From 4001ab027a2e26ca60465fd240813092aa3f73b4 Mon Sep 17 00:00:00 2001
From: zokki <zokki.softwareschmiede@gmail.com>
Date: Tue, 21 Apr 2026 19:55:16 +0200
Subject: [PATCH] fix: secret name-prefix regex (#12213)

Fixes: #12212
Sorry for this bug, I introduced it by not testing !10682 better. Now the `forbiddenPrefixPattern`-regex is compliant to the docu:
```
It cannot start with FORGEJO_, GITEA_, GITHUB_, or a number.
```

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12213
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
---
 models/secret/secret.go      | 2 +-
 models/secret/secret_test.go | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/models/secret/secret.go b/models/secret/secret.go
index 911d94d78a..758f346f22 100644
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@@ -20,7 +20,7 @@ import (
 
 var (
 	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^FORGEJO_|GITEA_|GITHUB_")
+	forbiddenPrefixPattern = regexp.MustCompile("(?i)^(FORGEJO_|GITEA_|GITHUB_|[0-9])")
 
 	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
 )
diff --git a/models/secret/secret_test.go b/models/secret/secret_test.go
index 5c54b25967..e323986084 100644
--- a/models/secret/secret_test.go
+++ b/models/secret/secret_test.go
@@ -257,12 +257,18 @@ func TestSecretValidateName(t *testing.T) {
 		valid bool
 	}{
 		{"FORGEJO_", false},
+		{"PRE_FORGEJO_", true},
+		{"PRE_FORGEJO_SUF", true},
 		{"FORGEJO_123", false},
 		{"FORGEJO_ABC", false},
 		{"GITEA_", false},
+		{"PRE_GITEA_", true},
+		{"PRE_GITEA_SUF", true},
 		{"GITEA_123", false},
 		{"GITEA_ABC", false},
 		{"GITHUB_", false},
+		{"PRE_GITHUB_", true},
+		{"PRE_GITHUB_SUF", true},
 		{"GITHUB_123", false},
 		{"GITHUB_ABC", false},
 		{"123_TEST", false},