end}}
 								</strong>
 							</div>
+							{{end}}
 						</div>
 					{{end}}
 					<div class="ui three wide column">

From 97aacc3ea1ea89d5781da4b86a11f8340148ca49 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Tue, 21 Feb 2023 08:14:02 +0800
Subject: [PATCH 32/81] Improve pull_request_template.md (#22888)

Update `pull_request_template.md` because:

- It's a kind idea to hide the tips. However, it's easier to include
them in the commit message by mistake when you cannot see them. Check
`git log | grep 'Please check the following:'`. So don't hide it, expose
it and help fix it.
- "for backports" is much clearer than "for bug fixes". I saw someone
post a PR to a release branch because they believed it was the right way
for a bugfix.
- "Allow edits by maintainers", or we have to ask the contributor to
update the branch and they could be confused.
- Remind the contributor that the words could be included in the commit
message, to avoid some words like "Hello", "Sorry". If they really need
them, they can separate them with a line, like:

```markdown
Close #xxxx
Because ... Then ... Finally ...
---
Hello, this is my first time opening a pull request. Sorry for any mistakes.
```
And the merger should be careful, check and delete the extra content
before merging.

---------

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 .github/pull_request_template.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 3a12bb8f72..b752abb794 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,9 +1,9 @@
-<!--
-
+<!-- start tips --> 
 Please check the following:
-
-1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
-2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
-3. Describe what your pull request does and which issue you're targeting (if any)
-
--->  
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for backports.
+2. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
+3. Describe what your pull request does and which issue you're targeting (if any).
+4. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
+5. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
+6. Delete all these tips before posting.
+<!-- end tips -->

From 35d2fa744aae5782dcced573aa08ee9ff62c8e36 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Tue, 21 Feb 2023 00:15:49 +0000
Subject: [PATCH 33/81] Fix intermittent panic in notify issue change content
 (#23019)

Ensure that issue pullrequests are loaded before trying to set the
self-reference.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <leon@kske.dev>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 models/issues/issue.go       | 14 ++++++++------
 services/webhook/notifier.go |  7 ++++---
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/models/issues/issue.go b/models/issues/issue.go
index 6c76909fcf..c59e9d14e5 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -251,13 +251,15 @@ func (issue *Issue) LoadPoster(ctx context.Context) (err error) {
 
 // LoadPullRequest loads pull request info
 func (issue *Issue) LoadPullRequest(ctx context.Context) (err error) {
-	if issue.IsPull && issue.PullRequest == nil {
-		issue.PullRequest, err = GetPullRequestByIssueID(ctx, issue.ID)
-		if err != nil {
-			if IsErrPullRequestNotExist(err) {
-				return err
+	if issue.IsPull {
+		if issue.PullRequest == nil {
+			issue.PullRequest, err = GetPullRequestByIssueID(ctx, issue.ID)
+			if err != nil {
+				if IsErrPullRequestNotExist(err) {
+					return err
+				}
+				return fmt.Errorf("getPullRequestByIssueID [%d]: %w", issue.ID, err)
 			}
-			return fmt.Errorf("getPullRequestByIssueID [%d]: %w", issue.ID, err)
 		}
 		issue.PullRequest.Issue = issue
 	}
diff --git a/services/webhook/notifier.go b/services/webhook/notifier.go
index ba6d968dbd..b023717cd2 100644
--- a/services/webhook/notifier.go
+++ b/services/webhook/notifier.go
@@ -150,7 +150,6 @@ func (m *webhookNotifier) NotifyIssueChangeAssignee(ctx context.Context, doer *u
 			log.Error("LoadPullRequest failed: %v", err)
 			return
 		}
-		issue.PullRequest.Issue = issue
 		apiPullRequest := &api.PullRequestPayload{
 			Index:       issue.Index,
 			PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil),
@@ -196,7 +195,6 @@ func (m *webhookNotifier) NotifyIssueChangeTitle(ctx context.Context, doer *user
 			log.Error("LoadPullRequest failed: %v", err)
 			return
 		}
-		issue.PullRequest.Issue = issue
 		err = PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{
 			Action: api.HookIssueEdited,
 			Index:  issue.Index,
@@ -328,7 +326,10 @@ func (m *webhookNotifier) NotifyIssueChangeContent(ctx context.Context, doer *us
 	mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo)
 	var err error
 	if issue.IsPull {
-		issue.PullRequest.Issue = issue
+		if err := issue.LoadPullRequest(ctx); err != nil {
+			log.Error("LoadPullRequest: %v", err)
+			return
+		}
 		err = PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{
 			Action: api.HookIssueEdited,
 			Index:  issue.Index,

From 1b950b98cf98c5064bafbd57cd6cde1fa029881b Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 08:16:56 +0800
Subject: [PATCH 34/81] Use `gt-relative` class instead of the ambiguous
 `gt-pr` class  (#23008)

`.gt-relative` is also `position: relative !important;`

There are `gt-pr-?` styles below (line 140) for `padding-right`, which
makes `.gt-pr` ambiguous

Co-authored-by: delvh <leon@kske.dev>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 templates/repo/commit_page.tmpl | 2 +-
 web_src/less/helpers.less       | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
index 0ecbf29161..028fdc7e51 100644
--- a/templates/repo/commit_page.tmpl
+++ b/templates/repo/commit_page.tmpl
@@ -17,7 +17,7 @@
 				{{$class = (printf "%s%s" $class " isWarning")}}
 			{{end}}
 		{{end}}
-		<div class="ui top attached header clearing segment gt-pr commit-header {{$class}}">
+		<div class="ui top attached header clearing segment gt-relative commit-header {{$class}}">
 			<div class="gt-df gt-mb-4 gt-fw">
 				<h3 class="gt-mb-0 gt-f1"><span class="commit-summary" title="{{.Commit.Summary}}">{{RenderCommitMessage $.Context .Commit.Message $.RepoLink $.Repository.ComposeMetas}}</span>{{template "repo/commit_statuses" dict "Status" .CommitStatus "Statuses" .CommitStatuses  "root" $}}</h3>
 				{{if not $.PageIsWiki}}
diff --git a/web_src/less/helpers.less b/web_src/less/helpers.less
index 9cabe01626..baa5959946 100644
--- a/web_src/less/helpers.less
+++ b/web_src/less/helpers.less
@@ -2,7 +2,6 @@
 .gt-di { display: inline !important; }
 .gt-dif { display: inline-flex !important; }
 .gt-dib { display: inline-block !important; }
-.gt-pr { position: relative !important; }
 .gt-ac { align-items: center !important; }
 .gt-tc { text-align: center !important; }
 .gt-tl { text-align: left !important; }

From 34ae184622ba1eee62d73f13db709bc6b646795f Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 21 Feb 2023 10:22:13 +0800
Subject: [PATCH 35/81] Render access log template as text instead of HTML
 (#23013)

Fix https://github.com/go-gitea/gitea/pull/22906#discussion_r1112106675
---
 modules/context/access_log.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/context/access_log.go b/modules/context/access_log.go
index 84663ee8d3..1aaba9dc2d 100644
--- a/modules/context/access_log.go
+++ b/modules/context/access_log.go
@@ -6,8 +6,8 @@ package context
 import (
 	"bytes"
 	"context"
-	"html/template"
 	"net/http"
+	"text/template"
 	"time"
 
 	"code.gitea.io/gitea/modules/log"

From 4fcf3a3f90ddced158cb31fbb5c1b534c824fc8c Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Tue, 21 Feb 2023 11:56:13 +0900
Subject: [PATCH 36/81] Add me to maintainers (#23026)

Add me to maintainers.

[My PRs
list](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+author%3Ayp05327+is%3Amerged+)
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index b1adf9ef0d..fcd235e52a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -48,3 +48,4 @@ Xinyu Zhou <i@sourcehut.net> (@xin-u)
 Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
 Yu Tian <zettat123@gmail.com> (@Zettat123)
+Eddie Yang <576951401@qq.com> (@yp05327)

From e3cffa70f9f731436ab005e4bb10f57166ffc6d5 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Tue, 21 Feb 2023 13:03:44 +0800
Subject: [PATCH 37/81] add margin top to the top of branches (#23002)

add margin top as mentioned in #22973

---------

Co-authored-by: jidi <jidi@jidideMacBook-Pro.local>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/repo/branch/list.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index cfa81a0f5b..a093c19deb 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -5,7 +5,7 @@
 		{{template "base/alert" .}}
 		{{template "repo/sub_menu" .}}
 		{{if .DefaultBranchBranch}}
-			<h4 class="ui top attached header">
+			<h4 class="ui top attached header gt-mt-4">
 				{{.locale.Tr "repo.default_branch"}}
 			</h4>
 

From dc9cebdf45d3594058727a5c8a5f20af098c5e7a Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 14:12:57 +0800
Subject: [PATCH 38/81] Use `--message=%s` for git commit message (#23028)

Close  #23027

`git commit` message option _only_ supports 4 formats (well, only ....):
* `"commit", "-m", msg`
* `"commit", "-m{msg}"`  (no space)
* `"commit", "--message", msg`
* `"commit", "--message={msg}"`

The long format with `=` is the best choice, and it's documented in `man
git-commit`:

`-m <msg>, --message=<msg> ...`

ps: I would suggest always use long format option for git command, as
much as possible.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 modules/git/commit.go      | 2 +-
 modules/repository/init.go | 5 ++---
 services/pull/merge.go     | 4 ++--
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/modules/git/commit.go b/modules/git/commit.go
index 1f6289ed02..4a55645d30 100644
--- a/modules/git/commit.go
+++ b/modules/git/commit.go
@@ -131,7 +131,7 @@ func CommitChangesWithArgs(repoPath string, args TrustedCmdArgs, opts CommitChan
 	if opts.Author != nil {
 		cmd.AddOptionFormat("--author='%s <%s>'", opts.Author.Name, opts.Author.Email)
 	}
-	cmd.AddOptionValues("-m", opts.Message)
+	cmd.AddOptionFormat("--message=%s", opts.Message)
 
 	_, _, err := cmd.RunStdString(&RunOpts{Dir: repoPath})
 	// No stderr but exit status 1 means nothing to commit.
diff --git a/modules/repository/init.go b/modules/repository/init.go
index 5705fe5b99..771b68a491 100644
--- a/modules/repository/init.go
+++ b/modules/repository/init.go
@@ -316,9 +316,8 @@ func initRepoCommit(ctx context.Context, tmpPath string, repo *repo_model.Reposi
 		return fmt.Errorf("git add --all: %w", err)
 	}
 
-	cmd := git.NewCommand(ctx, "commit").
-		AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email).
-		AddOptionValues("-m", "Initial commit")
+	cmd := git.NewCommand(ctx, "commit", "--message=Initial commit").
+		AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)
 
 	sign, keyID, signer, _ := asymkey_service.SignInitialCommit(ctx, tmpPath, u)
 	if sign {
diff --git a/services/pull/merge.go b/services/pull/merge.go
index 3ac67d91b7..ad428427cc 100644
--- a/services/pull/merge.go
+++ b/services/pull/merge.go
@@ -533,7 +533,7 @@ func rawMerge(ctx context.Context, pr *issues_model.PullRequest, doer *user_mode
 		if err := git.NewCommand(ctx, "commit").
 			AddArguments(signArgs...).
 			AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email).
-			AddOptionValues("-m", message).
+			AddOptionFormat("--message=%s", message).
 			Run(&git.RunOpts{
 				Env:    env,
 				Dir:    tmpBasePath,
@@ -641,7 +641,7 @@ func rawMerge(ctx context.Context, pr *issues_model.PullRequest, doer *user_mode
 
 func commitAndSignNoAuthor(ctx context.Context, pr *issues_model.PullRequest, message string, signArgs git.TrustedCmdArgs, tmpBasePath string, env []string) error {
 	var outbuf, errbuf strings.Builder
-	if err := git.NewCommand(ctx, "commit").AddArguments(signArgs...).AddOptionValues("-m", message).
+	if err := git.NewCommand(ctx, "commit").AddArguments(signArgs...).AddOptionFormat("--message=%s", message).
 		Run(&git.RunOpts{
 			Env:    env,
 			Dir:    tmpBasePath,

From e7be610d5773e69abbfb98d19e23112dfad6dfcc Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 14:13:37 +0800
Subject: [PATCH 39/81] Improve frontend guidelines (#23007)

Some were out-dated, some are added.
---
 .../developers/guidelines-frontend.en-us.md   | 18 +++++++---
 web_src/js/features/aria.md                   | 33 +++++++++++++++++--
 2 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/docs/content/doc/developers/guidelines-frontend.en-us.md b/docs/content/doc/developers/guidelines-frontend.en-us.md
index 23be6c6773..7f4d87d901 100644
--- a/docs/content/doc/developers/guidelines-frontend.en-us.md
+++ b/docs/content/doc/developers/guidelines-frontend.en-us.md
@@ -39,12 +39,20 @@ We recommend [Google HTML/CSS Style Guide](https://google.github.io/styleguide/h
 ### Gitea specific guidelines:
 
 1. Every feature (Fomantic-UI/jQuery module) should be put in separate files/directories.
-2. HTML ids and classes should use kebab-case.
+2. HTML ids and classes should use kebab-case, it's preferred to contain 2-3 feature related keywords.
 3. HTML ids and classes used in JavaScript should be unique for the whole project, and should contain 2-3 feature related keywords. We recommend to use the `js-` prefix for classes that are only used in JavaScript.
-4. jQuery events across different features could use their own namespaces if there are potential conflicts.
-5. CSS styling for classes provided by frameworks should not be overwritten. Always use new class-names with 2-3 feature related keywords to overwrite framework styles.
-6. The backend can pass complex data to the frontend by using `ctx.PageData["myModuleData"] = map[]{}`
-7. Simple pages and SEO-related pages use Go HTML Template render to generate static Fomantic-UI HTML output. Complex pages can use Vue3.
+4. CSS styling for classes provided by frameworks should not be overwritten. Always use new class names with 2-3 feature related keywords to overwrite framework styles. Gitea's helper CSS classes in `helpers.less` could be helpful.
+5. The backend can pass complex data to the frontend by using `ctx.PageData["myModuleData"] = map[]{}`, but do not expose whole models to the frontend to avoid leaking sensitive data.
+6. Simple pages and SEO-related pages use Go HTML Template render to generate static Fomantic-UI HTML output. Complex pages can use Vue3.
+7. Clarify variable types, prefer `elem.disabled = true` instead of `elem.setAttribute('disabled', 'anything')`, prefer `$el.prop('checked', var === 'yes')` instead of `$el.prop('checked', var)`.
+8. Use semantic elements, prefer `<button class="ui button">` instead of `<div class="ui button">`.
+9. Avoid unnecessary `!important` in CSS, add comments to explain why it's necessary if it can't be avoided.
+
+### Accessibility / ARIA
+
+In history, Gitea heavily uses Fomantic UI which is not an accessibility-friendly framework.
+Gitea uses some patches to make Fomantic UI more accessible (see the `aria.js` and `aria.md`),
+but there are still many problems which need a lot of work and time to fix.
 
 ### Framework Usage
 
diff --git a/web_src/js/features/aria.md b/web_src/js/features/aria.md
index ecd25ddb30..a55344de47 100644
--- a/web_src/js/features/aria.md
+++ b/web_src/js/features/aria.md
@@ -1,8 +1,35 @@
 **This document is used as aria/a11y reference for future developers**
 
+# Checkbox
+
+## Accessibility-friendly Checkbox
+
+The ideal checkboxes should be:
+
+```html
+<label><input type="checkbox"> ... </label>
+```
+
+However, related styles aren't supported (not implemented) yet, so at the moment, almost all the checkboxes are still using Fomantic UI checkbox.
+
+## Fomantic UI Checkbox
+
+```html
+<div class="ui checkbox">
+  <input type="checkbox"> <!-- class "hidden" will be added by $.checkbox() -->
+  <label>...</label>
+</div>
+```
+
+Then the JS `$.checkbox()` should be called to make it work with keyboard and label-clicking, then it works like the ideal checkboxes.
+
+There is still a problem: Fomantic UI checkbox is not friendly to screen readers, so we add IDs to all the Fomantic UI checkboxes automatically by JS.
+
+# Dropdown
+
 ## ARIA Dropdown
 
-There are different solutions: 
+There are different solutions:
 * combobox + listbox + option
 * menu + menuitem
 
@@ -27,7 +54,7 @@ At the moment, `menu + menuitem` seems to work better with Fomantic UI Dropdown,
 <div class="ui dropdown"> <!-- focused here, then it's not perfect to use aria-activedescendant to point to the menu item -->
   <input type="hidden" ...>
   <div class="text">Default</div>
-  <div class="menu transition hidden" tabindex="-1">
+  <div class="menu" tabindex="-1"> <!-- "transition hidden|visible" classes will be added by $.dropdown() and when the dropdown is working -->
     <div class="item active selected">Default</div>
     <div class="item">...</div>
   </div>
@@ -38,7 +65,7 @@ At the moment, `menu + menuitem` seems to work better with Fomantic UI Dropdown,
   <input type="hidden" ...>
   <input class="search" autocomplete="off" tabindex="0"> <!-- focused here -->
   <div class="text"></div>
-  <div class="menu transition visible" tabindex="-1">
+  <div class="menu" tabindex="-1"> <!-- "transition hidden|visible" classes will be added by $.dropdown() and when the dropdown is working -->
     <div class="item selected">...</div>
     <div class="item">...</div>
   </div>

From 7f790c70b9b178741e2ecbe971a6493b5eb423b2 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Tue, 21 Feb 2023 16:25:47 +0800
Subject: [PATCH 40/81] Remove delete button for review comment (#23036)

Fix #23031.

Currently, only comments with type `CommentTypeComment` or
`CommentTypeCode` can be deleted. If user create a review comment, the
type of the comment will be `CommentTypeReview` so the comment cannot be
deleted.

https://github.com/go-gitea/gitea/blob/e7be610d5773e69abbfb98d19e23112dfad6dfcc/routers/web/repo/issue.go#L2860-L2868

And in Github, user also cannot delete a review comment. There isn't a
delete button in the menu.

<img
src="https://user-images.githubusercontent.com/15528715/220275166-5ae2dc10-4003-4857-b14e-d7b02644345f.png"
width="640px" />

So we should remove the delete button from the menu when the comment's
type is `CommentTypeReview`.
---
 templates/repo/issue/view_content/comments.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index b81c3c7f03..2a9631d86f 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -437,7 +437,7 @@
 									{{end}}
 									{{if not $.Repository.IsArchived}}
 											{{template "repo/issue/view_content/add_reaction" Dict "ctx" $ "ActionURL" (Printf "%s/comments/%d/reactions" $.RepoLink .ID)}}
-											{{template "repo/issue/view_content/context_menu" Dict "ctx" $ "item" . "delete" true "issue" true "diff" false "IsCommentPoster" (and $.IsSigned (eq $.SignedUserID .PosterID))}}
+											{{template "repo/issue/view_content/context_menu" Dict "ctx" $ "item" . "delete" false "issue" true "diff" false "IsCommentPoster" (and $.IsSigned (eq $.SignedUserID .PosterID))}}
 									{{end}}
 							</div>
 						</div>

From e7b560f3fe07a0abf0321935d2a33d18a0f27acd Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 18:03:41 +0800
Subject: [PATCH 41/81] Fix the Manually Merged form (#23015)

Regression bug of #19650

Close #20983
Close #21912

### The "Manually Merged" form

![image](https://user-images.githubusercontent.com/2114189/220170503-32638994-b509-4251-8aa1-d8393dda7184.png)

### Mark a PR as Manually Merged and close it

![image](https://user-images.githubusercontent.com/2114189/220170537-25c91b2c-7a9a-44d1-9e6a-ebe3f1dfc26a.png)

---------

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/repo/issue/view_content/pull.tmpl   | 20 +++++++------------
 .../js/components/PullRequestMergeForm.vue    |  4 ++++
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index cbcc163df1..f0bf23c9e9 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -129,6 +129,7 @@
 	<div class="content">
 		{{template "repo/pulls/status" .}}
 		{{$canAutoMerge := false}}
+		{{$showGeneralMergeForm := false}}
 		<div class="ui attached merge-section segment {{if not $.LatestCommitStatus}}no-header{{end}}">
 			{{if .Issue.PullRequest.HasMerged}}
 				<div class="item text">
@@ -320,6 +321,7 @@
 								'textAutoMergeCancelSchedule': {{$.locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
 								'textClearMergeMessage': {{$.locale.Tr "repo.pulls.clear_merge_message"}},
 								'textClearMergeMessageHint': {{$.locale.Tr "repo.pulls.clear_merge_message_hint"}},
+								'textMergeCommitId': {{$.locale.Tr "repo.pulls.merge_commit_id"}},
 
 								'canMergeNow': {{$canMergeNow}},
 								'allOverridableChecksOk': {{not $notAllOverridableChecksOk}},
@@ -379,6 +381,7 @@
 							window.config.pageData.pullRequestMergeForm = mergeForm;
 						</script>
 
+						{{$showGeneralMergeForm = true}}
 						<div id="pull-request-merge-form"></div>
 					{{else}}
 						{{/* no merge style was set in repo setting: not or ($prUnit.PullRequestsConfig.AllowMerge ...) */}}
@@ -452,30 +455,21 @@
 						{{$.locale.Tr "repo.pulls.cannot_auto_merge_helper"}}
 					</div>
 				{{end}}
-			{{end}}
+			{{end}}{{/* end if: pull request status */}}
 
-			{{if $.StillCanManualMerge}}
+			{{if and $.StillCanManualMerge (not $showGeneralMergeForm)}}
 				<div class="ui divider"></div>
-				<div class="ui form manually-merged-fields gt-hidden">
+				<div class="ui form">
 					<form action="{{.Link}}/merge" method="post">
 						{{.CsrfTokenHtml}}
 						<div class="field">
-							<input type="text" name="merge_commit_id"  placeholder="{{$.locale.Tr "repo.pulls.merge_commit_id"}}">
+							<input type="text" name="merge_commit_id" placeholder="{{$.locale.Tr "repo.pulls.merge_commit_id"}}">
 						</div>
 						<button class="ui red button" type="submit" name="do" value="manually-merged">
 							{{$.locale.Tr "repo.pulls.merge_manually"}}
 						</button>
-						<button class="ui button merge-cancel">
-							{{$.locale.Tr "cancel"}}
-						</button>
 					</form>
 				</div>
-
-				<div class="ui red buttons merge-button">
-					<button class="ui button" data-do="manually-merged">
-						{{$.locale.Tr "repo.pulls.merge_manually"}}
-					</button>
-				</div>
 			{{end}}
 
 			{{if and .ShowMergeInstructions .Issue.PullRequest.HeadRepo}}
diff --git a/web_src/js/components/PullRequestMergeForm.vue b/web_src/js/components/PullRequestMergeForm.vue
index 2e10ce2531..bc960c1e70 100644
--- a/web_src/js/components/PullRequestMergeForm.vue
+++ b/web_src/js/components/PullRequestMergeForm.vue
@@ -36,6 +36,10 @@
           </div>
         </template>
 
+        <div class="field" v-if="mergeStyle === 'manually-merged'">
+          <input type="text" name="merge_commit_id" :placeholder="mergeForm.textMergeCommitId">
+        </div>
+
         <button class="ui button" :class="mergeButtonStyleClass" type="submit" name="do" :value="mergeStyle">
           {{ mergeStyleDetail.textDoMerge }}
           <template v-if="autoMergeWhenSucceed">

From 9ebf6424eedce94b1f5ab3ff34b41198e51e36f8 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Tue, 21 Feb 2023 19:28:31 +0800
Subject: [PATCH 42/81] Remove dashes between organization member avatars on
 hover (#23034)

On the home page of an organization, there are unexpected dashes between
the avatars of the members when hovering over the avatars, as shown in
below:

![hover including title](https://user-images.githubusercontent.com/17645053/220271470-4f49e16f-87eb-4ffa-b38e-23feae1ff92d.png)

![hover without title](https://user-images.githubusercontent.com/17645053/220271512-e4a67685-6b72-4742-a34f-e01ed248c1de.png)

This is because in `fomantic/build/semantic.css` there is a
rule `text-decoration: underline;` when hovering over the `<a>` tag.
Here, the `<a>` tag has width and height because of the avatar image inside,
leading to the unexpected underlines.

This PR overrides the `a:hover` rule so the underline does not exist anymore.

Co-authored-by: delvh <leon@kske.dev>
---
 web_src/less/_organization.less | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/web_src/less/_organization.less b/web_src/less/_organization.less
index c52753e29b..ae406f021a 100644
--- a/web_src/less/_organization.less
+++ b/web_src/less/_organization.less
@@ -93,6 +93,10 @@
   &.teams,
   &.profile {
     .members {
+      a:hover {
+        text-decoration: none;
+      }
+
       .ui.avatar {
         width: 48px;
         height: 48px;

From 1fcf96ad0166420cbdb013365ecae42e3537b42a Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Tue, 21 Feb 2023 21:36:53 +0800
Subject: [PATCH 43/81] Improve PR Review Box UI (#22986)

This PR follows:
* #22950

### Before

The Review Box has many problems:

* It doesn't work for small screens.
* It has an anonying animation which makes the UI laggy.
* It uses "custom dropdown menu" which is very difficult to fine tune.
* `$().toggle('visible')` is not a correct call
* jQuery just accepts any invalid `duration` argument:
`$().toggle('anyting')`
* The button is not a button.

<details>

![image](https://user-images.githubusercontent.com/2114189/219948865-6da3f39c-6fde-4c86-9e42-da5020f3d0c3.png)

</details>

### After

These problems are fixed, and eliminate many `!important` games.

<details>

![image](https://user-images.githubusercontent.com/2114189/219952744-8862fe1a-7ef1-49e4-bf92-2d0c1f104ee4.png)

![image](https://user-images.githubusercontent.com/2114189/219952771-be169a76-45fd-47a8-8f9c-b447d064f4ca.png)

![image](https://user-images.githubusercontent.com/2114189/219952784-3f52e9b7-64ce-4ad1-9553-64c33fb83042.png)

</details>

And most dropdown icons still looks good:

<details>

![image](https://user-images.githubusercontent.com/2114189/219952942-52866a00-e0f9-4af7-8fb5-eb1a8cad1ff3.png)

![image](https://user-images.githubusercontent.com/2114189/219948909-b3bfb844-f84e-4b79-ab1f-382ec66dec31.png)

</details>

Co-authored-by: delvh <leon@kske.dev>
---
 templates/repo/diff/box.tmpl         |  4 ++--
 templates/repo/diff/new_review.tmpl  | 10 ++++-----
 templates/repo/home.tmpl             |  2 +-
 web_src/js/features/common-global.js |  1 +
 web_src/js/features/repo-issue.js    | 10 ++++-----
 web_src/less/_base.less              | 21 +++++-------------
 web_src/less/_editor.less            |  2 +-
 web_src/less/_repository.less        |  5 -----
 web_src/less/_review.less            | 32 +++++++++++++---------------
 9 files changed, 35 insertions(+), 52 deletions(-)

diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index 1e79824355..4e6879650d 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -24,10 +24,10 @@
 					{{svg "octicon-diff" 16 "gt-mr-2"}}{{.locale.Tr "repo.diff.stats_desc" .Diff.NumFiles .Diff.TotalAddition .Diff.TotalDeletion | Str2html}}
 				</div>
 			</div>
-			<div class="diff-detail-actions gt-df gt-ac">
+			<div class="diff-detail-actions gt-df gt-ac gt-w-100">
 				{{if and .PageIsPullFiles $.SignedUserID (not .IsArchived)}}
 					<progress id="viewed-files-summary" class="gt-mr-2" value="{{.Diff.NumViewedFiles}}" max="{{.Diff.NumFiles}}"></progress>
-					<label for="viewed-files-summary" id="viewed-files-summary-label" class="gt-mr-3" data-text-changed-template="{{.locale.Tr "repo.pulls.viewed_files_label"}}">
+					<label for="viewed-files-summary" id="viewed-files-summary-label" class="gt-mr-3 gt-f1" data-text-changed-template="{{.locale.Tr "repo.pulls.viewed_files_label"}}">
 						{{.locale.Tr "repo.pulls.viewed_files_label" .Diff.NumViewedFiles .Diff.NumFiles}}
 					</label>
 				{{end}}
diff --git a/templates/repo/diff/new_review.tmpl b/templates/repo/diff/new_review.tmpl
index 8586cd6a56..52aff10e29 100644
--- a/templates/repo/diff/new_review.tmpl
+++ b/templates/repo/diff/new_review.tmpl
@@ -1,11 +1,11 @@
-<div class="ui top right pointing dropdown custom" id="review-box">
-	<div class="ui tiny green button btn-review gt-ml-2 gt-mr-0">
+<div id="review-box">
+	<button class="ui tiny green button gt-ml-2 gt-mr-0 js-btn-review">
 		{{.locale.Tr "repo.diff.review"}}
 		<span class="ui small label review-comments-counter" data-pending-comment-number="{{.PendingCodeCommentNumber}}">{{.PendingCodeCommentNumber}}</span>
 		{{svg "octicon-triangle-down" 14 "dropdown icon"}}
-	</div>
-	<div class="menu review-box">
-		<div class="ui clearing segment">
+	</button>
+	<div class="review-box-panel gt-hidden">
+		<div class="ui segment">
 			<form class="ui form" action="{{.Link}}/reviews/submit" method="post">
 			{{.CsrfTokenHtml}}
 				<input type="hidden" name="commit_id" value="{{.AfterCommitID}}"/>
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index 075b859a04..2a79c51ddf 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -77,7 +77,7 @@
 					<a href="{{.Repository.Link}}/find/{{.BranchNameSubURL}}" class="ui compact basic button">{{.locale.Tr "repo.find_file.go_to_file"}}</a>
 				{{end}}
 				{{if or .CanAddFile .CanUploadFile}}
-					<button class="ui basic small compact dropdown jump icon button gt-mr-2"{{if not .Repository.CanEnableEditor}} disabled{{end}}>
+					<button class="ui basic compact dropdown jump icon button gt-mr-2"{{if not .Repository.CanEnableEditor}} disabled{{end}}>
 						<span class="text">{{.locale.Tr "repo.editor.add_file"}}</span>
 						<div class="menu">
 							{{if .CanAddFile}}
diff --git a/web_src/js/features/common-global.js b/web_src/js/features/common-global.js
index 57a429ed9f..4fa6942467 100644
--- a/web_src/js/features/common-global.js
+++ b/web_src/js/features/common-global.js
@@ -60,6 +60,7 @@ export function initGlobalEnterQuickSubmit() {
 export function initGlobalButtonClickOnEnter() {
   $(document).on('keypress', '.ui.button', (e) => {
     if (e.keyCode === 13 || e.keyCode === 32) { // enter key or space bar
+      if (e.target.nodeName === 'BUTTON') return; // button already handles space&enter correctly
       $(e.target).trigger('click');
       e.preventDefault();
     }
diff --git a/web_src/js/features/repo-issue.js b/web_src/js/features/repo-issue.js
index 7b8705ad2c..4fc8bb5e62 100644
--- a/web_src/js/features/repo-issue.js
+++ b/web_src/js/features/repo-issue.js
@@ -470,7 +470,7 @@ export function initRepoPullRequestReview() {
     assignMenuAttributes(form.find('.menu'));
   });
 
-  const $reviewBox = $('.review-box');
+  const $reviewBox = $('.review-box-panel');
   if ($reviewBox.length === 1) {
     (async () => {
       // the editor's height is too large in some cases, and the panel cannot be scrolled with page now because there is `.repository .diff-detail-box.sticky { position: sticky; }`
@@ -487,12 +487,12 @@ export function initRepoPullRequestReview() {
     return;
   }
 
-  $('.btn-review').on('click', function (e) {
+  $('.js-btn-review').on('click', function (e) {
     e.preventDefault();
-    $(this).closest('.dropdown').find('.menu').toggle('visible'); // eslint-disable-line
-  }).closest('.dropdown').find('.close').on('click', function (e) {
+    toggleElem($(this).parent().find('.review-box-panel'));
+  }).parent().find('.review-box-panel .close').on('click', function (e) {
     e.preventDefault();
-    $(this).closest('.menu').toggle('visible'); // eslint-disable-line
+    hideElem($(this).closest('.review-box-panel'));
   });
 
   $(document).on('click', 'a.add-code-comment', async function (e) {
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index fc04df4f94..42b18ed1e9 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -2476,24 +2476,13 @@ table th[data-sortt-desc] {
   }
 }
 
-/* fix up SVG dropdown triangles because fomantic thinks they are icon fonts */
-/* see https://github.com/go-gitea/gitea/issues/14014 */
-.ui.dropdown > .dropdown.icon,
-.btn-review > .dropdown.icon {
-  height: auto !important;
-  margin-left: .5rem !important;
-  margin-top: -1px !important;
-  margin-bottom: -1px !important;
-  margin-right: -.5rem !important;
+.ui.dropdown .svg.dropdown.icon,
+.svg.dropdown.icon {
+  margin-top: 0 !important; // reset the "ui.selection.dropdown > .dropdown.icon {margin-top}", for the Issue Dependencies dropdown
+  margin-right: -.5rem !important; // fix up SVG dropdown triangles because Fomantic thinks they are icon fonts
+  height: auto; // reset the ".ui.dropdown > .dropdown.icon {height}", otherwise the icon would be too small
 }
-.ui.button.dropdown > .dropdown.icon,
-.btn-review > .dropdown.icon {
-  float: right !important;
 
-  @media (max-width: 480px) {
-    display: none;
-  }
-}
 .ui.selection.dropdown > .search.icon,
 .ui.selection.dropdown > .delete.icon,
 .ui.selection.dropdown > .dropdown.icon {
diff --git a/web_src/less/_editor.less b/web_src/less/_editor.less
index 73e5bda0a2..d3f9edeb2d 100644
--- a/web_src/less/_editor.less
+++ b/web_src/less/_editor.less
@@ -13,7 +13,7 @@
 }
 
 .editor-toolbar {
-  opacity: 1 !important;
+  max-width: calc(100vw - 80px);
   border-color: var(--color-secondary);
 }
 
diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index 3bec5f58fb..627a5f6c2f 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -2864,11 +2864,6 @@
   margin-top: 10px;
 }
 
-.repo-button-row .dropdown > .dropdown.icon {
-  margin-left: .25rem !important;
-  margin-right: 0 !important;
-}
-
 .wiki .repo-button-row {
   margin-bottom: 0;
 }
diff --git a/web_src/less/_review.less b/web_src/less/_review.less
index d436bc2490..54392151a1 100644
--- a/web_src/less/_review.less
+++ b/web_src/less/_review.less
@@ -220,47 +220,45 @@ a.blob-excerpt:hover {
 
 // See the comment of createCommentEasyMDE() for the review editor
 // EasyMDE's options can not handle minHeight & maxHeight together correctly, we have to set minHeight in JS code
-#review-box .CodeMirror-scroll {
+.review-box-panel .CodeMirror-scroll {
   min-height: 80px;
   max-height: calc(100vh - 360px);
 }
 
 @media @mediaSm {
-  #review-box > .menu {
-    > .ui.segment {
-      width: 94vw;
-    }
-
-    .editor-toolbar {
-      overflow-x: auto;
-    }
-  }
-
-  #review-box .CodeMirror-scroll {
+  .review-box-panel .CodeMirror-scroll {
     max-width: calc(100vw - 70px);
   }
 }
 
 @media @mediaMd {
-  #review-box .CodeMirror-scroll {
+  .review-box-panel .CodeMirror-scroll {
     max-width: 700px;
   }
 }
 
 @media @mediaLg {
-  #review-box .CodeMirror-scroll {
+  .review-box-panel .CodeMirror-scroll {
     max-width: 800px;
   }
 }
 
 @media @mediaXl {
-  #review-box .CodeMirror-scroll {
+  .review-box-panel .CodeMirror-scroll {
     max-width: 900px;
   }
 }
 
-.review-box > .segment {
-  border: none !important;
+#review-box {
+  position: relative;
+}
+
+.review-box-panel {
+  position: absolute;
+  min-width: max-content;
+  top: 45px;
+  right: -5px;
+  z-index: 2;
 }
 
 #review-box .review-comments-counter {

From c8c2a31818527f7377ddb9fb111a55d0c058ebe7 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Tue, 21 Feb 2023 22:42:07 +0800
Subject: [PATCH 44/81] Add force_merge to merge request and fix checking
 mergable (#23010)

Fix #23000.
---
 routers/api/v1/repo/pull.go                   | 15 ++++++--
 routers/web/repo/pull.go                      | 16 ++++++--
 services/automerge/automerge.go               |  2 +-
 services/forms/repo_form.go                   |  2 +-
 services/pull/check.go                        | 37 ++++++++++++++-----
 .../js/components/PullRequestMergeForm.vue    |  7 +++-
 6 files changed, 59 insertions(+), 20 deletions(-)

diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index fa8b517ae7..84eebeb94d 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -767,11 +767,18 @@ func MergePullRequest(ctx *context.APIContext) {
 		}
 	}
 
-	manuallMerge := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
-	force := form.ForceMerge != nil && *form.ForceMerge
+	manuallyMerged := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
+
+	mergeCheckType := pull_service.MergeCheckTypeGeneral
+	if form.MergeWhenChecksSucceed {
+		mergeCheckType = pull_service.MergeCheckTypeAuto
+	}
+	if manuallyMerged {
+		mergeCheckType = pull_service.MergeCheckTypeManually
+	}
 
 	// start with merging by checking
-	if err := pull_service.CheckPullMergable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, manuallMerge, force); err != nil {
+	if err := pull_service.CheckPullMergable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge); err != nil {
 		if errors.Is(err, pull_service.ErrIsClosed) {
 			ctx.NotFound()
 		} else if errors.Is(err, pull_service.ErrUserNotAllowedToMerge) {
@@ -793,7 +800,7 @@ func MergePullRequest(ctx *context.APIContext) {
 	}
 
 	// handle manually-merged mark
-	if manuallMerge {
+	if manuallyMerged {
 		if err := pull_service.MergedManually(pr, ctx.Doer, ctx.Repo.GitRepo, form.MergeCommitID); err != nil {
 			if models.IsErrInvalidMergeStyle(err) {
 				ctx.Error(http.StatusMethodNotAllowed, "Invalid merge style", fmt.Errorf("%s is not allowed an allowed merge style for this repository", repo_model.MergeStyle(form.Do)))
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index c7a59da8a8..38b9f22cbf 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -926,11 +926,19 @@ func MergePullRequest(ctx *context.Context) {
 	pr := issue.PullRequest
 	pr.Issue = issue
 	pr.Issue.Repo = ctx.Repo.Repository
-	manualMerge := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
-	forceMerge := form.ForceMerge != nil && *form.ForceMerge
+
+	manuallyMerged := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
+
+	mergeCheckType := pull_service.MergeCheckTypeGeneral
+	if form.MergeWhenChecksSucceed {
+		mergeCheckType = pull_service.MergeCheckTypeAuto
+	}
+	if manuallyMerged {
+		mergeCheckType = pull_service.MergeCheckTypeManually
+	}
 
 	// start with merging by checking
-	if err := pull_service.CheckPullMergable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, manualMerge, forceMerge); err != nil {
+	if err := pull_service.CheckPullMergable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge); err != nil {
 		switch {
 		case errors.Is(err, pull_service.ErrIsClosed):
 			if issue.IsPull {
@@ -962,7 +970,7 @@ func MergePullRequest(ctx *context.Context) {
 	}
 
 	// handle manually-merged mark
-	if manualMerge {
+	if manuallyMerged {
 		if err := pull_service.MergedManually(pr, ctx.Doer, ctx.Repo.GitRepo, form.MergeCommitID); err != nil {
 			switch {
 
diff --git a/services/automerge/automerge.go b/services/automerge/automerge.go
index 74cfb8da8f..9946047640 100644
--- a/services/automerge/automerge.go
+++ b/services/automerge/automerge.go
@@ -230,7 +230,7 @@ func handlePull(pullID int64, sha string) {
 		return
 	}
 
-	if err := pull_service.CheckPullMergable(ctx, doer, &perm, pr, false, false); err != nil {
+	if err := pull_service.CheckPullMergable(ctx, doer, &perm, pr, pull_service.MergeCheckTypeGeneral, false); err != nil {
 		if errors.Is(pull_service.ErrUserNotAllowedToMerge, err) {
 			log.Info("%-v was scheduled to automerge by an unauthorized user", pr)
 			return
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index 374ae0ac5c..e9645b5ab7 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -604,7 +604,7 @@ type MergePullRequestForm struct {
 	MergeMessageField      string
 	MergeCommitID          string // only used for manually-merged
 	HeadCommitID           string `json:"head_commit_id,omitempty"`
-	ForceMerge             *bool  `json:"force_merge,omitempty"`
+	ForceMerge             bool   `json:"force_merge,omitempty"`
 	MergeWhenChecksSucceed bool   `json:"merge_when_checks_succeed,omitempty"`
 	DeleteBranchAfterMerge bool   `json:"delete_branch_after_merge,omitempty"`
 }
diff --git a/services/pull/check.go b/services/pull/check.go
index 310ea2e714..02d9015414 100644
--- a/services/pull/check.go
+++ b/services/pull/check.go
@@ -59,8 +59,16 @@ func AddToTaskQueue(pr *issues_model.PullRequest) {
 	}
 }
 
+type MergeCheckType int
+
+const (
+	MergeCheckTypeGeneral  MergeCheckType = iota // general merge checks for "merge", "rebase", "squash", etc
+	MergeCheckTypeManually                       // Manually Merged button (mark a PR as merged manually)
+	MergeCheckTypeAuto                           // Auto Merge (Scheduled Merge) After Checks Succeed
+)
+
 // CheckPullMergable check if the pull mergable based on all conditions (branch protection, merge options, ...)
-func CheckPullMergable(stdCtx context.Context, doer *user_model.User, perm *access_model.Permission, pr *issues_model.PullRequest, manuallMerge, force bool) error {
+func CheckPullMergable(stdCtx context.Context, doer *user_model.User, perm *access_model.Permission, pr *issues_model.PullRequest, mergeCheckType MergeCheckType, adminSkipProtectionCheck bool) error {
 	return db.WithTx(stdCtx, func(ctx context.Context) error {
 		if pr.HasMerged {
 			return ErrHasMerged
@@ -80,8 +88,8 @@ func CheckPullMergable(stdCtx context.Context, doer *user_model.User, perm *acce
 			return ErrUserNotAllowedToMerge
 		}
 
-		if manuallMerge {
-			// don't check rules to "auto merge", doer is going to mark this pull as merged manually
+		if mergeCheckType == MergeCheckTypeManually {
+			// if doer is doing "manually merge" (mark as merged manually), do not check anything
 			return nil
 		}
 
@@ -103,14 +111,25 @@ func CheckPullMergable(stdCtx context.Context, doer *user_model.User, perm *acce
 				return err
 			}
 
-			if !force {
-				return err
+			// Now the branch protection check failed, check whether the failure could be skipped (skip by setting err = nil)
+
+			// * when doing Auto Merge (Scheduled Merge After Checks Succeed), skip the branch protection check
+			if mergeCheckType == MergeCheckTypeAuto {
+				err = nil
 			}
 
-			if isRepoAdmin, err2 := access_model.IsUserRepoAdmin(ctx, pr.BaseRepo, doer); err2 != nil {
-				log.Error("Unable to check if %-v is a repo admin in %-v: %v", doer, pr.BaseRepo, err2)
-				return err2
-			} else if !isRepoAdmin {
+			// * if the doer is admin, they could skip the branch protection check
+			if adminSkipProtectionCheck {
+				if isRepoAdmin, errCheckAdmin := access_model.IsUserRepoAdmin(ctx, pr.BaseRepo, doer); errCheckAdmin != nil {
+					log.Error("Unable to check if %-v is a repo admin in %-v: %v", doer, pr.BaseRepo, errCheckAdmin)
+					return errCheckAdmin
+				} else if isRepoAdmin {
+					err = nil // repo admin can skip the check, so clear the error
+				}
+			}
+
+			// If there is still a branch protection check error, return it
+			if err != nil {
 				return err
 			}
 		}
diff --git a/web_src/js/components/PullRequestMergeForm.vue b/web_src/js/components/PullRequestMergeForm.vue
index bc960c1e70..fc610d2194 100644
--- a/web_src/js/components/PullRequestMergeForm.vue
+++ b/web_src/js/components/PullRequestMergeForm.vue
@@ -18,6 +18,7 @@
         <input type="hidden" name="_csrf" :value="csrfToken">
         <input type="hidden" name="head_commit_id" v-model="mergeForm.pullHeadCommitID">
         <input type="hidden" name="merge_when_checks_succeed" v-model="autoMergeWhenSucceed">
+        <input type="hidden" name="force_merge" v-model="forceMerge">
 
         <template v-if="!mergeStyleDetail.hideMergeMessageTexts">
           <div class="field">
@@ -131,6 +132,7 @@ export default {
       textDoMerge: '',
       mergeTitleFieldText: '',
       mergeMessageFieldText: '',
+      hideAutoMerge: false,
     },
     mergeStyleAllowedCount: 0,
 
@@ -141,7 +143,10 @@ export default {
     mergeButtonStyleClass() {
       if (this.mergeForm.allOverridableChecksOk) return 'green';
       return this.autoMergeWhenSucceed ? 'blue' : 'red';
-    }
+    },
+    forceMerge() {
+      return this.mergeForm.canMergeNow && !this.mergeForm.allOverridableChecksOk;
+    },
   },
   watch: {
     mergeStyle(val) {

From 77f70bd5a39f8f52507f143849d105a3c020f115 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Tue, 21 Feb 2023 16:23:45 +0100
Subject: [PATCH 45/81] Upgrade to stylelint 15 (#22944)

- Upgrade stylelint and plugin
- Change ruleset to a explicit one, with all deprecated rules removed
- Fix new issues detected by value validation

For `overflow: overlay` see
https://github.com/stylelint/stylelint/issues/6667
---
 .stylelintrc.yaml                | 115 +++++++++++++--
 package-lock.json                | 241 ++++++++++++++++---------------
 package.json                     |   5 +-
 web_src/less/_base.less          |   2 +-
 web_src/less/_font_i18n.less     |   2 +-
 web_src/less/_review.less        |   2 +-
 web_src/less/markup/content.less |   2 -
 web_src/less/modules/tippy.less  |   2 +-
 8 files changed, 232 insertions(+), 139 deletions(-)

diff --git a/.stylelintrc.yaml b/.stylelintrc.yaml
index d51a08bf8e..ca0f16b07b 100644
--- a/.stylelintrc.yaml
+++ b/.stylelintrc.yaml
@@ -1,44 +1,133 @@
-extends: stylelint-config-standard
-
 plugins:
   - stylelint-declaration-strict-value
 
 overrides:
   - files: ["**/*.less"]
     customSyntax: postcss-less
-  - files: ["**/*.less"]
-    rules:
-      scale-unlimited/declaration-strict-value: [color, {
-        ignoreValues: /^(inherit|transparent|unset|initial)$/
-      }]
   - files: ["**/chroma/*", "**/codemirror/*", "**/standalone/*", "**/console/*"]
     rules:
       scale-unlimited/declaration-strict-value: null
 
 rules:
   alpha-value-notation: null
+  annotation-no-unknown: true
+  at-rule-allowed-list: null
+  at-rule-disallowed-list: null
   at-rule-empty-line-before: null
-  block-closing-brace-empty-line-before: null
+  at-rule-no-unknown: true
+  at-rule-no-vendor-prefix: true
+  at-rule-property-required-list: null
+  block-no-empty: true
   color-function-notation: null
+  color-hex-alpha: null
   color-hex-length: null
+  color-named: null
+  color-no-hex: null
+  color-no-invalid-hex: true
   comment-empty-line-before: null
+  comment-no-empty: true
+  comment-pattern: null
+  comment-whitespace-inside: null
+  comment-word-disallowed-list: null
+  custom-media-pattern: null
+  custom-property-empty-line-before: null
+  custom-property-no-missing-var-function: true
+  custom-property-pattern: null
+  declaration-block-no-duplicate-custom-properties: true
+  declaration-block-no-duplicate-properties: [true, {ignore: [consecutive-duplicates-with-different-values]}]
   declaration-block-no-redundant-longhand-properties: null
+  declaration-block-no-shorthand-property-overrides: null
   declaration-block-single-line-max-declarations: null
   declaration-empty-line-before: null
+  declaration-no-important: null
+  declaration-property-max-values: null
+  declaration-property-unit-allowed-list: null
+  declaration-property-unit-disallowed-list: null
+  declaration-property-value-allowed-list: null
+  declaration-property-value-disallowed-list: null
+  declaration-property-value-no-unknown: true
+  font-family-name-quotes: always-where-recommended
+  font-family-no-duplicate-names: true
+  font-family-no-missing-generic-family-keyword: true
+  font-weight-notation: null
+  function-allowed-list: null
+  function-calc-no-unspaced-operator: true
+  function-disallowed-list: null
+  function-linear-gradient-no-nonstandard-direction: true
+  function-name-case: lower
   function-no-unknown: null
+  function-url-no-scheme-relative: null
+  function-url-quotes: always
+  function-url-scheme-allowed-list: null
+  function-url-scheme-disallowed-list: null
   hue-degree-notation: null
   import-notation: string
-  indentation: 2
-  max-line-length: null
+  keyframe-block-no-duplicate-selectors: true
+  keyframe-declaration-no-important: true
+  keyframe-selector-notation: null
+  keyframes-name-pattern: null
+  length-zero-no-unit: true
+  max-nesting-depth: null
+  media-feature-name-allowed-list: null
+  media-feature-name-disallowed-list: null
+  media-feature-name-no-unknown: true
+  media-feature-name-no-vendor-prefix: true
+  media-feature-name-unit-allowed-list: null
+  media-feature-name-value-allowed-list: null
+  media-feature-range-notation: null
+  named-grid-areas-no-invalid: true
   no-descending-specificity: null
+  no-duplicate-at-import-rules: true
+  no-duplicate-selectors: true
+  no-empty-source: true
+  no-invalid-double-slash-comments: true
   no-invalid-position-at-import-rule: null
-  number-leading-zero: never
+  no-irregular-whitespace: true
+  no-unknown-animations: null
   number-max-precision: null
+  property-allowed-list: null
+  property-disallowed-list: null
+  property-no-unknown: true
   property-no-vendor-prefix: null
   rule-empty-line-before: null
+  rule-selector-property-disallowed-list: null
+  scale-unlimited/declaration-strict-value: [color, {ignoreValues: /^(inherit|transparent|unset|initial|currentcolor)$/}]
+  selector-attribute-name-disallowed-list: null
+  selector-attribute-operator-allowed-list: null
+  selector-attribute-operator-disallowed-list: null
+  selector-attribute-quotes: always
   selector-class-pattern: null
+  selector-combinator-allowed-list: null
+  selector-combinator-disallowed-list: null
+  selector-disallowed-list: null
   selector-id-pattern: null
+  selector-max-attribute: null
+  selector-max-class: null
+  selector-max-combinators: null
+  selector-max-compound-selectors: null
+  selector-max-id: null
+  selector-max-pseudo-class: null
+  selector-max-specificity: null
+  selector-max-type: null
+  selector-max-universal: null
+  selector-nested-pattern: null
+  selector-no-qualifying-type: null
+  selector-no-vendor-prefix: true
+  selector-not-notation: null
+  selector-pseudo-class-allowed-list: null
+  selector-pseudo-class-disallowed-list: null
+  selector-pseudo-class-no-unknown: true
+  selector-pseudo-element-allowed-list: null
   selector-pseudo-element-colon-notation: double
+  selector-pseudo-element-disallowed-list: null
+  selector-pseudo-element-no-unknown: true
+  selector-type-case: lower
+  selector-type-no-unknown: [true, {ignore: [custom-elements]}]
   shorthand-property-no-redundant-values: true
-  string-quotes: null
-  value-no-vendor-prefix: null
+  string-no-newline: true
+  time-min-milliseconds: null
+  unit-allowed-list: null
+  unit-disallowed-list: null
+  unit-no-unknown: true
+  value-keyword-case: null
+  value-no-vendor-prefix: [true, {ignoreValues: [box, inline-box]}]
diff --git a/package-lock.json b/package-lock.json
index 940bff2726..641a42b846 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -65,9 +65,8 @@
         "jsdom": "21.0.0",
         "markdownlint-cli": "0.33.0",
         "postcss-less": "6.0.0",
-        "stylelint": "14.16.1",
-        "stylelint-config-standard": "29.0.0",
-        "stylelint-declaration-strict-value": "1.9.1",
+        "stylelint": "15.2.0",
+        "stylelint-declaration-strict-value": "1.9.2",
         "svgo": "3.0.2",
         "updates": "13.2.7",
         "vitest": "0.27.2"
@@ -297,10 +296,56 @@
         "jquery": ">= 1.7.x"
       }
     },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-2.0.1.tgz",
+      "integrity": "sha512-B9/8PmOtU6nBiibJg0glnNktQDZ3rZnGn/7UmDfrm2vMtrdlXO3p7ErE95N0up80IRk9YEtB5jyj/TmQ1WH3dw==",
+      "dev": true,
+      "engines": {
+        "node": "^14 || ^16 || >=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/csstools"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^2.0.0"
+      }
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-2.0.2.tgz",
+      "integrity": "sha512-prUTipz0NZH7Lc5wyBUy93NFy3QYDMVEQgSeZzNdpMbKRd6V2bgRFyJ+O0S0Dw0MXWuE/H9WXlJk3kzMZRHZ/g==",
+      "dev": true,
+      "engines": {
+        "node": "^14 || ^16 || >=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/csstools"
+      }
+    },
+    "node_modules/@csstools/media-query-list-parser": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@csstools/media-query-list-parser/-/media-query-list-parser-2.0.1.tgz",
+      "integrity": "sha512-X2/OuzEbjaxhzm97UJ+95GrMeT29d1Ib+Pu+paGLuRWZnWRK9sI9r3ikmKXPWGA1C4y4JEdBEFpp9jEqCvLeRA==",
+      "dev": true,
+      "engines": {
+        "node": "^14 || ^16 || >=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/csstools"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^2.0.0",
+        "@csstools/css-tokenizer": "^2.0.0"
+      }
+    },
     "node_modules/@csstools/selector-specificity": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.1.0.tgz",
-      "integrity": "sha512-zJ6hb3FDgBbO8d2e83vg6zq7tNvDqSq9RwdwfzJ8tdm9JHNvANq2fqwyRn6mlpUb7CwTs5ILdUrGwi9Gk4vY5w==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.1.1.tgz",
+      "integrity": "sha512-jwx+WCqszn53YHOfvFMJJRd/B2GqkCBt+1MJSG6o5/s8+ytHMvDZXsJgUEWLk12UnLd7HYKac4BYU5i/Ron1Cw==",
       "dev": true,
       "engines": {
         "node": "^14 || ^16 || >=18"
@@ -1528,12 +1573,6 @@
       "integrity": "sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw==",
       "dev": true
     },
-    "node_modules/@types/parse-json": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz",
-      "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==",
-      "dev": true
-    },
     "node_modules/@types/tern": {
       "version": "0.23.4",
       "resolved": "https://registry.npmjs.org/@types/tern/-/tern-0.23.4.tgz",
@@ -2642,19 +2681,18 @@
       "dev": true
     },
     "node_modules/cosmiconfig": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz",
-      "integrity": "sha512-AdmX6xUzdNASswsFtmwSt7Vj8po9IuqXm0UXz7QKPuEUmPB4XyjGfaAr2PSuELMwkRMVH1EpIkX5bTZGRB3eCA==",
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-8.0.0.tgz",
+      "integrity": "sha512-da1EafcpH6b/TD8vDRaWV7xFINlHlF6zKsGwS1TsuVJTZRkquaS5HTMq7uq6h31619QjbsYl21gVDOm32KM1vQ==",
       "dev": true,
       "dependencies": {
-        "@types/parse-json": "^4.0.0",
         "import-fresh": "^3.2.1",
+        "js-yaml": "^4.1.0",
         "parse-json": "^5.0.0",
-        "path-type": "^4.0.0",
-        "yaml": "^1.10.0"
+        "path-type": "^4.0.0"
       },
       "engines": {
-        "node": ">=10"
+        "node": ">=14"
       }
     },
     "node_modules/cross-spawn": {
@@ -8343,16 +8381,20 @@
       "dev": true
     },
     "node_modules/stylelint": {
-      "version": "14.16.1",
-      "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-14.16.1.tgz",
-      "integrity": "sha512-ErlzR/T3hhbV+a925/gbfc3f3Fep9/bnspMiJPorfGEmcBbXdS+oo6LrVtoUZ/w9fqD6o6k7PtUlCOsCRdjX/A==",
+      "version": "15.2.0",
+      "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-15.2.0.tgz",
+      "integrity": "sha512-wjg5OLn8zQwjlj5cYUgyQpMWKzct42AG5dYlqkHRJQJqsystFFn3onqEc263KH4xfEI0W3lZCnlIhFfS64uwSA==",
       "dev": true,
       "dependencies": {
-        "@csstools/selector-specificity": "^2.0.2",
+        "@csstools/css-parser-algorithms": "^2.0.1",
+        "@csstools/css-tokenizer": "^2.0.1",
+        "@csstools/media-query-list-parser": "^2.0.1",
+        "@csstools/selector-specificity": "^2.1.1",
         "balanced-match": "^2.0.0",
         "colord": "^2.9.3",
-        "cosmiconfig": "^7.1.0",
+        "cosmiconfig": "^8.0.0",
         "css-functions-list": "^3.1.0",
+        "css-tree": "^2.3.1",
         "debug": "^4.3.4",
         "fast-glob": "^3.2.12",
         "fastest-levenshtein": "^1.0.16",
@@ -8361,7 +8403,7 @@
         "globby": "^11.1.0",
         "globjoin": "^0.1.4",
         "html-tags": "^3.2.0",
-        "ignore": "^5.2.1",
+        "ignore": "^5.2.4",
         "import-lazy": "^4.0.0",
         "imurmurhash": "^0.1.4",
         "is-plain-object": "^5.0.0",
@@ -8371,7 +8413,7 @@
         "micromatch": "^4.0.5",
         "normalize-path": "^3.0.0",
         "picocolors": "^1.0.0",
-        "postcss": "^8.4.19",
+        "postcss": "^8.4.21",
         "postcss-media-query-parser": "^0.2.3",
         "postcss-resolve-nested-selector": "^0.1.1",
         "postcss-safe-parser": "^6.0.0",
@@ -8385,51 +8427,30 @@
         "svg-tags": "^1.0.0",
         "table": "^6.8.1",
         "v8-compile-cache": "^2.3.0",
-        "write-file-atomic": "^4.0.2"
+        "write-file-atomic": "^5.0.0"
       },
       "bin": {
         "stylelint": "bin/stylelint.js"
       },
       "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": "^14.13.1 || >=16.0.0"
       },
       "funding": {
         "type": "opencollective",
         "url": "https://opencollective.com/stylelint"
       }
     },
-    "node_modules/stylelint-config-recommended": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/stylelint-config-recommended/-/stylelint-config-recommended-9.0.0.tgz",
-      "integrity": "sha512-9YQSrJq4NvvRuTbzDsWX3rrFOzOlYBmZP+o513BJN/yfEmGSr0AxdvrWs0P/ilSpVV/wisamAHu5XSk8Rcf4CQ==",
-      "dev": true,
-      "peerDependencies": {
-        "stylelint": "^14.10.0"
-      }
-    },
-    "node_modules/stylelint-config-standard": {
-      "version": "29.0.0",
-      "resolved": "https://registry.npmjs.org/stylelint-config-standard/-/stylelint-config-standard-29.0.0.tgz",
-      "integrity": "sha512-uy8tZLbfq6ZrXy4JKu3W+7lYLgRQBxYTUUB88vPgQ+ZzAxdrvcaSUW9hOMNLYBnwH+9Kkj19M2DHdZ4gKwI7tg==",
-      "dev": true,
-      "dependencies": {
-        "stylelint-config-recommended": "^9.0.0"
-      },
-      "peerDependencies": {
-        "stylelint": "^14.14.0"
-      }
-    },
     "node_modules/stylelint-declaration-strict-value": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/stylelint-declaration-strict-value/-/stylelint-declaration-strict-value-1.9.1.tgz",
-      "integrity": "sha512-iIkMh2ukIfSTtJoEDgGq5cqUyYWP8NExPk2YSGcePtFikb7KmJoSi0QYajiZRxge/PTbYspci7nIcrtArJlAsw==",
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/stylelint-declaration-strict-value/-/stylelint-declaration-strict-value-1.9.2.tgz",
+      "integrity": "sha512-Z/2yr7g4tq2iGOUWhZLzHL2g2GJYJGcPkfjDh++zI8ukLxW0tcLGJjo64XYCDjja6YcECPDUWbpN+OAoAtAYvw==",
       "dev": true,
       "dependencies": {
         "css-values": "^0.1.0",
         "shortcss": "^0.1.3"
       },
       "peerDependencies": {
-        "stylelint": ">=7 <=14"
+        "stylelint": ">=7 <=15"
       }
     },
     "node_modules/stylelint/node_modules/balanced-match": {
@@ -9778,16 +9799,16 @@
       "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
     },
     "node_modules/write-file-atomic": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-4.0.2.tgz",
-      "integrity": "sha512-7KxauUdBmSdWnmpaGFg+ppNjKF8uNLry8LyzjauQDOVONfFLNKrKvQOxZ/VuTIcS/gge/YNahf5RIIQWTSarlg==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-5.0.0.tgz",
+      "integrity": "sha512-R7NYMnHSlV42K54lwY9lvW6MnSm1HSJqZL3xiSgi9E7//FYaI74r2G0rd+/X6VAMkHEdzxQaU5HUOXWUz5kA/w==",
       "dev": true,
       "dependencies": {
         "imurmurhash": "^0.1.4",
         "signal-exit": "^3.0.7"
       },
       "engines": {
-        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
     "node_modules/ws": {
@@ -9850,15 +9871,6 @@
       "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
       "dev": true
     },
-    "node_modules/yaml": {
-      "version": "1.10.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz",
-      "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
-      "dev": true,
-      "engines": {
-        "node": ">= 6"
-      }
-    },
     "node_modules/yargs": {
       "version": "17.3.1",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.3.1.tgz",
@@ -10073,10 +10085,30 @@
       "integrity": "sha512-8Ro6D4GCrmOl41+6w4NFhEOpx8vjxwVRI69bulXsFDt49uVRKhLU5TnzEV7AmOJrylkVq+ugnYNMiGHBieeKUQ==",
       "requires": {}
     },
+    "@csstools/css-parser-algorithms": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-2.0.1.tgz",
+      "integrity": "sha512-B9/8PmOtU6nBiibJg0glnNktQDZ3rZnGn/7UmDfrm2vMtrdlXO3p7ErE95N0up80IRk9YEtB5jyj/TmQ1WH3dw==",
+      "dev": true,
+      "requires": {}
+    },
+    "@csstools/css-tokenizer": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-2.0.2.tgz",
+      "integrity": "sha512-prUTipz0NZH7Lc5wyBUy93NFy3QYDMVEQgSeZzNdpMbKRd6V2bgRFyJ+O0S0Dw0MXWuE/H9WXlJk3kzMZRHZ/g==",
+      "dev": true
+    },
+    "@csstools/media-query-list-parser": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@csstools/media-query-list-parser/-/media-query-list-parser-2.0.1.tgz",
+      "integrity": "sha512-X2/OuzEbjaxhzm97UJ+95GrMeT29d1Ib+Pu+paGLuRWZnWRK9sI9r3ikmKXPWGA1C4y4JEdBEFpp9jEqCvLeRA==",
+      "dev": true,
+      "requires": {}
+    },
     "@csstools/selector-specificity": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.1.0.tgz",
-      "integrity": "sha512-zJ6hb3FDgBbO8d2e83vg6zq7tNvDqSq9RwdwfzJ8tdm9JHNvANq2fqwyRn6mlpUb7CwTs5ILdUrGwi9Gk4vY5w==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.1.1.tgz",
+      "integrity": "sha512-jwx+WCqszn53YHOfvFMJJRd/B2GqkCBt+1MJSG6o5/s8+ytHMvDZXsJgUEWLk12UnLd7HYKac4BYU5i/Ron1Cw==",
       "dev": true,
       "requires": {}
     },
@@ -10906,12 +10938,6 @@
       "integrity": "sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw==",
       "dev": true
     },
-    "@types/parse-json": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz",
-      "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==",
-      "dev": true
-    },
     "@types/tern": {
       "version": "0.23.4",
       "resolved": "https://registry.npmjs.org/@types/tern/-/tern-0.23.4.tgz",
@@ -11749,16 +11775,15 @@
       "dev": true
     },
     "cosmiconfig": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz",
-      "integrity": "sha512-AdmX6xUzdNASswsFtmwSt7Vj8po9IuqXm0UXz7QKPuEUmPB4XyjGfaAr2PSuELMwkRMVH1EpIkX5bTZGRB3eCA==",
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-8.0.0.tgz",
+      "integrity": "sha512-da1EafcpH6b/TD8vDRaWV7xFINlHlF6zKsGwS1TsuVJTZRkquaS5HTMq7uq6h31619QjbsYl21gVDOm32KM1vQ==",
       "dev": true,
       "requires": {
-        "@types/parse-json": "^4.0.0",
         "import-fresh": "^3.2.1",
+        "js-yaml": "^4.1.0",
         "parse-json": "^5.0.0",
-        "path-type": "^4.0.0",
-        "yaml": "^1.10.0"
+        "path-type": "^4.0.0"
       }
     },
     "cross-spawn": {
@@ -15993,16 +16018,20 @@
       "dev": true
     },
     "stylelint": {
-      "version": "14.16.1",
-      "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-14.16.1.tgz",
-      "integrity": "sha512-ErlzR/T3hhbV+a925/gbfc3f3Fep9/bnspMiJPorfGEmcBbXdS+oo6LrVtoUZ/w9fqD6o6k7PtUlCOsCRdjX/A==",
+      "version": "15.2.0",
+      "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-15.2.0.tgz",
+      "integrity": "sha512-wjg5OLn8zQwjlj5cYUgyQpMWKzct42AG5dYlqkHRJQJqsystFFn3onqEc263KH4xfEI0W3lZCnlIhFfS64uwSA==",
       "dev": true,
       "requires": {
-        "@csstools/selector-specificity": "^2.0.2",
+        "@csstools/css-parser-algorithms": "^2.0.1",
+        "@csstools/css-tokenizer": "^2.0.1",
+        "@csstools/media-query-list-parser": "^2.0.1",
+        "@csstools/selector-specificity": "^2.1.1",
         "balanced-match": "^2.0.0",
         "colord": "^2.9.3",
-        "cosmiconfig": "^7.1.0",
+        "cosmiconfig": "^8.0.0",
         "css-functions-list": "^3.1.0",
+        "css-tree": "^2.3.1",
         "debug": "^4.3.4",
         "fast-glob": "^3.2.12",
         "fastest-levenshtein": "^1.0.16",
@@ -16011,7 +16040,7 @@
         "globby": "^11.1.0",
         "globjoin": "^0.1.4",
         "html-tags": "^3.2.0",
-        "ignore": "^5.2.1",
+        "ignore": "^5.2.4",
         "import-lazy": "^4.0.0",
         "imurmurhash": "^0.1.4",
         "is-plain-object": "^5.0.0",
@@ -16021,7 +16050,7 @@
         "micromatch": "^4.0.5",
         "normalize-path": "^3.0.0",
         "picocolors": "^1.0.0",
-        "postcss": "^8.4.19",
+        "postcss": "^8.4.21",
         "postcss-media-query-parser": "^0.2.3",
         "postcss-resolve-nested-selector": "^0.1.1",
         "postcss-safe-parser": "^6.0.0",
@@ -16035,7 +16064,7 @@
         "svg-tags": "^1.0.0",
         "table": "^6.8.1",
         "v8-compile-cache": "^2.3.0",
-        "write-file-atomic": "^4.0.2"
+        "write-file-atomic": "^5.0.0"
       },
       "dependencies": {
         "balanced-match": {
@@ -16052,26 +16081,10 @@
         }
       }
     },
-    "stylelint-config-recommended": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/stylelint-config-recommended/-/stylelint-config-recommended-9.0.0.tgz",
-      "integrity": "sha512-9YQSrJq4NvvRuTbzDsWX3rrFOzOlYBmZP+o513BJN/yfEmGSr0AxdvrWs0P/ilSpVV/wisamAHu5XSk8Rcf4CQ==",
-      "dev": true,
-      "requires": {}
-    },
-    "stylelint-config-standard": {
-      "version": "29.0.0",
-      "resolved": "https://registry.npmjs.org/stylelint-config-standard/-/stylelint-config-standard-29.0.0.tgz",
-      "integrity": "sha512-uy8tZLbfq6ZrXy4JKu3W+7lYLgRQBxYTUUB88vPgQ+ZzAxdrvcaSUW9hOMNLYBnwH+9Kkj19M2DHdZ4gKwI7tg==",
-      "dev": true,
-      "requires": {
-        "stylelint-config-recommended": "^9.0.0"
-      }
-    },
     "stylelint-declaration-strict-value": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/stylelint-declaration-strict-value/-/stylelint-declaration-strict-value-1.9.1.tgz",
-      "integrity": "sha512-iIkMh2ukIfSTtJoEDgGq5cqUyYWP8NExPk2YSGcePtFikb7KmJoSi0QYajiZRxge/PTbYspci7nIcrtArJlAsw==",
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/stylelint-declaration-strict-value/-/stylelint-declaration-strict-value-1.9.2.tgz",
+      "integrity": "sha512-Z/2yr7g4tq2iGOUWhZLzHL2g2GJYJGcPkfjDh++zI8ukLxW0tcLGJjo64XYCDjja6YcECPDUWbpN+OAoAtAYvw==",
       "dev": true,
       "requires": {
         "css-values": "^0.1.0",
@@ -16997,9 +17010,9 @@
       "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
     },
     "write-file-atomic": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-4.0.2.tgz",
-      "integrity": "sha512-7KxauUdBmSdWnmpaGFg+ppNjKF8uNLry8LyzjauQDOVONfFLNKrKvQOxZ/VuTIcS/gge/YNahf5RIIQWTSarlg==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-5.0.0.tgz",
+      "integrity": "sha512-R7NYMnHSlV42K54lwY9lvW6MnSm1HSJqZL3xiSgi9E7//FYaI74r2G0rd+/X6VAMkHEdzxQaU5HUOXWUz5kA/w==",
       "dev": true,
       "requires": {
         "imurmurhash": "^0.1.4",
@@ -17043,12 +17056,6 @@
       "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
       "dev": true
     },
-    "yaml": {
-      "version": "1.10.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz",
-      "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
-      "dev": true
-    },
     "yargs": {
       "version": "17.3.1",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.3.1.tgz",
diff --git a/package.json b/package.json
index 4a3407bed9..fc063d66da 100644
--- a/package.json
+++ b/package.json
@@ -65,9 +65,8 @@
     "jsdom": "21.0.0",
     "markdownlint-cli": "0.33.0",
     "postcss-less": "6.0.0",
-    "stylelint": "14.16.1",
-    "stylelint-config-standard": "29.0.0",
-    "stylelint-declaration-strict-value": "1.9.1",
+    "stylelint": "15.2.0",
+    "stylelint-declaration-strict-value": "1.9.2",
     "svgo": "3.0.2",
     "updates": "13.2.7",
     "vitest": "0.27.2"
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index 42b18ed1e9..a73dae6bf3 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -226,7 +226,7 @@ body {
 
 @supports (overflow: overlay) {
   body {
-    overflow: overlay;
+    overflow: overlay; // stylelint-disable-line
     scrollbar-gutter: stable;
   }
 }
diff --git a/web_src/less/_font_i18n.less b/web_src/less/_font_i18n.less
index 2a4a75d29e..5dae8f2aa5 100644
--- a/web_src/less/_font_i18n.less
+++ b/web_src/less/_font_i18n.less
@@ -89,7 +89,7 @@ each(@fonts, {
     font-family: @family;
     src: @src;
     font-weight: @weight;
-    unicode-range: ~"U+11??, U+2E80-4DBF, U+4E00-9FFF, U+A960-A97F, U+AC00-D7FF, U+F900-FAFF, U+FE00-FE6F, U+FF00-FFEF, U+1F2??, U+2????";
+    unicode-range: U+11??, U+2E80-4DBF, U+4E00-9FFF, U+A960-A97F, U+AC00-D7FF, U+F900-FAFF, U+FE00-FE6F, U+FF00-FFEF, U+1F2??, U+2????;
   }
 }
 
diff --git a/web_src/less/_review.less b/web_src/less/_review.less
index 54392151a1..bf2be1f166 100644
--- a/web_src/less/_review.less
+++ b/web_src/less/_review.less
@@ -70,7 +70,7 @@
   max-width: 1000px;
 
   @media @mediaSm {
-    max-width: auto;
+    max-width: none;
     padding: .75rem !important;
 
     .code-comment-buttons {
diff --git a/web_src/less/markup/content.less b/web_src/less/markup/content.less
index 80c6267af8..2a9ca3db5a 100644
--- a/web_src/less/markup/content.less
+++ b/web_src/less/markup/content.less
@@ -281,8 +281,6 @@
   table {
     display: block;
     width: 100%;
-    width: -webkit-max-content;
-    width: -moz-max-content;
     width: max-content;
     max-width: 100%;
     overflow: auto;
diff --git a/web_src/less/modules/tippy.less b/web_src/less/modules/tippy.less
index 25dd7fc987..68d6eb7fa3 100644
--- a/web_src/less/modules/tippy.less
+++ b/web_src/less/modules/tippy.less
@@ -25,7 +25,7 @@
 }
 
 .tippy-box[data-theme="menu"] {
-  background-color: none;
+  background-color: transparent;
   color: var(--color-tooltip-text);
 }
 

From 09d737709031b56758f024ef9feabbafd9712cea Mon Sep 17 00:00:00 2001
From: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Date: Wed, 22 Feb 2023 00:08:20 +0800
Subject: [PATCH 46/81] display attachments of review comment when comment
 content is blank (#23035)

fix: #22647
---
 templates/repo/issue/view_content/comments.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index 2a9631d86f..8894a7ffd2 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -399,7 +399,7 @@
 						{{end}}
 					</span>
 				</div>
-				{{if .Content}}
+				{{if or .Content .Attachments}}
 				<div class="timeline-item comment" id="{{.HashTag}}">
 					<div class="content comment-container">
 						<div class="ui top attached header comment-header gt-df gt-ac gt-sb">

From a7e98d70b6f20a80e0f98696e9445ff99546676a Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Wed, 22 Feb 2023 01:09:03 +0800
Subject: [PATCH 47/81] Fix the show/hide methods for string selector (#23042)

At that moment I made a mistake (failed to detect a JS variable type
correctly)

Close #23040
---
 web_src/js/utils/dom.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/web_src/js/utils/dom.js b/web_src/js/utils/dom.js
index 8872a9e4ab..d94d4cb092 100644
--- a/web_src/js/utils/dom.js
+++ b/web_src/js/utils/dom.js
@@ -19,7 +19,7 @@ function assertShown(el, expectShown) {
 }
 
 function elementsCall(el, func, ...args) {
-  if (el instanceof String) {
+  if (typeof el === 'string' || el instanceof String) {
     el = document.querySelectorAll(el);
   }
   if (el instanceof Node) {
@@ -34,6 +34,10 @@ function elementsCall(el, func, ...args) {
   }
 }
 
+/**
+ * @param el string (selector), Node, NodeList, HTMLCollection, Array or jQuery
+ * @param force force=true to show or force=false to hide, undefined to toggle
+ */
 function toggleShown(el, force) {
   if (force === true) {
     el.classList.remove('gt-hidden');

From 4de5cd9f367fe73815b1c72ffc54a5118cc8e1d6 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Wed, 22 Feb 2023 01:31:17 +0800
Subject: [PATCH 48/81] Return empty url for submodule tree entries (#23043)

Close #22614.

Refer to [Github's
API](https://docs.github.com/en/rest/git/trees?apiVersion=2022-11-28#get-a-tree),
if a tree entry is a submodule, its url will be an empty string.

---------

Co-authored-by: delvh <leon@kske.dev>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
---
 services/repository/files/tree.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/repository/files/tree.go b/services/repository/files/tree.go
index f4304ea630..0b1d304845 100644
--- a/services/repository/files/tree.go
+++ b/services/repository/files/tree.go
@@ -85,6 +85,11 @@ func GetTreeBySHA(ctx context.Context, repo *repo_model.Repository, gitRepo *git
 		if entries[e].IsDir() {
 			copy(treeURL[copyPos:], entries[e].ID.String())
 			tree.Entries[i].URL = string(treeURL)
+		} else if entries[e].IsSubModule() {
+			// In Github Rest API Version=2022-11-28, if a tree entry is a submodule,
+			// its url will be returned as an empty string.
+			// So the URL will be set to "" here.
+			tree.Entries[i].URL = ""
 		} else {
 			copy(blobURL[copyPos:], entries[e].ID.String())
 			tree.Entries[i].URL = string(blobURL)

From 43405c35f07d8f6fb7c177cf599e19090020527e Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Tue, 21 Feb 2023 17:32:24 +0000
Subject: [PATCH 49/81] Add Bash and Zsh completion scripts (#22646)

This PR adds contrib scripts for bash and zsh completion.

Simply call:

```bash
source contrib/autocompletion/bash_autocomplete
```

or for Zsh:

```bash
source contrib/autocompletion/zsh_autocomplete
```

Signed-off-by: Andrew Thornton <art27@cantab.net>

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: a1012112796 <1012112796@qq.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 Dockerfile                                    |  2 ++
 Dockerfile.rootless                           |  2 ++
 contrib/autocompletion/README                 | 17 +++++++++++
 contrib/autocompletion/bash_autocomplete      | 30 +++++++++++++++++++
 contrib/autocompletion/zsh_autocomplete       | 30 +++++++++++++++++++
 .../doc/installation/from-binary.en-us.md     | 10 +++++++
 .../doc/installation/from-source.en-us.md     | 10 +++++++
 main.go                                       |  2 ++
 8 files changed, 103 insertions(+)
 create mode 100644 contrib/autocompletion/README
 create mode 100755 contrib/autocompletion/bash_autocomplete
 create mode 100644 contrib/autocompletion/zsh_autocomplete

diff --git a/Dockerfile b/Dockerfile
index 89f000882c..fad8ae1790 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -64,5 +64,7 @@ CMD ["/bin/s6-svscan", "/etc/s6"]
 COPY docker/root /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 RUN chmod 755 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
 RUN chmod 755 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
index e92ce857d3..98051f7ddb 100644
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -54,7 +54,9 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 COPY docker/rootless /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 RUN chmod 755 /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-setup.sh /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh
 
 #git:git
 USER 1000:1000
diff --git a/contrib/autocompletion/README b/contrib/autocompletion/README
new file mode 100644
index 0000000000..1defd219d8
--- /dev/null
+++ b/contrib/autocompletion/README
@@ -0,0 +1,17 @@
+Bash and Zsh completion
+=======================
+
+From within the gitea root run:
+
+```bash
+source contrib/autocompletion/bash_autocomplete
+```
+
+or for zsh run:
+
+```bash
+source contrib/autocompletion/zsh_autocomplete
+```
+
+These scripts will check if gitea is on the path and if so add autocompletion for `gitea`. Or if not autocompletion will work for `./gitea`.
+If gitea has been installed as a different program pass in the `PROG` environment variable to set the correct program name.
diff --git a/contrib/autocompletion/bash_autocomplete b/contrib/autocompletion/bash_autocomplete
new file mode 100755
index 0000000000..5cb62f26a7
--- /dev/null
+++ b/contrib/autocompletion/bash_autocomplete
@@ -0,0 +1,30 @@
+#! /bin/bash
+# Heavily inspired by https://github.com/urfave/cli
+
+_cli_bash_autocomplete() {
+  if [[ "${COMP_WORDS[0]}" != "source" ]]; then
+    local cur opts base
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    if [[ "$cur" == "-"* ]]; then
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} ${cur} --generate-bash-completion )
+    else
+      opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
+    fi
+    COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+    return 0
+  fi
+}
+
+if [ -z "$PROG" ] && [ ! "$(command -v gitea &> /dev/null)" ] ; then
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete gitea
+elif [ -z "$PROG" ]; then
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete ./gitea
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete "$PWD/gitea"
+else
+  complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete "$PROG"
+  unset PROG
+fi
+
+
+
diff --git a/contrib/autocompletion/zsh_autocomplete b/contrib/autocompletion/zsh_autocomplete
new file mode 100644
index 0000000000..b3b40df503
--- /dev/null
+++ b/contrib/autocompletion/zsh_autocomplete
@@ -0,0 +1,30 @@
+#compdef ${PROG:=gitea}
+
+
+# Heavily inspired by https://github.com/urfave/cli
+
+_cli_zsh_autocomplete() {
+
+  local -a opts
+  local cur
+  cur=${words[-1]}
+  if [[ "$cur" == "-"* ]]; then
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}")
+  else
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}")
+  fi
+
+  if [[ "${opts[1]}" != "" ]]; then
+    _describe 'values' opts
+  else
+    _files
+  fi
+
+  return
+}
+
+if [ -z $PROG ] ; then
+  compdef _cli_zsh_autocomplete gitea
+else
+  compdef _cli_zsh_autocomplete $(basename $PROG)
+fi
diff --git a/docs/content/doc/installation/from-binary.en-us.md b/docs/content/doc/installation/from-binary.en-us.md
index 669180e38f..6f71b0b91e 100644
--- a/docs/content/doc/installation/from-binary.en-us.md
+++ b/docs/content/doc/installation/from-binary.en-us.md
@@ -129,6 +129,16 @@ export GITEA_WORK_DIR=/var/lib/gitea/
 cp gitea /usr/local/bin/gitea
 ```
 
+### Adding bash/zsh autocompletion (from 1.19)
+
+A script to enable bash-completion can be found at [`contrib/autocompletion/bash_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/bash_autocomplete). This can be copied to `/usr/share/bash-completion/completions/gitea`
+or sourced within your `.bashrc`.
+
+Similarly a script for zsh-completion can be found at [`contrib/autocompletion/zsh_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/zsh_autocomplete). This can be copied to `/usr/share/zsh/_gitea` or sourced within your
+`.zshrc`.
+
+YMMV and these scripts may need further improvement.
+
 ## Running Gitea
 
 After you complete the above steps, you can run Gitea two ways:
diff --git a/docs/content/doc/installation/from-source.en-us.md b/docs/content/doc/installation/from-source.en-us.md
index 4394d19203..ae3ddc5c41 100644
--- a/docs/content/doc/installation/from-source.en-us.md
+++ b/docs/content/doc/installation/from-source.en-us.md
@@ -193,3 +193,13 @@ LDFLAGS="-linkmode external -extldflags '-static' $LDFLAGS" TAGS="netgo osusergo
 ```
 
 This can be combined with `CC`, `GOOS`, and `GOARCH` as above.
+
+### Adding bash/zsh autocompletion (from 1.19)
+
+A script to enable bash-completion can be found at [`contrib/autocompletion/bash_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/bash_autocomplete). This should be altered as appropriate and can be `source` in your `.bashrc`
+or copied as `/usr/share/bash-completion/completions/gitea`.
+
+Similary a script for zsh-completion can be found at [`contrib/autocompletion/zsh_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/zsh_autocomplete). This can be copied to `/usr/share/zsh/_gitea` or sourced within your
+`.zshrc`.
+
+YMMV and these scripts may need further improvement.
diff --git a/main.go b/main.go
index 4b183a7686..eeedf54c27 100644
--- a/main.go
+++ b/main.go
@@ -113,6 +113,8 @@ arguments - which can alternatively be run by running the subcommand web.`
 		setFlagsAndBeforeOnSubcommands(&app.Commands[i], defaultFlags, establishCustomPath)
 	}
 
+	app.EnableBashCompletion = true
+
 	err := app.Run(os.Args)
 	if err != nil {
 		log.Fatal("Failed to run app with %s: %v", os.Args, err)

From 4d2d3bd65dc4f47d08bbe0ac1274206b157ce876 Mon Sep 17 00:00:00 2001
From: John Olheiser <john.olheiser@gmail.com>
Date: Tue, 21 Feb 2023 13:36:19 -0600
Subject: [PATCH 50/81] Changelog 1.18.5 (#23045) (#23049)

Frontport #23045
---
 CHANGELOG.md     | 13 +++++++++++++
 docs/config.yaml |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99a67884af..507722f31b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,19 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.18.5](https://github.com/go-gitea/gitea/releases/tag/v1.18.5) - 2023-02-21
+
+* ENHANCEMENTS
+  * Hide 2FA status from other members in organization members list (#22999) (#23023)
+* BUGFIXES
+  * Add force_merge to merge request and fix checking mergable (#23010) (#23032)
+  * Use `--message=%s` for git commit message (#23028) (#23029)
+  * Render access log template as text instead of HTML (#23013) (#23025)
+  * Fix the Manually Merged form (#23015) (#23017)
+  * Use beforeCommit instead of baseCommit (#22949) (#22996)
+  * Display attachments of review comment when comment content is blank (#23035) (#23046)
+  * Return empty url for submodule tree entries (#23043) (#23048)
+
 ## [1.18.4](https://github.com/go-gitea/gitea/releases/tag/1.18.4) - 2023-02-20
 
 * SECURITY
diff --git a/docs/config.yaml b/docs/config.yaml
index 0a6d5d13f2..26f096b1cf 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -18,7 +18,7 @@ params:
   description: Git with a cup of tea
   author: The Gitea Authors
   website: https://docs.gitea.io
-  version: 1.18.1
+  version: 1.18.5
   minGoVersion: 1.19
   goVersion: 1.20
   minNodeVersion: 16

From 33e556e67a81d8aba1135b60d9945986633fc938 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Wed, 22 Feb 2023 11:49:52 +0800
Subject: [PATCH 51/81] Improving CONTRIBUTING.md for backport details (#23057)

See the changes.

Two key points:
* Necessary enhancements could be backported.
* The backports shouldn't break downgrade  between minor releases.
---
 CONTRIBUTING.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7a23448e0a..2cea0a4c57 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -299,9 +299,7 @@ known as the release freeze. All the feature pull requests should be
 merged before feature freeze. And, during the frozen period, a corresponding
 release branch is open for fixes backported from main branch. Release candidates
 are made during this period for user testing to
-obtain a final version that is maintained in this branch. A release is
-maintained by issuing patch releases to only correct critical problems
-such as crashes or security issues.
+obtain a final version that is maintained in this branch.
 
 Major release cycles are seasonal. They always begin on the 25th and end on
 the 24th (i.e., the 25th of December to March 24th).
@@ -311,6 +309,16 @@ for the previous version. For example, if the latest, published release is
 v1.2, then minor changes for the previous release—e.g., v1.1.0 -> v1.1.1—are
 still possible.
 
+The previous release gets fixes for:
+
+- Security issues
+- Critical bugs
+- Regressions
+- Build issues
+- Necessary enhancements (including necessary UI/UX fixes)
+
+The backported fixes should avoid breaking downgrade between minor releases as much as possible.
+
 ## Maintainers
 
 To make sure every PR is checked, we have [team

From 90a7bba1f2af1b0d0ba762fc2e1f5b3878b7dbe8 Mon Sep 17 00:00:00 2001
From: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Date: Wed, 22 Feb 2023 18:32:00 +0800
Subject: [PATCH 52/81] Add sillyguodong to maintainers (#23067)

[List of mine merged
PR](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+author%3Asillyguodong+is%3Amerged+)
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index fcd235e52a..c8f4220cac 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -49,3 +49,4 @@ Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
 Yu Tian <zettat123@gmail.com> (@Zettat123)
 Eddie Yang <576951401@qq.com> (@yp05327)
+Dong Ge <gedong_1994@163.com> (@sillyguodong)
\ No newline at end of file

From eb5a55785de39ae7162911f553b132c03ae7b424 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Wed, 22 Feb 2023 23:26:02 +0800
Subject: [PATCH 53/81] Fix some more hidden problems (#23074)

Follows #22950
---
 templates/admin/auth/edit.tmpl      | 2 +-
 templates/admin/user/edit.tmpl      | 2 +-
 web_src/js/features/admin/common.js | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 36d335f323..d64ee188af 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -117,7 +117,7 @@
 							<input type="checkbox" name="groups_enabled" class="js-ldap-group-toggle" {{if $cfg.GroupsEnabled}}checked{{end}}>
 						</div>
 					</div>
-					<div id="ldap-group-options" class="ui segment secondary" {{if not $cfg.GroupsEnabled}}hidden{{end}}>
+					<div id="ldap-group-options" class="ui segment secondary {{if not $cfg.GroupsEnabled}}gt-hidden{{end}}">
 						<div class="field">
 							<label>{{.locale.Tr "admin.auths.group_search_base"}}</label>
 							<input name="group_dn" value="{{$cfg.GroupDN}}" placeholder="e.g. ou=group,dc=mydomain,dc=com">
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 7d31eb4d2b..5dd1f531fd 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -122,7 +122,7 @@
 						<input name="allow_git_hook" type="checkbox" {{if .User.CanEditGitHook}}checked{{end}} {{if DisableGitHooks}}disabled{{end}}>
 					</div>
 				</div>
-				<div class="inline field" {{if or (DisableImportLocal) (.DisableMigrations)}}hidden{{end}}>
+				<div class="inline field {{if or (DisableImportLocal) (.DisableMigrations)}}gt-hidden{{end}}">
 					<div class="ui checkbox">
 						<label><strong>{{.locale.Tr "admin.users.allow_import_local"}}</strong></label>
 						<input name="allow_import_local" type="checkbox" {{if .User.CanImportLocal}}checked{{end}} {{if DisableImportLocal}}disabled{{end}}>
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js
index 092cf770be..d023e0bc36 100644
--- a/web_src/js/features/admin/common.js
+++ b/web_src/js/features/admin/common.js
@@ -50,11 +50,11 @@ export function initAdminCommon() {
 
   function onUsePagedSearchChange() {
     if ($('#use_paged_search').prop('checked')) {
-      showElem($('.search-page-size'))
-        .find('input').attr('required', 'required');
+      showElem('.search-page-size');
+      $('.search-page-size').find('input').attr('required', 'required');
     } else {
-      hideElem($('.search-page-size'))
-        .find('input').removeAttr('required');
+      hideElem('.search-page-size');
+      $('.search-page-size').find('input').removeAttr('required');
     }
   }
 

From 1319ba6742a8562453646763adad22379674bab5 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Wed, 22 Feb 2023 19:21:46 +0000
Subject: [PATCH 54/81] Use minio/sha256-simd for accelerated SHA256 (#23052)

minio/sha256-simd provides additional acceleration for SHA256 using
AVX512, SHA Extensions for x86 and ARM64 for ARM.

It provides a drop-in replacement for crypto/sha256 and if the
extensions are not available it falls back to standard crypto/sha256.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
---
 go.mod                                           | 2 +-
 models/auth/oauth2.go                            | 2 +-
 models/auth/twofactor.go                         | 2 +-
 models/migrations/base/hash.go                   | 2 +-
 models/migrations/v1_14/v166.go                  | 2 +-
 modules/auth/password/hash/pbkdf2.go             | 2 +-
 modules/avatar/hash.go                           | 3 ++-
 modules/avatar/identicon/identicon.go            | 3 ++-
 modules/base/tool.go                             | 2 +-
 modules/context/context.go                       | 2 +-
 modules/git/last_commit_cache.go                 | 3 ++-
 modules/lfs/content_store.go                     | 3 ++-
 modules/lfs/pointer.go                           | 3 ++-
 modules/secret/secret.go                         | 3 ++-
 modules/util/keypair_test.go                     | 2 +-
 routers/api/packages/chef/auth.go                | 3 ++-
 routers/api/packages/maven/maven.go              | 3 ++-
 services/auth/source/oauth2/jwtsigningkey.go     | 2 +-
 services/lfs/server.go                           | 2 +-
 services/mailer/token/token.go                   | 3 ++-
 services/webhook/deliver.go                      | 2 +-
 tests/integration/api_packages_chef_test.go      | 2 +-
 tests/integration/api_packages_container_test.go | 2 +-
 tests/integration/api_packages_test.go           | 2 +-
 24 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/go.mod b/go.mod
index 343a70da25..f003d444b4 100644
--- a/go.mod
+++ b/go.mod
@@ -76,6 +76,7 @@ require (
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/microcosm-cc/bluemonday v1.0.21
 	github.com/minio/minio-go/v7 v7.0.46
+	github.com/minio/sha256-simd v1.0.0
 	github.com/msteinert/pam v1.1.0
 	github.com/nektos/act v0.0.0
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
@@ -220,7 +221,6 @@ require (
 	github.com/mholt/acmez v1.0.4 // indirect
 	github.com/miekg/dns v1.1.50 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 09d4bfc4ea..bda0668c45 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -5,7 +5,6 @@ package auth
 
 import (
 	"context"
-	"crypto/sha256"
 	"encoding/base32"
 	"encoding/base64"
 	"fmt"
@@ -18,6 +17,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 
 	uuid "github.com/google/uuid"
+	"github.com/minio/sha256-simd"
 	"golang.org/x/crypto/bcrypt"
 	"xorm.io/builder"
 	"xorm.io/xorm"
diff --git a/models/auth/twofactor.go b/models/auth/twofactor.go
index 5b3a9d011a..751a281f7e 100644
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@@ -5,7 +5,6 @@ package auth
 
 import (
 	"crypto/md5"
-	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/base32"
 	"encoding/base64"
@@ -18,6 +17,7 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
+	"github.com/minio/sha256-simd"
 	"github.com/pquerna/otp/totp"
 	"golang.org/x/crypto/pbkdf2"
 )
diff --git a/models/migrations/base/hash.go b/models/migrations/base/hash.go
index 00fd1efd4a..0debec272b 100644
--- a/models/migrations/base/hash.go
+++ b/models/migrations/base/hash.go
@@ -4,9 +4,9 @@
 package base
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 
+	"github.com/minio/sha256-simd"
 	"golang.org/x/crypto/pbkdf2"
 )
 
diff --git a/models/migrations/v1_14/v166.go b/models/migrations/v1_14/v166.go
index f797930d6d..de7626076a 100644
--- a/models/migrations/v1_14/v166.go
+++ b/models/migrations/v1_14/v166.go
@@ -4,9 +4,9 @@
 package v1_14 //nolint
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 
+	"github.com/minio/sha256-simd"
 	"golang.org/x/crypto/argon2"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/pbkdf2"
diff --git a/modules/auth/password/hash/pbkdf2.go b/modules/auth/password/hash/pbkdf2.go
index 27382fedb8..9ff6d162fc 100644
--- a/modules/auth/password/hash/pbkdf2.go
+++ b/modules/auth/password/hash/pbkdf2.go
@@ -4,12 +4,12 @@
 package hash
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 	"strings"
 
 	"code.gitea.io/gitea/modules/log"
 
+	"github.com/minio/sha256-simd"
 	"golang.org/x/crypto/pbkdf2"
 )
 
diff --git a/modules/avatar/hash.go b/modules/avatar/hash.go
index 50db9c1943..4fc28a7739 100644
--- a/modules/avatar/hash.go
+++ b/modules/avatar/hash.go
@@ -4,9 +4,10 @@
 package avatar
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 	"strconv"
+
+	"github.com/minio/sha256-simd"
 )
 
 // HashAvatar will generate a unique string, which ensures that when there's a
diff --git a/modules/avatar/identicon/identicon.go b/modules/avatar/identicon/identicon.go
index 63926d5f19..9b7a2faf05 100644
--- a/modules/avatar/identicon/identicon.go
+++ b/modules/avatar/identicon/identicon.go
@@ -7,10 +7,11 @@
 package identicon
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"image"
 	"image/color"
+
+	"github.com/minio/sha256-simd"
 )
 
 const minImageSize = 16
diff --git a/modules/base/tool.go b/modules/base/tool.go
index 994e58ac3c..94f19576b4 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -6,7 +6,6 @@ package base
 import (
 	"crypto/md5"
 	"crypto/sha1"
-	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
@@ -26,6 +25,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 
 	"github.com/dustin/go-humanize"
+	"github.com/minio/sha256-simd"
 )
 
 // EncodeMD5 encodes string to md5 hex value.
diff --git a/modules/context/context.go b/modules/context/context.go
index a2088217ff..0c8d7411ed 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -6,7 +6,6 @@ package context
 
 import (
 	"context"
-	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -40,6 +39,7 @@ import (
 	"gitea.com/go-chi/cache"
 	"gitea.com/go-chi/session"
 	chi "github.com/go-chi/chi/v5"
+	"github.com/minio/sha256-simd"
 	"github.com/unrolled/render"
 	"golang.org/x/crypto/pbkdf2"
 )
diff --git a/modules/git/last_commit_cache.go b/modules/git/last_commit_cache.go
index ec8f1cce62..984561b2c6 100644
--- a/modules/git/last_commit_cache.go
+++ b/modules/git/last_commit_cache.go
@@ -4,11 +4,12 @@
 package git
 
 import (
-	"crypto/sha256"
 	"fmt"
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/minio/sha256-simd"
 )
 
 // Cache represents a caching interface
diff --git a/modules/lfs/content_store.go b/modules/lfs/content_store.go
index 94277a6b8e..a4ae21bfd6 100644
--- a/modules/lfs/content_store.go
+++ b/modules/lfs/content_store.go
@@ -4,7 +4,6 @@
 package lfs
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"hash"
@@ -13,6 +12,8 @@ import (
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/storage"
+
+	"github.com/minio/sha256-simd"
 )
 
 var (
diff --git a/modules/lfs/pointer.go b/modules/lfs/pointer.go
index b5e13d56a3..f7f225bf1c 100644
--- a/modules/lfs/pointer.go
+++ b/modules/lfs/pointer.go
@@ -4,7 +4,6 @@
 package lfs
 
 import (
-	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -15,6 +14,8 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/log"
+
+	"github.com/minio/sha256-simd"
 )
 
 const (
diff --git a/modules/secret/secret.go b/modules/secret/secret.go
index b84d1cfea8..628ae505a5 100644
--- a/modules/secret/secret.go
+++ b/modules/secret/secret.go
@@ -7,11 +7,12 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"io"
+
+	"github.com/minio/sha256-simd"
 )
 
 // AesEncrypt encrypts text and given key with AES.
diff --git a/modules/util/keypair_test.go b/modules/util/keypair_test.go
index c6f68c845a..c9925f7988 100644
--- a/modules/util/keypair_test.go
+++ b/modules/util/keypair_test.go
@@ -7,12 +7,12 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
 	"regexp"
 	"testing"
 
+	"github.com/minio/sha256-simd"
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/routers/api/packages/chef/auth.go b/routers/api/packages/chef/auth.go
index 69f7b763ab..1ea453f1f4 100644
--- a/routers/api/packages/chef/auth.go
+++ b/routers/api/packages/chef/auth.go
@@ -7,7 +7,6 @@ import (
 	"crypto"
 	"crypto/rsa"
 	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
@@ -25,6 +24,8 @@ import (
 	chef_module "code.gitea.io/gitea/modules/packages/chef"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/auth"
+
+	"github.com/minio/sha256-simd"
 )
 
 const (
diff --git a/routers/api/packages/maven/maven.go b/routers/api/packages/maven/maven.go
index d0c9983cbf..a3a23ecfa8 100644
--- a/routers/api/packages/maven/maven.go
+++ b/routers/api/packages/maven/maven.go
@@ -6,7 +6,6 @@ package maven
 import (
 	"crypto/md5"
 	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/hex"
 	"encoding/xml"
@@ -27,6 +26,8 @@ import (
 	maven_module "code.gitea.io/gitea/modules/packages/maven"
 	"code.gitea.io/gitea/routers/api/packages/helper"
 	packages_service "code.gitea.io/gitea/services/packages"
+
+	"github.com/minio/sha256-simd"
 )
 
 const (
diff --git a/services/auth/source/oauth2/jwtsigningkey.go b/services/auth/source/oauth2/jwtsigningkey.go
index 93c1574379..94feddbf6b 100644
--- a/services/auth/source/oauth2/jwtsigningkey.go
+++ b/services/auth/source/oauth2/jwtsigningkey.go
@@ -9,7 +9,6 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
@@ -25,6 +24,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/minio/sha256-simd"
 	ini "gopkg.in/ini.v1"
 )
 
diff --git a/services/lfs/server.go b/services/lfs/server.go
index 320c8e7281..217d45124e 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -5,7 +5,6 @@ package lfs
 
 import (
 	stdCtx "context"
-	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
@@ -32,6 +31,7 @@ import (
 	"code.gitea.io/gitea/modules/storage"
 
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/minio/sha256-simd"
 )
 
 // requestContext contain variables from the HTTP request.
diff --git a/services/mailer/token/token.go b/services/mailer/token/token.go
index 8a5a762d6b..aa7b567188 100644
--- a/services/mailer/token/token.go
+++ b/services/mailer/token/token.go
@@ -6,13 +6,14 @@ package token
 import (
 	"context"
 	crypto_hmac "crypto/hmac"
-	"crypto/sha256"
 	"encoding/base32"
 	"fmt"
 	"time"
 
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/util"
+
+	"github.com/minio/sha256-simd"
 )
 
 // A token is a verifiable container describing an action.
diff --git a/services/webhook/deliver.go b/services/webhook/deliver.go
index effbe45e56..e389b1f9fe 100644
--- a/services/webhook/deliver.go
+++ b/services/webhook/deliver.go
@@ -7,7 +7,6 @@ import (
 	"context"
 	"crypto/hmac"
 	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
@@ -29,6 +28,7 @@ import (
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 
 	"github.com/gobwas/glob"
+	"github.com/minio/sha256-simd"
 )
 
 // Deliver deliver hook task
diff --git a/tests/integration/api_packages_chef_test.go b/tests/integration/api_packages_chef_test.go
index 14baddca94..0ee43e1741 100644
--- a/tests/integration/api_packages_chef_test.go
+++ b/tests/integration/api_packages_chef_test.go
@@ -11,7 +11,6 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
@@ -34,6 +33,7 @@ import (
 	chef_router "code.gitea.io/gitea/routers/api/packages/chef"
 	"code.gitea.io/gitea/tests"
 
+	"github.com/minio/sha256-simd"
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 3d9319f370..bbab820ecb 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -5,7 +5,6 @@ package integration
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"net/http"
@@ -24,6 +23,7 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
 
+	"github.com/minio/sha256-simd"
 	oci "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
 )
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 39852e212c..4a16cec015 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -5,7 +5,6 @@ package integration
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"fmt"
 	"net/http"
 	"strings"
@@ -24,6 +23,7 @@ import (
 	packages_cleanup_service "code.gitea.io/gitea/services/packages/cleanup"
 	"code.gitea.io/gitea/tests"
 
+	"github.com/minio/sha256-simd"
 	"github.com/stretchr/testify/assert"
 )
 

From a78e0b7dade16bc6509b943fe86e74962f1b95b6 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Thu, 23 Feb 2023 05:58:07 +0800
Subject: [PATCH 55/81] Add accessibility to the menu on the navbar (#23059)

This PR is trying to add accessibility to the menu as mentioned in
#23053 so the menu can be accessed using keyboard (A quick demo is added
below), with a reference to
[PR2612](https://github.com/go-gitea/gitea/pull/22612). The goal is to
make the menu accessible merely using keyboard like shown below. And
this PR might need confirmation from developers using screen readers.
---
 templates/base/head_navbar.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index 059363b72d..10bbf655b5 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
@@ -18,9 +18,9 @@
 				</span>
 			</a>
 			{{end}}
-			<div class="ui icon button mobile-only" id="navbar-expand-toggle">
+			<button class="ui icon button mobile-only" id="navbar-expand-toggle">
 				{{svg "octicon-three-bars"}}
-			</div>
+			</button>
 		</div>
 	</div>
 

From a084e182b0fa11621c4a684f937257bb81547b0e Mon Sep 17 00:00:00 2001
From: John Olheiser <john.olheiser@gmail.com>
Date: Wed, 22 Feb 2023 16:33:31 -0600
Subject: [PATCH 56/81] Wrap unless-check in docker manifests (#23079)

Should fix the following:
> failed to render template: Evaluation error: Helper 'unless' called
with wrong number of arguments, needed 2 but got 3

Signed-off-by: jolheiser <john.olheiser@gmail.com>
---
 docker/manifest.rootless.tmpl | 2 +-
 docker/manifest.tmpl          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker/manifest.rootless.tmpl b/docker/manifest.rootless.tmpl
index 46a397c828..ef48dd1684 100644
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@@ -1,6 +1,6 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}-rootless
 {{#if build.tags}}
-{{#unless contains "-rc" build.tag}}
+{{#unless (contains "-rc" build.tag)}}
 tags:
 {{#each build.tags}}
   - {{this}}-rootless
diff --git a/docker/manifest.tmpl b/docker/manifest.tmpl
index b4ba5a76ed..018d87e979 100644
--- a/docker/manifest.tmpl
+++ b/docker/manifest.tmpl
@@ -1,6 +1,6 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}dev{{/if}}
 {{#if build.tags}}
-{{#unless contains "-rc" build.tag }}
+{{#unless (contains "-rc" build.tag)}}
 tags:
 {{#each build.tags}}
   - {{this}}

From 6c354546547cd3a9595a7db119a6480d9cd506a7 Mon Sep 17 00:00:00 2001
From: Andre Polykanine <ap@oire.me>
Date: Thu, 23 Feb 2023 03:24:24 +0100
Subject: [PATCH 57/81] Improve accessibility for issue comments (#22612)

Currently in Gitea issue comments are not marked up with headings. I'm
trying to fix this by adding an appropriate
[ARIA](https://www.w3.org/WAI/standards-guidelines/aria/) role for
comment header and also by enclosing the comment itself in a semantical
article element.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
---
 templates/repo/issue/view_content.tmpl          | 6 +++---
 templates/repo/issue/view_content/comments.tmpl | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl
index 887dd2c42d..08ba509045 100644
--- a/templates/repo/issue/view_content.tmpl
+++ b/templates/repo/issue/view_content.tmpl
@@ -27,7 +27,7 @@
 				</a>
 			{{end}}
 				<div class="content comment-container">
-					<div class="ui top attached header comment-header gt-df gt-ac gt-sb">
+					<div class="ui top attached header comment-header gt-df gt-ac gt-sb" role="heading" aria-level="3">
 						<div class="comment-header-left gt-df gt-ac">
 							{{if .Issue.OriginalAuthor}}
 								<span class="text black gt-bold">
@@ -69,7 +69,7 @@
 							{{end}}
 						</div>
 					</div>
-					<div class="ui attached segment comment-body">
+					<div class="ui attached segment comment-body" role="article">
 						<div class="render-content markup" {{if or $.Permission.IsAdmin $.HasIssuesOrPullsWritePermission $.IsIssuePoster}}data-can-edit="true"{{end}}>
 							{{if .Issue.RenderedContent}}
 								{{.Issue.RenderedContent|Str2html}}
@@ -85,7 +85,7 @@
 					</div>
 					{{$reactions := .Issue.Reactions.GroupByType}}
 					{{if $reactions}}
-						<div class="ui attached segment reactions">
+						<div class="ui attached segment reactions" role="note">
 							{{template "repo/issue/view_content/reactions" Dict "ctx" $ "ActionURL" (Printf "%s/issues/%d/reactions" $.RepoLink .Issue.Index) "Reactions" $reactions}}
 						</div>
 					{{end}}
diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index 8894a7ffd2..94b46bd9f1 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -22,7 +22,7 @@
 				</a>
 			{{end}}
 				<div class="content comment-container">
-					<div class="ui top attached header comment-header gt-df gt-ac gt-sb">
+					<div class="ui top attached header comment-header gt-df gt-ac gt-sb" role="heading" aria-level="3">
 						<div class="comment-header-left gt-df gt-ac">
 							{{if .OriginalAuthor}}
 								<span class="text black gt-bold gt-mr-2">
@@ -69,7 +69,7 @@
 							{{end}}
 						</div>
 					</div>
-					<div class="ui attached segment comment-body">
+					<div class="ui attached segment comment-body" role="article">
 						<div class="render-content markup" {{if or $.Permission.IsAdmin $.HasIssuesOrPullsWritePermission (and $.IsSigned (eq $.SignedUserID .PosterID))}}data-can-edit="true"{{end}}>
 							{{if .RenderedContent}}
 								{{.RenderedContent|Str2html}}
@@ -85,7 +85,7 @@
 					</div>
 					{{$reactions := .Reactions.GroupByType}}
 					{{if $reactions}}
-						<div class="ui attached segment reactions">
+						<div class="ui attached segment reactions" role="note">
 							{{template "repo/issue/view_content/reactions" Dict "ctx" $ "ActionURL" (Printf "%s/comments/%d/reactions" $.RepoLink .ID) "Reactions" $reactions}}
 						</div>
 					{{end}}

From 0ce79bb9f6d9bb070ff53d08a939112005ac3564 Mon Sep 17 00:00:00 2001
From: Joakim Pettersen <jo.pettersen@protonmail.com>
Date: Thu, 23 Feb 2023 08:34:09 +0100
Subject: [PATCH 58/81] Improve reverse proxies documentation (#23068)

Add "Traefik with a sub-path" documentation

closes #23047

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 .../doc/usage/reverse-proxies.en-us.md        | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docs/content/doc/usage/reverse-proxies.en-us.md b/docs/content/doc/usage/reverse-proxies.en-us.md
index 5797d8e5eb..b8cebee574 100644
--- a/docs/content/doc/usage/reverse-proxies.en-us.md
+++ b/docs/content/doc/usage/reverse-proxies.en-us.md
@@ -365,3 +365,23 @@ gitea:
 ```
 
 This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+## Traefik with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Traefik to serve Gitea under a sub-path by adding the following to your `docker-compose.yaml` (Assuming the provider is docker) :
+
+```yaml
+gitea:
+  image: gitea/gitea
+  ...
+  labels:
+    - "traefik.enable=true"
+    - "traefik.http.routers.gitea.rule=Host(`example.com`) && PathPrefix(`/gitea`)"
+    - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+    - "traefik.http.middlewares.gitea-stripprefix.stripprefix.prefixes=/gitea"
+    - "traefik.http.routers.gitea.middlewares=gitea-stripprefix"
+```
+
+This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+Then you **MUST** set something like `[server] ROOT_URL = http://example.com/gitea/` correctly in your configuration.

From dd7d6e3ad0f856d1c5b565df58f800461ccc481d Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 23 Feb 2023 03:25:18 -0500
Subject: [PATCH 59/81] Nest metadata in refactoring docs (#23087)

Whitespace was missing from refactoring docs metadata.

backport label applied so it is included in versioned docs.
---
 .../doc/developers/guidelines-refactoring.en-us.md     | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/content/doc/developers/guidelines-refactoring.en-us.md b/docs/content/doc/developers/guidelines-refactoring.en-us.md
index 2d607720dc..29025f25f7 100644
--- a/docs/content/doc/developers/guidelines-refactoring.en-us.md
+++ b/docs/content/doc/developers/guidelines-refactoring.en-us.md
@@ -6,11 +6,11 @@ weight: 20
 toc: false
 draft: false
 menu:
-sidebar:
-parent: "developers"
-name: "Guidelines for Refactoring"
-weight: 20
-identifier: "guidelines-refactoring"
+  sidebar:
+    parent: "developers"
+    name: "Guidelines for Refactoring"
+    weight: 20
+    identifier: "guidelines-refactoring"
 ---
 
 # Guidelines for Refactoring

From 3adfc0f02d1440d22934403b8d944218747b9289 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Thu, 23 Feb 2023 20:57:03 +0800
Subject: [PATCH 60/81] Change style to improve whitespaces trimming inside
 inline markdown code  (#23093)

Given mardown source
```
x ` a` y
x `a ` y
x ` a ` y
```

Render

<img width="1421" alt="2023-02-23 15 33 14"
src="https://user-images.githubusercontent.com/17645053/220844280-a304c788-ac79-4a26-a55a-0db00f2fb3f3.png">

Fixes #23080.
---
 web_src/less/markup/content.less | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web_src/less/markup/content.less b/web_src/less/markup/content.less
index 2a9ca3db5a..725a3d9886 100644
--- a/web_src/less/markup/content.less
+++ b/web_src/less/markup/content.less
@@ -415,6 +415,7 @@
     padding: .2em .4em;
     margin: 0;
     font-size: 85%;
+    white-space: break-spaces;
     background-color: var(--color-markup-code-block);
     border-radius: 4px;
   }

From 0ae1ed749dd6581379b7ccf483d66051869b52d7 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Thu, 23 Feb 2023 15:11:56 +0100
Subject: [PATCH 61/81] Remove all package data after tests (#22984)

Fixes #21020

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
---
 go.mod                                        |  2 +-
 go.sum                                        |  4 +--
 models/db/context.go                          | 13 +++++++++-
 models/db/engine.go                           |  1 +
 .../integration/api_packages_composer_test.go |  1 +
 tests/integration/api_packages_conan_test.go  |  1 +
 .../api_packages_container_test.go            |  2 +-
 .../integration/api_packages_generic_test.go  |  1 +
 tests/integration/api_packages_helm_test.go   |  1 +
 tests/integration/api_packages_maven_test.go  |  1 +
 tests/integration/api_packages_npm_test.go    |  1 +
 tests/integration/api_packages_pub_test.go    |  1 +
 tests/integration/api_packages_pypi_test.go   |  1 +
 .../integration/api_packages_rubygems_test.go |  1 +
 tests/integration/api_packages_test.go        | 26 ++++++++++++++++---
 tests/test_utils.go                           | 14 ++++++++++
 16 files changed, 62 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index f003d444b4..c97c52a077 100644
--- a/go.mod
+++ b/go.mod
@@ -117,7 +117,7 @@ require (
 	mvdan.cc/xurls/v2 v2.4.0
 	strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251
 	xorm.io/builder v0.3.12
-	xorm.io/xorm v1.3.3-0.20221209153726-f1bfc5ce9830
+	xorm.io/xorm v1.3.3-0.20230219231735-056cecc97e9e
 )
 
 require (
diff --git a/go.sum b/go.sum
index 7eb420b02b..e365ba757d 100644
--- a/go.sum
+++ b/go.sum
@@ -2075,5 +2075,5 @@ strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:
 xorm.io/builder v0.3.11-0.20220531020008-1bd24a7dc978/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
 xorm.io/builder v0.3.12 h1:ASZYX7fQmy+o8UJdhlLHSW57JDOkM8DNhcAF5d0LiJM=
 xorm.io/builder v0.3.12/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
-xorm.io/xorm v1.3.3-0.20221209153726-f1bfc5ce9830 h1:ohaHCvT7ocSDkTEa2/2z0BXfINYlHm/Z7IzN7MeXQlM=
-xorm.io/xorm v1.3.3-0.20221209153726-f1bfc5ce9830/go.mod h1:9NbjqdnjX6eyjRRhh01GHm64r6N9shTb/8Ak3YRt8Nw=
+xorm.io/xorm v1.3.3-0.20230219231735-056cecc97e9e h1:d5PY6mwuQK5/7T6VKfFswaKMzLmGTHkJ/ZS7+cUIAjk=
+xorm.io/xorm v1.3.3-0.20230219231735-056cecc97e9e/go.mod h1:9NbjqdnjX6eyjRRhh01GHm64r6N9shTb/8Ak3YRt8Nw=
diff --git a/models/db/context.go b/models/db/context.go
index 4b3f7f0ee7..670f6272aa 100644
--- a/models/db/context.go
+++ b/models/db/context.go
@@ -209,7 +209,7 @@ func DecrByIDs(ctx context.Context, ids []int64, decrCol string, bean interface{
 	return err
 }
 
-// DeleteBeans deletes all given beans, beans should contain delete conditions.
+// DeleteBeans deletes all given beans, beans must contain delete conditions.
 func DeleteBeans(ctx context.Context, beans ...interface{}) (err error) {
 	e := GetEngine(ctx)
 	for i := range beans {
@@ -220,6 +220,17 @@ func DeleteBeans(ctx context.Context, beans ...interface{}) (err error) {
 	return nil
 }
 
+// TruncateBeans deletes all given beans, beans may contain delete conditions.
+func TruncateBeans(ctx context.Context, beans ...interface{}) (err error) {
+	e := GetEngine(ctx)
+	for i := range beans {
+		if _, err = e.Truncate(beans[i]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // CountByBean counts the number of database records according non-empty fields of the bean as conditions.
 func CountByBean(ctx context.Context, bean interface{}) (int64, error) {
 	return GetEngine(ctx).Count(bean)
diff --git a/models/db/engine.go b/models/db/engine.go
index 3d05fa8b63..5020101d49 100755
--- a/models/db/engine.go
+++ b/models/db/engine.go
@@ -38,6 +38,7 @@ type Engine interface {
 	Count(...interface{}) (int64, error)
 	Decr(column string, arg ...interface{}) *xorm.Session
 	Delete(...interface{}) (int64, error)
+	Truncate(...interface{}) (int64, error)
 	Exec(...interface{}) (sql.Result, error)
 	Find(interface{}, ...interface{}) error
 	Get(beans ...interface{}) (bool, error)
diff --git a/tests/integration/api_packages_composer_test.go b/tests/integration/api_packages_composer_test.go
index 87647cc475..ac12590561 100644
--- a/tests/integration/api_packages_composer_test.go
+++ b/tests/integration/api_packages_composer_test.go
@@ -25,6 +25,7 @@ import (
 
 func TestPackageComposer(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	vendorName := "gitea"
diff --git a/tests/integration/api_packages_conan_test.go b/tests/integration/api_packages_conan_test.go
index 5ced388b48..209aeecd16 100644
--- a/tests/integration/api_packages_conan_test.go
+++ b/tests/integration/api_packages_conan_test.go
@@ -205,6 +205,7 @@ func uploadConanPackageV2(t *testing.T, baseURL, token, name, version, user, cha
 
 func TestPackageConan(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	name := "ConanPackage"
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index bbab820ecb..d925fd1647 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -640,7 +640,7 @@ func TestPackageContainer(t *testing.T) {
 
 		checkCatalog := func(owner string) func(t *testing.T) {
 			return func(t *testing.T) {
-				defer tests.PrepareTestEnv(t)()
+				defer tests.PrintCurrentTest(t)()
 
 				req := NewRequest(t, "GET", fmt.Sprintf("%sv2/_catalog", setting.AppURL))
 				addTokenAuthHeader(req, userToken)
diff --git a/tests/integration/api_packages_generic_test.go b/tests/integration/api_packages_generic_test.go
index 875b9ed96e..765d11fd83 100644
--- a/tests/integration/api_packages_generic_test.go
+++ b/tests/integration/api_packages_generic_test.go
@@ -21,6 +21,7 @@ import (
 
 func TestPackageGeneric(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	packageName := "te-st_pac.kage"
diff --git a/tests/integration/api_packages_helm_test.go b/tests/integration/api_packages_helm_test.go
index 4a7d563431..4f61452071 100644
--- a/tests/integration/api_packages_helm_test.go
+++ b/tests/integration/api_packages_helm_test.go
@@ -26,6 +26,7 @@ import (
 
 func TestPackageHelm(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	packageName := "test-chart"
diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go
index 5c0dbfc99c..81112f305a 100644
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@@ -22,6 +22,7 @@ import (
 
 func TestPackageMaven(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	groupID := "com.gitea"
diff --git a/tests/integration/api_packages_npm_test.go b/tests/integration/api_packages_npm_test.go
index 39d1c91e87..6c4503f7e3 100644
--- a/tests/integration/api_packages_npm_test.go
+++ b/tests/integration/api_packages_npm_test.go
@@ -24,6 +24,7 @@ import (
 
 func TestPackageNpm(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name)))
diff --git a/tests/integration/api_packages_pub_test.go b/tests/integration/api_packages_pub_test.go
index 325401fe75..24975ab621 100644
--- a/tests/integration/api_packages_pub_test.go
+++ b/tests/integration/api_packages_pub_test.go
@@ -27,6 +27,7 @@ import (
 
 func TestPackagePub(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	token := "Bearer " + getUserToken(t, user.Name)
diff --git a/tests/integration/api_packages_pypi_test.go b/tests/integration/api_packages_pypi_test.go
index 71197f92a8..c7c466e730 100644
--- a/tests/integration/api_packages_pypi_test.go
+++ b/tests/integration/api_packages_pypi_test.go
@@ -25,6 +25,7 @@ import (
 
 func TestPackagePyPI(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	packageName := "test-package"
diff --git a/tests/integration/api_packages_rubygems_test.go b/tests/integration/api_packages_rubygems_test.go
index c85ff9aaf5..2099357cbb 100644
--- a/tests/integration/api_packages_rubygems_test.go
+++ b/tests/integration/api_packages_rubygems_test.go
@@ -23,6 +23,7 @@ import (
 
 func TestPackageRubyGems(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 	packageName := "gitea"
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 4a16cec015..4228003e2d 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -19,6 +19,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	packages_service "code.gitea.io/gitea/services/packages"
 	packages_cleanup_service "code.gitea.io/gitea/services/packages/cleanup"
 	"code.gitea.io/gitea/tests"
@@ -235,16 +236,35 @@ func TestPackageQuota(t *testing.T) {
 func TestPackageCleanup(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
 	duration, _ := time.ParseDuration("-1h")
 
 	t.Run("Common", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
+		// Upload and delete a generic package and upload a container blob
+		data, _ := util.CryptoRandomBytes(5)
+		url := fmt.Sprintf("/api/packages/%s/generic/cleanup-test/1.1.1/file.bin", user.Name)
+		req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(data))
+		AddBasicAuthHeader(req, user.Name)
+		MakeRequest(t, req, http.StatusCreated)
+
+		req = NewRequest(t, "DELETE", url)
+		AddBasicAuthHeader(req, user.Name)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		data, _ = util.CryptoRandomBytes(5)
+		url = fmt.Sprintf("/v2/%s/cleanup-test/blobs/uploads?digest=sha256:%x", user.Name, sha256.Sum256(data))
+		req = NewRequestWithBody(t, "POST", url, bytes.NewReader(data))
+		AddBasicAuthHeader(req, user.Name)
+		MakeRequest(t, req, http.StatusCreated)
+
 		pbs, err := packages_model.FindExpiredUnreferencedBlobs(db.DefaultContext, duration)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, pbs)
 
-		_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, 2, packages_model.TypeContainer, "test", container_model.UploadVersion)
+		_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, "cleanup-test", container_model.UploadVersion)
 		assert.NoError(t, err)
 
 		err = packages_cleanup_service.Cleanup(db.DefaultContext, duration)
@@ -254,15 +274,13 @@ func TestPackageCleanup(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Empty(t, pbs)
 
-		_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, 2, packages_model.TypeContainer, "test", container_model.UploadVersion)
+		_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, "cleanup-test", container_model.UploadVersion)
 		assert.ErrorIs(t, err, packages_model.ErrPackageNotExist)
 	})
 
 	t.Run("CleanupRules", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-
 		type version struct {
 			Version     string
 			ShouldExist bool
diff --git a/tests/test_utils.go b/tests/test_utils.go
index 9e9f97a5f5..5cc31b814e 100644
--- a/tests/test_utils.go
+++ b/tests/test_utils.go
@@ -13,6 +13,8 @@ import (
 	"runtime"
 	"testing"
 
+	"code.gitea.io/gitea/models/db"
+	packages_model "code.gitea.io/gitea/models/packages"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
@@ -204,6 +206,18 @@ func PrepareTestEnv(t testing.TB, skip ...int) func() {
 		return err
 	}))
 
+	// clear all package data
+	assert.NoError(t, db.TruncateBeans(db.DefaultContext,
+		&packages_model.Package{},
+		&packages_model.PackageVersion{},
+		&packages_model.PackageFile{},
+		&packages_model.PackageBlob{},
+		&packages_model.PackageProperty{},
+		&packages_model.PackageBlobUpload{},
+		&packages_model.PackageCleanupRule{},
+	))
+	assert.NoError(t, storage.Clean(storage.Packages))
+
 	return deferFn
 }
 

From 659cf30b6932fc2da303d15156f1ece17cd2b309 Mon Sep 17 00:00:00 2001
From: Sven <25549100+bleuthoot-sven@users.noreply.github.com>
Date: Thu, 23 Feb 2023 18:19:52 +0100
Subject: [PATCH 62/81] Avoid Hugo from adding quote to actions url (#23097)

---
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 36e9919bc7..462556c9b6 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1336,7 +1336,7 @@ PROXY_HOSTS = *.github.com
 ## Actions (`actions`)
 
 - `ENABLED`: **false**: Enable/Disable actions capabilities
-- `DEFAULT_ACTIONS_URL`: **https://gitea.com**: Default address to get action plugins, e.g. the default value means downloading from "https://gitea.com/actions/checkout" for "uses: actions/checkout@v3"
+- `DEFAULT_ACTIONS_URL`: **https://gitea.com**: Default address to get action plugins, e.g. the default value means downloading from "<https://gitea.com/actions/checkout>" for "uses: actions/checkout@v3"
 
 `DEFAULT_ACTIONS_URL` indicates where should we find the relative path action plugin. i.e. when use an action in a workflow file like
 

From 8ed6096158cb764f2259232eba0a46e6c273354c Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Fri, 24 Feb 2023 04:28:18 +0800
Subject: [PATCH 63/81] Add wrapper to author to avoid long name ui problem
 (#23030)

This PR is a possible solution for issue #22866. Main change is to add a
`author-wrapper` class around author name, like the wrapper added to
message. The `max-width` is set to 200px on PC, and 100px on mobile
device for now.
---
 templates/repo/view_list.tmpl |  6 +++---
 web_src/less/_repository.less | 19 +++++++++++++++----
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/templates/repo/view_list.tmpl b/templates/repo/view_list.tmpl
index 6fcf60daef..9540c872c2 100644
--- a/templates/repo/view_list.tmpl
+++ b/templates/repo/view_list.tmpl
@@ -8,14 +8,14 @@
 					{{if .LatestCommitUser}}
 						{{avatar $.Context .LatestCommitUser 24}}
 						{{if .LatestCommitUser.FullName}}
-							<a class="muted" href="{{.LatestCommitUser.HomeLink}}"><strong>{{.LatestCommitUser.FullName}}</strong></a>
+							<a class="muted author-wrapper" title="{{.LatestCommitUser.FullName}}" href="{{.LatestCommitUser.HomeLink}}"><strong>{{.LatestCommitUser.FullName}}</strong></a>
 						{{else}}
-							<a class="muted" href="{{.LatestCommitUser.HomeLink}}"><strong>{{if .LatestCommit.Author}}{{.LatestCommit.Author.Name}}{{else}}{{.LatestCommitUser.Name}}{{end}}</strong></a>
+							<a class="muted author-wrapper" title="{{if .LatestCommit.Author}}{{.LatestCommit.Author.Name}}{{else}}{{.LatestCommitUser.Name}}{{end}}" href="{{.LatestCommitUser.HomeLink}}"><strong>{{if .LatestCommit.Author}}{{.LatestCommit.Author.Name}}{{else}}{{.LatestCommitUser.Name}}{{end}}</strong></a>
 						{{end}}
 					{{else}}
 						{{if .LatestCommit.Author}}
 							{{avatarByEmail $.Context .LatestCommit.Author.Email .LatestCommit.Author.Name 24}}
-							<strong>{{.LatestCommit.Author.Name}}</strong>
+							<span class="author-wrapper" title="{{.LatestCommit.Author.Name}}"><strong>{{.LatestCommit.Author.Name}}</strong></span>
 						{{end}}
 					{{end}}
 					<a rel="nofollow" class="ui sha label {{if .LatestCommit.Signature}} isSigned {{if .LatestCommitVerification.Verified}} isVerified{{if eq .LatestCommitVerification.TrustStatus "trusted"}}{{else if eq .LatestCommitVerification.TrustStatus "untrusted"}}Untrusted{{else}}Unmatched{{end}}{{else if .LatestCommitVerification.Warning}} isWarning{{end}}{{end}}" href="{{.RepoLink}}/commit/{{PathEscape .LatestCommit.ID.String}}">
diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index 627a5f6c2f..83e8e1f338 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -237,6 +237,8 @@
     }
 
     #repo-files-table {
+      table-layout: fixed;
+
       thead {
         th {
           padding-top: 8px;
@@ -2885,7 +2887,8 @@ tbody.commit-list {
   vertical-align: baseline;
 }
 
-.message-wrapper {
+.message-wrapper,
+.author-wrapper {
   overflow: hidden;
   text-overflow: ellipsis;
   max-width: calc(100% - 50px);
@@ -2893,6 +2896,10 @@ tbody.commit-list {
   vertical-align: middle;
 }
 
+.author-wrapper {
+  max-width: 180px;
+}
+
 // in the commit list, messages can wrap so we can use inline
 .commit-list .message-wrapper {
   display: inline;
@@ -2912,6 +2919,10 @@ tbody.commit-list {
     display: block;
     max-width: calc(100vw - 70px);
   }
+
+  .author-wrapper {
+    max-width: 80px;
+  }
 }
 
 @media @mediaMd {
@@ -2920,7 +2931,7 @@ tbody.commit-list {
   }
 
   th .message-wrapper {
-    max-width: 280px;
+    max-width: 120px;
   }
 }
 
@@ -2930,7 +2941,7 @@ tbody.commit-list {
   }
 
   th .message-wrapper {
-    max-width: 490px;
+    max-width: 350px;
   }
 }
 
@@ -2940,7 +2951,7 @@ tbody.commit-list {
   }
 
   th .message-wrapper {
-    max-width: 680px;
+    max-width: 525px;
   }
 }
 

From ed954b070d481a14aac08f925a15ecc8c2c33c61 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Fri, 24 Feb 2023 06:14:07 +0900
Subject: [PATCH 64/81] Fix commit name in Apply Patch page (#23086)

Fixes
https://github.com/go-gitea/gitea/issues/22621#issuecomment-1439309200
---
 routers/web/repo/patch.go              | 3 +++
 templates/repo/editor/commit_form.tmpl | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/routers/web/repo/patch.go b/routers/web/repo/patch.go
index 12b26f38e9..0ffec0c4ea 100644
--- a/routers/web/repo/patch.go
+++ b/routers/web/repo/patch.go
@@ -25,6 +25,8 @@ const (
 func NewDiffPatch(ctx *context.Context) {
 	canCommit := renderCommitRights(ctx)
 
+	ctx.Data["PageIsPatch"] = true
+
 	ctx.Data["TreePath"] = ""
 
 	ctx.Data["commit_summary"] = ""
@@ -51,6 +53,7 @@ func NewDiffPatchPost(ctx *context.Context) {
 	if form.CommitChoice == frmCommitChoiceNewBranch {
 		branchName = form.NewBranchName
 	}
+	ctx.Data["PageIsPatch"] = true
 	ctx.Data["TreePath"] = ""
 	ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
 	ctx.Data["FileContent"] = form.Content
diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl
index 7fac7f13bc..c6c48c5a83 100644
--- a/templates/repo/editor/commit_form.tmpl
+++ b/templates/repo/editor/commit_form.tmpl
@@ -9,7 +9,7 @@
 			{{.locale.Tr "repo.editor.commit_changes"}}
 		{{- end}}</h3>
 		<div class="field">
-			<input name="commit_summary" placeholder="{{if .PageIsDelete}}{{.locale.Tr "repo.editor.delete" .TreePath}}{{else if .PageIsUpload}}{{.locale.Tr "repo.editor.upload_files_to_dir" .TreePath}}{{else if .IsNewFile}}{{.locale.Tr "repo.editor.add_tmpl"}}{{else}}{{.locale.Tr "repo.editor.update" .TreePath}}{{end}}" value="{{.commit_summary}}" autofocus>
+			<input name="commit_summary" placeholder="{{if .PageIsDelete}}{{.locale.Tr "repo.editor.delete" .TreePath}}{{else if .PageIsUpload}}{{.locale.Tr "repo.editor.upload_files_to_dir" .TreePath}}{{else if .IsNewFile}}{{.locale.Tr "repo.editor.add_tmpl"}}{{else if .PageIsPatch}}{{.locale.Tr "repo.editor.patch"}}{{else}}{{.locale.Tr "repo.editor.update" .TreePath}}{{end}}" value="{{.commit_summary}}" autofocus>
 		</div>
 		<div class="field">
 			<textarea name="commit_message" placeholder="{{.locale.Tr "repo.editor.commit_message_desc"}}" rows="5">{{.commit_message}}</textarea>

From 1f09051f2b0893933ec4cd9fccbb6137e7e9df89 Mon Sep 17 00:00:00 2001
From: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Date: Fri, 24 Feb 2023 05:50:33 +0800
Subject: [PATCH 65/81] Fix SyncOnCommit always return false in API of
 push_mirrors (#23088)

Fix: #22990

---
Before, the return value of the api is always false,regrardless of
whether the entry of `sync_on_commit` is true or false.
I have confirmed that the value of `sync_on_commit` dropped into the
database is correct.
So, I think it is enough to make some small changes.
---
 services/convert/mirror.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/services/convert/mirror.go b/services/convert/mirror.go
index 1dcfc9b64d..f7a8e17fd0 100644
--- a/services/convert/mirror.go
+++ b/services/convert/mirror.go
@@ -24,6 +24,7 @@ func ToPushMirror(pm *repo_model.PushMirror) (*api.PushMirror, error) {
 		LastUpdateUnix: pm.LastUpdateUnix.FormatLong(),
 		LastError:      pm.LastError,
 		Interval:       pm.Interval.String(),
+		SyncOnCommit:   pm.SyncOnCommit,
 	}, nil
 }
 

From 0bc8bb3cc4f003e70bfee75863b74c2243c6d23c Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Fri, 24 Feb 2023 09:26:27 +0800
Subject: [PATCH 66/81] Make issue meta dropdown support Enter, confirm before
 reloading (#23014)

As the title. Label/assignee share the same code.

* Close #22607
* Close #20727

Also:

* partially fix for #21742, now the comment reaction and menu work with
keyboard.
* partially fix for #17705, in most cases the comment won't be lost.
* partially fix for #21539
* partially fix for #20347
* partially fix for #7329

### The `Enter` support

Before, if user presses Enter, the dropdown just disappears and nothing
happens or the window reloads.

After, Enter can be used to select/deselect labels, and press Esc to
hide the dropdown to update the labels (still no way to cancel ....
maybe you can do a Cmd+R or F5 to refresh the window to discard the
changes .....)


This is only a quick patch, the UX is still not perfect, but it's much
better than before.


### The `confirm` before reloading

And more fixes for the `reload` problem, the new behaviors:

* If nothing changes (just show/hide the dropdown), then the page won't
be reloaded.
* If there are draft comments, show a confirm dialog before reloading,
to avoid losing comments.

That's the best effect can be done at the moment, unless completely
refactor these dropdown related code.

Screenshot of the confirm dialog:

<details>


![image](https://user-images.githubusercontent.com/2114189/220538288-e2da8459-6a4e-43cb-8596-74057f8a03a2.png)

</details>

---------

Co-authored-by: Brecht Van Lommel <brecht@blender.org>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 .../repo/issue/view_content/add_reaction.tmpl |  2 +-
 .../repo/issue/view_content/context_menu.tmpl | 10 ++--
 .../repo/issue/view_content/sidebar.tmpl      |  2 +-
 web_src/js/features/aria.js                   |  3 +-
 web_src/js/features/repo-legacy.js            | 49 ++++++++++++++-----
 5 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/templates/repo/issue/view_content/add_reaction.tmpl b/templates/repo/issue/view_content/add_reaction.tmpl
index 9bd9022d28..bfa8a7e122 100644
--- a/templates/repo/issue/view_content/add_reaction.tmpl
+++ b/templates/repo/issue/view_content/add_reaction.tmpl
@@ -7,7 +7,7 @@
 		<div class="header">{{.ctx.locale.Tr "repo.pick_reaction"}}</div>
 		<div class="divider"></div>
 		{{range $value := AllowedReactions}}
-			<div class="item reaction tooltip" data-content="{{$value}}">{{ReactionToEmoji $value}}</div>
+			<a class="item reaction tooltip" data-content="{{$value}}">{{ReactionToEmoji $value}}</a>
 		{{end}}
 	</div>
 </div>
diff --git a/templates/repo/issue/view_content/context_menu.tmpl b/templates/repo/issue/view_content/context_menu.tmpl
index b96fd86af5..b4b9403b2a 100644
--- a/templates/repo/issue/view_content/context_menu.tmpl
+++ b/templates/repo/issue/view_content/context_menu.tmpl
@@ -10,16 +10,16 @@
 		{{else}}
 			{{$referenceUrl = Printf "%s/files#%s" .ctx.Issue.Link .item.HashTag}}
 		{{end}}
-		<div class="item context" data-clipboard-text-type="url" data-clipboard-text="{{AppSubUrl}}{{$referenceUrl}}">{{.ctx.locale.Tr "repo.issues.context.copy_link"}}</div>
-		<div class="item context quote-reply {{if .diff}}quote-reply-diff{{end}}" data-target="{{.item.HashTag}}-raw">{{.ctx.locale.Tr "repo.issues.context.quote_reply"}}</div>
+		<a class="item context" data-clipboard-text-type="url" data-clipboard-text="{{AppSubUrl}}{{$referenceUrl}}">{{.ctx.locale.Tr "repo.issues.context.copy_link"}}</a>
+		<a class="item context quote-reply {{if .diff}}quote-reply-diff{{end}}" data-target="{{.item.HashTag}}-raw">{{.ctx.locale.Tr "repo.issues.context.quote_reply"}}</a>
 		{{if not .ctx.UnitIssuesGlobalDisabled}}
-			<div class="item context reference-issue" data-target="{{.item.HashTag}}-raw" data-modal="#reference-issue-modal" data-poster="{{.item.Poster.GetDisplayName}}" data-poster-username="{{.item.Poster.Name}}" data-reference="{{$referenceUrl}}">{{.ctx.locale.Tr "repo.issues.context.reference_issue"}}</div>
+			<a class="item context reference-issue" data-target="{{.item.HashTag}}-raw" data-modal="#reference-issue-modal" data-poster="{{.item.Poster.GetDisplayName}}" data-poster-username="{{.item.Poster.Name}}" data-reference="{{$referenceUrl}}">{{.ctx.locale.Tr "repo.issues.context.reference_issue"}}</a>
 		{{end}}
 		{{if or .ctx.Permission.IsAdmin .IsCommentPoster .ctx.HasIssuesOrPullsWritePermission}}
 			<div class="divider"></div>
-			<div class="item context edit-content">{{.ctx.locale.Tr "repo.issues.context.edit"}}</div>
+			<a class="item context edit-content">{{.ctx.locale.Tr "repo.issues.context.edit"}}</a>
 			{{if .delete}}
-				<div class="item context delete-comment" data-comment-id={{.item.HashTag}} data-url="{{.ctx.RepoLink}}/comments/{{.item.ID}}/delete" data-locale="{{.ctx.locale.Tr "repo.issues.delete_comment_confirm"}}">{{.ctx.locale.Tr "repo.issues.context.delete"}}</div>
+				<a class="item context delete-comment" data-comment-id={{.item.HashTag}} data-url="{{.ctx.RepoLink}}/comments/{{.item.ID}}/delete" data-locale="{{.ctx.locale.Tr "repo.issues.delete_comment_confirm"}}">{{.ctx.locale.Tr "repo.issues.context.delete"}}</a>
 			{{end}}
 		{{end}}
 	</div>
diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index 2b24825b5f..d9c5062437 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -121,7 +121,7 @@
 						<input type="text" placeholder="{{.locale.Tr "repo.issues.filter_labels"}}">
 					</div>
 				{{end}}
-				<div class="no-select item">{{.locale.Tr "repo.issues.new.clear_labels"}}</div>
+				<a class="no-select item" href="#">{{.locale.Tr "repo.issues.new.clear_labels"}}</a>
 				{{if or .Labels .OrgLabels}}
 					{{$previousExclusiveScope := "_no_scope"}}
 					{{range .Labels}}
diff --git a/web_src/js/features/aria.js b/web_src/js/features/aria.js
index a5ac84e446..373d667c5f 100644
--- a/web_src/js/features/aria.js
+++ b/web_src/js/features/aria.js
@@ -81,7 +81,8 @@ function attachOneDropdownAria($dropdown) {
   $dropdown.on('keydown', (e) => {
     // here it must use keydown event before dropdown's keyup handler, otherwise there is no Enter event in our keyup handler
     if (e.key === 'Enter') {
-      const $item = $dropdown.dropdown('get item', $dropdown.dropdown('get value'));
+      let $item = $dropdown.dropdown('get item', $dropdown.dropdown('get value'));
+      if (!$item) $item = $menu.find('> .item.selected'); // when dropdown filters items by input, there is no "value", so query the "selected" item
       // if the selected item is clickable, then trigger the click event. in the future there could be a special CSS class for it.
       if ($item && $item.is('a')) $item[0].click();
     }
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 8178ed6547..a9229c0d1e 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -29,6 +29,26 @@ import {hideElem, showElem} from '../utils/dom.js';
 
 const {csrfToken} = window.config;
 
+// if there are draft comments (more than 20 chars), confirm before reloading, to avoid losing comments
+function reloadConfirmDraftComment() {
+  const commentTextareas = [
+    document.querySelector('.edit-content-zone:not(.gt-hidden) textarea'),
+    document.querySelector('.edit_area'),
+  ];
+  for (const textarea of commentTextareas) {
+    // Most users won't feel too sad if they lose a comment with 10 or 20 chars, they can re-type these in seconds.
+    // But if they have typed more (like 50) chars and the comment is lost, they will be very unhappy.
+    if (textarea && textarea.value.trim().length > 20) {
+      textarea.parentElement.scrollIntoView();
+      if (!window.confirm('Page will be reloaded, but there are draft comments. Continuing to reload will discard the comments. Continue?')) {
+        return;
+      }
+      break;
+    }
+  }
+  window.location.reload();
+}
+
 export function initRepoCommentForm() {
   const $commentForm = $('.comment.form');
   if ($commentForm.length === 0) {
@@ -86,12 +106,15 @@ export function initRepoCommentForm() {
     let hasUpdateAction = $listMenu.data('action') === 'update';
     const items = {};
 
-    $(`.${selector}`).dropdown('setting', 'onHide', () => {
-      hasUpdateAction = $listMenu.data('action') === 'update'; // Update the var
-      if (hasUpdateAction) {
-        // TODO: Add batch functionality and make this 1 network request.
-        (async function() {
-          for (const [elementId, item] of Object.entries(items)) {
+    $(`.${selector}`).dropdown({
+      'action': 'nothing', // do not hide the menu if user presses Enter
+      fullTextSearch: 'exact',
+      async onHide() {
+        hasUpdateAction = $listMenu.data('action') === 'update'; // Update the var
+        if (hasUpdateAction) {
+          // TODO: Add batch functionality and make this 1 network request.
+          const itemEntries = Object.entries(items);
+          for (const [elementId, item] of itemEntries) {
             await updateIssuesMeta(
               item['update-url'],
               item.action,
@@ -99,9 +122,11 @@ export function initRepoCommentForm() {
               elementId,
             );
           }
-          window.location.reload();
-        })();
-      }
+          if (itemEntries.length) {
+            reloadConfirmDraftComment();
+          }
+        }
+      },
     });
 
     $listMenu.find('.item:not(.no-select)').on('click', function (e) {
@@ -196,7 +221,7 @@ export function initRepoCommentForm() {
           'clear',
           $listMenu.data('issue-id'),
           '',
-        ).then(() => window.location.reload());
+        ).then(reloadConfirmDraftComment);
       }
 
       $(this).parent().find('.item').each(function () {
@@ -239,7 +264,7 @@ export function initRepoCommentForm() {
           '',
           $menu.data('issue-id'),
           $(this).data('id'),
-        ).then(() => window.location.reload());
+        ).then(reloadConfirmDraftComment);
       }
 
       let icon = '';
@@ -272,7 +297,7 @@ export function initRepoCommentForm() {
           '',
           $menu.data('issue-id'),
           $(this).data('id'),
-        ).then(() => window.location.reload());
+        ).then(reloadConfirmDraftComment);
       }
 
       $list.find('.selected').html('');

From 5b87c05a95a3eab1cf7f9a9f23052fee9eedd9ac Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Fri, 24 Feb 2023 14:18:52 +0900
Subject: [PATCH 67/81] improve FindProjects (#23085)

I found `FindAndCount` which can `Find` and `Count` in the same time
Maybe it is better to use it in `FindProjects`

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 models/project/project.go | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/models/project/project.go b/models/project/project.go
index 931ef44675..46b5c07c42 100644
--- a/models/project/project.go
+++ b/models/project/project.go
@@ -217,16 +217,8 @@ func CountProjects(ctx context.Context, opts SearchOptions) (int64, error) {
 
 // FindProjects returns a list of all projects that have been created in the repository
 func FindProjects(ctx context.Context, opts SearchOptions) ([]*Project, int64, error) {
-	e := db.GetEngine(ctx)
+	e := db.GetEngine(ctx).Where(opts.toConds())
 	projects := make([]*Project, 0, setting.UI.IssuePagingNum)
-	cond := opts.toConds()
-
-	count, err := e.Where(cond).Count(new(Project))
-	if err != nil {
-		return nil, 0, fmt.Errorf("Count: %w", err)
-	}
-
-	e = e.Where(cond)
 
 	if opts.Page > 0 {
 		e = e.Limit(setting.UI.IssuePagingNum, (opts.Page-1)*setting.UI.IssuePagingNum)
@@ -243,7 +235,8 @@ func FindProjects(ctx context.Context, opts SearchOptions) ([]*Project, int64, e
 		e.Asc("created_unix")
 	}
 
-	return projects, count, e.Find(&projects)
+	count, err := e.FindAndCount(&projects)
+	return projects, count, err
 }
 
 // NewProject creates a new Project

From 045becf9aacb49554efbe353b47af0e64f2509c5 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Fri, 24 Feb 2023 14:31:02 +0800
Subject: [PATCH 68/81] Add HesterG to maintainers (#23104)

[List of mine merged
PR](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+author%3AHesterG+is%3Amerged+)
---
 MAINTAINERS | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index c8f4220cac..9464d57914 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -49,4 +49,5 @@ Jason Song <i@wolfogre.com> (@wolfogre)
 Yarden Shoham <hrsi88@gmail.com> (@yardenshoham)
 Yu Tian <zettat123@gmail.com> (@Zettat123)
 Eddie Yang <576951401@qq.com> (@yp05327)
-Dong Ge <gedong_1994@163.com> (@sillyguodong)
\ No newline at end of file
+Dong Ge <gedong_1994@163.com> (@sillyguodong)
+Xinyi Gong <hestergong@gmail.com> (@HesterG)

From a6175b01d92a75dcbadbbfc6782a486636fd62a2 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Fri, 24 Feb 2023 14:36:07 +0800
Subject: [PATCH 69/81] Fix nil context in RenderMarkdownToHtml (#23092)

Fix #23082.

This bug is caused by a nil context in
https://github.com/go-gitea/gitea/issues/23082#issuecomment-1441276546 .

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 modules/templates/helper.go                 |  3 ++-
 templates/package/content/cargo.tmpl        |  2 +-
 templates/package/content/chef.tmpl         |  2 +-
 templates/package/content/npm.tmpl          |  2 +-
 templates/package/content/pub.tmpl          |  2 +-
 templates/package/content/pypi.tmpl         |  4 ++--
 templates/repo/issue/comment_tab.tmpl       | 10 +++++-----
 templates/repo/issue/fields/checkboxes.tmpl |  2 +-
 templates/repo/issue/fields/dropdown.tmpl   |  6 +++---
 templates/repo/issue/fields/header.tmpl     |  8 ++++----
 templates/repo/issue/fields/input.tmpl      |  2 +-
 templates/repo/issue/fields/markdown.tmpl   |  2 +-
 templates/repo/issue/fields/textarea.tmpl   |  2 +-
 13 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 4ffd0a5dee..b7bd07670c 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -174,8 +174,9 @@ func NewFuncMap() []template.FuncMap {
 		"RenderEmojiPlain":               emoji.ReplaceAliases,
 		"ReactionToEmoji":                ReactionToEmoji,
 		"RenderNote":                     RenderNote,
-		"RenderMarkdownToHtml": func(input string) template.HTML {
+		"RenderMarkdownToHtml": func(ctx context.Context, input string) template.HTML {
 			output, err := markdown.RenderString(&markup.RenderContext{
+				Ctx:       ctx,
 				URLPrefix: setting.AppSubURL,
 			}, input)
 			if err != nil {
diff --git a/templates/package/content/cargo.tmpl b/templates/package/content/cargo.tmpl
index f78647ca69..410a81d901 100644
--- a/templates/package/content/cargo.tmpl
+++ b/templates/package/content/cargo.tmpl
@@ -26,7 +26,7 @@ git-fetch-with-cli = true</code></pre></div>
 	{{if or .PackageDescriptor.Metadata.Description .PackageDescriptor.Metadata.Readme}}
 		<h4 class="ui top attached header">{{.locale.Tr "packages.about"}}</h4>
 		{{if .PackageDescriptor.Metadata.Description}}<div class="ui attached segment">{{.PackageDescriptor.Metadata.Description}}</div>{{end}}
-		{{if .PackageDescriptor.Metadata.Readme}}<div class="ui attached segment">{{RenderMarkdownToHtml .PackageDescriptor.Metadata.Readme}}</div>{{end}}
+		{{if .PackageDescriptor.Metadata.Readme}}<div class="ui attached segment">{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.Readme}}</div>{{end}}
 	{{end}}
 
 	{{if .PackageDescriptor.Metadata.Dependencies}}
diff --git a/templates/package/content/chef.tmpl b/templates/package/content/chef.tmpl
index edc175f9be..d80ecdf403 100644
--- a/templates/package/content/chef.tmpl
+++ b/templates/package/content/chef.tmpl
@@ -20,7 +20,7 @@
 		<h4 class="ui top attached header">{{.locale.Tr "packages.about"}}</h4>
 		<div class="ui attached segment">
 			{{if .PackageDescriptor.Metadata.Description}}<p>{{.PackageDescriptor.Metadata.Description}}</p>{{end}}
-			{{if .PackageDescriptor.Metadata.LongDescription}}{{RenderMarkdownToHtml .PackageDescriptor.Metadata.LongDescription}}{{end}}
+			{{if .PackageDescriptor.Metadata.LongDescription}}{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.LongDescription}}{{end}}
 		</div>
 	{{end}}
 
diff --git a/templates/package/content/npm.tmpl b/templates/package/content/npm.tmpl
index ea514c5263..d0c037b38a 100644
--- a/templates/package/content/npm.tmpl
+++ b/templates/package/content/npm.tmpl
@@ -25,7 +25,7 @@
 		<div class="ui attached segment">
 			{{if .PackageDescriptor.Metadata.Readme}}
 			<div class="markup markdown">
-				{{RenderMarkdownToHtml .PackageDescriptor.Metadata.Readme}}
+				{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.Readme}}
 			</div>
 			{{else if .PackageDescriptor.Metadata.Description}}
 				{{.PackageDescriptor.Metadata.Description}}
diff --git a/templates/package/content/pub.tmpl b/templates/package/content/pub.tmpl
index e81439d4da..d5676fca5a 100644
--- a/templates/package/content/pub.tmpl
+++ b/templates/package/content/pub.tmpl
@@ -14,6 +14,6 @@
 	{{if or .PackageDescriptor.Metadata.Description .PackageDescriptor.Metadata.Readme}}
 		<h4 class="ui top attached header">{{.locale.Tr "packages.about"}}</h4>
 		{{if .PackageDescriptor.Metadata.Description}}<div class="ui attached segment">{{.PackageDescriptor.Metadata.Description}}</div>{{end}}
-		{{if .PackageDescriptor.Metadata.Readme}}<div class="ui attached segment">{{RenderMarkdownToHtml .PackageDescriptor.Metadata.Readme}}</div>{{end}}
+		{{if .PackageDescriptor.Metadata.Readme}}<div class="ui attached segment">{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.Readme}}</div>{{end}}
 	{{end}}
 {{end}}
diff --git a/templates/package/content/pypi.tmpl b/templates/package/content/pypi.tmpl
index 830ba9bd67..8dbed5395e 100644
--- a/templates/package/content/pypi.tmpl
+++ b/templates/package/content/pypi.tmpl
@@ -16,9 +16,9 @@
 		<div class="ui attached segment">
 			<p>{{if .PackageDescriptor.Metadata.Summary}}{{.PackageDescriptor.Metadata.Summary}}{{end}}</p>
 			{{if .PackageDescriptor.Metadata.LongDescription}}
-				{{RenderMarkdownToHtml .PackageDescriptor.Metadata.LongDescription}}
+				{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.LongDescription}}
 			{{else if .PackageDescriptor.Metadata.Description}}
-				{{RenderMarkdownToHtml .PackageDescriptor.Metadata.Description}}
+				{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.Description}}
 			{{end}}
 		</div>
 	{{end}}
diff --git a/templates/repo/issue/comment_tab.tmpl b/templates/repo/issue/comment_tab.tmpl
index 86efa8c833..b04a3c6bbb 100644
--- a/templates/repo/issue/comment_tab.tmpl
+++ b/templates/repo/issue/comment_tab.tmpl
@@ -2,15 +2,15 @@
 	<input type="hidden" name="template-file" value="{{.TemplateFile}}">
 	{{range .Fields}}
 		{{if eq .Type "input"}}
-			{{template "repo/issue/fields/input" .}}
+			{{template "repo/issue/fields/input" Dict "Context" $.Context "item" .}}
 		{{else if eq .Type "markdown"}}
-			{{template "repo/issue/fields/markdown" .}}
+			{{template "repo/issue/fields/markdown" Dict "Context" $.Context "item" .}}
 		{{else if eq .Type "textarea"}}
-			{{template "repo/issue/fields/textarea" .}}
+			{{template "repo/issue/fields/textarea" Dict "Context" $.Context "item" .}}
 		{{else if eq .Type "dropdown"}}
-			{{template "repo/issue/fields/dropdown" .}}
+			{{template "repo/issue/fields/dropdown" Dict "Context" $.Context "item" .}}
 		{{else if eq .Type "checkboxes"}}
-			{{template "repo/issue/fields/checkboxes" .}}
+			{{template "repo/issue/fields/checkboxes" Dict "Context" $.Context "item" .}}
 		{{end}}
 	{{end}}
 {{else}}
diff --git a/templates/repo/issue/fields/checkboxes.tmpl b/templates/repo/issue/fields/checkboxes.tmpl
index b70334681f..80835b649a 100644
--- a/templates/repo/issue/fields/checkboxes.tmpl
+++ b/templates/repo/issue/fields/checkboxes.tmpl
@@ -1,7 +1,7 @@
 <div class="field">
 	{{template "repo/issue/fields/header" .}}
 	{{$field := .}}
-	{{range $i, $opt := .Attributes.options}}
+	{{range $i, $opt := .item.Attributes.options}}
 		<div class="field">
 			<div class="ui checkbox">
 				<input type="checkbox" name="form-field-{{$field.ID}}-{{$i}}" {{if $opt.required}}readonly checked{{end}}>
diff --git a/templates/repo/issue/fields/dropdown.tmpl b/templates/repo/issue/fields/dropdown.tmpl
index 83c2bb4aac..9adce5602f 100644
--- a/templates/repo/issue/fields/dropdown.tmpl
+++ b/templates/repo/issue/fields/dropdown.tmpl
@@ -1,12 +1,12 @@
 <div class="field">
 	{{template "repo/issue/fields/header" .}}
 	{{/* FIXME: required validation */}}
-	<div class="ui fluid selection dropdown {{if .Attributes.multiple}}multiple clearable{{end}}">
-		<input type="hidden" name="form-field-{{.ID}}" value="0">
+	<div class="ui fluid selection dropdown {{if .item.Attributes.multiple}}multiple clearable{{end}}">
+		<input type="hidden" name="form-field-{{.item.ID}}" value="0">
 		<i class="dropdown icon"></i>
 		<div class="default text"></div>
 		<div class="menu">
-			{{range $i, $opt := .Attributes.options}}
+			{{range $i, $opt := .item.Attributes.options}}
 				<div class="item" data-value="{{$i}}">{{$opt}}</div>
 			{{end}}
 		</div>
diff --git a/templates/repo/issue/fields/header.tmpl b/templates/repo/issue/fields/header.tmpl
index fb8511b4f0..6034fed5fd 100644
--- a/templates/repo/issue/fields/header.tmpl
+++ b/templates/repo/issue/fields/header.tmpl
@@ -1,6 +1,6 @@
-{{if .Attributes.label}}
-	<h3>{{.Attributes.label}}{{if .Validations.required}}<label class="required"></label>{{end}}</h3>
+{{if .item.Attributes.label}}
+	<h3>{{.item.Attributes.label}}{{if .item.Validations.required}}<label class="required"></label>{{end}}</h3>
 {{end}}
-{{if .Attributes.description}}
-	<span class="help">{{RenderMarkdownToHtml .Attributes.description}}</span>
+{{if .item.Attributes.description}}
+	<span class="help">{{RenderMarkdownToHtml .Context .item.Attributes.description}}</span>
 {{end}}
diff --git a/templates/repo/issue/fields/input.tmpl b/templates/repo/issue/fields/input.tmpl
index d73354f6d3..3fc8a86510 100644
--- a/templates/repo/issue/fields/input.tmpl
+++ b/templates/repo/issue/fields/input.tmpl
@@ -1,4 +1,4 @@
 <div class="field">
 	{{template "repo/issue/fields/header" .}}
-	<input type="{{if .Validations.is_number}}number{{else}}text{{end}}" name="form-field-{{.ID}}" placeholder="{{.Attributes.placeholder}}" value="{{.Attributes.value}}" {{if .Validations.required}}required{{end}} {{if .Validations.regex}}pattern="{{.Validations.regex}}" title="{{.Validations.regex}}"{{end}}>
+	<input type="{{if .item.Validations.is_number}}number{{else}}text{{end}}" name="form-field-{{.item.ID}}" placeholder="{{.item.Attributes.placeholder}}" value="{{.item.Attributes.value}}" {{if .item.Validations.required}}required{{end}} {{if .item.Validations.regex}}pattern="{{.item.Validations.regex}}" title="{{.item.Validations.regex}}"{{end}}>
 </div>
diff --git a/templates/repo/issue/fields/markdown.tmpl b/templates/repo/issue/fields/markdown.tmpl
index 8236171523..fd5b6afd22 100644
--- a/templates/repo/issue/fields/markdown.tmpl
+++ b/templates/repo/issue/fields/markdown.tmpl
@@ -1,3 +1,3 @@
 <div class="field">
-	<div>{{RenderMarkdownToHtml .Attributes.value}}</div>
+	<div>{{RenderMarkdownToHtml .Context .item.Attributes.value}}</div>
 </div>
diff --git a/templates/repo/issue/fields/textarea.tmpl b/templates/repo/issue/fields/textarea.tmpl
index 5ad82e2460..4b390fc9d6 100644
--- a/templates/repo/issue/fields/textarea.tmpl
+++ b/templates/repo/issue/fields/textarea.tmpl
@@ -2,5 +2,5 @@
 	{{template "repo/issue/fields/header" .}}
 	{{/* FIXME: preview markdown result */}}
 	{{/* FIXME: required validation for markdown editor */}}
-	<textarea name="form-field-{{.ID}}" placeholder="{{.Attributes.placeholder}}" class="edit_area {{if .Attributes.render}}no-easymde{{end}}" {{if and .Validations.required .Attributes.render}}required{{end}}>{{.Attributes.value}}</textarea>
+	<textarea name="form-field-{{.item.ID}}" placeholder="{{.item.Attributes.placeholder}}" class="edit_area {{if .item.Attributes.render}}no-easymde{{end}}" {{if and .item.Validations.required .item.Attributes.render}}required{{end}}>{{.item.Attributes.value}}</textarea>
 </div>

From edf98a2dc30956c8e04b778bb7f1ce55c14ba963 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Fri, 24 Feb 2023 15:58:49 +0800
Subject: [PATCH 70/81] Require approval to run actions for fork pull request
 (#22803)

Currently, Gitea will run actions automatically which are triggered by
fork pull request. It's a security risk, people can create a PR and
modify the workflow yamls to execute a malicious script.

So we should require approval for first-time contributors, which is the
default strategy of a public repo on GitHub, see [Approving workflow
runs from public
forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks).

Current strategy:

- don't need approval if it's not a fork PR;
- always need approval if the user is restricted;
- don't need approval if the user can write;
- don't need approval if the user has been approved before;
- otherwise, need approval.

https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov

GitHub has an option for that, you can see that at
`/<owner>/<repo>/settings/actions`, and we can support that later.

<img width="835" alt="image"
src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png">

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 models/actions/run.go                    | 12 +++---
 models/actions/run_list.go               |  8 ++++
 models/actions/status.go                 |  4 ++
 models/migrations/migrations.go          |  4 ++
 models/migrations/v1_20/v244.go          | 22 +++++++++++
 options/locale/locale_en-US.ini          |  2 +
 routers/web/repo/actions/view.go         | 49 +++++++++++++++++++++---
 routers/web/web.go                       |  1 +
 services/actions/notifier_helper.go      | 48 ++++++++++++++++++++++-
 web_src/js/components/RepoActionView.vue | 20 +++++++++-
 10 files changed, 154 insertions(+), 16 deletions(-)
 create mode 100644 models/migrations/v1_20/v244.go

diff --git a/models/actions/run.go b/models/actions/run.go
index 14d191c814..a8d991471e 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -32,11 +32,13 @@ type ActionRun struct {
 	OwnerID           int64                  `xorm:"index"`
 	WorkflowID        string                 `xorm:"index"`                    // the name of workflow file
 	Index             int64                  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
-	TriggerUserID     int64
-	TriggerUser       *user_model.User `xorm:"-"`
+	TriggerUserID     int64                  `xorm:"index"`
+	TriggerUser       *user_model.User       `xorm:"-"`
 	Ref               string
 	CommitSHA         string
 	IsForkPullRequest bool
+	NeedApproval      bool  // may need approval if it's a fork pull request
+	ApprovedBy        int64 `xorm:"index"` // who approved
 	Event             webhook_module.HookEventType
 	EventPayload      string `xorm:"LONGTEXT"`
 	Status            Status `xorm:"index"`
@@ -164,10 +166,6 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork
 	}
 	run.Index = index
 
-	if run.Status.IsUnknown() {
-		run.Status = StatusWaiting
-	}
-
 	if err := db.Insert(ctx, run); err != nil {
 		return err
 	}
@@ -191,7 +189,7 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork
 		job.EraseNeeds()
 		payload, _ := v.Marshal()
 		status := StatusWaiting
-		if len(needs) > 0 {
+		if len(needs) > 0 || run.NeedApproval {
 			status = StatusBlocked
 		}
 		runJobs = append(runJobs, &ActionRunJob{
diff --git a/models/actions/run_list.go b/models/actions/run_list.go
index f9d8417227..bc69c65840 100644
--- a/models/actions/run_list.go
+++ b/models/actions/run_list.go
@@ -68,6 +68,8 @@ type FindRunOptions struct {
 	OwnerID          int64
 	IsClosed         util.OptionalBool
 	WorkflowFileName string
+	TriggerUserID    int64
+	Approved         bool // not util.OptionalBool, it works only when it's true
 }
 
 func (opts FindRunOptions) toConds() builder.Cond {
@@ -89,6 +91,12 @@ func (opts FindRunOptions) toConds() builder.Cond {
 	if opts.WorkflowFileName != "" {
 		cond = cond.And(builder.Eq{"workflow_id": opts.WorkflowFileName})
 	}
+	if opts.TriggerUserID > 0 {
+		cond = cond.And(builder.Eq{"trigger_user_id": opts.TriggerUserID})
+	}
+	if opts.Approved {
+		cond = cond.And(builder.Gt{"approved_by": 0})
+	}
 	return cond
 }
 
diff --git a/models/actions/status.go b/models/actions/status.go
index 059cf9bc09..c97578f2ac 100644
--- a/models/actions/status.go
+++ b/models/actions/status.go
@@ -82,6 +82,10 @@ func (s Status) IsRunning() bool {
 	return s == StatusRunning
 }
 
+func (s Status) IsBlocked() bool {
+	return s == StatusBlocked
+}
+
 // In returns whether s is one of the given statuses
 func (s Status) In(statuses ...Status) bool {
 	for _, v := range statuses {
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 989a1d6ae1..585457e474 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -19,6 +19,7 @@ import (
 	"code.gitea.io/gitea/models/migrations/v1_17"
 	"code.gitea.io/gitea/models/migrations/v1_18"
 	"code.gitea.io/gitea/models/migrations/v1_19"
+	"code.gitea.io/gitea/models/migrations/v1_20"
 	"code.gitea.io/gitea/models/migrations/v1_6"
 	"code.gitea.io/gitea/models/migrations/v1_7"
 	"code.gitea.io/gitea/models/migrations/v1_8"
@@ -463,6 +464,9 @@ var migrations = []Migration{
 	NewMigration("Add exclusive label", v1_19.AddExclusiveLabel),
 
 	// Gitea 1.19.0 ends at v244
+
+	// v244 -> v245
+	NewMigration("Add NeedApproval to actions tables", v1_20.AddNeedApprovalToActionRun),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/migrations/v1_20/v244.go b/models/migrations/v1_20/v244.go
new file mode 100644
index 0000000000..977566ad7d
--- /dev/null
+++ b/models/migrations/v1_20/v244.go
@@ -0,0 +1,22 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_20 //nolint
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddNeedApprovalToActionRun(x *xorm.Engine) error {
+	/*
+		New index: TriggerUserID
+		New fields: NeedApproval, ApprovedBy
+	*/
+	type ActionRun struct {
+		TriggerUserID int64 `xorm:"index"`
+		NeedApproval  bool  // may need approval if it's a fork pull request
+		ApprovedBy    int64 `xorm:"index"` // who approved
+	}
+
+	return x.Sync(new(ActionRun))
+}
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index df66ce2339..fbd3068053 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3346,3 +3346,5 @@ runs.open_tab = %d Open
 runs.closed_tab = %d Closed
 runs.commit = Commit
 runs.pushed_by = Pushed by
+
+need_approval_desc = Need approval to run workflows for fork pull request.
diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index 5370310e8d..dd2750f905 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -49,11 +49,12 @@ type ViewRequest struct {
 type ViewResponse struct {
 	State struct {
 		Run struct {
-			Link      string     `json:"link"`
-			Title     string     `json:"title"`
-			CanCancel bool       `json:"canCancel"`
-			Done      bool       `json:"done"`
-			Jobs      []*ViewJob `json:"jobs"`
+			Link       string     `json:"link"`
+			Title      string     `json:"title"`
+			CanCancel  bool       `json:"canCancel"`
+			CanApprove bool       `json:"canApprove"` // the run needs an approval and the doer has permission to approve
+			Done       bool       `json:"done"`
+			Jobs       []*ViewJob `json:"jobs"`
 		} `json:"run"`
 		CurrentJob struct {
 			Title  string         `json:"title"`
@@ -107,6 +108,7 @@ func ViewPost(ctx *context_module.Context) {
 	resp.State.Run.Title = run.Title
 	resp.State.Run.Link = run.Link()
 	resp.State.Run.CanCancel = !run.Status.IsDone() && ctx.Repo.CanWrite(unit.TypeActions)
+	resp.State.Run.CanApprove = run.NeedApproval && ctx.Repo.CanWrite(unit.TypeActions)
 	resp.State.Run.Done = run.Status.IsDone()
 	resp.State.Run.Jobs = make([]*ViewJob, 0, len(jobs)) // marshal to '[]' instead fo 'null' in json
 	for _, v := range jobs {
@@ -135,6 +137,9 @@ func ViewPost(ctx *context_module.Context) {
 
 	resp.State.CurrentJob.Title = current.Name
 	resp.State.CurrentJob.Detail = current.Status.LocaleString(ctx.Locale)
+	if run.NeedApproval {
+		resp.State.CurrentJob.Detail = ctx.Locale.Tr("actions.need_approval_desc")
+	}
 	resp.State.CurrentJob.Steps = make([]*ViewJobStep, 0) // marshal to '[]' instead fo 'null' in json
 	resp.Logs.StepsLog = make([]*ViewStepLog, 0)          // marshal to '[]' instead fo 'null' in json
 	if task != nil {
@@ -261,6 +266,40 @@ func Cancel(ctx *context_module.Context) {
 	ctx.JSON(http.StatusOK, struct{}{})
 }
 
+func Approve(ctx *context_module.Context) {
+	runIndex := ctx.ParamsInt64("run")
+
+	current, jobs := getRunJobs(ctx, runIndex, -1)
+	if ctx.Written() {
+		return
+	}
+	run := current.Run
+	doer := ctx.Doer
+
+	if err := db.WithTx(ctx, func(ctx context.Context) error {
+		run.NeedApproval = false
+		run.ApprovedBy = doer.ID
+		if err := actions_model.UpdateRun(ctx, run, "need_approval", "approved_by"); err != nil {
+			return err
+		}
+		for _, job := range jobs {
+			if len(job.Needs) == 0 && job.Status.IsBlocked() {
+				job.Status = actions_model.StatusWaiting
+				_, err := actions_model.UpdateRunJob(ctx, job, nil, "status")
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	}); err != nil {
+		ctx.Error(http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	ctx.JSON(http.StatusOK, struct{}{})
+}
+
 // getRunJobs gets the jobs of runIndex, and returns jobs[jobIndex], jobs.
 // Any error will be written to the ctx.
 // It never returns a nil job of an empty jobs, if the jobIndex is out of range, it will be treated as 0.
diff --git a/routers/web/web.go b/routers/web/web.go
index 88e27ad678..ff312992dd 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1286,6 +1286,7 @@ func RegisterRoutes(m *web.Route) {
 					m.Post("/rerun", reqRepoActionsWriter, actions.Rerun)
 				})
 				m.Post("/cancel", reqRepoActionsWriter, actions.Cancel)
+				m.Post("/approve", reqRepoActionsWriter, actions.Approve)
 			})
 		}, reqRepoActionsReader, actions.MustEnableActions)
 
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index df67d2fa11..ef63b8cf94 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -153,7 +153,7 @@ func notify(ctx context.Context, input *notifyInput) error {
 	}
 
 	for id, content := range workflows {
-		run := actions_model.ActionRun{
+		run := &actions_model.ActionRun{
 			Title:             strings.SplitN(commit.CommitMessage, "\n", 2)[0],
 			RepoID:            input.Repo.ID,
 			OwnerID:           input.Repo.OwnerID,
@@ -166,12 +166,19 @@ func notify(ctx context.Context, input *notifyInput) error {
 			EventPayload:      string(p),
 			Status:            actions_model.StatusWaiting,
 		}
+		if need, err := ifNeedApproval(ctx, run, input.Repo, input.Doer); err != nil {
+			log.Error("check if need approval for repo %d with user %d: %v", input.Repo.ID, input.Doer.ID, err)
+			continue
+		} else {
+			run.NeedApproval = need
+		}
+
 		jobs, err := jobparser.Parse(content)
 		if err != nil {
 			log.Error("jobparser.Parse: %v", err)
 			continue
 		}
-		if err := actions_model.InsertRun(ctx, &run, jobs); err != nil {
+		if err := actions_model.InsertRun(ctx, run, jobs); err != nil {
 			log.Error("InsertRun: %v", err)
 			continue
 		}
@@ -234,3 +241,40 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo
 		}).
 		Notify(ctx)
 }
+
+func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+	// don't need approval if it's not a fork PR
+	if !run.IsForkPullRequest {
+		return false, nil
+	}
+
+	// always need approval if the user is restricted
+	if user.IsRestricted {
+		log.Trace("need approval because user %d is restricted", user.ID)
+		return true, nil
+	}
+
+	// don't need approval if the user can write
+	if perm, err := access_model.GetUserRepoPermission(ctx, repo, user); err != nil {
+		return false, fmt.Errorf("GetUserRepoPermission: %w", err)
+	} else if perm.CanWrite(unit_model.TypeActions) {
+		log.Trace("do not need approval because user %d can write", user.ID)
+		return false, nil
+	}
+
+	// don't need approval if the user has been approved before
+	if count, err := actions_model.CountRuns(ctx, actions_model.FindRunOptions{
+		RepoID:        repo.ID,
+		TriggerUserID: user.ID,
+		Approved:      true,
+	}); err != nil {
+		return false, fmt.Errorf("CountRuns: %w", err)
+	} else if count > 0 {
+		log.Trace("do not need approval because user %d has been approved before", user.ID)
+		return false, nil
+	}
+
+	// otherwise, need approval
+	log.Trace("need approval because it's the first time user %d triggered actions", user.ID)
+	return true, nil
+}
diff --git a/web_src/js/components/RepoActionView.vue b/web_src/js/components/RepoActionView.vue
index e0ec488933..762067f523 100644
--- a/web_src/js/components/RepoActionView.vue
+++ b/web_src/js/components/RepoActionView.vue
@@ -3,7 +3,10 @@
     <div class="action-view-header">
       <div class="action-info-summary">
         {{ run.title }}
-        <button class="run_cancel" @click="cancelRun()" v-if="run.canCancel">
+        <button class="run_approve" @click="approveRun()" v-if="run.canApprove">
+          <i class="play circle outline icon"/>
+        </button>
+        <button class="run_cancel" @click="cancelRun()" v-else-if="run.canCancel">
           <i class="stop circle outline icon"/>
         </button>
       </div>
@@ -97,6 +100,7 @@ const sfc = {
         link: '',
         title: '',
         canCancel: false,
+        canApprove: false,
         done: false,
         jobs: [
           // {
@@ -173,6 +177,10 @@ const sfc = {
     cancelRun() {
       this.fetchPost(`${this.run.link}/cancel`);
     },
+    // approve a run
+    approveRun() {
+      this.fetchPost(`${this.run.link}/approve`);
+    },
 
     createLogLine(line) {
       const div = document.createElement('div');
@@ -303,7 +311,15 @@ export function initRepositoryActionView() {
     cursor: pointer;
     transition:transform 0.2s;
   };
-  .run_cancel:hover{
+  .run_approve {
+    border: none;
+    color: var(--color-green);
+    background-color: transparent;
+    outline: none;
+    cursor: pointer;
+    transition:transform 0.2s;
+  };
+  .run_cancel:hover, .run_approve:hover {
     transform:scale(130%);
   };
 }

From 91fa0eb9d7b8c1bb5afac9d68161cf95ae0a02f8 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 24 Feb 2023 18:23:13 +0800
Subject: [PATCH 71/81] Avoid warning for system setting when start up (#23054)

Partially fix #23050

After #22294 merged, it always has a warning log like `cannot get
context cache` when starting up. This should not affect any real life
but it's annoying. This PR will fix the problem. That means when
starting up, getting the system settings will not try from the cache but
will read from the database directly.

---------

Co-authored-by: Lauris BH <lauris@nix.lv>
---
 models/avatars/avatar.go           |  4 +--
 models/avatars/avatar_test.go      |  2 +-
 models/repo.go                     |  4 +--
 models/system/setting.go           | 49 ++++++++++++++++++------------
 models/system/setting_test.go      |  6 ++--
 models/unittest/testdb.go          |  2 +-
 models/user/avatar.go              |  2 +-
 modules/repository/commits_test.go |  2 +-
 modules/templates/helper.go        |  2 +-
 routers/init.go                    |  2 +-
 routers/web/admin/config.go        |  2 +-
 11 files changed, 43 insertions(+), 34 deletions(-)

diff --git a/models/avatars/avatar.go b/models/avatars/avatar.go
index 6cf05dd284..265ee6428e 100644
--- a/models/avatars/avatar.go
+++ b/models/avatars/avatar.go
@@ -153,7 +153,7 @@ func generateEmailAvatarLink(ctx context.Context, email string, size int, final
 		return DefaultAvatarLink()
 	}
 
-	enableFederatedAvatar := system_model.GetSettingBool(ctx, system_model.KeyPictureEnableFederatedAvatar)
+	enableFederatedAvatar := system_model.GetSettingWithCacheBool(ctx, system_model.KeyPictureEnableFederatedAvatar)
 
 	var err error
 	if enableFederatedAvatar && system_model.LibravatarService != nil {
@@ -174,7 +174,7 @@ func generateEmailAvatarLink(ctx context.Context, email string, size int, final
 		return urlStr
 	}
 
-	disableGravatar := system_model.GetSettingBool(ctx, system_model.KeyPictureDisableGravatar)
+	disableGravatar := system_model.GetSettingWithCacheBool(ctx, system_model.KeyPictureDisableGravatar)
 	if !disableGravatar {
 		// copy GravatarSourceURL, because we will modify its Path.
 		avatarURLCopy := *system_model.GravatarSourceURL
diff --git a/models/avatars/avatar_test.go b/models/avatars/avatar_test.go
index a3cb36d0e1..59daaeb669 100644
--- a/models/avatars/avatar_test.go
+++ b/models/avatars/avatar_test.go
@@ -28,7 +28,7 @@ func enableGravatar(t *testing.T) {
 	err := system_model.SetSettingNoVersion(db.DefaultContext, system_model.KeyPictureDisableGravatar, "false")
 	assert.NoError(t, err)
 	setting.GravatarSource = gravatarSource
-	err = system_model.Init()
+	err = system_model.Init(db.DefaultContext)
 	assert.NoError(t, err)
 }
 
diff --git a/models/repo.go b/models/repo.go
index 38dc3f1ab1..5a1e2e028e 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -39,9 +39,9 @@ import (
 var ItemsPerPage = 40
 
 // Init initialize model
-func Init() error {
+func Init(ctx context.Context) error {
 	unit.LoadUnitConfig()
-	return system_model.Init()
+	return system_model.Init(ctx)
 }
 
 // DeleteRepository deletes a repository for a user or organization.
diff --git a/models/system/setting.go b/models/system/setting.go
index 098d9a1832..6af759dc8a 100644
--- a/models/system/setting.go
+++ b/models/system/setting.go
@@ -79,8 +79,8 @@ func IsErrDataExpired(err error) bool {
 	return ok
 }
 
-// GetSettingNoCache returns specific setting without using the cache
-func GetSettingNoCache(ctx context.Context, key string) (*Setting, error) {
+// GetSetting returns specific setting without using the cache
+func GetSetting(ctx context.Context, key string) (*Setting, error) {
 	v, err := GetSettings(ctx, []string{key})
 	if err != nil {
 		return nil, err
@@ -93,11 +93,11 @@ func GetSettingNoCache(ctx context.Context, key string) (*Setting, error) {
 
 const contextCacheKey = "system_setting"
 
-// GetSetting returns the setting value via the key
-func GetSetting(ctx context.Context, key string) (string, error) {
+// GetSettingWithCache returns the setting value via the key
+func GetSettingWithCache(ctx context.Context, key string) (string, error) {
 	return cache.GetWithContextCache(ctx, contextCacheKey, key, func() (string, error) {
 		return cache.GetString(genSettingCacheKey(key), func() (string, error) {
-			res, err := GetSettingNoCache(ctx, key)
+			res, err := GetSetting(ctx, key)
 			if err != nil {
 				return "", err
 			}
@@ -110,6 +110,15 @@ func GetSetting(ctx context.Context, key string) (string, error) {
 // none existing keys and errors are ignored and result in false
 func GetSettingBool(ctx context.Context, key string) bool {
 	s, _ := GetSetting(ctx, key)
+	if s == nil {
+		return false
+	}
+	v, _ := strconv.ParseBool(s.SettingValue)
+	return v
+}
+
+func GetSettingWithCacheBool(ctx context.Context, key string) bool {
+	s, _ := GetSettingWithCache(ctx, key)
 	v, _ := strconv.ParseBool(s)
 	return v
 }
@@ -120,7 +129,7 @@ func GetSettings(ctx context.Context, keys []string) (map[string]*Setting, error
 		keys[i] = strings.ToLower(keys[i])
 	}
 	settings := make([]*Setting, 0, len(keys))
-	if err := db.GetEngine(db.DefaultContext).
+	if err := db.GetEngine(ctx).
 		Where(builder.In("setting_key", keys)).
 		Find(&settings); err != nil {
 		return nil, err
@@ -151,9 +160,9 @@ func (settings AllSettings) GetVersion(key string) int {
 }
 
 // GetAllSettings returns all settings from user
-func GetAllSettings() (AllSettings, error) {
+func GetAllSettings(ctx context.Context) (AllSettings, error) {
 	settings := make([]*Setting, 0, 5)
-	if err := db.GetEngine(db.DefaultContext).
+	if err := db.GetEngine(ctx).
 		Find(&settings); err != nil {
 		return nil, err
 	}
@@ -168,12 +177,12 @@ func GetAllSettings() (AllSettings, error) {
 func DeleteSetting(ctx context.Context, setting *Setting) error {
 	cache.RemoveContextData(ctx, contextCacheKey, setting.SettingKey)
 	cache.Remove(genSettingCacheKey(setting.SettingKey))
-	_, err := db.GetEngine(db.DefaultContext).Delete(setting)
+	_, err := db.GetEngine(ctx).Delete(setting)
 	return err
 }
 
 func SetSettingNoVersion(ctx context.Context, key, value string) error {
-	s, err := GetSettingNoCache(ctx, key)
+	s, err := GetSetting(ctx, key)
 	if IsErrSettingIsNotExist(err) {
 		return SetSetting(ctx, &Setting{
 			SettingKey:   key,
@@ -189,7 +198,7 @@ func SetSettingNoVersion(ctx context.Context, key, value string) error {
 
 // SetSetting updates a users' setting for a specific key
 func SetSetting(ctx context.Context, setting *Setting) error {
-	if err := upsertSettingValue(strings.ToLower(setting.SettingKey), setting.SettingValue, setting.Version); err != nil {
+	if err := upsertSettingValue(ctx, strings.ToLower(setting.SettingKey), setting.SettingValue, setting.Version); err != nil {
 		return err
 	}
 
@@ -205,8 +214,8 @@ func SetSetting(ctx context.Context, setting *Setting) error {
 	return nil
 }
 
-func upsertSettingValue(key, value string, version int) error {
-	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
+func upsertSettingValue(parentCtx context.Context, key, value string, version int) error {
+	return db.WithTx(parentCtx, func(ctx context.Context) error {
 		e := db.GetEngine(ctx)
 
 		// here we use a general method to do a safe upsert for different databases (and most transaction levels)
@@ -249,9 +258,9 @@ var (
 	LibravatarService *libravatar.Libravatar
 )
 
-func Init() error {
+func Init(ctx context.Context) error {
 	var disableGravatar bool
-	disableGravatarSetting, err := GetSettingNoCache(db.DefaultContext, KeyPictureDisableGravatar)
+	disableGravatarSetting, err := GetSetting(ctx, KeyPictureDisableGravatar)
 	if IsErrSettingIsNotExist(err) {
 		disableGravatar = setting_module.GetDefaultDisableGravatar()
 		disableGravatarSetting = &Setting{SettingValue: strconv.FormatBool(disableGravatar)}
@@ -262,7 +271,7 @@ func Init() error {
 	}
 
 	var enableFederatedAvatar bool
-	enableFederatedAvatarSetting, err := GetSettingNoCache(db.DefaultContext, KeyPictureEnableFederatedAvatar)
+	enableFederatedAvatarSetting, err := GetSetting(ctx, KeyPictureEnableFederatedAvatar)
 	if IsErrSettingIsNotExist(err) {
 		enableFederatedAvatar = setting_module.GetDefaultEnableFederatedAvatar(disableGravatar)
 		enableFederatedAvatarSetting = &Setting{SettingValue: strconv.FormatBool(enableFederatedAvatar)}
@@ -275,13 +284,13 @@ func Init() error {
 	if setting_module.OfflineMode {
 		disableGravatar = true
 		enableFederatedAvatar = false
-		if !GetSettingBool(db.DefaultContext, KeyPictureDisableGravatar) {
-			if err := SetSettingNoVersion(db.DefaultContext, KeyPictureDisableGravatar, "true"); err != nil {
+		if !GetSettingBool(ctx, KeyPictureDisableGravatar) {
+			if err := SetSettingNoVersion(ctx, KeyPictureDisableGravatar, "true"); err != nil {
 				return fmt.Errorf("Failed to set setting %q: %w", KeyPictureDisableGravatar, err)
 			}
 		}
-		if GetSettingBool(db.DefaultContext, KeyPictureEnableFederatedAvatar) {
-			if err := SetSettingNoVersion(db.DefaultContext, KeyPictureEnableFederatedAvatar, "false"); err != nil {
+		if GetSettingBool(ctx, KeyPictureEnableFederatedAvatar) {
+			if err := SetSettingNoVersion(ctx, KeyPictureEnableFederatedAvatar, "false"); err != nil {
 				return fmt.Errorf("Failed to set setting %q: %w", KeyPictureEnableFederatedAvatar, err)
 			}
 		}
diff --git a/models/system/setting_test.go b/models/system/setting_test.go
index fbd04088e6..e6997ad783 100644
--- a/models/system/setting_test.go
+++ b/models/system/setting_test.go
@@ -40,10 +40,10 @@ func TestSettings(t *testing.T) {
 
 	value, err := system.GetSetting(db.DefaultContext, keyName)
 	assert.NoError(t, err)
-	assert.EqualValues(t, updatedSetting.SettingValue, value)
+	assert.EqualValues(t, updatedSetting.SettingValue, value.SettingValue)
 
 	// get all settings
-	settings, err = system.GetAllSettings()
+	settings, err = system.GetAllSettings(db.DefaultContext)
 	assert.NoError(t, err)
 	assert.Len(t, settings, 3)
 	assert.EqualValues(t, updatedSetting.SettingValue, settings[strings.ToLower(updatedSetting.SettingKey)].SettingValue)
@@ -51,7 +51,7 @@ func TestSettings(t *testing.T) {
 	// delete setting
 	err = system.DeleteSetting(db.DefaultContext, &system.Setting{SettingKey: strings.ToLower(keyName)})
 	assert.NoError(t, err)
-	settings, err = system.GetAllSettings()
+	settings, err = system.GetAllSettings(db.DefaultContext)
 	assert.NoError(t, err)
 	assert.Len(t, settings, 2)
 }
diff --git a/models/unittest/testdb.go b/models/unittest/testdb.go
index 7e327f2bd2..2bc41084ba 100644
--- a/models/unittest/testdb.go
+++ b/models/unittest/testdb.go
@@ -113,7 +113,7 @@ func MainTest(m *testing.M, testOpts *TestOptions) {
 	if err = storage.Init(); err != nil {
 		fatalTestError("storage.Init: %v\n", err)
 	}
-	if err = system_model.Init(); err != nil {
+	if err = system_model.Init(db.DefaultContext); err != nil {
 		fatalTestError("models.Init: %v\n", err)
 	}
 
diff --git a/models/user/avatar.go b/models/user/avatar.go
index 9af2a9acc2..3d1e2ed20b 100644
--- a/models/user/avatar.go
+++ b/models/user/avatar.go
@@ -67,7 +67,7 @@ func (u *User) AvatarLinkWithSize(ctx context.Context, size int) string {
 	useLocalAvatar := false
 	autoGenerateAvatar := false
 
-	disableGravatar := system_model.GetSettingBool(ctx, system_model.KeyPictureDisableGravatar)
+	disableGravatar := system_model.GetSettingWithCacheBool(ctx, system_model.KeyPictureDisableGravatar)
 
 	switch {
 	case u.UseCustomAvatar:
diff --git a/modules/repository/commits_test.go b/modules/repository/commits_test.go
index 2bd8de38aa..a407083f3a 100644
--- a/modules/repository/commits_test.go
+++ b/modules/repository/commits_test.go
@@ -106,7 +106,7 @@ func enableGravatar(t *testing.T) {
 	err := system_model.SetSettingNoVersion(db.DefaultContext, system_model.KeyPictureDisableGravatar, "false")
 	assert.NoError(t, err)
 	setting.GravatarSource = "https://secure.gravatar.com/avatar"
-	err = system_model.Init()
+	err = system_model.Init(db.DefaultContext)
 	assert.NoError(t, err)
 }
 
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index b7bd07670c..17ac68dc6b 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -92,7 +92,7 @@ func NewFuncMap() []template.FuncMap {
 			return setting.AssetVersion
 		},
 		"DisableGravatar": func(ctx context.Context) bool {
-			return system_model.GetSettingBool(ctx, system_model.KeyPictureDisableGravatar)
+			return system_model.GetSettingWithCacheBool(ctx, system_model.KeyPictureDisableGravatar)
 		},
 		"DefaultShowFullName": func() bool {
 			return setting.UI.DefaultShowFullName
diff --git a/routers/init.go b/routers/init.go
index 6a51de669a..d3f822dc83 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -150,7 +150,7 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(system.Init)
 	mustInit(oauth2.Init)
 
-	mustInit(models.Init)
+	mustInitCtx(ctx, models.Init)
 	mustInit(repo_service.Init)
 
 	// Booting long running goroutines.
diff --git a/routers/web/admin/config.go b/routers/web/admin/config.go
index 2566cbe42b..075fb423dc 100644
--- a/routers/web/admin/config.go
+++ b/routers/web/admin/config.go
@@ -103,7 +103,7 @@ func Config(ctx *context.Context) {
 	ctx.Data["PageIsAdmin"] = true
 	ctx.Data["PageIsAdminConfig"] = true
 
-	systemSettings, err := system_model.GetAllSettings()
+	systemSettings, err := system_model.GetAllSettings(ctx)
 	if err != nil {
 		ctx.ServerError("system_model.GetAllSettings", err)
 		return

From a8c4f8cebcc52a1c96fe481fc654598c4ef49fec Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 24 Feb 2023 21:17:09 +0800
Subject: [PATCH 72/81] Fix db.Find bug (#23115)

Caused by #20821

Fix #23110
---
 models/db/{list_options.go => list.go} |  4 +--
 models/db/list_test.go                 | 48 ++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
 rename models/db/{list_options.go => list.go} (98%)
 create mode 100644 models/db/list_test.go

diff --git a/models/db/list_options.go b/models/db/list.go
similarity index 98%
rename from models/db/list_options.go
rename to models/db/list.go
index 2456f90f3b..9fb4d0741f 100644
--- a/models/db/list_options.go
+++ b/models/db/list.go
@@ -134,7 +134,7 @@ func Find[T any](ctx context.Context, opts FindOptions, objects *[]T) error {
 	if !opts.IsListAll() {
 		sess.Limit(opts.GetSkipTake())
 	}
-	return sess.Find(&objects)
+	return sess.Find(objects)
 }
 
 // Count represents a common count function which accept an options interface
@@ -148,5 +148,5 @@ func FindAndCount[T any](ctx context.Context, opts FindOptions, objects *[]T) (i
 	if !opts.IsListAll() {
 		sess.Limit(opts.GetSkipTake())
 	}
-	return sess.FindAndCount(&objects)
+	return sess.FindAndCount(objects)
 }
diff --git a/models/db/list_test.go b/models/db/list_test.go
new file mode 100644
index 0000000000..ffef1e4948
--- /dev/null
+++ b/models/db/list_test.go
@@ -0,0 +1,48 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package db_test
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"xorm.io/builder"
+)
+
+type mockListOptions struct {
+	db.ListOptions
+}
+
+func (opts *mockListOptions) IsListAll() bool {
+	return true
+}
+
+func (opts *mockListOptions) ToConds() builder.Cond {
+	return builder.NewCond()
+}
+
+func TestFind(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	xe := unittest.GetXORMEngine()
+	assert.NoError(t, xe.Sync(&repo_model.RepoUnit{}))
+
+	opts := mockListOptions{}
+	var repoUnits []repo_model.RepoUnit
+	err := db.Find(db.DefaultContext, &opts, &repoUnits)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 83, len(repoUnits))
+
+	cnt, err := db.Count(db.DefaultContext, &opts, new(repo_model.RepoUnit))
+	assert.NoError(t, err)
+	assert.EqualValues(t, 83, cnt)
+
+	repoUnits = make([]repo_model.RepoUnit, 0, 10)
+	newCnt, err := db.FindAndCount(db.DefaultContext, &opts, &repoUnits)
+	assert.NoError(t, err)
+	assert.EqualValues(t, cnt, newCnt)
+}

From d20b29d7cea0fcba5e423dcfb7bbb7d2c15959d6 Mon Sep 17 00:00:00 2001
From: HesterG <hestergong@gmail.com>
Date: Fri, 24 Feb 2023 22:29:49 +0800
Subject: [PATCH 73/81] Fix height for sticky head on large screen on PR page
 (#23111)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Right now on the PR 'File Change' Tab, the file title header sticky to
the top on large screens has wrong height, resulting in wrong ui
behavior when scrolling down. This PR is to fix this.

Before:

<img width="964" alt="截�2023-02-24 17 12 29"
src="https://user-images.githubusercontent.com/17645053/221140409-025c4a84-6bbe-4b5b-a13f-bd2b79063522.png">

After:
<img width="1430" alt="截�2023-02-24 21 10 12"
src="https://user-images.githubusercontent.com/17645053/221186750-0344d652-4610-4a90-a4c0-7f6269f950d6.png">
---
 web_src/less/_repository.less | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less
index 83e8e1f338..4862e30962 100644
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@@ -3269,17 +3269,9 @@ td.blob-excerpt {
 .ui.attached.header.diff-file-header {
   &.sticky-2nd-row {
     position: sticky;
-    top: 46px;
+    top: 77px;
     z-index: 7;
-
-    @media @mediaMd {
-      top: 77px;
-    }
-
-    @media @mediaSm {
-      top: 77px;
-    }
-
+    
     @media (max-width: 480px) {
       position: static;
     }

From e77528baed9bcb8100047280515e5af6656680f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?W=C3=81NG=20Xu=C4=9Bru=C3=AC?=
 <1175567+xen0n@users.noreply.github.com>
Date: Fri, 24 Feb 2023 23:45:28 +0800
Subject: [PATCH 74/81] Bump go.etcd.io/bbolt and blevesearch deps (#23062)

This notably brings support for GOARCH=loong64, among other fixes.

---------

Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
Co-authored-by: zeripath <art27@cantab.net>
---
 go.mod | 10 +++++-----
 go.sum | 23 ++++++++++-------------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index c97c52a077..5440624ca0 100644
--- a/go.mod
+++ b/go.mod
@@ -129,7 +129,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230109192245-7efeeb08f296 // indirect
-	github.com/RoaringBitmap/roaring v1.2.1 // indirect
+	github.com/RoaringBitmap/roaring v1.2.3 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/andybalholm/cascadia v1.3.1 // indirect
@@ -137,9 +137,9 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.3.3 // indirect
+	github.com/bits-and-blooms/bitset v1.5.0 // indirect
 	github.com/blevesearch/bleve_index_api v1.0.5 // indirect
-	github.com/blevesearch/geo v0.1.16 // indirect
+	github.com/blevesearch/geo v0.1.17 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
@@ -152,7 +152,7 @@ require (
 	github.com/blevesearch/zapx/v12 v12.3.7 // indirect
 	github.com/blevesearch/zapx/v13 v13.3.7 // indirect
 	github.com/blevesearch/zapx/v14 v14.3.7 // indirect
-	github.com/blevesearch/zapx/v15 v15.3.8 // indirect
+	github.com/blevesearch/zapx/v15 v15.3.9 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
@@ -265,7 +265,7 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
+	go.etcd.io/bbolt v1.3.7 // indirect
 	go.mongodb.org/mongo-driver v1.10.1 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
diff --git a/go.sum b/go.sum
index e365ba757d..ec2502fe04 100644
--- a/go.sum
+++ b/go.sum
@@ -123,8 +123,8 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/RoaringBitmap/roaring v0.4.23/go.mod h1:D0gp8kJQgE1A4LQ5wFLggQEyvDi06Mq5mKs52e1TwOo=
 github.com/RoaringBitmap/roaring v0.7.1/go.mod h1:jdT9ykXwHFNdJbEtxePexlFYH9LXucApeS0/+/g+p1I=
-github.com/RoaringBitmap/roaring v1.2.1 h1:58/LJlg/81wfEHd5L9qsHduznOIhyv4qb1yWcSvVq9A=
-github.com/RoaringBitmap/roaring v1.2.1/go.mod h1:icnadbWcNyfEHlYdr+tDlOTih1Bf/h+rzPpv4sbomAA=
+github.com/RoaringBitmap/roaring v1.2.3 h1:yqreLINqIrX22ErkKI0vY47/ivtJr6n+kMhVOVmhWBY=
+github.com/RoaringBitmap/roaring v1.2.3/go.mod h1:plvDsJQpxOC5bw8LRteu/MLWHsHez/3y6cubLI4/1yE=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
@@ -176,16 +176,16 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bits-and-blooms/bitset v1.1.10/go.mod h1:w0XsmFg8qg6cmpTtJ0z3pKgjTDBMMnI/+I2syrE6XBE=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
-github.com/bits-and-blooms/bitset v1.3.3 h1:R1XWiopGiXf66xygsiLpzLo67xEYvMkHw3w+rCOSAwg=
-github.com/bits-and-blooms/bitset v1.3.3/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
+github.com/bits-and-blooms/bitset v1.5.0 h1:NpE8frKRLGHIcEzkR+gZhiioW1+WbYV6fKwD6ZIpQT8=
+github.com/bits-and-blooms/bitset v1.5.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/blevesearch/bleve/v2 v2.0.5/go.mod h1:ZjWibgnbRX33c+vBRgla9QhPb4QOjD6fdVJ+R1Bk8LM=
 github.com/blevesearch/bleve/v2 v2.3.6 h1:NlntUHcV5CSWIhpugx4d/BRMGCiaoI8ZZXrXlahzNq4=
 github.com/blevesearch/bleve/v2 v2.3.6/go.mod h1:JM2legf1cKVkdV8Ehu7msKIOKC0McSw0Q16Fmv9vsW4=
 github.com/blevesearch/bleve_index_api v1.0.0/go.mod h1:fiwKS0xLEm+gBRgv5mumf0dhgFr2mDgZah1pqv1c1M4=
 github.com/blevesearch/bleve_index_api v1.0.5 h1:Lc986kpC4Z0/n1g3gg8ul7H+lxgOQPcXb9SxvQGu+tw=
 github.com/blevesearch/bleve_index_api v1.0.5/go.mod h1:YXMDwaXFFXwncRS8UobWs7nvo0DmusriM1nztTlj1ms=
-github.com/blevesearch/geo v0.1.16 h1:unVaqUmlwprk56596OQRkGjtq1VZ8XFWSARj+h2cIBY=
-github.com/blevesearch/geo v0.1.16/go.mod h1:a1OlySNE+oDQ5qY0vJGYNoLIsMpbKbx8dnmuRP8D7H0=
+github.com/blevesearch/geo v0.1.17 h1:AguzI6/5mHXapzB0gE9IKWo+wWPHZmXZoscHcjFgAFA=
+github.com/blevesearch/geo v0.1.17/go.mod h1:uRMGWG0HJYfWfFJpK3zTdnnr1K+ksZTuWKhXeSokfnM=
 github.com/blevesearch/go-porterstemmer v1.0.3 h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
 github.com/blevesearch/go-porterstemmer v1.0.3/go.mod h1:angGc5Ht+k2xhJdZi511LtmxuEf0OVpvUUNrwmM1P7M=
 github.com/blevesearch/gtreap v0.1.1 h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
@@ -221,8 +221,8 @@ github.com/blevesearch/zapx/v14 v14.2.0/go.mod h1:GNgZusc1p4ot040cBQMRGEZobvwjCq
 github.com/blevesearch/zapx/v14 v14.3.7 h1:gfe+fbWslDWP/evHLtp/GOvmNM3sw1BbqD7LhycBX20=
 github.com/blevesearch/zapx/v14 v14.3.7/go.mod h1:9J/RbOkqZ1KSjmkOes03AkETX7hrXT0sFMpWH4ewC4w=
 github.com/blevesearch/zapx/v15 v15.2.0/go.mod h1:MmQceLpWfME4n1WrBFIwplhWmaQbQqLQARpaKUEOs/A=
-github.com/blevesearch/zapx/v15 v15.3.8 h1:q4uMngBHzL1IIhRc8AJUEkj6dGOE3u1l3phLu7hq8uk=
-github.com/blevesearch/zapx/v15 v15.3.8/go.mod h1:m7Y6m8soYUvS7MjN9eKlz1xrLCcmqfFadmu7GhWIrLY=
+github.com/blevesearch/zapx/v15 v15.3.9 h1:/s9zqKxFaZKQTTcMO2b/Tup0ch5MSztlvw+frVDfIBk=
+github.com/blevesearch/zapx/v15 v15.3.9/go.mod h1:m7Y6m8soYUvS7MjN9eKlz1xrLCcmqfFadmu7GhWIrLY=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -604,7 +604,6 @@ github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51B
 github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
 github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -796,7 +795,6 @@ github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v0.0.0-20171115153421-f7279a603ede/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -1285,8 +1283,8 @@ github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wK
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
-go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
+go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
+go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
 go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
@@ -1557,7 +1555,6 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

From 9eb61b77acecfb8702dfee287690c4b7329e60fc Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Sat, 25 Feb 2023 01:56:41 +0900
Subject: [PATCH 75/81] Redirect to the commit page after applying patch
 (#23056)

Fixes https://github.com/go-gitea/gitea/issues/22621
---
 routers/web/repo/patch.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/routers/web/repo/patch.go b/routers/web/repo/patch.go
index 0ffec0c4ea..efb4662496 100644
--- a/routers/web/repo/patch.go
+++ b/routers/web/repo/patch.go
@@ -27,8 +27,6 @@ func NewDiffPatch(ctx *context.Context) {
 
 	ctx.Data["PageIsPatch"] = true
 
-	ctx.Data["TreePath"] = ""
-
 	ctx.Data["commit_summary"] = ""
 	ctx.Data["commit_message"] = ""
 	if canCommit {
@@ -54,7 +52,6 @@ func NewDiffPatchPost(ctx *context.Context) {
 		branchName = form.NewBranchName
 	}
 	ctx.Data["PageIsPatch"] = true
-	ctx.Data["TreePath"] = ""
 	ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
 	ctx.Data["FileContent"] = form.Content
 	ctx.Data["commit_summary"] = form.CommitSummary
@@ -89,13 +86,14 @@ func NewDiffPatchPost(ctx *context.Context) {
 		message += "\n\n" + form.CommitMessage
 	}
 
-	if _, err := files.ApplyDiffPatch(ctx, ctx.Repo.Repository, ctx.Doer, &files.ApplyDiffPatchOptions{
+	fileResponse, err := files.ApplyDiffPatch(ctx, ctx.Repo.Repository, ctx.Doer, &files.ApplyDiffPatchOptions{
 		LastCommitID: form.LastCommit,
 		OldBranch:    ctx.Repo.BranchName,
 		NewBranch:    branchName,
 		Message:      message,
 		Content:      strings.ReplaceAll(form.Content, "\r", ""),
-	}); err != nil {
+	})
+	if err != nil {
 		if models.IsErrBranchAlreadyExists(err) {
 			// User has specified a branch that already exists
 			branchErr := err.(models.ErrBranchAlreadyExists)
@@ -114,6 +112,6 @@ func NewDiffPatchPost(ctx *context.Context) {
 	if form.CommitChoice == frmCommitChoiceNewBranch && ctx.Repo.Repository.UnitEnabled(ctx, unit.TypePullRequests) {
 		ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + util.PathEscapeSegments(ctx.Repo.BranchName) + "..." + util.PathEscapeSegments(form.NewBranchName))
 	} else {
-		ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName) + "/" + util.PathEscapeSegments(form.TreePath))
+		ctx.Redirect(ctx.Repo.RepoLink + "/commit/" + fileResponse.Commit.SHA)
 	}
 }

From 347df0cbf0f8aa7ce4714b818a61e423cd47f398 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Sat, 25 Feb 2023 03:11:31 +0800
Subject: [PATCH 76/81] Show empty repos in Admin Repository Management page
 (#23114)

The **Admin Repository Management** page and the **Explore Repository**
page both use the `RenderRepoSearch` function. In this function, the
`OnlyShowRelevant` search option is `true` when querying repositories
for admin page.


https://github.com/go-gitea/gitea/blob/edf98a2dc30956c8e04b778bb7f1ce55c14ba963/routers/web/explore/repo.go#L99-L115

Refer to
[#19361](https://github.com/go-gitea/gitea/pull/19361/files#diff-8058dfb85557010e0592d586675ec62ce406af7068e6311f39c160deac37f149R497),
the repositories with `is_empty=true` will be hidden if
`OnlyShowRelevant` is `true`.

Administrators should be able to see all repositories. So
`OnlyShowRelevant` shouldn't be set to `true` .

---------

Co-authored-by: Andrew Thornton <art27@cantab.net>
---
 routers/web/admin/repos.go  |  7 ++++---
 routers/web/explore/repo.go | 37 +++++++++++++++++++------------------
 2 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/routers/web/admin/repos.go b/routers/web/admin/repos.go
index dc5432c549..1c4754f6d8 100644
--- a/routers/web/admin/repos.go
+++ b/routers/web/admin/repos.go
@@ -33,9 +33,10 @@ func Repos(ctx *context.Context) {
 	ctx.Data["PageIsAdminRepositories"] = true
 
 	explore.RenderRepoSearch(ctx, &explore.RepoSearchOptions{
-		Private:  true,
-		PageSize: setting.UI.Admin.RepoPagingNum,
-		TplName:  tplRepos,
+		Private:          true,
+		PageSize:         setting.UI.Admin.RepoPagingNum,
+		TplName:          tplRepos,
+		OnlyShowRelevant: false,
 	})
 }
 
diff --git a/routers/web/explore/repo.go b/routers/web/explore/repo.go
index e9684dd286..058971b9b8 100644
--- a/routers/web/explore/repo.go
+++ b/routers/web/explore/repo.go
@@ -23,14 +23,17 @@ const (
 
 // RepoSearchOptions when calling search repositories
 type RepoSearchOptions struct {
-	OwnerID    int64
-	Private    bool
-	Restricted bool
-	PageSize   int
-	TplName    base.TplName
+	OwnerID          int64
+	Private          bool
+	Restricted       bool
+	PageSize         int
+	OnlyShowRelevant bool
+	TplName          base.TplName
 }
 
 // RenderRepoSearch render repositories search page
+// This function is also used to render the Admin Repository Management page.
+// The isAdmin param should be set to true when rendering the Admin page.
 func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 	// Sitemap index for sitemap paths
 	page := int(ctx.ParamsInt64("idx"))
@@ -48,11 +51,10 @@ func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 	}
 
 	var (
-		repos            []*repo_model.Repository
-		count            int64
-		err              error
-		orderBy          db.SearchOrderBy
-		onlyShowRelevant bool
+		repos   []*repo_model.Repository
+		count   int64
+		err     error
+		orderBy db.SearchOrderBy
 	)
 
 	ctx.Data["SortType"] = ctx.FormString("sort")
@@ -84,11 +86,9 @@ func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 		orderBy = db.SearchOrderByRecentUpdated
 	}
 
-	onlyShowRelevant = !ctx.FormBool(relevantReposOnlyParam)
-
 	keyword := ctx.FormTrim("q")
 
-	ctx.Data["OnlyShowRelevant"] = onlyShowRelevant
+	ctx.Data["OnlyShowRelevant"] = opts.OnlyShowRelevant
 
 	topicOnly := ctx.FormBool("topic")
 	ctx.Data["TopicOnly"] = topicOnly
@@ -111,7 +111,7 @@ func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 		TopicOnly:          topicOnly,
 		Language:           language,
 		IncludeDescription: setting.UI.SearchRepoDescription,
-		OnlyShowRelevant:   onlyShowRelevant,
+		OnlyShowRelevant:   opts.OnlyShowRelevant,
 	})
 	if err != nil {
 		ctx.ServerError("SearchRepository", err)
@@ -158,9 +158,10 @@ func Repos(ctx *context.Context) {
 	}
 
 	RenderRepoSearch(ctx, &RepoSearchOptions{
-		PageSize: setting.UI.ExplorePagingNum,
-		OwnerID:  ownerID,
-		Private:  ctx.Doer != nil,
-		TplName:  tplExploreRepos,
+		PageSize:         setting.UI.ExplorePagingNum,
+		OwnerID:          ownerID,
+		Private:          ctx.Doer != nil,
+		TplName:          tplExploreRepos,
+		OnlyShowRelevant: !ctx.FormBool(relevantReposOnlyParam),
 	})
 }

From 740a5ecdd925aec8dcea3e73da07868f70cdacac Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 24 Feb 2023 20:18:49 +0000
Subject: [PATCH 77/81] Update go.mod dependencies (#23126)

This PR does a bulk update of a lot of our go deps.

I have not included nektos/act and xorm for the following reasons:
* Xorm updates can sometimes be complex and I'd rather do that in a
separate PR
* I think people more update with the actions code should double check
that the latest nektos/act library works correctly.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 Makefile                |   2 +-
 assets/go-licenses.json |   2 +-
 go.mod                  |  91 +++++-----
 go.sum                  | 383 ++++++++++------------------------------
 4 files changed, 144 insertions(+), 334 deletions(-)

diff --git a/Makefile b/Makefile
index 717d7cafc6..3a590559d1 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.4.0
 GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
 MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.3
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.4
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.5.0
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index e78e7968ac..c94d276fd6 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -932,7 +932,7 @@
   {
     "name": "github.com/urfave/cli",
     "path": "github.com/urfave/cli/LICENSE",
-    "licenseText": "MIT License\n\nCopyright (c) 2016 Jeremy Saenz \u0026 Contributors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
+    "licenseText": "MIT License\n\nCopyright (c) 2023 Jeremy Saenz \u0026 Contributors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
   },
   {
     "name": "github.com/valyala/fastjson",
diff --git a/go.mod b/go.mod
index 5440624ca0..7404b497b7 100644
--- a/go.mod
+++ b/go.mod
@@ -16,18 +16,18 @@ require (
 	github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/PuerkitoBio/goquery v1.8.0
-	github.com/alecthomas/chroma/v2 v2.4.0
+	github.com/alecthomas/chroma/v2 v2.5.0
 	github.com/blevesearch/bleve/v2 v2.3.6
 	github.com/bufbuild/connect-go v1.3.1
 	github.com/buildkite/terminal-to-html/v3 v3.7.0
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/chi-middleware/proxy v1.1.1
-	github.com/denisenkom/go-mssqldb v0.12.2
+	github.com/denisenkom/go-mssqldb v0.12.3
 	github.com/dimiro1/reply v0.0.0-20200315094148-d0136a4c9e21
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
-	github.com/dustin/go-humanize v1.0.0
+	github.com/dustin/go-humanize v1.0.1
 	github.com/editorconfig/editorconfig-core-go/v2 v2.5.1
 	github.com/emersion/go-imap v1.2.1
 	github.com/emirpasic/gods v1.18.1
@@ -35,27 +35,27 @@ require (
 	github.com/felixge/fgprof v0.9.3
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/gliderlabs/ssh v0.3.5
-	github.com/go-ap/activitypub v0.0.0-20221209114049-1ceafda50f9f
+	github.com/go-ap/activitypub v0.0.0-20230218112952-bfb607b04799
 	github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/go-chi/cors v1.2.1
 	github.com/go-enry/go-enry/v2 v2.8.3
 	github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e
-	github.com/go-git/go-billy/v5 v5.4.0
+	github.com/go-git/go-billy/v5 v5.4.1
 	github.com/go-git/go-git/v5 v5.5.2
 	github.com/go-ldap/ldap/v3 v3.4.4
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/go-sql-driver/mysql v1.7.0
-	github.com/go-swagger/go-swagger v0.30.3
+	github.com/go-swagger/go-swagger v0.30.4
 	github.com/go-testfixtures/testfixtures/v3 v3.8.1
-	github.com/go-webauthn/webauthn v0.6.0
+	github.com/go-webauthn/webauthn v0.8.1
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang-jwt/jwt/v4 v4.4.3
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/go-github/v45 v45.2.0
-	github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b
+	github.com/google/pprof v0.0.0-20230222194610-99052d3372e7
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/feeds v1.1.1
 	github.com/gorilla/sessions v1.2.1
@@ -67,15 +67,15 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
-	github.com/klauspost/compress v1.15.14
-	github.com/klauspost/cpuid/v2 v2.2.3
+	github.com/klauspost/compress v1.15.15
+	github.com/klauspost/cpuid/v2 v2.2.4
 	github.com/lib/pq v1.10.7
 	github.com/markbates/goth v1.76.0
 	github.com/mattn/go-isatty v0.0.17
 	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/mholt/archiver/v3 v3.5.1
-	github.com/microcosm-cc/bluemonday v1.0.21
-	github.com/minio/minio-go/v7 v7.0.46
+	github.com/microcosm-cc/bluemonday v1.0.22
+	github.com/minio/minio-go/v7 v7.0.49
 	github.com/minio/sha256-simd v1.0.0
 	github.com/msteinert/pam v1.1.0
 	github.com/nektos/act v0.0.0
@@ -89,27 +89,27 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/quasoft/websspi v1.1.2
-	github.com/santhosh-tekuri/jsonschema/v5 v5.1.1
-	github.com/sergi/go-diff v1.2.0
+	github.com/santhosh-tekuri/jsonschema/v5 v5.2.0
+	github.com/sergi/go-diff v1.3.1
 	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546
 	github.com/stretchr/testify v1.8.1
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/tstranex/u2f v1.0.0
 	github.com/unrolled/render v1.5.0
-	github.com/urfave/cli v1.22.10
-	github.com/xanzy/go-gitlab v0.78.0
+	github.com/urfave/cli v1.22.12
+	github.com/xanzy/go-gitlab v0.80.2
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/yohcop/openid-go v1.0.0
-	github.com/yuin/goldmark v1.5.3
+	github.com/yuin/goldmark v1.5.4
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87
 	github.com/yuin/goldmark-meta v1.1.0
-	golang.org/x/crypto v0.4.0
+	golang.org/x/crypto v0.6.0
 	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.3.0
+	golang.org/x/oauth2 v0.5.0
 	golang.org/x/sys v0.5.0
 	golang.org/x/text v0.7.0
-	golang.org/x/tools v0.1.12
-	google.golang.org/grpc v1.47.0
+	golang.org/x/tools v0.6.0
+	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
@@ -121,17 +121,18 @@ require (
 )
 
 require (
-	cloud.google.com/go/compute v1.7.0 // indirect
+	cloud.google.com/go/compute v1.18.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230109192245-7efeeb08f296 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 	github.com/RoaringBitmap/roaring v1.2.3 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/andybalholm/cascadia v1.3.1 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
@@ -156,15 +157,15 @@ require (
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/cloudflare/circl v1.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cloudflare/circl v1.3.2 // indirect
 	github.com/couchbase/go-couchbase v0.0.0-20210224140812-5740cd35f448 // indirect
 	github.com/couchbase/gomemcached v0.1.2 // indirect
 	github.com/couchbase/goutils v0.0.0-20210118111533-e33d3ffb5401 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/dlclark/regexp2 v1.7.0 // indirect
+	github.com/dlclark/regexp2 v1.8.1 // indirect
 	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
@@ -180,12 +181,12 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.24.1 // indirect
-	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/runtime v0.25.0 // indirect
+	github.com/go-openapi/spec v0.20.8 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-openapi/validate v0.22.0 // indirect
-	github.com/go-webauthn/revoke v0.1.6 // indirect
+	github.com/go-webauthn/revoke v0.1.9 // indirect
 	github.com/goccy/go-json v0.10.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
@@ -198,7 +199,7 @@ require (
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
@@ -209,7 +210,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.5 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
@@ -218,7 +219,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mholt/acmez v1.0.4 // indirect
+	github.com/mholt/acmez v1.1.0 // indirect
 	github.com/miekg/dns v1.1.50 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -232,7 +233,7 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.17 // indirect
 	github.com/pjbgf/sha1cd v0.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -240,7 +241,7 @@ require (
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rhysd/actionlint v1.6.22 // indirect
-	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/rs/xid v1.4.0 // indirect
@@ -249,13 +250,13 @@ require (
 	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skeema/knownhosts v1.1.0 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.12.0 // indirect
+	github.com/spf13/viper v1.14.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
-	github.com/subosito/gotenv v1.3.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/unknwon/com v1.0.1 // indirect
@@ -266,15 +267,15 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
-	go.mongodb.org/mongo-driver v1.10.1 // indirect
+	go.mongodb.org/mongo-driver v1.11.1 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 // indirect
+	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index ec2502fe04..3ba3fa7ab4 100644
--- a/go.sum
+++ b/go.sum
@@ -18,35 +18,18 @@ cloud.google.com/go v0.67.0/go.mod h1:YNan/mUhNZFrYUor0vqrsQ0Ffl7Xtm/ACOy/vsTS85
 cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
 cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
+cloud.google.com/go/compute v1.18.0 h1:FEigFqoDbys2cvFkZ9Fjq4gnHBP55anJ0yQyau2f9oY=
+cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -57,7 +40,6 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 code.gitea.io/actions-proto-go v0.2.0 h1:nYh9nhhfk67YA4wVNLsCzd//RCvXnljwXClJ33+HPVk=
 code.gitea.io/actions-proto-go v0.2.0/go.mod h1:00ys5QDo1iHN1tHNvvddAcy2W/g+425hQya1cCSvq9A=
 code.gitea.io/gitea-vet v0.2.1/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
@@ -99,15 +81,17 @@ github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzS
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Julusian/godocdown v0.0.0-20170816220326-6d19f8ff2df8/go.mod h1:INZr5t32rG59/5xeltqoCJoNY7e5x/3xoY9WSWVWg74=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
-github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@@ -115,8 +99,8 @@ github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cq
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
-github.com/ProtonMail/go-crypto v0.0.0-20230109192245-7efeeb08f296 h1:865LKksDklBvemmkvQ2TO6yArI12PChQJn9R/2S8ov0=
-github.com/ProtonMail/go-crypto v0.0.0-20230109192245-7efeeb08f296/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
 github.com/PuerkitoBio/goquery v1.8.0 h1:PJTF7AmFCFKk1N6V6jmKfrNH9tV5pNE6lZMkG0gta/U=
 github.com/PuerkitoBio/goquery v1.8.0/go.mod h1:ypIiRMtY7COPGk+I/YbZLbxsxn9g5ejnI2HSMtkjZvI=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
@@ -131,25 +115,24 @@ github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
-github.com/alecthomas/assert/v2 v2.2.0 h1:f6L/b7KE2bfA+9O4FL3CM/xJccDEwPVYd5fALBiuwvw=
+github.com/alecthomas/assert/v2 v2.2.1 h1:XivOgYcduV98QCahG8T5XTezV5bylXe+lBxLG2K2ink=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.4.0 h1:Loe2ZjT5x3q1bcWwemqyqEi8p11/IV/ncFCeLYDpWC4=
-github.com/alecthomas/chroma/v2 v2.4.0/go.mod h1:6kHzqF5O6FUSJzBXW7fXELjb+e+7OXW4UpoPqMO7IBQ=
+github.com/alecthomas/chroma/v2 v2.5.0 h1:CQCdj1BiBV17sD4Bd32b/Bzuiq/EqoNTrnIhyQAZ+Rk=
+github.com/alecthomas/chroma/v2 v2.5.0/go.mod h1:yrkMI9807G1ROx13fhe1v6PN2DDeaR73L3d+1nmYQtw=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
-github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
+github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
-github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
+github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/andybalholm/cascadia v1.3.1 h1:nhxRkql1kdYCc8Snf7D5/D3spOX+dBgjA6u8x004T2c=
 github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -168,7 +151,6 @@ github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZw
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -234,7 +216,6 @@ github.com/bufbuild/connect-go v1.3.1/go.mod h1:9iNvh/NOsfhNBUH5CtvXeVUskQO1xsrE
 github.com/buildkite/terminal-to-html/v3 v3.7.0 h1:chdLUSpiOj/A4v3dzxyOqixXI6aw7IDA6Dk77FXsvNU=
 github.com/buildkite/terminal-to-html/v3 v3.7.0/go.mod h1:g0ME1XqbkBSgXR9YmlIHcJIjzaMyWW+HbsG0rPb5puo=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/bwesterb/go-ristretto v1.2.1/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/caddyserver/certmagic v0.17.2 h1:o30seC1T/dBqBCNNGNHWwj2i5/I/FMjBbTAhjADP3nE=
 github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwMwSf4bdhkIxtdQE=
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
@@ -244,8 +225,9 @@ github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chi-middleware/proxy v1.1.1 h1:4HaXUp8o2+bhHr1OhVy+VjN0+L7/07JDcn6v7YrTjrQ=
 github.com/chi-middleware/proxy v1.1.1/go.mod h1:jQwMEJct2tz9VmtCELxvnXoMfa+SOdikvbVJVHv/M+0=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -254,17 +236,11 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.2.0 h1:NheeISPSUcYftKlfrLuOo4T62FkmD4t4jviLfFFYaec=
-github.com/cloudflare/circl v1.2.0/go.mod h1:Ch2UgYr6ti2KTtlejELlROl0YIYj7SLjAC8M+INXlMk=
+github.com/cloudflare/circl v1.3.2 h1:VWp8dY3yH69fdM7lM6A1+NhhVoDu9vqK0jOgmkQHFWk=
+github.com/cloudflare/circl v1.3.2/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
@@ -302,8 +278,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/denisenkom/go-mssqldb v0.10.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
-github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw=
-github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk=
+github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw=
+github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@@ -317,16 +293,17 @@ github.com/djherbis/nio/v3 v3.0.1 h1:6wxhnuppteMa6RHA4L81Dq7ThkZH8SwnDzXDYy95vB4
 github.com/djherbis/nio/v3 v3.0.1/go.mod h1:Ng4h80pbZFMla1yKzm61cF0tqqilXZYrogmWgZxOcmg=
 github.com/dlclark/regexp2 v1.2.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/dlclark/regexp2 v1.7.0 h1:7lJfhqlPssTb1WQx4yvTHN0uElPEv52sbaECrAQxjAo=
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.8.1 h1:6Lcdwya6GjPUNsBct8Lg/yRPwMhABj269AAzdGSiR+0=
+github.com/dlclark/regexp2 v1.8.1/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY=
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/dvyukov/go-fuzz v0.0.0-20210429054444-fca39067bc72/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
@@ -349,10 +326,6 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ethantkoenig/rupture v1.0.1 h1:6aAXghmvtnngMgQzy7SMGdicMvkV86V4n9fT0meE5E4=
 github.com/ethantkoenig/rupture v1.0.1/go.mod h1:Sjqo/nbffZp1pVVXNGhpugIjsWmuS9KiIB4GtpEBur4=
@@ -379,8 +352,8 @@ github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
 github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/glycerine/go-unsnap-stream v0.0.0-20181221182339-f9677308dec2/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE=
 github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24=
-github.com/go-ap/activitypub v0.0.0-20221209114049-1ceafda50f9f h1:UV5kupaU8AP8g8Bbsn53q87XCufW/E8wvnTHDKqjoR4=
-github.com/go-ap/activitypub v0.0.0-20221209114049-1ceafda50f9f/go.mod h1:1oVD0h0aPT3OEE1ZoSUoym/UGKzxe+e0y8K2AkQ1Hqs=
+github.com/go-ap/activitypub v0.0.0-20230218112952-bfb607b04799 h1:zVZaYt1h4yWL7uRHvq2StewCu4ObtS+ws9gGgoZJ+2s=
+github.com/go-ap/activitypub v0.0.0-20230218112952-bfb607b04799/go.mod h1:1oVD0h0aPT3OEE1ZoSUoym/UGKzxe+e0y8K2AkQ1Hqs=
 github.com/go-ap/errors v0.0.0-20221205040414-01c1adfc98ea h1:ywGtLGVjJjMrq4mu35Qmu+NtlhlTk/gTayE6Bb4tQZk=
 github.com/go-ap/errors v0.0.0-20221205040414-01c1adfc98ea/go.mod h1:SaTNjEEkp0q+w3pUS1ccyEL/lUrHteORlDq/e21mCc8=
 github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73 h1:GMKIYXyXPGIp+hYiWOhfqK4A023HdgisDT4YGgf99mw=
@@ -402,8 +375,9 @@ github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e/go.mod h1:RCMrTZv
 github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
 github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
 github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-billy/v5 v5.4.0 h1:Vaw7LaSTRJOUric7pe4vnzBSgyuf2KrLsu2Y4ZpQBDE=
 github.com/go-git/go-billy/v5 v5.4.0/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg=
+github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4=
+github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg=
 github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlKnXHuzrfjTQ=
 github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
 github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw=
@@ -443,15 +417,14 @@ github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXym
 github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g=
 github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro=
 github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw=
-github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo=
-github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk=
+github.com/go-openapi/runtime v0.25.0 h1:7yQTCdRbWhX8vnIjdzU8S00tBYf7Sg71EBeorlPHvhc=
+github.com/go-openapi/runtime v0.25.0/go.mod h1:Ux6fikcHXyyob6LNWxtE96hWwjBPYF0DXgVFuMTneOs=
 github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I=
 github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
-github.com/go-openapi/spec v0.20.7 h1:1Rlu/ZrOCCob0n+JKKJAWhNWMPW8bOZRg8FJaY+0SKI=
-github.com/go-openapi/spec v0.20.7/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/spec v0.20.8 h1:ubHmXNY3FCIOinT8RNrrPfGc9t7I1qhPtdOGoG2AxRU=
+github.com/go-openapi/spec v0.20.8/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg=
 github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
-github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
@@ -459,7 +432,6 @@ github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-openapi/validate v0.22.0 h1:b0QecH6VslW/TxtpKgzpO1SNG7GU2FsaqKdP1E2T50Y=
 github.com/go-openapi/validate v0.22.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-redis/redis v6.15.2+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
@@ -472,18 +444,17 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
-github.com/go-swagger/go-swagger v0.30.3 h1:HuzvdMRed/9Q8vmzVcfNBQByZVtT79DNZxZ18OprdoI=
-github.com/go-swagger/go-swagger v0.30.3/go.mod h1:neDPes8r8PCz2JPvHRDj8BTULLh4VJUt7n6MpQqxhHM=
+github.com/go-swagger/go-swagger v0.30.4 h1:cPrWLSXY6ZdcgfRicOj0lANg72TkTHz6uv/OlUdzO5U=
+github.com/go-swagger/go-swagger v0.30.4/go.mod h1:YM5D5kR9c1ft3ynMXvDk2uo/7UZHKFEqKXcAL9f4Phc=
 github.com/go-swagger/scan-repo-boundary v0.0.0-20180623220736-973b3573c013 h1:l9rI6sNaZgNC0LnF3MiE+qTmyBA/tZAg1rtyrGbUMK0=
 github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M=
 github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
 github.com/go-testfixtures/testfixtures/v3 v3.8.1 h1:uonwvepqRvSgddcrReZQhojTlWlmOlHkYAb9ZaOMWgU=
 github.com/go-testfixtures/testfixtures/v3 v3.8.1/go.mod h1:Kdu7YeMC0KRXVHdaQ91Vmx3pcjoTF63h4f1qTJDdXLA=
-github.com/go-webauthn/revoke v0.1.6 h1:3tv+itza9WpX5tryRQx4GwxCCBrCIiJ8GIkOhxiAmmU=
-github.com/go-webauthn/revoke v0.1.6/go.mod h1:TB4wuW4tPlwgF3znujA96F70/YSQXHPPWl7vgY09Iy8=
-github.com/go-webauthn/webauthn v0.6.0 h1:uLInMApSvBfP+vEFasNE0rnVPG++fjp7lmAIvNhe+UU=
-github.com/go-webauthn/webauthn v0.6.0/go.mod h1:7edMRZXwuM6JIVjN68G24Bzt+bPCvTmjiL0j+cAmXtY=
+github.com/go-webauthn/revoke v0.1.9 h1:gSJ1ckA9VaKA2GN4Ukp+kiGTk1/EXtaDb1YE8RknbS0=
+github.com/go-webauthn/revoke v0.1.9/go.mod h1:j6WKPnv0HovtEs++paan9g3ar46gm1NarktkXBaPR+w=
+github.com/go-webauthn/webauthn v0.8.1 h1:Yv9yOxEhsJULGYLbDfEuQXtSu2RthLGzPPSN2DYdXG8=
+github.com/go-webauthn/webauthn v0.8.1/go.mod h1:22OJd+TV8oHrjjXmPHtcPR82lR/yR5m5ilGiF8yPFrE=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
 github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
 github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg=
@@ -527,8 +498,8 @@ github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JPCjlxoJd6K8ALZqSDDhk2ymieAZOVaDg0=
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
@@ -549,8 +520,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -566,13 +535,11 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -588,9 +555,6 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI=
@@ -607,7 +571,6 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -619,29 +582,17 @@ github.com/google/pprof v0.0.0-20200905233945-acf8798be1f7/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
-github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b h1:8htHrh2bw9c7Idkb7YNac+ZpTqLMjRpI+FWu51ltaQc=
-github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
+github.com/google/pprof v0.0.0-20230222194610-99052d3372e7 h1:pNFnpaSXfibgW7aUbk9pwLmI7LNwh/iR46x/YwN/lNg=
+github.com/google/pprof v0.0.0-20230222194610-99052d3372e7/go.mod h1:uglQLonpP8qtYCYyzA+8c/9qtqgA3qsXGYqCPKARAFg=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -674,11 +625,11 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
@@ -709,7 +660,7 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
 github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
@@ -822,13 +773,13 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.15.14 h1:i7WCKDToww0wA+9qrUZ1xOjp218vfFo3nTU6UHp+gOc=
-github.com/klauspost/compress v1.15.14/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
+github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
-github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk=
+github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
 github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kljensen/snowball v0.6.0/go.mod h1:27N7E8fVU5H68RlUmnWwZCfxgt4POBJfENGMvNRhldw=
@@ -839,8 +790,8 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -913,19 +864,19 @@ github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwp
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/acmez v1.0.4 h1:N3cE4Pek+dSolbsofIkAYz6H1d3pE+2G0os7QHslf80=
-github.com/mholt/acmez v1.0.4/go.mod h1:qFGLZ4u+ehWINeJZjzPlsnjJBCPAADWTcIqE/7DAYQY=
+github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY=
+github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs=
 github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo=
 github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
-github.com/microcosm-cc/bluemonday v1.0.21 h1:dNH3e4PSyE4vNX+KlRGHT5KrSvjeUkoNPwEORjffHJg=
-github.com/microcosm-cc/bluemonday v1.0.21/go.mod h1:ytNkv4RrDrLJ2pqlsSI46O6IVXmZOBBD4SaJyDwwTkM=
+github.com/microcosm-cc/bluemonday v1.0.22 h1:p2tT7RNzRdCi0qmwxG+HbqD6ILkmwter1ZwVZn1oTxA=
+github.com/microcosm-cc/bluemonday v1.0.22/go.mod h1:ytNkv4RrDrLJ2pqlsSI46O6IVXmZOBBD4SaJyDwwTkM=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.46 h1:Vo3tNmNXuj7ME5qrvN4iadO7b4mzu/RSFdUkUhaPldk=
-github.com/minio/minio-go/v7 v7.0.46/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw=
+github.com/minio/minio-go/v7 v7.0.49 h1:dE5DfOtnXMXCjr/HWI6zN9vCrY6Sv666qhhiwUMvGV4=
+github.com/minio/minio-go/v7 v7.0.49/go.mod h1:UI34MvQEiob3Cf/gGExGMmzugkM/tNgbFypNDy5LMVc=
 github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
 github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -941,7 +892,6 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@@ -1015,7 +965,6 @@ github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go
 github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
@@ -1028,8 +977,8 @@ github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAv
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU=
-github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
+github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
+github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
 github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
 github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc=
@@ -1101,17 +1050,15 @@ github.com/rhysd/actionlint v1.6.22 h1:cAEf2PGNwJXhdcTVF2xS/0ORqWS+ueUHwjQYsqFsG
 github.com/rhysd/actionlint v1.6.22/go.mod h1:gIKOdxtV40mBOcD0ZR8EBa8NqjEXToAZioroS3oedMg=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
-github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
+github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robertkrimen/godocdown v0.0.0-20130622164427-0bfa04905481/go.mod h1:C9WhFzY47SzYBIvzFqSvHIR6ROgDo4TtdTuRaOMjF/s=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
@@ -1126,12 +1073,12 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
-github.com/santhosh-tekuri/jsonschema/v5 v5.1.1 h1:lEOLY2vyGIqKWUI9nzsOJRV3mb3WC9dXYORsLEUcoeY=
-github.com/santhosh-tekuri/jsonschema/v5 v5.1.1/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0=
+github.com/santhosh-tekuri/jsonschema/v5 v5.2.0 h1:WCcC4vZDS1tYNxjWlwRJZQy28r8CMoggKnxNzxsVDMQ=
+github.com/santhosh-tekuri/jsonschema/v5 v5.2.0/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
-github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
 github.com/shopspring/decimal v0.0.0-20200227202807-02e2044944cc/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
@@ -1164,8 +1111,8 @@ github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4k
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.8.2 h1:xehSyVa0YnHWsJ49JFljMpg1HX19V6NDZ1fkm1Xznbo=
-github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo=
+github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw=
+github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
@@ -1182,8 +1129,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
-github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
-github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
+github.com/spf13/viper v1.14.0 h1:Rg7d3Lo706X9tHsJMUjdiwMpHB7W8WnSVOssIY+JElU=
+github.com/spf13/viper v1.14.0/go.mod h1:WT//axPky3FdvXHzGw33dNdXXXfFQqmEalje+egj8As=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stephens2424/writerset v1.0.2/go.mod h1:aS2JhsMn6eA7e82oNmW4rfsgAOp9COBTTl8mzkwADnc=
@@ -1207,8 +1154,8 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI=
-github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs=
+github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
+github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
@@ -1233,8 +1180,8 @@ github.com/unrolled/render v1.5.0 h1:uNTHMvVoI9pyyXfgoDHHycIqFONNY2p4eQR9ty+NsxM
 github.com/unrolled/render v1.5.0/go.mod h1:eLTosBkQqEPEk7pRfkCRApXd++lm++nCsVlFOHpeedw=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/urfave/cli v1.22.10 h1:p8Fspmz3iTctJstry1PYS3HVdllxnEzTEsgIgtxTrCk=
-github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
+github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
 github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
 github.com/valyala/fastjson v1.6.3/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
@@ -1242,8 +1189,8 @@ github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLr
 github.com/willf/bitset v1.1.10/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xanzy/go-gitlab v0.78.0 h1:8jUHfQVAprG04Av5g0PxVd3CNsZ5hCbojIax7Hba1mE=
-github.com/xanzy/go-gitlab v0.78.0/go.mod h1:DlByVTSXhPsJMYL6+cm8e8fTJjeBmhrXdC/yvkKKt6M=
+github.com/xanzy/go-gitlab v0.80.2 h1:CH1Q7NDklqZllox4ICVF4PwlhQGfPtE+w08Jsb74ZX0=
+github.com/xanzy/go-gitlab v0.80.2/go.mod h1:DlByVTSXhPsJMYL6+cm8e8fTJjeBmhrXdC/yvkKKt6M=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
@@ -1272,8 +1219,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/goldmark v1.5.3 h1:3HUJmBFbQW9fhQOzMgseU134xfi6hU+mjWywx5Ty+/M=
-github.com/yuin/goldmark v1.5.3/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yuin/goldmark v1.5.4 h1:2uY/xC0roWy8IBEGLgB1ywIoEJFGmRrX21YQcvGZzjU=
+github.com/yuin/goldmark v1.5.4/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87 h1:Py16JEzkSdKAtEFJjiaYLYBOWGXc1r/xHj/Q/5lA37k=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
 github.com/yuin/goldmark-meta v1.1.0 h1:pWw+JLHGZe8Rk0EGsMVssiNb/AaPMHfSRszZeUeiOUc=
@@ -1288,10 +1235,9 @@ go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
 go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
-go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY=
 go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8=
-go.mongodb.org/mongo-driver v1.10.1 h1:NujsPveKwHaWuKUer/ceo9DzEe7HIj1SlJ6uvXZG0S4=
-go.mongodb.org/mongo-driver v1.10.1/go.mod h1:z4XpeoU6w+9Vht+jAFyLgVrD+jGSQQe0+CBWFHNiHt8=
+go.mongodb.org/mongo-driver v1.11.1 h1:QP0znIRTuL0jf1oBQoAoM0C6ZJfBK4kx0Uumtv1A7w8=
+go.mongodb.org/mongo-driver v1.11.1/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1300,29 +1246,23 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/otel v0.14.0/go.mod h1:vH5xEuwy7Rts0GNtsCW3HYQoZDY+OmBJ6t1bFGGlxgw=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
 go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1340,24 +1280,21 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
-golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
+golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1381,7 +1318,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -1394,8 +1330,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1436,16 +1372,12 @@ golang.org/x/net v0.0.0-20200927032502-5d4f70055728/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20210501142056-aec3718b3fa0/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1453,11 +1385,6 @@ golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
@@ -1472,19 +1399,10 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8=
-golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk=
+golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
+golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1497,10 +1415,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde h1:ejfdSekXMDxDLbRrJMwUk6KnSLZ2McaUCVcIKM+N6jc=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1562,42 +1479,22 @@ golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210902050250-f475640dd07b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1696,23 +1593,16 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -1734,26 +1624,6 @@ google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ
 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1787,7 +1657,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
@@ -1801,51 +1670,9 @@ google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 h1:4SPz2GL2CXJt28MTF8V6Ap/9ZiVbQlJeGSd9qtA7DLs=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 h1:znp6mq/drrY+6khTAlJUDNFFcDGV2ENLYKpMq8SyCds=
+google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
@@ -1865,26 +1692,11 @@ google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
+google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1897,8 +1709,6 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
@@ -1929,7 +1739,6 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

From f4920c9c7f5947d3b6476610f39bc3492ab4ef3b Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Fri, 24 Feb 2023 22:15:10 +0100
Subject: [PATCH 78/81] Add pagination for dashboard and user activity feeds
 (#22937)

Previously only the last few activities where available. This works for
all activity and for activity on a date chosen on the heatmap.
---
 models/activities/action.go               | 16 +++++------
 models/activities/action_test.go          | 27 ++++++++++++------
 models/activities/user_heatmap_test.go    |  3 +-
 routers/web/feed/profile.go               |  2 +-
 routers/web/feed/repo.go                  |  2 +-
 routers/web/user/home.go                  | 25 +++++++++++++++--
 routers/web/user/profile.go               | 34 +++++++++++++++++------
 templates/user/dashboard/feeds.tmpl       |  2 ++
 web_src/js/components/ActivityHeatmap.vue |  2 ++
 9 files changed, 81 insertions(+), 32 deletions(-)

diff --git a/models/activities/action.go b/models/activities/action.go
index 2e845bf89e..1412d2c051 100644
--- a/models/activities/action.go
+++ b/models/activities/action.go
@@ -380,14 +380,14 @@ type GetFeedsOptions struct {
 }
 
 // GetFeeds returns actions according to the provided options
-func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, error) {
+func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, int64, error) {
 	if opts.RequestedUser == nil && opts.RequestedTeam == nil && opts.RequestedRepo == nil {
-		return nil, fmt.Errorf("need at least one of these filters: RequestedUser, RequestedTeam, RequestedRepo")
+		return nil, 0, fmt.Errorf("need at least one of these filters: RequestedUser, RequestedTeam, RequestedRepo")
 	}
 
 	cond, err := activityQueryCondition(opts)
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 
 	sess := db.GetEngine(ctx).Where(cond).
@@ -398,16 +398,16 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, error) {
 	sess = db.SetSessionPagination(sess, &opts)
 
 	actions := make([]*Action, 0, opts.PageSize)
-
-	if err := sess.Desc("`action`.created_unix").Find(&actions); err != nil {
-		return nil, fmt.Errorf("Find: %w", err)
+	count, err := sess.Desc("`action`.created_unix").FindAndCount(&actions)
+	if err != nil {
+		return nil, 0, fmt.Errorf("FindAndCount: %w", err)
 	}
 
 	if err := ActionList(actions).loadAttributes(ctx); err != nil {
-		return nil, fmt.Errorf("LoadAttributes: %w", err)
+		return nil, 0, fmt.Errorf("LoadAttributes: %w", err)
 	}
 
-	return actions, nil
+	return actions, count, nil
 }
 
 // ActivityReadable return whether doer can read activities of user
diff --git a/models/activities/action_test.go b/models/activities/action_test.go
index f37e58f685..2fd86bb8f6 100644
--- a/models/activities/action_test.go
+++ b/models/activities/action_test.go
@@ -44,7 +44,7 @@ func TestGetFeeds(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
-	actions, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedUser:   user,
 		Actor:           user,
 		IncludePrivate:  true,
@@ -56,8 +56,9 @@ func TestGetFeeds(t *testing.T) {
 		assert.EqualValues(t, 1, actions[0].ID)
 		assert.EqualValues(t, user.ID, actions[0].UserID)
 	}
+	assert.Equal(t, int64(1), count)
 
-	actions, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedUser:   user,
 		Actor:           user,
 		IncludePrivate:  false,
@@ -65,6 +66,7 @@ func TestGetFeeds(t *testing.T) {
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 0)
+	assert.Equal(t, int64(0), count)
 }
 
 func TestGetFeedsForRepos(t *testing.T) {
@@ -74,38 +76,42 @@ func TestGetFeedsForRepos(t *testing.T) {
 	pubRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 8})
 
 	// private repo & no login
-	actions, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedRepo:  privRepo,
 		IncludePrivate: true,
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 0)
+	assert.Equal(t, int64(0), count)
 
 	// public repo & no login
-	actions, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedRepo:  pubRepo,
 		IncludePrivate: true,
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 1)
+	assert.Equal(t, int64(1), count)
 
 	// private repo and login
-	actions, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedRepo:  privRepo,
 		IncludePrivate: true,
 		Actor:          user,
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 1)
+	assert.Equal(t, int64(1), count)
 
 	// public repo & login
-	actions, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedRepo:  pubRepo,
 		IncludePrivate: true,
 		Actor:          user,
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 1)
+	assert.Equal(t, int64(1), count)
 }
 
 func TestGetFeeds2(t *testing.T) {
@@ -114,7 +120,7 @@ func TestGetFeeds2(t *testing.T) {
 	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
-	actions, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedUser:   org,
 		Actor:           user,
 		IncludePrivate:  true,
@@ -127,8 +133,9 @@ func TestGetFeeds2(t *testing.T) {
 		assert.EqualValues(t, 2, actions[0].ID)
 		assert.EqualValues(t, org.ID, actions[0].UserID)
 	}
+	assert.Equal(t, int64(1), count)
 
-	actions, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err = activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedUser:   org,
 		Actor:           user,
 		IncludePrivate:  false,
@@ -137,6 +144,7 @@ func TestGetFeeds2(t *testing.T) {
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 0)
+	assert.Equal(t, int64(0), count)
 }
 
 func TestActivityReadable(t *testing.T) {
@@ -224,13 +232,14 @@ func TestGetFeedsCorrupted(t *testing.T) {
 		RepoID: 1700,
 	})
 
-	actions, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+	actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 		RequestedUser:  user,
 		Actor:          user,
 		IncludePrivate: true,
 	})
 	assert.NoError(t, err)
 	assert.Len(t, actions, 0)
+	assert.Equal(t, int64(0), count)
 }
 
 func TestConsistencyUpdateAction(t *testing.T) {
diff --git a/models/activities/user_heatmap_test.go b/models/activities/user_heatmap_test.go
index 34715ab6dd..98df7b38aa 100644
--- a/models/activities/user_heatmap_test.go
+++ b/models/activities/user_heatmap_test.go
@@ -73,7 +73,7 @@ func TestGetUserHeatmapDataByUser(t *testing.T) {
 		}
 
 		// get the action for comparison
-		actions, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
+		actions, count, err := activities_model.GetFeeds(db.DefaultContext, activities_model.GetFeedsOptions{
 			RequestedUser:   user,
 			Actor:           doer,
 			IncludePrivate:  true,
@@ -90,6 +90,7 @@ func TestGetUserHeatmapDataByUser(t *testing.T) {
 		}
 		assert.NoError(t, err)
 		assert.Len(t, actions, contributions, "invalid action count: did the test data became too old?")
+		assert.Equal(t, count, int64(contributions))
 		assert.Equal(t, tc.CountResult, contributions, fmt.Sprintf("testcase '%s'", tc.desc))
 
 		// Test JSON rendering
diff --git a/routers/web/feed/profile.go b/routers/web/feed/profile.go
index 7641769192..b9dda2fc10 100644
--- a/routers/web/feed/profile.go
+++ b/routers/web/feed/profile.go
@@ -26,7 +26,7 @@ func ShowUserFeedAtom(ctx *context.Context) {
 func showUserFeed(ctx *context.Context, formatType string) {
 	includePrivate := ctx.IsSigned && (ctx.Doer.IsAdmin || ctx.Doer.ID == ctx.ContextUser.ID)
 
-	actions, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
+	actions, _, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
 		RequestedUser:   ctx.ContextUser,
 		Actor:           ctx.Doer,
 		IncludePrivate:  includePrivate,
diff --git a/routers/web/feed/repo.go b/routers/web/feed/repo.go
index 1d24b58800..5fcad26779 100644
--- a/routers/web/feed/repo.go
+++ b/routers/web/feed/repo.go
@@ -15,7 +15,7 @@ import (
 
 // ShowRepoFeed shows user activity on the repo as RSS / Atom feed
 func ShowRepoFeed(ctx *context.Context, repo *repo_model.Repository, formatType string) {
-	actions, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
+	actions, _, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
 		RequestedRepo:  repo,
 		Actor:          ctx.Doer,
 		IncludePrivate: true,
diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 4f45c1d5c3..2593ab148c 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -72,12 +72,23 @@ func Dashboard(ctx *context.Context) {
 		return
 	}
 
+	var (
+		date = ctx.FormString("date")
+		page = ctx.FormInt("page")
+	)
+
+	// Make sure page number is at least 1. Will be posted to ctx.Data.
+	if page <= 1 {
+		page = 1
+	}
+
 	ctx.Data["Title"] = ctxUser.DisplayName() + " - " + ctx.Tr("dashboard")
 	ctx.Data["PageIsDashboard"] = true
 	ctx.Data["PageIsNews"] = true
 	cnt, _ := organization.GetOrganizationCount(ctx, ctxUser)
 	ctx.Data["UserOrgsCount"] = cnt
 	ctx.Data["MirrorsEnabled"] = setting.Mirror.Enabled
+	ctx.Data["Date"] = date
 
 	var uid int64
 	if ctxUser != nil {
@@ -98,8 +109,7 @@ func Dashboard(ctx *context.Context) {
 		ctx.Data["HeatmapData"] = data
 	}
 
-	var err error
-	ctx.Data["Feeds"], err = activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
+	feeds, count, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
 		RequestedUser:   ctxUser,
 		RequestedTeam:   ctx.Org.Team,
 		Actor:           ctx.Doer,
@@ -107,13 +117,22 @@ func Dashboard(ctx *context.Context) {
 		OnlyPerformedBy: false,
 		IncludeDeleted:  false,
 		Date:            ctx.FormString("date"),
-		ListOptions:     db.ListOptions{PageSize: setting.UI.FeedPagingNum},
+		ListOptions: db.ListOptions{
+			Page:     page,
+			PageSize: setting.UI.FeedPagingNum,
+		},
 	})
 	if err != nil {
 		ctx.ServerError("GetFeeds", err)
 		return
 	}
 
+	ctx.Data["Feeds"] = feeds
+
+	pager := context.NewPagination(int(count), setting.UI.FeedPagingNum, page, 5)
+	pager.AddParam(ctx, "date", "Date")
+	ctx.Data["Page"] = pager
+
 	ctx.HTML(http.StatusOK, tplDashboard)
 }
 
diff --git a/routers/web/user/profile.go b/routers/web/user/profile.go
index 4f0a816569..b445260459 100644
--- a/routers/web/user/profile.go
+++ b/routers/web/user/profile.go
@@ -119,6 +119,11 @@ func Profile(ctx *context.Context) {
 		page = 1
 	}
 
+	pagingNum := setting.UI.User.RepoPagingNum
+	if tab == "activity" {
+		pagingNum = setting.UI.FeedPagingNum
+	}
+
 	topicOnly := ctx.FormBool("topic")
 
 	var (
@@ -164,7 +169,7 @@ func Profile(ctx *context.Context) {
 	switch tab {
 	case "followers":
 		items, count, err := user_model.GetUserFollowers(ctx, ctx.ContextUser, ctx.Doer, db.ListOptions{
-			PageSize: setting.UI.User.RepoPagingNum,
+			PageSize: pagingNum,
 			Page:     page,
 		})
 		if err != nil {
@@ -176,7 +181,7 @@ func Profile(ctx *context.Context) {
 		total = int(count)
 	case "following":
 		items, count, err := user_model.GetUserFollowing(ctx, ctx.ContextUser, ctx.Doer, db.ListOptions{
-			PageSize: setting.UI.User.RepoPagingNum,
+			PageSize: pagingNum,
 			Page:     page,
 		})
 		if err != nil {
@@ -187,24 +192,32 @@ func Profile(ctx *context.Context) {
 
 		total = int(count)
 	case "activity":
-		ctx.Data["Feeds"], err = activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
+		date := ctx.FormString("date")
+		items, count, err := activities_model.GetFeeds(ctx, activities_model.GetFeedsOptions{
 			RequestedUser:   ctx.ContextUser,
 			Actor:           ctx.Doer,
 			IncludePrivate:  showPrivate,
 			OnlyPerformedBy: true,
 			IncludeDeleted:  false,
-			Date:            ctx.FormString("date"),
-			ListOptions:     db.ListOptions{PageSize: setting.UI.FeedPagingNum},
+			Date:            date,
+			ListOptions: db.ListOptions{
+				PageSize: pagingNum,
+				Page:     page,
+			},
 		})
 		if err != nil {
 			ctx.ServerError("GetFeeds", err)
 			return
 		}
+		ctx.Data["Feeds"] = items
+		ctx.Data["Date"] = date
+
+		total = int(count)
 	case "stars":
 		ctx.Data["PageIsProfileStarList"] = true
 		repos, count, err = repo_model.SearchRepository(ctx, &repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
-				PageSize: setting.UI.User.RepoPagingNum,
+				PageSize: pagingNum,
 				Page:     page,
 			},
 			Actor:              ctx.Doer,
@@ -236,7 +249,7 @@ func Profile(ctx *context.Context) {
 	case "watching":
 		repos, count, err = repo_model.SearchRepository(ctx, &repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
-				PageSize: setting.UI.User.RepoPagingNum,
+				PageSize: pagingNum,
 				Page:     page,
 			},
 			Actor:              ctx.Doer,
@@ -258,7 +271,7 @@ func Profile(ctx *context.Context) {
 	default:
 		repos, count, err = repo_model.SearchRepository(ctx, &repo_model.SearchRepoOptions{
 			ListOptions: db.ListOptions{
-				PageSize: setting.UI.User.RepoPagingNum,
+				PageSize: pagingNum,
 				Page:     page,
 			},
 			Actor:              ctx.Doer,
@@ -281,12 +294,15 @@ func Profile(ctx *context.Context) {
 	ctx.Data["Repos"] = repos
 	ctx.Data["Total"] = total
 
-	pager := context.NewPagination(total, setting.UI.User.RepoPagingNum, page, 5)
+	pager := context.NewPagination(total, pagingNum, page, 5)
 	pager.SetDefaultParams(ctx)
 	pager.AddParam(ctx, "tab", "TabName")
 	if tab != "followers" && tab != "following" && tab != "activity" && tab != "projects" {
 		pager.AddParam(ctx, "language", "Language")
 	}
+	if tab == "activity" {
+		pager.AddParam(ctx, "date", "Date")
+	}
 	ctx.Data["Page"] = pager
 	ctx.Data["IsPackageEnabled"] = setting.Packages.Enabled
 	ctx.Data["IsRepoIndexerEnabled"] = setting.Indexer.RepoIndexerEnabled
diff --git a/templates/user/dashboard/feeds.tmpl b/templates/user/dashboard/feeds.tmpl
index 3f156249ff..75a76db570 100644
--- a/templates/user/dashboard/feeds.tmpl
+++ b/templates/user/dashboard/feeds.tmpl
@@ -124,3 +124,5 @@
 		<div class="ui divider"></div>
 	</div>
 {{end}}
+
+{{template "base/paginate" .}}
diff --git a/web_src/js/components/ActivityHeatmap.vue b/web_src/js/components/ActivityHeatmap.vue
index d0f81c586c..98ffce44b5 100644
--- a/web_src/js/components/ActivityHeatmap.vue
+++ b/web_src/js/components/ActivityHeatmap.vue
@@ -70,6 +70,8 @@ export default {
         params.set('date', clickedDate);
       }
 
+      params.delete('page');
+
       const newSearch = params.toString();
       window.location.search = newSearch.length ? `?${newSearch}` : '';
     }

From d827215011260ca704606e421ce9e1eff32387bc Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 24 Feb 2023 21:45:55 +0000
Subject: [PATCH 79/81] Fix DBConsistency checks on MSSQL (#23132)

Unfortunately xorm's `builder.Select(...).From(...)` does not escape the
table names. This is mostly not a problem but is a problem with the
`user` table.

This PR simply escapes the user table. No other uses of `From("user")`
where found in the codebase so I think this should be all that is
needed.

Fix #23064

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 models/issues/label.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/models/issues/label.go b/models/issues/label.go
index 0dd12fb5c9..90e4eb458f 100644
--- a/models/issues/label.go
+++ b/models/issues/label.go
@@ -778,7 +778,7 @@ func CountOrphanedLabels(ctx context.Context) (int64, error) {
 	norepo, err := db.GetEngine(ctx).Table("label").
 		Where(builder.And(
 			builder.Gt{"repo_id": 0},
-			builder.NotIn("repo_id", builder.Select("id").From("repository")),
+			builder.NotIn("repo_id", builder.Select("id").From("`repository`")),
 		)).
 		Count()
 	if err != nil {
@@ -788,7 +788,7 @@ func CountOrphanedLabels(ctx context.Context) (int64, error) {
 	noorg, err := db.GetEngine(ctx).Table("label").
 		Where(builder.And(
 			builder.Gt{"org_id": 0},
-			builder.NotIn("org_id", builder.Select("id").From("user")),
+			builder.NotIn("org_id", builder.Select("id").From("`user`")),
 		)).
 		Count()
 	if err != nil {
@@ -809,7 +809,7 @@ func DeleteOrphanedLabels(ctx context.Context) error {
 	if _, err := db.GetEngine(ctx).
 		Where(builder.And(
 			builder.Gt{"repo_id": 0},
-			builder.NotIn("repo_id", builder.Select("id").From("repository")),
+			builder.NotIn("repo_id", builder.Select("id").From("`repository`")),
 		)).
 		Delete(Label{}); err != nil {
 		return err
@@ -819,7 +819,7 @@ func DeleteOrphanedLabels(ctx context.Context) error {
 	if _, err := db.GetEngine(ctx).
 		Where(builder.And(
 			builder.Gt{"org_id": 0},
-			builder.NotIn("org_id", builder.Select("id").From("user")),
+			builder.NotIn("org_id", builder.Select("id").From("`user`")),
 		)).
 		Delete(Label{}); err != nil {
 		return err

From 843f81113ebe71fd725210c5a382268333865cc7 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Sat, 25 Feb 2023 00:10:50 +0100
Subject: [PATCH 80/81] Projects: rename Board to Column in interface and
 improve consistency (#22767)

---
 options/locale/locale_en-US.ini   | 32 +++++++++++++-------------
 templates/projects/new.tmpl       | 24 ++++++++++---------
 templates/projects/view.tmpl      | 38 +++++++++++++++----------------
 templates/repo/projects/new.tmpl  |  6 ++---
 templates/repo/projects/view.tmpl | 38 +++++++++++++++----------------
 5 files changed, 70 insertions(+), 68 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index fbd3068053..c818b0dcc5 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -57,7 +57,7 @@ new_mirror = New Mirror
 new_fork = New Repository Fork
 new_org = New Organization
 new_project = New Project
-new_project_board = New Project board
+new_project_column = New Column
 manage_org = Manage Organizations
 admin_panel = Site Administration
 account_settings = Account Settings
@@ -1203,35 +1203,35 @@ projects.description = Description (optional)
 projects.description_placeholder = Description
 projects.create = Create Project
 projects.title = Title
-projects.new = New project
+projects.new = New Project
 projects.new_subheader = Coordinate, track, and update your work in one place, so projects stay transparent and on schedule.
 projects.create_success = The project '%s' has been created.
 projects.deletion = Delete Project
 projects.deletion_desc = Deleting a project removes it from all related issues. Continue?
 projects.deletion_success = The project has been deleted.
-projects.edit = Edit Projects
+projects.edit = Edit Project
 projects.edit_subheader = Projects organize issues and track progress.
-projects.modify = Update Project
+projects.modify = Edit Project
 projects.edit_success = Project '%s' has been updated.
 projects.type.none = "None"
 projects.type.basic_kanban = "Basic Kanban"
 projects.type.bug_triage = "Bug Triage"
-projects.template.desc = "Project template"
+projects.template.desc = "Template"
 projects.template.desc_helper = "Select a project template to get started"
 projects.type.uncategorized = Uncategorized
-projects.board.edit = "Edit board"
-projects.board.edit_title = "New Board Name"
-projects.board.new_title = "New Board Name"
-projects.board.new_submit = "Submit"
-projects.board.new = "New Board"
-projects.board.set_default = "Set Default"
-projects.board.set_default_desc = "Set this board as default for uncategorized issues and pulls"
-projects.board.delete = "Delete Board"
-projects.board.deletion_desc = "Deleting a project board moves all related issues to 'Uncategorized'. Continue?"
-projects.board.color = "Color"
+projects.column.edit = "Edit Column"
+projects.column.edit_title = "Name"
+projects.column.new_title = "Name"
+projects.column.new_submit = "Create Column"
+projects.column.new = "New Column"
+projects.column.set_default = "Set Default"
+projects.column.set_default_desc = "Set this column as default for uncategorized issues and pulls"
+projects.column.delete = "Delete Column"
+projects.column.deletion_desc = "Deleting a project column moves all related issues to 'Uncategorized'. Continue?"
+projects.column.color = "Color"
 projects.open = Open
 projects.close = Close
-projects.board.assigned_to = Assigned to
+projects.column.assigned_to = Assigned to
 projects.card_type.desc = "Card Previews"
 projects.card_type.images_and_text = "Images and Text"
 projects.card_type.text_only = "Text Only"
diff --git a/templates/projects/new.tmpl b/templates/projects/new.tmpl
index 19bf503692..c96f948ded 100644
--- a/templates/projects/new.tmpl
+++ b/templates/projects/new.tmpl
@@ -31,14 +31,16 @@
 				</div>
 
 				{{if not .PageIsEditProjects}}
-					<label>{{.locale.Tr "repo.projects.template.desc"}}</label>
-					<div class="ui selection dropdown">
-						<input type="hidden" name="board_type" value="{{.type}}">
-						<div class="default text">{{.locale.Tr "repo.projects.template.desc_helper"}}</div>
-						<div class="menu">
-							{{range $element := .BoardTypes}}
-								<div class="item" data-id="{{$element.BoardType}}" data-value="{{$element.BoardType}}">{{$.locale.Tr $element.Translation}}</div>
-							{{end}}
+					<div class="field">
+						<label>{{.locale.Tr "repo.projects.template.desc"}}</label>
+						<div class="ui selection dropdown">
+							<input type="hidden" name="board_type" value="{{.type}}">
+							<div class="default text">{{.locale.Tr "repo.projects.template.desc_helper"}}</div>
+							<div class="menu">
+								{{range $element := .ProjectTypes}}
+									<div class="item" data-id="{{$element.BoardType}}" data-value="{{$element.BoardType}}">{{$.locale.Tr $element.Translation}}</div>
+								{{end}}
+							</div>
 						</div>
 					</div>
 				{{end}}
@@ -47,14 +49,14 @@
 				<div class="ui divider"></div>
 				<div class="ui left">
 					{{if .PageIsEditProjects}}
-					<a class="ui primary basic button" href="{{.RepoLink}}/projects">
+					<a class="ui cancel button" href="{{.RepoLink}}/projects">
 						{{.locale.Tr "repo.milestones.cancel"}}
 					</a>
-					<button class="ui green button">
+					<button class="ui primary button">
 						{{.locale.Tr "repo.projects.modify"}}
 					</button>
 					{{else}}
-						<button class="ui green button">
+						<button class="ui primary button">
 							{{.locale.Tr "repo.projects.create"}}
 						</button>
 					{{end}}
diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl
index b25cf2526e..3d0bea35d5 100644
--- a/templates/projects/view.tmpl
+++ b/templates/projects/view.tmpl
@@ -5,21 +5,21 @@
 			</div>
 			<div class="column right aligned">
 				{{if .CanWriteProjects}}
-					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.locale.Tr "new_project_board"}}</a>
+					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.locale.Tr "new_project_column"}}</a>
 				{{end}}
 				<div class="ui small modal new-board-modal" id="new-board-item">
 					<div class="header">
-						{{$.locale.Tr "repo.projects.board.new"}}
+						{{$.locale.Tr "repo.projects.column.new"}}
 					</div>
 					<div class="content">
 						<form class="ui form">
 							<div class="required field">
-								<label for="new_board">{{$.locale.Tr "repo.projects.board.new_title"}}</label>
+								<label for="new_board">{{$.locale.Tr "repo.projects.column.new_title"}}</label>
 								<input class="new-board" id="new_board" name="title" required>
 							</div>
 
 							<div class="field color-field">
-								<label for="new_board_color">{{$.locale.Tr "repo.projects.board.color"}}</label>
+								<label for="new_board_color">{{$.locale.Tr "repo.projects.column.color"}}</label>
 								<div class="color picker column">
 									<input class="color-picker" maxlength="7" placeholder="#c320f6" id="new_board_color_picker" name="color">
 									<div class="column precolors">
@@ -30,7 +30,7 @@
 
 							<div class="text right actions">
 								<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-								<button data-url="{{$.Link}}" class="ui green button" id="new_board_submit">{{$.locale.Tr "repo.projects.board.new_submit"}}</button>
+								<button data-url="{{$.Link}}" class="ui primary button" id="new_board_submit">{{$.locale.Tr "repo.projects.column.new_submit"}}</button>
 							</div>
 						</form>
 					</div>
@@ -92,32 +92,32 @@
 							<div class="menu user-menu" tabindex="-1">
 								<a class="item show-modal button" data-modal="#edit-project-board-modal-{{.ID}}">
 									{{svg "octicon-pencil"}}
-									{{$.locale.Tr "repo.projects.board.edit"}}
+									{{$.locale.Tr "repo.projects.column.edit"}}
 								</a>
 								{{if not .Default}}
 									<a class="item show-modal button" data-modal="#set-default-project-board-modal-{{.ID}}">
 										{{svg "octicon-pin"}}
-										{{$.locale.Tr "repo.projects.board.set_default"}}
+										{{$.locale.Tr "repo.projects.column.set_default"}}
 									</a>
 								{{end}}
 								<a class="item show-modal button" data-modal="#delete-board-modal-{{.ID}}">
 									{{svg "octicon-trash"}}
-									{{$.locale.Tr "repo.projects.board.delete"}}
+									{{$.locale.Tr "repo.projects.column.delete"}}
 								</a>
 
 								<div class="ui small modal edit-project-board" id="edit-project-board-modal-{{.ID}}">
 									<div class="header">
-										{{$.locale.Tr "repo.projects.board.edit"}}
+										{{$.locale.Tr "repo.projects.column.edit"}}
 									</div>
 									<div class="content">
 										<form class="ui form">
 											<div class="required field">
-												<label for="new_board_title">{{$.locale.Tr "repo.projects.board.edit_title"}}</label>
+												<label for="new_board_title">{{$.locale.Tr "repo.projects.column.edit_title"}}</label>
 												<input class="project-board-title" id="new_board_title" name="title" value="{{.Title}}" required>
 											</div>
 
 											<div class="field color-field">
-												<label for="new_board_color">{{$.locale.Tr "repo.projects.board.color"}}</label>
+												<label for="new_board_color">{{$.locale.Tr "repo.projects.column.color"}}</label>
 												<div class="color picker column">
 													<input class="color-picker" maxlength="7" placeholder="#c320f6" id="new_board_color" name="color" value="{{.Color}}">
 													<div class="column precolors">
@@ -128,7 +128,7 @@
 
 											<div class="text right actions">
 												<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-												<button data-url="{{$.Link}}/{{.ID}}" class="ui red button">{{$.locale.Tr "repo.projects.board.edit"}}</button>
+												<button data-url="{{$.Link}}/{{.ID}}" class="ui primary button">{{$.locale.Tr "repo.projects.column.edit"}}</button>
 											</div>
 										</form>
 									</div>
@@ -136,31 +136,31 @@
 
 								<div class="ui basic modal" id="set-default-project-board-modal-{{.ID}}">
 									<div class="ui icon header">
-										{{$.locale.Tr "repo.projects.board.set_default"}}
+										{{$.locale.Tr "repo.projects.column.set_default"}}
 									</div>
 									<div class="content center">
 										<label>
-											{{$.locale.Tr "repo.projects.board.set_default_desc"}}
+											{{$.locale.Tr "repo.projects.column.set_default_desc"}}
 										</label>
 									</div>
 									<div class="text right actions">
 										<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-										<button class="ui red button set-default-project-board" data-url="{{$.Link}}/{{.ID}}/default">{{$.locale.Tr "repo.projects.board.set_default"}}</button>
+										<button class="ui primary button set-default-project-board" data-url="{{$.Link}}/{{.ID}}/default">{{$.locale.Tr "repo.projects.column.set_default"}}</button>
 									</div>
 								</div>
 
 								<div class="ui basic modal" id="delete-board-modal-{{.ID}}">
 									<div class="ui icon header">
-										{{$.locale.Tr "repo.projects.board.delete"}}
+										{{$.locale.Tr "repo.projects.column.delete"}}
 									</div>
 									<div class="content center">
 										<label>
-											{{$.locale.Tr "repo.projects.board.deletion_desc"}}
+											{{$.locale.Tr "repo.projects.column.deletion_desc"}}
 										</label>
 									</div>
 									<div class="text right actions">
 										<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-										<button class="ui red button delete-project-board" data-url="{{$.Link}}/{{.ID}}">{{$.locale.Tr "repo.projects.board.delete"}}</button>
+										<button class="ui red button delete-project-board" data-url="{{$.Link}}/{{.ID}}">{{$.locale.Tr "repo.projects.column.delete"}}</button>
 									</div>
 								</div>
 							</div>
@@ -238,7 +238,7 @@
 							{{end}}
 							<div class="right floated">
 								{{range .Assignees}}
-									<a class="tooltip" target="_blank" href="{{.HomeLink}}" data-content="{{$.locale.Tr "repo.projects.board.assigned_to"}} {{.Name}}">{{avatar . 28 "mini gt-mr-3"}}</a>
+									<a class="tooltip" target="_blank" href="{{.HomeLink}}" data-content="{{$.locale.Tr "repo.projects.column.assigned_to"}} {{.Name}}">{{avatar . 28 "mini gt-mr-3"}}</a>
 								{{end}}
 							</div>
 						</div>
diff --git a/templates/repo/projects/new.tmpl b/templates/repo/projects/new.tmpl
index c90fa4369c..b65601c158 100644
--- a/templates/repo/projects/new.tmpl
+++ b/templates/repo/projects/new.tmpl
@@ -71,14 +71,14 @@
 				<div class="ui divider"></div>
 				<div class="ui left">
 					{{if .PageIsEditProjects}}
-					<a class="ui primary basic button" href="{{.RepoLink}}/projects">
+					<a class="ui cancel button" href="{{.RepoLink}}/projects">
 						{{.locale.Tr "repo.milestones.cancel"}}
 					</a>
-					<button class="ui green button">
+					<button class="ui primary button">
 						{{.locale.Tr "repo.projects.modify"}}
 					</button>
 					{{else}}
-						<button class="ui green button">
+						<button class="ui primary button">
 							{{.locale.Tr "repo.projects.create"}}
 						</button>
 					{{end}}
diff --git a/templates/repo/projects/view.tmpl b/templates/repo/projects/view.tmpl
index a4ada87353..1450fdac1c 100644
--- a/templates/repo/projects/view.tmpl
+++ b/templates/repo/projects/view.tmpl
@@ -9,21 +9,21 @@
 			<div class="column right aligned">
 				{{if and .CanWriteProjects (not .Repository.IsArchived)}}
 					<a class="ui green button show-modal item" href="{{$.RepoLink}}/issues/new/choose?project={{$.Project.ID}}">{{.locale.Tr "repo.issues.new"}}</a>
-					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.locale.Tr "new_project_board"}}</a>
+					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.locale.Tr "new_project_column"}}</a>
 				{{end}}
 				<div class="ui small modal new-board-modal" id="new-board-item">
 					<div class="header">
-						{{$.locale.Tr "repo.projects.board.new"}}
+						{{$.locale.Tr "repo.projects.column.new"}}
 					</div>
 					<div class="content">
 						<form class="ui form">
 							<div class="required field">
-								<label for="new_board">{{$.locale.Tr "repo.projects.board.new_title"}}</label>
+								<label for="new_board">{{$.locale.Tr "repo.projects.column.new_title"}}</label>
 								<input class="new-board" id="new_board" name="title" required>
 							</div>
 
 							<div class="field color-field">
-								<label for="new_board_color">{{$.locale.Tr "repo.projects.board.color"}}</label>
+								<label for="new_board_color">{{$.locale.Tr "repo.projects.column.color"}}</label>
 								<div class="color picker column">
 									<input class="color-picker" maxlength="7" placeholder="#c320f6" id="new_board_color_picker" name="color">
 									<div class="column precolors">
@@ -34,7 +34,7 @@
 
 							<div class="text right actions">
 								<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-								<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}" class="ui green button" id="new_board_submit">{{$.locale.Tr "repo.projects.board.new_submit"}}</button>
+								<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}" class="ui primary button" id="new_board_submit">{{$.locale.Tr "repo.projects.column.new_submit"}}</button>
 							</div>
 						</form>
 					</div>
@@ -96,32 +96,32 @@
 							<div class="menu user-menu" tabindex="-1">
 								<a class="item show-modal button" data-modal="#edit-project-board-modal-{{.ID}}">
 									{{svg "octicon-pencil"}}
-									{{$.locale.Tr "repo.projects.board.edit"}}
+									{{$.locale.Tr "repo.projects.column.edit"}}
 								</a>
 								{{if not .Default}}
 									<a class="item show-modal button" data-modal="#set-default-project-board-modal-{{.ID}}">
 										{{svg "octicon-pin"}}
-										{{$.locale.Tr "repo.projects.board.set_default"}}
+										{{$.locale.Tr "repo.projects.column.set_default"}}
 									</a>
 								{{end}}
 								<a class="item show-modal button" data-modal="#delete-board-modal-{{.ID}}">
 									{{svg "octicon-trash"}}
-									{{$.locale.Tr "repo.projects.board.delete"}}
+									{{$.locale.Tr "repo.projects.column.delete"}}
 								</a>
 
 								<div class="ui small modal edit-project-board" id="edit-project-board-modal-{{.ID}}">
 									<div class="header">
-										{{$.locale.Tr "repo.projects.board.edit"}}
+										{{$.locale.Tr "repo.projects.column.edit"}}
 									</div>
 									<div class="content">
 										<form class="ui form">
 											<div class="required field">
-												<label for="new_board_title">{{$.locale.Tr "repo.projects.board.edit_title"}}</label>
+												<label for="new_board_title">{{$.locale.Tr "repo.projects.column.edit_title"}}</label>
 												<input class="project-board-title" id="new_board_title" name="title" value="{{.Title}}" required>
 											</div>
 
 											<div class="field color-field">
-												<label for="new_board_color">{{$.locale.Tr "repo.projects.board.color"}}</label>
+												<label for="new_board_color">{{$.locale.Tr "repo.projects.column.color"}}</label>
 												<div class="color picker column">
 													<input class="color-picker" maxlength="7" placeholder="#c320f6" id="new_board_color" name="color" value="{{.Color}}">
 													<div class="column precolors">
@@ -132,7 +132,7 @@
 
 											<div class="text right actions">
 												<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-												<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}" class="ui red button">{{$.locale.Tr "repo.projects.board.edit"}}</button>
+												<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}" class="ui primary button">{{$.locale.Tr "repo.projects.column.edit"}}</button>
 											</div>
 										</form>
 									</div>
@@ -140,31 +140,31 @@
 
 								<div class="ui basic modal" id="set-default-project-board-modal-{{.ID}}">
 									<div class="ui icon header">
-										{{$.locale.Tr "repo.projects.board.set_default"}}
+										{{$.locale.Tr "repo.projects.column.set_default"}}
 									</div>
 									<div class="content center">
 										<label>
-											{{$.locale.Tr "repo.projects.board.set_default_desc"}}
+											{{$.locale.Tr "repo.projects.column.set_default_desc"}}
 										</label>
 									</div>
 									<div class="text right actions">
 										<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-										<button class="ui red button set-default-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}/default">{{$.locale.Tr "repo.projects.board.set_default"}}</button>
+										<button class="ui primary button set-default-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}/default">{{$.locale.Tr "repo.projects.column.set_default"}}</button>
 									</div>
 								</div>
 
 								<div class="ui basic modal" id="delete-board-modal-{{.ID}}">
 									<div class="ui icon header">
-										{{$.locale.Tr "repo.projects.board.delete"}}
+										{{$.locale.Tr "repo.projects.column.delete"}}
 									</div>
 									<div class="content center">
 										<label>
-											{{$.locale.Tr "repo.projects.board.deletion_desc"}}
+											{{$.locale.Tr "repo.projects.column.deletion_desc"}}
 										</label>
 									</div>
 									<div class="text right actions">
 										<div class="ui cancel button">{{$.locale.Tr "settings.cancel"}}</div>
-										<button class="ui red button delete-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}">{{$.locale.Tr "repo.projects.board.delete"}}</button>
+										<button class="ui red button delete-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}">{{$.locale.Tr "repo.projects.column.delete"}}</button>
 									</div>
 								</div>
 							</div>
@@ -249,7 +249,7 @@
 							{{end}}
 							<div class="right floated">
 								{{range .Assignees}}
-									<a class="tooltip" target="_blank" href="{{.HomeLink}}" data-content="{{$.locale.Tr "repo.projects.board.assigned_to"}} {{.Name}}">{{avatar $.Context . 28 "mini gt-mr-3"}}</a>
+									<a class="tooltip" target="_blank" href="{{.HomeLink}}" data-content="{{$.locale.Tr "repo.projects.column.assigned_to"}} {{.Name}}">{{avatar $.Context . 28 "mini gt-mr-3"}}</a>
 								{{end}}
 							</div>
 						</div>

From 10cdcb9ea8077098921d72720f9f36fcfd950452 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Sat, 25 Feb 2023 03:55:50 +0100
Subject: [PATCH 81/81] Add "Reviewed by you" filter for pull requests (#22927)

This includes pull requests that you approved, requested changes or
commented on. Currently such pull requests are not visible in any of the
filters on /pulls, while they may need further action like merging, or
prodding the author or reviewers.

Especially when working with a large team on a repository it's helpful
to get a full overview of pull requests that may need your attention,
without having to sift through the complete list.
---
 models/issues/issue.go                     | 61 ++++++++++++++++++++++
 options/locale/locale_en-US.ini            |  1 +
 routers/api/v1/repo/issue.go               |  7 +++
 routers/web/repo/issue.go                  | 10 +++-
 routers/web/user/home.go                   |  4 ++
 templates/repo/issue/list.tmpl             |  3 +-
 templates/repo/issue/milestone_issues.tmpl |  3 +-
 templates/swagger/v1_json.tmpl             |  6 +++
 templates/user/dashboard/issues.tmpl       | 12 +++--
 9 files changed, 100 insertions(+), 7 deletions(-)

diff --git a/models/issues/issue.go b/models/issues/issue.go
index c59e9d14e5..edd74261ec 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -1148,6 +1148,7 @@ type IssuesOptions struct { //nolint
 	PosterID           int64
 	MentionedID        int64
 	ReviewRequestedID  int64
+	ReviewedID         int64
 	SubscriberID       int64
 	MilestoneIDs       []int64
 	ProjectID          int64
@@ -1262,6 +1263,10 @@ func (opts *IssuesOptions) setupSessionNoLimit(sess *xorm.Session) {
 		applyReviewRequestedCondition(sess, opts.ReviewRequestedID)
 	}
 
+	if opts.ReviewedID > 0 {
+		applyReviewedCondition(sess, opts.ReviewedID)
+	}
+
 	if opts.SubscriberID > 0 {
 		applySubscribedCondition(sess, opts.SubscriberID)
 	}
@@ -1432,6 +1437,36 @@ func applyReviewRequestedCondition(sess *xorm.Session, reviewRequestedID int64)
 			reviewRequestedID, ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest, reviewRequestedID)
 }
 
+func applyReviewedCondition(sess *xorm.Session, reviewedID int64) *xorm.Session {
+	// Query for pull requests where you are a reviewer or commenter, excluding
+	// any pull requests already returned by the the review requested filter.
+	notPoster := builder.Neq{"issue.poster_id": reviewedID}
+	reviewed := builder.In("issue.id", builder.
+		Select("issue_id").
+		From("review").
+		Where(builder.And(
+			builder.Neq{"type": ReviewTypeRequest},
+			builder.Or(
+				builder.Eq{"reviewer_id": reviewedID},
+				builder.In("reviewer_team_id", builder.
+					Select("team_id").
+					From("team_user").
+					Where(builder.Eq{"uid": reviewedID}),
+				),
+			),
+		)),
+	)
+	commented := builder.In("issue.id", builder.
+		Select("issue_id").
+		From("comment").
+		Where(builder.And(
+			builder.Eq{"poster_id": reviewedID},
+			builder.In("type", CommentTypeComment, CommentTypeCode, CommentTypeReview),
+		)),
+	)
+	return sess.And(notPoster, builder.Or(reviewed, commented))
+}
+
 func applySubscribedCondition(sess *xorm.Session, subscriberID int64) *xorm.Session {
 	return sess.And(
 		builder.
@@ -1586,6 +1621,7 @@ type IssueStats struct {
 	CreateCount            int64
 	MentionCount           int64
 	ReviewRequestedCount   int64
+	ReviewedCount          int64
 }
 
 // Filter modes.
@@ -1595,6 +1631,7 @@ const (
 	FilterModeCreate
 	FilterModeMention
 	FilterModeReviewRequested
+	FilterModeReviewed
 	FilterModeYourRepositories
 )
 
@@ -1608,6 +1645,7 @@ type IssueStatsOptions struct {
 	MentionedID       int64
 	PosterID          int64
 	ReviewRequestedID int64
+	ReviewedID        int64
 	IsPull            util.OptionalBool
 	IssueIDs          []int64
 }
@@ -1646,6 +1684,7 @@ func GetIssueStats(opts *IssueStatsOptions) (*IssueStats, error) {
 		accum.CreateCount += stats.CreateCount
 		accum.OpenCount += stats.MentionCount
 		accum.ReviewRequestedCount += stats.ReviewRequestedCount
+		accum.ReviewedCount += stats.ReviewedCount
 		i = chunk
 	}
 	return accum, nil
@@ -1703,6 +1742,10 @@ func getIssueStatsChunk(opts *IssueStatsOptions, issueIDs []int64) (*IssueStats,
 			applyReviewRequestedCondition(sess, opts.ReviewRequestedID)
 		}
 
+		if opts.ReviewedID > 0 {
+			applyReviewedCondition(sess, opts.ReviewedID)
+		}
+
 		switch opts.IsPull {
 		case util.OptionalBoolTrue:
 			sess.And("issue.is_pull=?", true)
@@ -1843,6 +1886,19 @@ func GetUserIssueStats(opts UserIssueStatsOptions) (*IssueStats, error) {
 		if err != nil {
 			return nil, err
 		}
+	case FilterModeReviewed:
+		stats.OpenCount, err = applyReviewedCondition(sess(cond), opts.UserID).
+			And("issue.is_closed = ?", false).
+			Count(new(Issue))
+		if err != nil {
+			return nil, err
+		}
+		stats.ClosedCount, err = applyReviewedCondition(sess(cond), opts.UserID).
+			And("issue.is_closed = ?", true).
+			Count(new(Issue))
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	cond = cond.And(builder.Eq{"issue.is_closed": opts.IsClosed})
@@ -1871,6 +1927,11 @@ func GetUserIssueStats(opts UserIssueStatsOptions) (*IssueStats, error) {
 		return nil, err
 	}
 
+	stats.ReviewedCount, err = applyReviewedCondition(sess(cond), opts.UserID).Count(new(Issue))
+	if err != nil {
+		return nil, err
+	}
+
 	return stats, nil
 }
 
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index c818b0dcc5..2109950ca8 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1323,6 +1323,7 @@ issues.filter_type.assigned_to_you = Assigned to you
 issues.filter_type.created_by_you = Created by you
 issues.filter_type.mentioning_you = Mentioning you
 issues.filter_type.review_requested = Review requested
+issues.filter_type.reviewed_by_you = Reviewed by you
 issues.filter_sort = Sort
 issues.filter_sort.latest = Newest
 issues.filter_sort.oldest = Oldest
diff --git a/routers/api/v1/repo/issue.go b/routers/api/v1/repo/issue.go
index 458838b935..06bf06b4e8 100644
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@@ -92,6 +92,10 @@ func SearchIssues(ctx *context.APIContext) {
 	//   in: query
 	//   description: filter pulls requesting your review, default is false
 	//   type: boolean
+	// - name: reviewed
+	//   in: query
+	//   description: filter pulls reviewed by you, default is false
+	//   type: boolean
 	// - name: owner
 	//   in: query
 	//   description: filter by owner
@@ -266,6 +270,9 @@ func SearchIssues(ctx *context.APIContext) {
 		if ctx.FormBool("review_requested") {
 			issuesOpt.ReviewRequestedID = ctxUserID
 		}
+		if ctx.FormBool("reviewed") {
+			issuesOpt.ReviewedID = ctxUserID
+		}
 
 		if issues, err = issues_model.Issues(ctx, issuesOpt); err != nil {
 			ctx.Error(http.StatusInternalServerError, "Issues", err)
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 05ba26a70c..745d6e70a0 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -138,7 +138,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 	var err error
 	viewType := ctx.FormString("type")
 	sortType := ctx.FormString("sort")
-	types := []string{"all", "your_repositories", "assigned", "created_by", "mentioned", "review_requested"}
+	types := []string{"all", "your_repositories", "assigned", "created_by", "mentioned", "review_requested", "reviewed_by"}
 	if !util.SliceContainsString(types, viewType, true) {
 		viewType = "all"
 	}
@@ -148,6 +148,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 		posterID          = ctx.FormInt64("poster")
 		mentionedID       int64
 		reviewRequestedID int64
+		reviewedID        int64
 		forceEmpty        bool
 	)
 
@@ -161,6 +162,8 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 			assigneeID = ctx.Doer.ID
 		case "review_requested":
 			reviewRequestedID = ctx.Doer.ID
+		case "reviewed_by":
+			reviewedID = ctx.Doer.ID
 		}
 	}
 
@@ -208,6 +211,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 			MentionedID:       mentionedID,
 			PosterID:          posterID,
 			ReviewRequestedID: reviewRequestedID,
+			ReviewedID:        reviewedID,
 			IsPull:            isPullOption,
 			IssueIDs:          issueIDs,
 		})
@@ -255,6 +259,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 			PosterID:          posterID,
 			MentionedID:       mentionedID,
 			ReviewRequestedID: reviewRequestedID,
+			ReviewedID:        reviewedID,
 			MilestoneIDs:      mileIDs,
 			ProjectID:         projectID,
 			IsClosed:          util.OptionalBoolOf(isShowClosed),
@@ -2425,6 +2430,9 @@ func SearchIssues(ctx *context.Context) {
 		if ctx.FormBool("review_requested") {
 			issuesOpt.ReviewRequestedID = ctxUserID
 		}
+		if ctx.FormBool("reviewed") {
+			issuesOpt.ReviewedID = ctxUserID
+		}
 
 		if issues, err = issues_model.Issues(ctx, issuesOpt); err != nil {
 			ctx.Error(http.StatusInternalServerError, "Issues", err.Error())
diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 2593ab148c..a0a5dc3c4b 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -385,6 +385,8 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		filterMode = issues_model.FilterModeMention
 	case "review_requested":
 		filterMode = issues_model.FilterModeReviewRequested
+	case "reviewed_by":
+		filterMode = issues_model.FilterModeReviewed
 	case "your_repositories":
 		fallthrough
 	default:
@@ -453,6 +455,8 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		opts.MentionedID = ctx.Doer.ID
 	case issues_model.FilterModeReviewRequested:
 		opts.ReviewRequestedID = ctx.Doer.ID
+	case issues_model.FilterModeReviewed:
+		opts.ReviewedID = ctx.Doer.ID
 	}
 
 	// keyword holds the search term entered into the search field.
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl
index 2b1bea822f..23a8a1d0e1 100644
--- a/templates/repo/issue/list.tmpl
+++ b/templates/repo/issue/list.tmpl
@@ -171,10 +171,11 @@
 								<a class="{{if eq .ViewType "all"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=all&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.all_issues"}}</a>
 								<a class="{{if eq .ViewType "assigned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=assigned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.assigned_to_you"}}</a>
 								<a class="{{if eq .ViewType "created_by"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=created_by&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.created_by_you"}}</a>
-								<a class="{{if eq .ViewType "mentioned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=mentioned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}</a>
 								{{if .PageIsPullList}}
 									<a class="{{if eq .ViewType "review_requested"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=review_requested&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.review_requested"}}</a>
+									<a class="{{if eq .ViewType "reviewed_by"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=reviewed_by&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.reviewed_by_you"}}</a>
 								{{end}}
+								<a class="{{if eq .ViewType "mentioned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=mentioned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&milestone={{$.MilestoneID}}&project={{$.ProjectID}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}</a>
 							</div>
 						</div>
 					{{end}}
diff --git a/templates/repo/issue/milestone_issues.tmpl b/templates/repo/issue/milestone_issues.tmpl
index fca9597446..d73fb56fbc 100644
--- a/templates/repo/issue/milestone_issues.tmpl
+++ b/templates/repo/issue/milestone_issues.tmpl
@@ -111,8 +111,9 @@
 								<a class="{{if eq .ViewType "all"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=all&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.all_issues"}}</a>
 								<a class="{{if eq .ViewType "assigned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=assigned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.assigned_to_you"}}</a>
 								<a class="{{if eq .ViewType "created_by"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=created_by&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.created_by_you"}}</a>
-								<a class="{{if eq .ViewType "mentioned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=mentioned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}</a>
 								<a class="{{if eq .ViewType "review_requested"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=review_requested&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.review_requested"}}</a>
+								<a class="{{if eq .ViewType "reviewed_by"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=reviewed_by&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.reviewed_by_you"}}</a>
+								<a class="{{if eq .ViewType "mentioned"}}active {{end}}item" href="{{$.Link}}?q={{$.Keyword}}&type=mentioned&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}">{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}</a>
 							</div>
 						</div>
 					{{end}}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index de774deaed..0605937599 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -2366,6 +2366,12 @@
             "name": "review_requested",
             "in": "query"
           },
+          {
+            "type": "boolean",
+            "description": "filter pulls reviewed by you, default is false",
+            "name": "reviewed",
+            "in": "query"
+          },
           {
             "type": "string",
             "description": "filter by owner",
diff --git a/templates/user/dashboard/issues.tmpl b/templates/user/dashboard/issues.tmpl
index 049b6a1681..29023d921a 100644
--- a/templates/user/dashboard/issues.tmpl
+++ b/templates/user/dashboard/issues.tmpl
@@ -17,16 +17,20 @@
 						{{.locale.Tr "repo.issues.filter_type.created_by_you"}}
 						<strong class="ui right">{{CountFmt .IssueStats.CreateCount}}</strong>
 					</a>
-					<a class="{{if eq .ViewType "mentioned"}}ui basic primary button{{end}} item" href="{{.Link}}?type=mentioned&repos=[{{range $.RepoIDs}}{{.}}%2C{{end}}]&sort={{$.SortType}}&state={{.State}}">
-						{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}
-						<strong class="ui right">{{CountFmt .IssueStats.MentionCount}}</strong>
-					</a>
 					{{if .PageIsPulls}}
 						<a class="{{if eq .ViewType "review_requested"}}ui basic primary button{{end}} item" href="{{.Link}}?type=review_requested&repos=[{{range $.RepoIDs}}{{.}}%2C{{end}}]&sort={{$.SortType}}&state={{.State}}">
 							{{.locale.Tr "repo.issues.filter_type.review_requested"}}
 							<strong class="ui right">{{CountFmt .IssueStats.ReviewRequestedCount}}</strong>
 						</a>
+						<a class="{{if eq .ViewType "reviewed_by"}}ui basic primary button{{end}} item" href="{{.Link}}?type=reviewed_by&repos=[{{range $.RepoIDs}}{{.}}%2C{{end}}]&sort={{$.SortType}}&state={{.State}}">
+							{{.locale.Tr "repo.issues.filter_type.reviewed_by_you"}}
+							<strong class="ui right">{{CountFmt .IssueStats.ReviewedCount}}</strong>
+						</a>
 					{{end}}
+					<a class="{{if eq .ViewType "mentioned"}}ui basic primary button{{end}} item" href="{{.Link}}?type=mentioned&repos=[{{range $.RepoIDs}}{{.}}%2C{{end}}]&sort={{$.SortType}}&state={{.State}}">
+						{{.locale.Tr "repo.issues.filter_type.mentioning_you"}}
+						<strong class="ui right">{{CountFmt .IssueStats.MentionCount}}</strong>
+					</a>
 					<div class="ui divider"></div>
 					<a class="{{if not $.RepoIDs}}ui basic primary button{{end}} repo name item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&q={{$.Keyword}}">
 						<span class="text truncate">All</span>